Hi Mimi,

On Thursday, April 10, 2014 11:36:15 PM Mimi Zohar wrote:
> On Wed, 2014-04-09 at 18:26 -0700, Peter Moody wrote:
> > On Wed, Apr 09 2014 at 10:19, Steve Grubb wrote:
> > > Missing INTEGRITY_RULE
> >
> > IMA with an 'audit' rule generates INTEGRITY_RULE messages.

For those of us not really up on IMA and just want to generate the event to add to our collection, any tips on doing this?

> > Missing INTEGRITY_DATA
>
> Failure to collect or appraise file data.
> (Requires the filesystem to be labeled w/security.ima and integrity
> appraisal enabled.)

How would I cause this event to be generated if I wanted to see it?

> > Missing INTEGRITY_HASH
>
> Not used.

OK, I'll mark that deprecated.

> > Missing INTEGRITY_METADATA
>
> Before updating/removing 'security.evm' the xattr or modifying file
> metadata included in the HMAC calculation (e.g. i_ino, i_uid, i_gid,
> i_mode, FSUUID, i_generation), EVM verifies the existing value.
> (Requires the filesystem to be labeled w/security.evm and integrity
> appraisal enabled.)

How to get it?

> > Missing INTEGRITY_STATUS
>
> Errors related to the IMA policy.

How to get it?

Thanks,
-Steve

--
Linux-audit mailing list
Linux-audit@redhat.com
https://www.redhat.com/mailman/listinfo/linux-audit