In my infra, I am using strongSwan BOOT/IMA attestation. Then, as you know, the IMV policy checks my IMA logs to verify if the hash collected in IMC process matches the file hash saved in my database.
I figured out that even the hash file is changed in the IMA log and once the device is authenticated and attested in my VPN before this hash file change, the Strongswan/ipsec keep the connection.
I've tried changing the value of the lifetime property to 30s hoping that after 30s the attestation process would be restarted, but no success also.
My question is: Is there a way to trigger a new Attestation when something changes in the IMA log or at least to define a timeout which the attestation process should be trigger again?
#1 Updated by Walter Alves over 3 years ago
Update: I have found in the documentation a way to do attestation every 30s by defining the following properties: ikelifetime=570, rekeyfuzz=0% and rekey=yes
In this case, there's a strange behavior: one time all IMA data is collected by IMC and send by IMV, resulting in a "complient" status, the two times in a row, it doesn't send the client IMA data, resulting in a "Don't know status". Is it normal?
I'll keep my question partially: Is there a way to trigger attestation process as soon as any data are changed in IMA?