Integrity Measurement Architecture/Recipes

The two default policies included in the kernel aren't very useful on a general-purpose machine, so it is recommended to create custom rules.

The format of the rules is described in the Linux kernel documentation. The magic numbers needed for the "fsmagic" condition can be found in the kernel sources.

Built-in policies
The built-in policies are current as of Linux 4.19. Comments have been added to the policies to make them easier to understand.

tcb
The policy excludes some "pseudo" filesystems from measurement, and measures every file mapped for execution or directly executed, every file read by root, every kernel module loaded and every firmware image loaded.

tcb_appraise
As above, some "pseudo" filesystems are excluded, and anything owned by root is appraised.

secure_boot
This policy requires all kernel modules, firmware, kexec kernels and IMA policies to have an IMA signature.

Excluding log files
Measurement and appraisal of log files is not useful and generates kernel log spam every time one is opened. It would be useful to exclude known log files, and with the help of SELinux it is possible to do so. List the log file types SELinux knows about:

With this in hand, known log files can be excluded from appraisal and measurement by including this snippet before any "appraise" or "measure" rules (IMA applies the first rule that matches, so an exclusion placed after a broader rule has no effect on files that rule already covers):
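The following is an added example, not from the wiki page or the kernel's own policy files. It ties the recipes above together: a custom policy that first excludes pseudo filesystems by "fsmagic" and known log files by SELinux type, then adds tcb-style measure rules and an appraise rule for root-owned files, plus a small ordering check run before the policy is loaded. The SELinux types `var_log_t` and `auditd_log_t` are assumptions (refpolicy names); the real list should come from the SELinux policy on the machine. The function names `write_ima_policy`, `check_exclusions_first` and `load_ima_policy` are this example's own.

```shell
#!/bin/sh
# Added example (not from the wiki page): build a custom IMA policy with the
# exclusions first, and check the ordering before loading it.
# IMA stops at the first rule that matches an access, so a "dont_*" rule
# placed after a broad "measure"/"appraise" rule never takes effect for the
# files that earlier rule already matched.

# Write the policy to the file named in $1.
# Only whole-line comments ("# ...") are accepted by the kernel parser.
write_ima_policy() {
    cat > "$1" <<'EOF'
# Exclusions first. Magic numbers are those from include/uapi/linux/magic.h,
# in this order: procfs, sysfs, debugfs, tmpfs, devpts, securityfs,
# selinuxfs, cgroup, cgroup2.
dont_measure fsmagic=0x9fa0
dont_appraise fsmagic=0x9fa0
dont_measure fsmagic=0x62656572
dont_appraise fsmagic=0x62656572
dont_measure fsmagic=0x64626720
dont_appraise fsmagic=0x64626720
dont_measure fsmagic=0x01021994
dont_appraise fsmagic=0x01021994
dont_measure fsmagic=0x1cd1
dont_appraise fsmagic=0x1cd1
dont_measure fsmagic=0x73636673
dont_appraise fsmagic=0x73636673
dont_measure fsmagic=0xf97cff8c
dont_appraise fsmagic=0xf97cff8c
dont_measure fsmagic=0x27e0eb
dont_appraise fsmagic=0x27e0eb
dont_measure fsmagic=0x63677270
dont_appraise fsmagic=0x63677270
# Known log files, matched by SELinux type (obj_type). The two types below
# are assumed refpolicy names; take the real list from the loaded policy.
dont_measure obj_type=var_log_t
dont_appraise obj_type=var_log_t
dont_measure obj_type=auditd_log_t
dont_appraise obj_type=auditd_log_t
# Measurement: mapped-executable or executed files, files read by root,
# kernel modules and firmware.
measure func=MMAP_CHECK mask=MAY_EXEC
measure func=BPRM_CHECK mask=MAY_EXEC
measure func=FILE_CHECK mask=^MAY_READ uid=0
measure func=MODULE_CHECK
measure func=FIRMWARE_CHECK
# Appraisal: every root-owned file must carry a valid security.ima xattr.
appraise fowner=0
EOF
}

# Return 0 if every dont_measure/dont_appraise rule precedes the first
# measure/appraise rule, 1 otherwise (offending lines are reported on stderr).
# This is a conservative check: a late exclusion is dead only for accesses
# an earlier rule already matched, but putting all exclusions first is the
# simple way to never have to reason about that.
check_exclusions_first() {
    awk '
        BEGIN { bad = 0 }
        /^[ \t]*#/ || /^[ \t]*$/ { next }
        $1 == "measure" || $1 == "appraise" { seen = 1; next }
        seen && ($1 == "dont_measure" || $1 == "dont_appraise") {
            printf("line %d: \"%s\" comes after a measure/appraise rule\n", NR, $0) > "/dev/stderr"
            bad = 1
        }
        END { exit bad }
    ' "$1"
}

# Load the policy by writing its pathname to securityfs. Needs root and a
# mounted securityfs; a kernel built to require signed policies (as the
# secure_boot policy above expects) also needs a valid signature on the file.
load_ima_policy() {
    check_exclusions_first "$1" || return 1
    printf '%s\n' "$1" > /sys/kernel/security/ima/policy
}

# Demo: generate into a temporary file and check it. Loading is left to the
# administrator, e.g.: load_ima_policy /etc/ima/ima-policy
policy_file="${IMA_POLICY_OUT:-$(mktemp)}"
write_ima_policy "$policy_file"
check_exclusions_first "$policy_file" && echo "ordering OK: $policy_file"
```

Before switching to `appraise fowner=0` on a live system, boot once with `ima_appraise=fix` so that root-owned files gain their `security.ima` hash, then return to enforcing mode; otherwise binaries without the xattr are refused and the machine may not boot. The `obj_type=` condition only works when SELinux is enabled and the kernel was built with IMA's LSM rule support.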