Unexpected temporary files added to IMA measurement log

Recent updates in Rocky Linux 9 and 10 changed IMA behaviour and unexpectedly added temporary files related to /etc/group and /etc/shadow to the IMA measurement log:

$ cat /sys/kernel/security/ima/ascii_runtime_measurements | grep group
10 ca81f9acb96d029daeb9492d519b8b462d3e2a73 ima-ng sha256:e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 /etc/.#group89403d28bb57f300
10 ca81f9acb96d029daeb9492d519b8b462d3e2a73 ima-ng sha256:e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 etc/.#groupc970f5c062c3ccba

Unfortunately, these temporary files are problematic for one of IMA’s use cases, which is to check that some files on the filesystem audited with a reference hash digest were not modified (with the exception of some SELinux types such as tmp_t, as in /usr/share/ima/policies/02-keylime-remote-attestation, see doc).

Note that there were no temporary files with patterns like /etc/group.1597 or /etc/.#group89403d28bb57f300 added to the IMA measurement log back in June 2025 with an up-to-date Rocky Linux 9 or RHEL 9.

I think either these temporary files are not tagged with the tmp_t type, or the binary doing read/write on /etc/group and /etc/shadow should not write next to the original file and should use one of $TEMP, $TMP or $TMPDIR as parent directory.

Can anyone using IMA confirm the issue?

Thanks.
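For anyone who wants to check their own log for the same entries, here is an added example (not part of the original post) that parses `ima-ng` lines and flags temporary siblings of /etc/group and /etc/shadow, also marking entries whose digest is the SHA-256 of an empty file, as both quoted entries are. The function names, the `watched` default and the sample lines after the first two are assumptions made for illustration.

```python
import hashlib
import re

# SHA-256 of zero bytes: the digest carried by both entries quoted in the post.
EMPTY_SHA256 = hashlib.sha256(b"").hexdigest()

# The two name shapes mentioned in the post: ".#group<16 hex>" and "group.<digits>".
# The leading slash is optional because the second quoted entry lacks it.
TEMP_NAME = re.compile(
    r"^/?etc/(?:\.#(?P<lock>[\w-]+?)[0-9a-f]{16}|(?P<num>[\w-]+)\.\d+)$")

def parse_ima_ng(line):
    """Parse one ima-ng line: PCR, template hash, template, algo:digest, path."""
    parts = line.strip().split(" ", 4)
    if len(parts) != 5 or parts[2] != "ima-ng" or ":" not in parts[3]:
        return None  # other templates (ima-sig, ...) are skipped here
    algo, digest = parts[3].split(":", 1)
    return {"pcr": int(parts[0]), "algo": algo, "digest": digest, "path": parts[4]}

def find_temp_entries(lines, watched=("group", "shadow")):
    """Return entries that look like temporary siblings of /etc/<watched>."""
    findings = []
    for line in lines:
        entry = parse_ima_ng(line)
        match = entry and TEMP_NAME.match(entry["path"])
        if not match:
            continue
        base = match.group("lock") or match.group("num")
        if base in watched:
            entry["original"] = "/etc/" + base
            entry["empty"] = (entry["algo"], entry["digest"]) == ("sha256", EMPTY_SHA256)
            findings.append(entry)
    return findings

# The first two lines are the ones quoted in the post; the rest are constructed.
_FAKE = hashlib.sha256(b"constructed sample").hexdigest()
SAMPLE = [
    "10 ca81f9acb96d029daeb9492d519b8b462d3e2a73 ima-ng sha256:e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 /etc/.#group89403d28bb57f300",
    "10 ca81f9acb96d029daeb9492d519b8b462d3e2a73 ima-ng sha256:e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 etc/.#groupc970f5c062c3ccba",
    "10 " + "0" * 40 + " ima-ng sha256:" + _FAKE + " /etc/group.1597",
    "10 " + "0" * 40 + " ima-ng sha256:" + _FAKE + " /etc/group",
    "10 " + "0" * 40 + " ima-ng sha256:" + _FAKE + " /usr/bin/bash",
]

if __name__ == "__main__":
    for hit in find_temp_entries(SAMPLE):
        print(hit["path"], "->", hit["original"], "(empty file)" if hit["empty"] else "")
```

On a live system, pass the lines of /sys/kernel/security/ima/ascii_runtime_measurements to `find_temp_entries` instead of `SAMPLE`.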