I activated IMA for the first time; I have no previous experience with it.
In VirtualBox I have a fresh Ubuntu 23.10 (Mantic), and modified `/etc/default/grub` as follows to activate tcb mode of IMA:

```
GRUB_CMDLINE_LINUX_DEFAULT="quiet splash ima=on ima_policy=tcb"
```
After rebooting I inspected the file `/sys/kernel/security/ima/ascii_runtime_measurements` and saw that there are duplicates of system shared libraries (libc.so.6) and binaries. To create the list of duplicate entries for binaries in /usr/bin I used the following command:

```
</sys/kernel/security/ima/ascii_runtime_measurements grep '/usr/bin' | sort -k5 | uniq -d -D -f4
```
And this is the list I got (there are quite a lot more when instead grepping '/usr/lib', but the gist is the same):

```
10 73a4e06c2fd8712321bc081ce3a75a5ba8ef1493 ima-ng sha1:0dbf371457aec429899b59452b0abfbfc80ef7e3 /usr/bin/bash
10 930b0510b096198a1dea1c93cd453792619f3af7 ima-ng sha1:6b6843dae13e009a3267eed8f472bebe47e39e31 /usr/bin/bash
10 20c4d71ec289096393c2c923a16af80278b36a62 ima-ng sha1:7fb7026bc4c60c743055f51924793d7b2a8b7076 /usr/bin/cat
10 e7854bea304dc1fa51d9378c9551d37ffe9ed5d1 ima-ng sha1:f2e2c1b280ae3268c15fd31cd8d2fcec9a984c5f /usr/bin/cat
10 67102b007f9728bd22de3cc23a98d064dc987d27 ima-ng sha1:6b12a8618bad94d1a867271c56e415dafc8a39c4 /usr/bin/chgrp
10 ebe285835bb49218f73ed83f26e38cef6d85a7b1 ima-ng sha1:56c77fecf65426a6426e75dee773d274aa9a0e75 /usr/bin/chgrp
10 33c21ccf701f108707f3611b50425b93e2c6dd53 ima-ng sha1:ad0c4616a7924d30eb47bd269263ecd1b15c9dd4 /usr/bin/chmod
10 defce3b02b70bf106b50b83130212538c7dc0960 ima-ng sha1:a2c9093d43118d3a60df0055953403a9424a0494 /usr/bin/chmod
10 58b3c2d312c090ecc0e0fbe265f6542105c834c1 ima-ng sha1:be4b48ca1926124109cb6e4d64f47f9dd06d0e00 /usr/bin/chown
10 7321f4e8addb8daf395c8964f1d8e3ec440451a1 ima-ng sha1:dfc1fdad63b534cd19c5d1d57624dd28350eb7a5 /usr/bin/chown
10 2af01a6e4c5644080b376598810689de8a6e5b88 ima-ng sha1:3c428338cfb2372fed664c8643860180592d2129 /usr/bin/cut
10 5a5d20c86ea3f9aa06de94471e59390a4876e7d7 ima-ng sha1:5b5f6692c272bf45f4ef53d852a660eb61cbaf69 /usr/bin/cut
10 042c9ed10b091c35a5e75aa3350ef4583e942c6e ima-ng sha1:42e94914c7800c7063c51d7a17aec3a2069a3769 /usr/bin/dash
10 df862ad372149f56a1760d0e9c427123ab04d5bb ima-ng sha1:585bf8f9c4632f164639ba3418b073dd4434f11a /usr/bin/dash
10 41980244f9ec54da397fea7f7be67d5b5471ff29 ima-ng sha1:a48601e25c1d7caf17c6076b488dd783b79d6b88 /usr/bin/date
10 68d01b6579429f0e265af588be2b96a749889532 ima-ng sha1:5383dc9a156c1fa161a62858919b9e4d87ff8356 /usr/bin/date
10 b20d60c235a33ddc082e74afdf411d94e80f14e7 ima-ng sha1:894cfafe216d3484b369594bccce7d263998828f /usr/bin/env
10 f3ac171447616f3a92ba5de232f240a5dcf9f11c ima-ng sha1:86bbfe9db3a4a61b4609eb49c9f6dd021e4b092e /usr/bin/env
10 1716c80c40c16f80146e89d11937cb2ed0e8c1b3 ima-ng sha1:4364e3437c75199361968b77f556d29c097b93e5 /usr/bin/grep
10 cc1e9e8e299bdd15d92e1be941220a8bf1c81dd6 ima-ng sha1:7407d340c9134738e04313fa0d247bc6ccf7a5aa /usr/bin/grep
10 126030ccf4025e485a54cb25da848f68bc77ce72 ima-ng sha1:4b8ba2b0e5ec8dae0203208f610e07e35f9b6ff9 /usr/bin/ln
10 d9763432b59125f591c5820a6e1758dd5a1e8c9a ima-ng sha1:99ba49bf0dbc39c2394e2d8e99f5dbfb983580aa /usr/bin/ln
10 0bc25f195edd73b44c83d4c71c3bed5fe19aa3ed ima-ng sha1:f4b3255233eda80c9d33c619b48cc8ac8aa37e1b /usr/bin/mkdir
10 77d71681fa537265817fac2d00510f5065955f4f ima-ng sha1:20c32e25f5bf1b189fa917b84e258a1cdfb66bad /usr/bin/mkdir
10 a1abbc414e5e184a3444b7edaa473c3de7ac5b8b ima-ng sha1:6512153a4f7d0bd15122626d17ed1083404004ff /usr/bin/perl
10 d5b0a6d649406b34ca51ce2164594372107ae007 ima-ng sha1:fa91ad099b3cee69d5a99d6cecd5e44b363d2385 /usr/bin/perl
10 a8fcea85c4cc0bc0efbe2e00fd3727ba25b5fda9 ima-ng sha1:99fb90d8f6bee2ff00996ee0ffe125f9e7623534 /usr/bin/rm
10 f446b3b081d36cdb26128c3ff9f507e2bb22ef48 ima-ng sha1:c139ccfd3cc261d1bc9218725a788949792bd6f2 /usr/bin/rm
10 481620d178417c35bbc9c507402fdde0e3d2267f ima-ng sha1:3c085e12539181bca0c4e59217dce4fa84c7e832 /usr/bin/touch
10 4a5ba7097e0c98a585752c53ac80ef2c4dcbdd6e ima-ng sha1:3f873b5f14641a55eedfd5a715940018b086ae7f /usr/bin/touch
10 1ba8293ea10d2de1deed21174a04e299746639cf ima-ng sha1:a685d70fda356e2008e6b8ae2f8687ec157f494e /usr/bin/xdg-settings
10 ad047340eb4539844e4b044ed780ffd23ad3d7f1 ima-ng sha1:4aa1793bcca0e25797c19f7fef78a9cba48ad02f /usr/bin/xdg-settings
```
Running, for example, `sha1sum /usr/bin/cat` manually gives me the second recorded hash.

Now, why/how does Linux get different sha1 hashes for the very same file? The files don't seem to be modified at all: the modify, change and birth dates (according to `stat`) are well in the past.

Let's assume that there is some reasonable explanation for this behavior (maybe some difference between different opening mechanisms, like mmap vs. something else?). Does this mean that I need to be aware of both variants of a file's hash when auditing this list? In other words, do I assume correctly that it would be unsafe to ignore the first of the two entries and just verify the second line for e.g. /usr/bin/cat?
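As an added example (not part of the question, and not IMA's own tooling), the following Python script parses the `ima-ng` lines of `ascii_runtime_measurements`, lists every path that was recorded with more than one distinct digest, and reconciles each recorded digest against the file currently on disk, which is the audit the question is asking about. It assumes only the `ima-ng` template is present and embeds three entries copied from the list above as sample input.

```python
import hashlib
from collections import defaultdict, namedtuple

Measurement = namedtuple("Measurement", "pcr template_hash template algo digest path")
# Sample log lines copied from the list in the question (ima-ng template).
SAMPLE_LOG = """\
10 20c4d71ec289096393c2c923a16af80278b36a62 ima-ng sha1:7fb7026bc4c60c743055f51924793d7b2a8b7076 /usr/bin/cat
10 e7854bea304dc1fa51d9378c9551d37ffe9ed5d1 ima-ng sha1:f2e2c1b280ae3268c15fd31cd8d2fcec9a984c5f /usr/bin/cat
10 a1abbc414e5e184a3444b7edaa473c3de7ac5b8b ima-ng sha1:6512153a4f7d0bd15122626d17ed1083404004ff /usr/bin/perl
"""
def parse_measurements(text):
    """One Measurement per ima-ng line; other templates are skipped (assumption)."""
    out = []
    for line in text.splitlines():
        fields = line.split(maxsplit=4)  # pcr, template hash, template, algo:digest, path
        if len(fields) == 5 and fields[2] == "ima-ng":
            pcr, thash, tmpl, algo_digest, path = fields
            algo, _, digest = algo_digest.partition(":")
            out.append(Measurement(int(pcr), thash, tmpl, algo, digest, path))
    return out

def digests_by_path(entries):
    """Map path -> set of (algo, digest) pairs recorded for it."""
    by_path = defaultdict(set)
    for e in entries:
        by_path[e.path].add((e.algo, e.digest))
    return dict(by_path)

def conflicting_paths(entries):
    """Paths measured with more than one distinct digest (the duplicates in the question)."""
    return {p: sorted(d) for p, d in digests_by_path(entries).items() if len(d) > 1}

def file_digest(path, algo):
    """Hash the on-disk file with the algorithm the entry names; None if unreadable."""
    try:
        with open(path, "rb") as f:
            return hashlib.new(algo, f.read()).hexdigest()
    except (OSError, ValueError):
        return None

def audit(entries, current_digest=file_digest):
    """Per path: which recorded digests match the file as it is now, and which do not."""
    report = {}
    for path, recorded in digests_by_path(entries).items():
        matched, unmatched = set(), set()
        for algo, digest in recorded:
            (matched if current_digest(path, algo) == digest else unmatched).add(digest)
        report[path] = {"matched": sorted(matched), "unmatched": sorted(unmatched)}
    return report
```

Run `audit(parse_measurements(open("/sys/kernel/security/ima/ascii_runtime_measurements").read()))` as root on the measured machine; a path whose digests are all unmatched, or that carries an extra digest you cannot account for, is the one to look at first.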