Tool that checks the ima-log to see if a file has been tampered with.
- Set the IMA policy to
tcbby configuring GRUBGRUB_CMDLINE_LINUX="ima_policy=tcb ima_hash=sha256 ima=on" - Compile
- Grant permissions to read
/sys/kernel/security/integrity/ima/ascii_runtime_measurements - Run
./go-ima {file to check}
You will get an exit status of 0 if the file has not been modified since inception or boot. If you get an Exit status of 1 it means the IMA log contains at least one hash that does not match what is on disk. This could either be the sign of an attack, or somebody just editing files on your build server.
- Support for verifying against PCR register
- Support for different hash schemes