How to better control IMA module?

Xiaolong Wang xiaolongw at mail.usf.edu
Fri Jul 2 19:41:59 EDT 2021


Hi all,

I have a question regarding the kernel IMA module. I’ve enabled IMA on one of my Linux servers with `ima=on ima_policy=tcb` and everything seems to be working fine. The only issue is that after about a week `/sys/kernel/security/ima/ascii_runtime_measurements` grows out of control. As of now I have about 80K items in the file. I also have a customized attestation application that compares the runtime measurements with a list of known “good” measurements. This size of runtime measurements makes the attestation application take substantially longer to run.

Is there a way to limit the size of `/sys/kernel/security/ima/ascii_runtime_measurements` (not ideal, since some important info might get lost)?
Is there a way to clean the items in `/sys/kernel/security/ima/ascii_runtime_measurements` (also not ideal, for the same reason as above)?
Is there a way to control which files the kernel measures (e.g., I found that a lot of /tmp files are measured, which is not necessary)?
Will the kernel run out of memory?

Any suggestions will be deeply appreciated!

Thank you
-Daniel
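An added analysis script for the third question, not from the thread and not the poster's attestation tool: it reads an `ascii_runtime_measurements` list, counts entries per path prefix, and flags files that keep being re-measured because their content changed. It assumes the kernel's `ima`/`ima-ng` template layout; the sample lines are constructed.

```python
"""Summarise an IMA ascii_runtime_measurements list by path prefix.
Assumed layout ('ima'/'ima-ng' templates): PCR template-hash template-name filedata-hash filename
"""
from collections import Counter, defaultdict

# Constructed sample lines in ascii_runtime_measurements format (not real
# measurements from any server); file hashes are shortened for readability.
SAMPLE = """\
10 0123456789abcdef0123456789abcdef01234567 ima-ng sha1:00000000 boot_aggregate
10 1123456789abcdef0123456789abcdef01234567 ima-ng sha256:aaaa /usr/bin/bash
10 2123456789abcdef0123456789abcdef01234567 ima-ng sha256:bbbb /tmp/build-1/a.o
10 3123456789abcdef0123456789abcdef01234567 ima-ng sha256:cccc /tmp/build-1/b.o
10 4123456789abcdef0123456789abcdef01234567 ima-ng sha256:dddd /tmp/build-1/a.o
10 5123456789abcdef0123456789abcdef01234567 ima 6123456789abcdef01234567 /usr/lib/libc.so.6
"""

def parse_line(line):
    """Return (pcr, template, file_hash, path) or None; maxsplit=4 keeps spaces in filenames."""
    parts = line.rstrip("\n").split(" ", 4)
    if len(parts) != 5:
        return None
    return parts[0], parts[2], parts[3], parts[4]

def path_prefix(path, depth):
    """First `depth` components of an absolute path, e.g. /tmp/build-1.
    Non-path entries such as boot_aggregate are returned unchanged."""
    if not path.startswith("/"):
        return path
    parts = [p for p in path.split("/") if p]
    return "/" + "/".join(parts[:depth])

def summarize(text, depth=2):
    """Number of measurement entries under each path prefix."""
    counts = Counter()
    for line in text.splitlines():
        entry = parse_line(line)
        if entry:
            counts[path_prefix(entry[3], depth)] += 1
    return counts

def rehashed_files(text):
    """Files seen with more than one distinct hash. IMA appends a new entry
    each time a measured file's content changes, so these grow the list."""
    hashes = defaultdict(set)
    for line in text.splitlines():
        entry = parse_line(line)
        if entry:
            hashes[entry[3]].add(entry[2])
    return {path: len(h) for path, h in hashes.items() if len(h) > 1}
```

Run `summarize()` over a copy of the real file to see which filesystems or directories dominate the list. Since the kernel never removes measurement entries at runtime, the remedy is a tighter policy (for example `dont_measure` rules keyed on `fsmagic` or `fsuuid`, loaded through `/sys/kernel/security/ima/policy`) rather than truncating the file.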
