author | Stefan Berger <stefanb@linux.ibm.com> | 2025-02-06 15:54:41 -0500 |
---|---|---|
committer | Armin Kuster <akuster808@gmail.com> | 2025-03-12 15:31:15 -0400 |
commit | a76a5c51283b9d361caf514dc5cdebd72b5b4ca1 (patch) | |
tree | 00849209e291ed354cc300d3dcf57cd4d921bdc0 /recipes-ids/samhain/files/0007-configure.ac-avoid-searching-host-for-postgresql.patch | |
parent | 73077556362fb99520e452cf32501a759125d298 (diff) | |
download | meta-security-a76a5c51283b9d361caf514dc5cdebd72b5b4ca1.tar.gz |
meta-integrity: Enable choice of creating IMA signatures or hashes

When IMA and EVM are used for file appraisal then EVM verifies the
signature stored in security.evm. This signature covers file metadata
(uid, gid, mode bits, etc.) as well as the security.ima xattr.
Therefore, it is sufficient that only files' hashes are stored in
security.ima. This also leads to slight performance improvements
since IMA appraisal will then only verify that a file's hash matches
the expected hash stored in security.ima. EVM will ensure that the
signature over all the file metadata and security.ima xattr is
correct. Therefore, give the user control over whether to store file
signatures (--imasig) in ima.security or hashes (--imahash) by
setting the option in IMA_EVM_IMA_XATTR_OPT.

Only test-verify an IMA signature if --imasig is used as the option.

Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
Signed-off-by: Armin Kuster <akuster808@gmail.com>

Diffstat (limited to 'recipes-ids/samhain/files/0007-configure.ac-avoid-searching-host-for-postgresql.patch')
0 files changed, 0 insertions, 0 deletions
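
To check which of the two forms contrasted in the commit message a built image actually carries, the raw security.ima value can be parsed. The Python below is an added example, not code from this commit or from meta-security. The type bytes, hash algorithm ids and v2 signature header layout are those of the Linux kernel headers; the function name, sample names and sample values are constructed for illustration.

```python
import hashlib
import struct

# Type byte: enum evm_ima_xattr_type in the Linux kernel.
IMA_XATTR_DIGEST = 0x01      # legacy bare digest (MD5 or SHA-1)
EVM_IMA_XATTR_DIGSIG = 0x03  # signature_v2_hdr followed by the signature
IMA_XATTR_DIGEST_NG = 0x04   # hash-algorithm byte followed by the digest
# Subset of the kernel's enum hash_algo: id -> (name, digest length in bytes).
HASH_ALGOS = {2: ("sha1", 20), 4: ("sha256", 32), 5: ("sha384", 48),
              6: ("sha512", 64), 7: ("sha224", 28)}


def classify_security_ima(value: bytes) -> dict:
    """Report whether a raw security.ima value is a hash or a signature."""
    if not value:
        raise ValueError("empty security.ima value")
    kind = value[0]
    if kind == IMA_XATTR_DIGEST:
        names = {16: "md5", 20: "sha1"}
        if len(value) - 1 not in names:
            raise ValueError("legacy digest has unexpected length")
        return {"kind": "hash", "algo": names[len(value) - 1], "digest": value[1:].hex()}
    if kind == IMA_XATTR_DIGEST_NG:
        if len(value) < 2 or value[1] not in HASH_ALGOS:
            raise ValueError("unknown hash algorithm")
        name, size = HASH_ALGOS[value[1]]
        if len(value) - 2 != size:
            raise ValueError("digest length does not match algorithm")
        return {"kind": "hash", "algo": name, "digest": value[2:].hex()}
    if kind == EVM_IMA_XATTR_DIGSIG:
        if len(value) < 9:
            raise ValueError("truncated signature header")
        # Header fields: type, version, hash_algo, keyid (be32), sig_size (be16).
        _, version, algo, keyid, sig_size = struct.unpack(">BBBIH", value[:9])
        if version != 2 or algo not in HASH_ALGOS or len(value) - 9 != sig_size:
            raise ValueError("malformed v2 signature")
        return {"kind": "signature", "algo": HASH_ALGOS[algo][0],
                "keyid": f"{keyid:08x}", "sig_size": sig_size}
    raise ValueError(f"unsupported security.ima type 0x{kind:02x}")


# Constructed samples: a SHA-256 hash value and a header with dummy signature bytes.
# On a Linux target the real value comes from os.getxattr(path, "security.ima").
SAMPLE_HASH = bytes([IMA_XATTR_DIGEST_NG, 4]) + hashlib.sha256(b"constructed").digest()
SAMPLE_SIG = struct.pack(">BBBIH", EVM_IMA_XATTR_DIGSIG, 2, 4, 0x1A2B3C4D, 256) + bytes(256)

if __name__ == "__main__":
    print(classify_security_ima(SAMPLE_HASH))
    print(classify_security_ima(SAMPLE_SIG))
```

The parser only classifies the value; it does not verify a signature or recompute a file hash.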