Subject: Re: [PATCH v2] integrity: track mtime in addition to i_version for assessment
From: Mimi Zohar
To: Bruce Fields
Cc: jlayton@redhat.com, Jeff Layton, "Serge E. Hallyn", Dmitry Kasatkin, linux-kernel@vger.kernel.org, linux-security-module@vger.kernel.org, linux-fsdevel
Date: Wed, 12 Jul 2017 13:56:50 -0400
Message-Id: <1499882210.3426.47.camel@linux.vnet.ibm.com>
In-Reply-To: <20170712143504.GB31196@fieldses.org>

On Wed, 2017-07-12 at 10:35 -0400, Bruce Fields wrote:
> On Wed, Jul 12, 2017 at 08:20:21AM -0400, Mimi Zohar wrote:
> > Right, currently the only way of knowing is by looking at the IMA
> > measurement list to see if modified files are re-measured or, as you
> > said, by looking at the code.
>
> Who's actually using this, and do they do any kind of checks, or
> document the filesystem-specific limitations?

Knowing who is using it and how it is being used is the big question.
I only hear about it when there are problems.

Over the years, there have been a number of Linux Security Summit
(LSS) talks, which have been mostly about embedded systems or locked
down systems, not so much for generic systems. Examples include:

- Design and Implementation of a Security Architecture for Critical
  Infrastructure Industrial Control Systems - David Safford, GE 2016

- IMA/EVM: Real Applications for Embedded Networking Systems - Petko
  Manolov, Konsulko Group, and Mark Baushke, Juniper Networks 2015

- CC3: An Identity Attested Linux Security Supervisor Architecture -
  Greg Wettstein, IDfusion 2015

- The Linux Integrity Subsystem and TPM-based Network Endpoint
  Assessment - Andreas Steffen, HSR University of Applied Sciences
  Rapperswil, Switzerland 2012

Mimi