Debate Essays on enabling CONFIG_IMA in the Debian kernel
Background on IMA
Wishlist bug report #788290
- A null configuration (CONFIG_IMA built in, but no IMA policy loaded) causes no net performance degradation, while organizations that want IMA can use it with the stock kernel instead of building their own (this is what convinced Ubuntu to enable it).
- Using the IMA appraisal policy prevents execution, even by root, of previously unseen binaries, i.e. files that do not carry a valid security.ima extended attribute. This cannot be bypassed without rebooting to change the kernel boot parameter (ima_appraise=) that enables it.
- Using just the logging of binary hashes (the ima_tcb policy, which records executed programs, executable mappings, kernel modules and files read by root in the measurement list and, where a TPM is present, extends PCR 10) allows post-compromise malware detection and analysis (think: where else in my fleet has this hash been seen to be executed?). A systems administrator or incident response analyst can centrally detect whether critical system files have been modified or whether known malicious software has been executed.
- If something like #766267 (debhelper: add file signature support in .deb packages) is implemented, the kernel-side support will already be present.
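The fleet-wide query from the logging argument above, as an added example that is not part of this page, the kernel or any Debian tooling: it assumes each host's /sys/kernel/security/ima/ascii_runtime_measurements has already been shipped to a central store keyed by hostname (the transport is out of scope), parses the "ima" and "ima-ng" template formats, and answers "which hosts executed this hash?" and "which baselined files no longer measure as expected?". All log lines, hostnames and digests are constructed for illustration.

```python
"""Fleet-wide queries over IMA measurement logs collected under the ima_tcb policy.

Added example, not code from the Debian wiki or the kernel. Assumes each host's
ascii_runtime_measurements has been collected centrally and is indexed by
hostname. Every log line and digest below is constructed, not real.
"""
import hashlib
from collections import defaultdict
from typing import Dict, List, NamedTuple, Set, Tuple


class Measurement(NamedTuple):
    pcr: int
    template_hash: str  # digest of the template entry (what gets extended into the TPM PCR)
    template: str       # "ima" (legacy, bare sha1) or "ima-ng" (algo:hexdigest)
    algo: str           # algorithm of the file digest
    file_hash: str      # hex digest of the measured file contents
    path: str           # pathname recorded at measurement time


def parse_measurements(text: str) -> List[Measurement]:
    """Parse ascii_runtime_measurements lines written with the 'ima' or 'ima-ng' template."""
    records = []
    for line in text.splitlines():
        parts = line.split(maxsplit=4)
        if len(parts) != 5:
            continue  # blank or truncated line
        pcr, template_hash, template, digest, path = parts
        if template == "ima-ng":
            algo, sep, file_hash = digest.partition(":")  # e.g. sha256:<64 hex chars>
            if not sep:
                continue
        elif template == "ima":
            algo, file_hash = "sha1", digest  # legacy template carries a bare sha1
        else:
            continue  # ima-sig and custom templates have extra fields; not handled here
        records.append(Measurement(int(pcr), template_hash, template, algo, file_hash, path))
    return records


def build_hash_index(logs: Dict[str, str]) -> Dict[str, Set[Tuple[str, str]]]:
    """Map file hash -> {(host, path)} over every collected host log."""
    index: Dict[str, Set[Tuple[str, str]]] = defaultdict(set)
    for host, text in logs.items():
        for m in parse_measurements(text):
            if m.path == "boot_aggregate":
                continue  # first PCR 10 entry summarises the boot PCRs; it is not a file
            index[m.file_hash].add((host, m.path))
    return index


def hosts_that_ran(index: Dict[str, Set[Tuple[str, str]]], file_hash: str) -> List[str]:
    """Answer 'where else in the fleet has this hash been measured?'"""
    return sorted({host for host, _ in index.get(file_hash, ())})


def find_modified_files(logs: Dict[str, str], baseline: Dict[str, str],
                        baseline_algo: str = "sha256") -> List[Tuple[str, str, str]]:
    """Return (host, path, observed_hash) where a baselined file measured differently."""
    findings = []
    for host, text in logs.items():
        for m in parse_measurements(text):
            expected = baseline.get(m.path)
            if expected is None or m.algo != baseline_algo:
                continue  # unbaselined file, or a host using another hash algorithm (needs its own baseline)
            if m.file_hash != expected:
                findings.append((host, m.path, m.file_hash))
    return findings


# --- constructed sample data (hashes are of labels, not of real files) ---
def _fake_sha256(label: str) -> str:
    return hashlib.sha256(label.encode()).hexdigest()


def _entry(file_hash: str, path: str, template: str = "ima-ng") -> str:
    th = hashlib.sha1(f"{file_hash} {path}".encode()).hexdigest()  # placeholder template digest
    digest = f"sha256:{file_hash}" if template == "ima-ng" else file_hash
    return f"10 {th} {template} {digest} {path}"


H_BASH = _fake_sha256("good /bin/bash")
H_BASH_TROJAN = _fake_sha256("tampered /bin/bash")
H_LS = _fake_sha256("good /bin/ls")
H_MINER = _fake_sha256("/tmp/.x/miner")
H_LS_SHA1 = hashlib.sha1(b"good /bin/ls").hexdigest()

BASELINE = {"/bin/bash": H_BASH, "/bin/ls": H_LS}  # expected sha256 of critical files

SAMPLE_LOGS = {
    "web01": "\n".join([_entry(_fake_sha256("boot"), "boot_aggregate"),
                        _entry(H_BASH, "/bin/bash"), _entry(H_LS, "/bin/ls")]),
    "web02": "\n".join([_entry(H_BASH_TROJAN, "/bin/bash"), _entry(H_MINER, "/tmp/.x/miner")]),
    "db01": "\n".join([_entry(H_BASH, "/bin/bash"), _entry(H_MINER, "/tmp/.x/miner")]),
    "legacy01": _entry(H_LS_SHA1, "/bin/ls", template="ima"),  # older kernel, 'ima' template
}

if __name__ == "__main__":
    idx = build_hash_index(SAMPLE_LOGS)
    print("hosts that ran the miner:", hosts_that_ran(idx, H_MINER))
    print("modified baselined files:", find_modified_files(SAMPLE_LOGS, BASELINE))
```

Two practical points the code encodes: the boot_aggregate entry is excluded from the file index because it is a digest of the boot-time PCRs, not of a file; and a host whose kernel measures with a different algorithm (the legacy "ima" template is sha1-only) is skipped rather than reported as tampered, since its digests can never match a sha256 baseline.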