quoted

Each measurement entry in the list could have new fields to identify
the namespace. Since the namespaces can be reused, a timestamp or
others fields could be added to uniquely identify the namespace id.

The more fields included in the measurement list, the more
measurements will be added to the measurement list.  Wouldn't it be
enough to know that a certain file has been accessed/executed on the
system and base any analytics/forensics on the IMA-audit data.

With the recursive application of policy through the namespace hierarchy,
a measurement added to the parent namespace could be misleading since 
the file pathname makes sense in the current namespace but possibly not
for the parent namespace. This is the reason why I believe some new field
might be needed in the IMA template format to indicate or uniquely 
identify the namespace.

--
Guilherme

????{.n?+???????+%?????????w??{.n?+????{??????????v?^?)????w*jg???
???????j????G??????
???j:+v???w?j?m?????
??
?w?????f???h?????????