IMA integrity enforcer
======================

Basic usage:

1. Run the `integrity-applier` command. The system then reboots into
   the so-called Stage II with the `ima_appraise=fix` kernel option.

2. Run the `integrity-applier` command again to sign the files.
   The system then reboots into IMA enforced mode (i.e. with the
   `ima_appraise=enforce` kernel option).

3. To disable IMA, run the `integrity-remover` script.

By default the file signing log is written to
/var/log/integrity-sign.log.

Advanced usage:

* Use the `--log-stderr=FILE` option to write the file signing log to
  the specified FILE at Stage II. Use `--log-stderr` without an argument
  to write it to the current standard error stream.

* Use `--init` and `--sign` to explicitly select Stage I or Stage II.

* Use `-R | --no-reboot` to suppress automatic reboot of the system.

* Use the `-a HASH | --hash=HASH` option to select the cryptographic
  hash function used when signing the files. It can also be configured
  in `/etc/integrity/config` (and/or `/etc/sysconfig/integrity`).

* Use `-A | --auto` option to automatically run Stage II after reboot
  using the special `ima-signing.target`.

* Edit `/etc/integrity/config` and `/etc/sysconfig/integrity` to
  configure the directories whose files are to be signed and other
  options, such as EVM. Values in `/etc/sysconfig/integrity` override
  those set in `/etc/integrity/config`.

* Enable ima-check.service to check the IMA policy at system boot.
  Add services to ima-check-failed.target to run actions when the
  check fails.

* Create (touch) /etc/integrity/reboot-on-initrd-error to prevent the
  system from booting at all if loading of the IMA policy fails at the
  initrd stage. Alternatively, provide an /etc/integrity/on-initrd-error
  script to be run instead of rebooting.

* Override the default integrity policy with `/etc/integrity/policy`.
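A defender-side check that complements the enforced mode reached in
step 2 of the basic usage and the boot-time ima-check.service above.
This is an added example, not a script shipped with the integrity
package: it reports which `ima_appraise=` mode the running kernel was
booted with and whether the given files carry the `security.ima` (and
`security.evm`) extended attributes that appraisal relies on. It assumes
`getfattr` from the attr package is installed; the fallback command line
used when /proc/cmdline is unreadable is a constructed sample.

```shell
#!/bin/sh
# ima-status.sh - report IMA appraisal mode and per-file signature state.
# Usage: ima-status.sh [FILE...]

# Print the value of the last ima_appraise= option found in the given
# kernel command line string, or "unset" when the option is absent.
ima_appraise_mode() {
    _mode=unset
    for _word in $1; do
        case $_word in
            ima_appraise=*) _mode=${_word#ima_appraise=} ;;
        esac
    done
    printf '%s\n' "$_mode"
}

# Succeed (exit 0) when FILE carries the named security xattr.
# Requires getfattr; without it the check cannot succeed.
has_xattr() {
    getfattr --absolute-names -n "$2" -- "$1" >/dev/null 2>&1
}

# Print one line describing the integrity xattrs of FILE.
# security.ima holds the hash or signature IMA appraises against;
# security.evm (when EVM is configured) protects that xattr itself.
ima_file_status() {
    _file=$1
    if ! command -v getfattr >/dev/null 2>&1; then
        printf '%s: unknown (getfattr not installed)\n' "$_file"
        return 0
    fi
    if has_xattr "$_file" security.ima; then
        _ima=present
    else
        _ima=missing
    fi
    if has_xattr "$_file" security.evm; then
        _evm=present
    else
        _evm=missing
    fi
    printf '%s: security.ima %s, security.evm %s\n' "$_file" "$_ima" "$_evm"
}

# Read the real command line when available; otherwise fall back to a
# constructed sample (example only) so the script still runs elsewhere.
if [ -r /proc/cmdline ]; then
    cmdline=$(cat /proc/cmdline)
else
    cmdline='BOOT_IMAGE=/boot/vmlinuz ro ima_appraise=fix'
fi
printf 'IMA appraisal mode: %s\n' "$(ima_appraise_mode "$cmdline")"

for f in "$@"; do
    ima_file_status "$f"
done
```

Running it as `sh ima-status.sh /usr/bin/ls` on a system that has been
through Stage II should report mode `enforce` and `security.ima present`;
a file reported as missing `security.ima` inside a signed directory will
be refused in enforced mode, which is the condition ima-check.service is
meant to surface at boot.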

Licence: GNU GPL version 2 or later.
