Red Hat Summit Red Hat SummitSupportKonsoleEntwicklerDemo startenKontakt

Dieser Inhalt ist in der von Ihnen ausgewählten Sprache nicht verfügbar.

Chapter 24. Extending, customizing, and troubleshooting kernel integrity subsystem

Extend, customize, and troubleshoot the kernel integrity subsystem to support diverse security requirements and operational environments.

24.1. Generate good reference values for IMA appraisal
Link kopieren

Before you deploy an IMA policy that includes IMA-appraisal rules, ensure that all files governed by these rules have valid reference values stored in the security.ima extended attribute. If these reference values are missing, IMA might prevent the system from booting properly or deny access to files. 

# ima-appraise-file </path/to/file>
Copy to Clipboard Toggle word wrap

24.1.1. Adding IMA signatures as good references for immutable files
Link kopieren

Use IMA signatures as trusted reference values for immutable files to support integrity verification. This approach helps ensure that only files with valid signatures are accessed, which strengthens system security and compliance.

Prerequisites

  • You have created an IMA policy that includes IMA-appraisal rules.

Procedure

  1. Install the rpm-plugin-ima: 

    $ sudo dnf install rpm-plugin-ima -yq
    Copy to Clipboard Toggle word wrap

    This ensures that package files have IMA signature stored in security.xattr automatically during package installation, reinstallation, or upgradation.

  2. Reinstall all the packages: 

    $ sudo dnf reinstall "*" -y
    Copy to Clipboard Toggle word wrap

    This ensures that the security.xattr extended attribute is updated for all packages.

  3. Enable the dracut integrity module so the official IMA code-signing key in /etc/keys/ima loads automatically on boot: 

    $ sudo dracut -f
    Copy to Clipboard Toggle word wrap

Verification

  • Verify that signature is correctly stored in security.ima extended attribute: 

    $ # evmctl ima_verify -k /etc/keys/ima/redhatimarelease-10.der /usr/lib/systemd/systemd
keyid d3320449 (from /etc/keys/ima/redhatimarelease-10.der)
key 1: d3320449 /etc/keys/ima/redhatimarelease-10.der
/usr/lib/systemd/systemd: verification is OK

$ # evmctl ima_verify -k /etc/keys/ima/redhatimarelease-10.der /bin/bash
keyid d3320449 (from /etc/keys/ima/redhatimarelease-10.der)
key 1: d3320449 /etc/keys/ima/redhatimarelease-10.der
/bin/bash: verification is OK
...
    Copy to Clipboard Toggle word wrap

24.1.2. Generating good reference values for mutable files
Link kopieren

To maintain integrity for files that might change over time, generate and update reference values as needed. This ensures that the system accurately verifies the authenticity of mutable files and prevent unauthorized modifications.

Prerequisites

  • You have root privileges on the system.
  • You have created an IMA policy that includes IMA-appraisal rules.
  • You have generated good reference values for IMA appraisal.
  • Secure Boot is disabled.

Procedure

  1. Optional: Enable your chosen IMA-appraisal policy or skip this step if you only use your custom policy. Take built-in ima_policy=appraise_tcb as an example: 

    # grubby --update-kernel=/boot/vmlinuz-$(uname -r) --args="ima_policy=appraise_tcb"
    Copy to Clipboard Toggle word wrap

    • Additionally for s390x systems: 

      # zipl
      Copy to Clipboard Toggle word wrap

  2. Enable IMA-appraisal fix mode by adding the ima_appraise=fix kernel command line parameter: 

    # grubby --update-kernel=/boot/vmlinuz-$(uname -r) --args="ima_appraise=fix"
    Copy to Clipboard Toggle word wrap

    • Additionally for s390x systems: 

      # zipl
      Copy to Clipboard Toggle word wrap

  3. Reboot the system: 

    # reboot
    Copy to Clipboard Toggle word wrap

  4. Optional: Load your custom IMA policy: 

    # echo <path_to_your_custom_ima_policy> > /sys/kernel/security/ima/policy
    Copy to Clipboard Toggle word wrap

  5. Re-label the whole system: 

    # find / -fstype xfs -type f -uid 0 -exec head -c 0 '{}' \;
    Copy to Clipboard Toggle word wrap

  6. Turn off IMA-appraisal fix mode by removing the ima_appraise=fix kernel command line parameter: 

    # grubby --update-kernel=/boot/vmlinuz-$(uname -r) --remove-args="ima_appraise=fix"
    Copy to Clipboard Toggle word wrap

    • Additionally for s390x systems: 

      # zipl
      Copy to Clipboard Toggle word wrap
  7. Enable the secure boot if it is disabled.

Additional resources

24.2. Writing custom IMA policy
Link kopieren

If the built-in IMA policies that you enable with kernel command line parameters, such as ima_policy=tcb or ima_policy=critical_data, or the sample policies in /usr/share/ima/policies/ do not meet your requirements, you can create custom IMA policy rules. When systemd loads a policy from /etc/ima/ima-policy, it replaces the built-in IMA policy.

