Better security auditing with Auditd and the Integrity Measurement Architecture


© Photo by Kit Ishimatsu on Unsplash

© Photo by Kit Ishimatsu on Unsplash

Article from Issue 250/2021

The Integrity Measurement Architecture adds important details to your audit logs, making it easier to track an intruder's footprints.

Sometimes event logs are not enough, and you need to supply your security systems with something more. For instance, you might want to improve the detection of anomalies or facilitate the hunt for an intruder on your network. Many commercial solutions are available for file integrity monitoring in Linux. However, some budgets don't allow for a large investment. The good news is that Linux systems have a great selection of open source tools for securing systems, and these tools provide a means for maintaining file integrity at low cost. The Integrity Measurement Architecture comes in handy.

Integrity Measurement Architecture (IMA) [1] is a component of the Linux kernel's integrity subsystem (see the "Components of the Integrity Subsystem" box.) IMA is responsible for calculating hashes of files before loading them, and it supports reporting on the hashes. The integrity subsystem also consists of an Extended Verification Module (EVM) that detects tampering with offline security attribute extensions (e.g., SELinux), which are the basis for clearance decisions of the Linux Security Modules (LSM) framework.

What Is IMA?

The main purpose of IMA is to detect if files have been accidentally or intentionally changed, evaluate the measurement of a file against a value stored as an extension attribute, and enforce the integrity of local files. These objectives are complemented by Mandatory Access Control (MAC) protections provided by LSM modules such as SELinux and Smack.


Use Express-Checkout link below to read the full article (PDF).

Buy this article as PDF

Express-Checkout as PDF
Price $2.95
(incl. VAT)

Buy Linux Magazine

Get it on Google Play

US / Canada

Get it on Google Play

UK / Australia

Related content

  • Security Lessons: auditd

    The auditd tool can provide system logging capabilities to satisfy even the most paranoid users.

  • SELinux

    SELinux provides a comprehensive Mandatory Access Control system for Linux, if you are ready for all the details.

  • PHP Security Principles

    Many web attacks are the result of programmer error. Sloppy code testing leaves a door open for the uninvited.

  • NEWS

    In the news: LibreOffice 6.0 released; Red Hat acquires CoreOS; Red Hat Enterprise Linux 7.5 beta out; Torvalds Is not happy with Intel’s patch, calls it garbage; and more than 2,000 WordPress sites infected by malware. 

comments powered by Disqus

Direct Download

Read full article as PDF:

Price $2.95