From mboxrd@z Thu Jan 1 00:00:00 1970
Return-Path:
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1751916AbdGLR5D (ORCPT ); Wed, 12 Jul 2017 13:57:03 -0400
Received: from mx0a-001b2d01.pphosted.com ([148.163.156.1]:60022 "EHLO mx0a-001b2d01.pphosted.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1750903AbdGLR5A (ORCPT ); Wed, 12 Jul 2017 13:57:00 -0400
Subject: Re: [PATCH v2] integrity: track mtime in addition to i_version for assessment
From: Mimi Zohar
To: Bruce Fields
Cc: jlayton@redhat.com, Jeff Layton , "Serge E. Hallyn" , Dmitry Kasatkin , linux-kernel@vger.kernel.org, linux-security-module@vger.kernel.org, linux-fsdevel
Date: Wed, 12 Jul 2017 13:56:50 -0400
In-Reply-To: <20170712143504.GB31196@fieldses.org>
References: <20170707140530.30452-1-jlayton@kernel.org> <1499446642.4967.3.camel@poochiereds.net> <1499448249.3130.143.camel@linux.vnet.ibm.com> <1499449777.4852.3.camel@redhat.com> <1499457558.3130.173.camel@linux.vnet.ibm.com> <1499459718.4852.8.camel@redhat.com> <1499688612.6034.111.camel@linux.vnet.ibm.com> <1499822252.26839.5.camel@redhat.com> <1499862021.3904.23.camel@linux.vnet.ibm.com> <20170712143504.GB31196@fieldses.org>
Content-Type: text/plain; charset="UTF-8"
X-Mailer: Evolution 3.20.5 (3.20.5-1.fc24)
Mime-Version: 1.0
Content-Transfer-Encoding: 8bit
X-TM-AS-MML: disable
x-cbid: 17071217-0016-0000-0000-0000025D769F
X-IBM-AV-DETECTION: SAVI=unused REMOTE=unused XFE=unused
x-cbparentid: 17071217-0017-0000-0000-000006DDF64B
Message-Id: <1499882210.3426.47.camel@linux.vnet.ibm.com>
X-Proofpoint-Virus-Version: vendor=fsecure engine=2.50.10432:,, definitions=2017-07-12_06:,, signatures=0
X-Proofpoint-Spam-Details: rule=outbound_notspam policy=outbound score=0 spamscore=0 suspectscore=0 malwarescore=0 phishscore=0 adultscore=0 bulkscore=0 classifier=spam adjust=0 reason=mlx scancount=1 engine=8.0.1-1706020000 definitions=main-1707120289
Sender: linux-kernel-owner@vger.kernel.org
List-ID:
X-Mailing-List:
linux-kernel@vger.kernel.org

On Wed, 2017-07-12 at 10:35 -0400, Bruce Fields wrote:
> On Wed, Jul 12, 2017 at 08:20:21AM -0400, Mimi Zohar wrote:
> > Right, currently the only way of knowing is by looking at the IMA
> > measurement list to see if modified files are re-measured or, as you
> > said, by looking at the code.
>
> Who's actually using this, and do they do any kind of checks, or
> document the filesystem-specific limitations?

Knowing who is using it and how it is being used is the big question.  I only hear about it when there are problems.

Over the years, there have been a number of Linux Security Summit (LSS) talks, which have been mostly about embedded systems or locked down systems, not so much for generic systems.

Examples include:
- Design and Implementation of a Security Architecture for Critical Infrastructure Industrial Control Systems - David Safford, GE 2016
- IMA/EVM: Real Applications for Embedded Networking Systems - Petko Manolov, Konsulko Group, and Mark Baushke, Juniper Networks 2015
- CC3: An Identity Attested Linux Security Supervisor Architecture - Greg Wettstein, IDfusion 2015
- The Linux Integrity Subsystem and TPM-based Network Endpoint Assessment - Andreas Steffen, HSR University of Applied Sciences Rapperswil, Switzerland 2012

Mimi