Integrity Measurement Architecture/Recipes

The two default policies built into the kernel, tcb and tcb_appraise, are not very useful on a general-purpose machine; it is recommended to create custom rules.

The format of the rules is described in the Linux kernel documentation. To obtain the magic numbers for the "fsmagic" condition, see the filesystem magic-number definitions in the kernel sources.

= Built-in policies =

The built-in policies are current as of Linux 4.19.

== tcb ==
Comments have been added to the policies to make them easier to understand.

The policy excludes some pseudo-filesystems (proc, sysfs, tmpfs and the like) from measurement, and measures every file mapped for execution or directly executed, every file read by root, every kernel module loaded and every firmware image loaded.

== tcb_appraise ==
As above, some pseudo-filesystems are excluded from appraisal, and every file owned by root is appraised.

This policy requires all kernel modules, firmware images, kexec kernels and IMA policies to carry an IMA signature.

= Custom policies =

== Excluding log files ==
Measuring and appraising log files is not useful: they change constantly, and every open of one generates kernel log spam. It would be useful to exclude known log files, and with the help of SELinux it is possible to do so, because the policy labels them with types that carry the logfile attribute. List the logfile types SELinux knows about:

With this list in hand, known log files can be excluded from appraisal and measurement with dont_measure and dont_appraise rules keyed on obj_type. Include the following snippet before any "appraise" or "measure" rules, since IMA applies the first rule that matches a given hook:
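The following is an added shell example, not a command or snippet from the original page, that turns the SELinux type list into the exclusion rules and assembles them ahead of the measure/appraise rules so the ordering cannot be wrong. It assumes the types are listed with seinfo -a logfile -x from setools; the seinfo output embedded in the script is a constructed sample, so the layout on a real system may differ slightly, and the function names gen_log_exclusions, count_rules and write_policy are this example's own.

```shell
#!/bin/sh
# Added example (not from the wiki page): generate IMA dont_measure/dont_appraise
# rules for every SELinux type that carries the "logfile" attribute.
#
# Assumptions (labelled): the attribute name "logfile" and the layout of
# "seinfo -a logfile -x" output are taken from the constructed sample below;
# the parser only keeps tokens that look like SELinux type names (ending in "_t")
# so minor layout differences between setools versions do not matter.

# Constructed sample of what "seinfo -a logfile -x" prints on a refpolicy system.
SAMPLE_SEINFO='Type Attributes: 1
   attribute logfile;
	auditd_log_t
	cron_log_t
	syslogd_var_lib_t
	var_log_t
'

# gen_log_exclusions: read seinfo output on stdin and print one dont_measure and
# one dont_appraise rule per type, sorted and de-duplicated.  These lines must
# come BEFORE any "measure"/"appraise" rule, because IMA applies the first
# matching rule for a given hook.
gen_log_exclusions() {
    awk '{
        for (i = 1; i <= NF; i++) {
            t = $i
            sub(/;$/, "", t)                 # strip the trailing ";" on "logfile;"
            if (t ~ /^[A-Za-z0-9_]+_t$/) print t
        }
    }' | sort -u |
    while IFS= read -r t; do
        printf 'dont_measure obj_type=%s\n' "$t"
        printf 'dont_appraise obj_type=%s\n' "$t"
    done
}

# count_rules: number of rule lines produced for a given seinfo output
# (a quick sanity check that the parser found the types it should).
count_rules() {
    printf '%s' "$1" | gen_log_exclusions | wc -l | tr -d ' '
}

# write_policy: write a complete policy file to $2 from the seinfo output in $1:
# the generated exclusions first, then the measure/appraise rules.  The trailing
# rules are a subset of the tcb/tcb_appraise defaults, shown here only to make
# the ordering requirement concrete.
write_policy() {
    {
        printf '# log files: excluded from measurement and appraisal (generated)\n'
        printf '%s' "$1" | gen_log_exclusions
        printf '# remaining rules, kept after the exclusions\n'
        printf 'measure func=BPRM_CHECK mask=MAY_EXEC\n'
        printf 'measure func=FILE_CHECK mask=^MAY_READ uid=0\n'
        printf 'appraise fowner=0\n'
    } > "$2"
}

# Real use: "./gen-ima-log-rules.sh --run" pipes the live attribute list through
# the generator; the script name is this example's own.
if [ "${1:-}" = "--run" ]; then
    seinfo -a logfile -x | gen_log_exclusions
fi
```

The assembled file is loaded by writing it, as a whole, to the IMA policy file under securityfs (normally /sys/kernel/security/ima/policy). Two caveats worth checking first: the obj_type conditions are resolved through the LSM, so the kernel rejects the policy if SELinux is not active, and a policy write that fails part-way leaves the previous rules in place, so inspect the kernel log after loading rather than assuming the exclusions took effect.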