Bugzilla – Bug 1216095
[Build 26.1] ima-policy tcb with audit func=BPRM_CHECK not raising INTEGRITY_RULE audit line
Last modified: 2024-03-05 08:43:07 UTC
## Observation

openQA test in scenario sle-15-SP6-Online-x86_64-ima_measurement@uefi fails in [ima_measurement_audit](https://openqa.suse.de/tests/12410596/modules/ima_measurement_audit/steps/36)

## Test suite description

Setup and test for IMA measurement functions.

Last good: [16.1](https://openqa.suse.de/tests/11980177) (or more recent)

Test fails because since two builds ago the audit record doesn't exist and it is expected at the end of the test, see code here: https://github.com/os-autoinst/os-autoinst-distri-opensuse/blob/master/tests/security/ima/ima_measurement_audit.pm#L45

Please, let me know if you need further detail.
I would also delegate this to the kernel folks, area auditing.
This still fails in Build 44.1.
As usual for an openQA report, it's unclear what's failing and how it's reproduced. Could you give a bit more elaborate description of what openQA tests, at best with a code snippet that can run locally without openQA?
Forgetting about openQA for now, a local setup and steps to reproduce:

Setup 1: SLE 15 SP5 QU1, all defaults except guided partitioning setup to select ext4

Setup 2: SLE 15 SP6, -- "" --

add to kernel boot flags: rootflags=iversion ima_policy=tcb

```
echo 'audit func=BPRM_CHECK' > /etc/sysconfig/ima-policy
reboot
echo -n '' > /var/log/audit/audit.log
ping -c 1 localhost
ausearch -m INTEGRITY_RULE
```

Setup 1 (SLE 15 SP5):

```
type INTEGRITY_RULE ... file="/usr/bin/ping" ...
```

This is the expected result.

Setup 2 (SLE 15 SP6):

```
<no matches>
```
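Added example, not part of the bug report or the openQA test: a shell triage helper for the reproduction steps in the last comment, separating "boot flag or policy rule missing" from "rule configured but no INTEGRITY_RULE record". It assumes raw audit log lines carry `type=INTEGRITY_RULE`; the function names and the sample records are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the bug report): triage for the reproduction above.
# Inputs are file paths so the checks also run on constructed samples.

# True if the kernel command line in $1 selects the tcb IMA policy.
has_tcb_policy() {
    tr ' ' '\n' < "$1" | grep -Eq '^ima_policy=(.*\|)?tcb(\|.*)?$'
}

# True if policy file $1 has a non-comment audit rule for func=BPRM_CHECK.
has_bprm_audit_rule() {
    grep -Eq '^[[:space:]]*audit[[:space:]]+(.*[[:space:]])?func=BPRM_CHECK([[:space:]]|$)' "$1"
}

# Print the number of INTEGRITY_RULE records in audit log $1 naming file $2.
count_rule_records() {
    awk -v f="file=\"$2\"" \
        '/type=INTEGRITY_RULE/ && index($0, f) { n++ } END { print n + 0 }' "$1"
}

# $1=cmdline file  $2=policy file  $3=audit log  $4=binary that was executed
triage() {
    has_tcb_policy "$1"      || { echo boot-flag-missing; return 0; }
    has_bprm_audit_rule "$2" || { echo policy-rule-missing; return 0; }
    if [ "$(count_rule_records "$3" "$4")" -gt 0 ]; then
        echo audit-record-present
    else
        echo audit-record-missing
    fi
}

# Constructed sample data; only the type= and file= fields matter here.
demo() {
    d=$(mktemp -d) || return 1
    echo 'root=/dev/vda2 rootflags=iversion ima_policy=tcb' > "$d/cmdline"
    echo 'audit func=BPRM_CHECK' > "$d/ima-policy"
    echo 'type=INTEGRITY_RULE msg=audit(1700000000.000:100): file="/usr/bin/ping"' > "$d/good.log"
    echo 'type=SYSCALL msg=audit(1700000000.000:101): exe="/usr/bin/ping"' > "$d/bad.log"
    echo "expected case: $(triage "$d/cmdline" "$d/ima-policy" "$d/good.log" /usr/bin/ping)"
    echo "reported case: $(triage "$d/cmdline" "$d/ima-policy" "$d/bad.log" /usr/bin/ping)"
    rm -rf "$d"
}
demo
```

On a test machine the same check runs as `triage /proc/cmdline /etc/sysconfig/ima-policy /var/log/audit/audit.log /usr/bin/ping` after the `ping` step.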