From: Steve Grubb
To: Mimi Zohar, linux-audit@redhat.com
Subject: Re: Repository of audit events
Date: Fri, 11 Apr 2014 10:07:20 -0400

Hi Mimi,

On Thursday, April 10, 2014 11:36:15 PM Mimi Zohar wrote:
> On Wed, 2014-04-09 at 18:26 -0700, Peter Moody wrote:
> > On Wed, Apr 09 2014 at 10:19, Steve Grubb wrote:
> > > Missing INTEGRITY_RULE
> >
> > IMA with an 'audit' rule generates INTEGRITY_RULE messages.

For those of us not really up on IMA and just want to generate the event to add to our collection, any tips on doing this?

> > Missing INTEGRITY_DATA
>
> Failure to collect or appraise file data.
> (Requires the filesystem to be labeled w/security.ima and integrity
> appraisal enabled.)

How would I cause this event to be generated if I wanted to see it?

> > Missing INTEGRITY_HASH
>
> Not used.

OK, I'll mark that deprecated.

> > Missing INTEGRITY_METADATA
>
> Before updating/removing 'security.evm' the xattr or modifying file
> metadata included in the HMAC calculation (e.g. i_ino, i_uid, i_gid,
> i_mode, FSUUID, i_generation), EVM verifies the existing value.
> (Requires the filesystem to be labeled w/security.evm and integrity
> appraisal enabled.)

How to get it?

> > Missing INTEGRITY_STATUS
>
> Errors related to the IMA policy.

How to get it?

Thanks,
-Steve