Warning

After you define your IMA policy, generate good reference values if the policy includes IMA-appraisal rules before you deploy it. If your policy does not include IMA-appraisal rules, you can verify the policy by running echo /PATH-TO-YOUR-DRAFT-IMA-POLICY > /sys/kernel/security/integrity/ima/policy. This approach helps prevent system boot failures.

See Generate good reference values for IMA appraisal.

An IMA policy rule uses the format action [condition …​] to specify an action that is triggered under certain conditions. For example, the sample policy in /usr/share/ima/policies/01-appraise-executable-and-lib-signatures includes the following rules: 

# Skip some unsupported filesystems
# For a list of these filesystems, see
# https://www.kernel.org/doc/Documentation/ABI/testing/ima_policy
# PROC_SUPER_MAGIC
dont_appraise fsmagic=0x9fa0
…
appraise func=BPRM_CHECK appraise_type=imasig
Copy to Clipboard Toggle word wrap

The first rule, dont_appraise fsmagic=0x9fa0, instructs IMA to skip appraising files in the PROC_SUPER_MAGIC filesystem. The last rule, appraise func=BPRM_CHECK appraise_type=imasig, enforces signature verification when a file is executed.

24.3. Creating custom IMA keys using OpenSSL
Link kopieren

You can use OpenSSL to generate a CSR for your digital certificates to secure your code.

The kernel searches the .ima keyring for a code signing key to verify an IMA signature. Before you add a code signing key to the .ima keyring, you need to ensure that IMA CA key signed this key in the .builtin_trusted_keys or .secondary_trusted_keys keyrings.

Prerequisites

  • The custom IMA CA key has the following extensions:

    • the basic constraints extension with the CA boolean asserted.
    • the KeyUsage extension with the keyCertSign bit asserted but without the digitalSignature asserted.

  • The custom IMA code signing key falls under the following criteria:

    • The IMA CA key signed this custom IMA code signing key.
    • The custom key includes the subjectKeyIdentifier extension.
  • UEFI Secure Boot on x86_64 or aarch64 systems or PowerVM Secure Boot on ppc64le systems is enabled.

Procedure

  1. To generate a custom IMA CA key pair, run: 

    # openssl req -new -x509 -utf8 -sha256 -days 3650 -batch -config ima_ca.conf -outform DER -out custom_ima_ca.der -keyout custom_ima_ca.priv
    Copy to Clipboard Toggle word wrap

  2. Optional: To check the content of the ima_ca.conf file, run: 

    # cat ima_ca.conf
[ req ]
default_bits = 2048
distinguished_name = req_distinguished_name
prompt = no
string_mask = utf8only
x509_extensions = ca

[ req_distinguished_name ]
O = YOUR_ORG
CN =  YOUR_COMMON_NAME IMA CA
emailAddress = YOUR_EMAIL

[ ca ]
basicConstraints=critical,CA:TRUE
subjectKeyIdentifier=hash
authorityKeyIdentifier=keyid:always,issuer
keyUsage=critical,keyCertSign,cRLSign
    Copy to Clipboard Toggle word wrap

  3. To generate a private key and a certificate signing request (CSR) for the IMA code signing key, run: 

    # openssl req -new -utf8 -sha256 -days 365 -batch -config ima.conf -out custom_ima.csr -keyout custom_ima.priv
    Copy to Clipboard Toggle word wrap

  4. Optional: To check the content of the ima.conf file, run: 

    # cat ima.conf
[ req ]
default_bits = 2048
distinguished_name = req_distinguished_name
prompt = no
string_mask = utf8only
x509_extensions = code_signing

[ req_distinguished_name ]
O = YOUR_ORG
CN = YOUR_COMMON_NAME IMA signing key
emailAddress = YOUR_EMAIL

[ code_signing ]
basicConstraints=critical,CA:FALSE
keyUsage=digitalSignature
subjectKeyIdentifier=hash
authorityKeyIdentifier=keyid:always,issuer
    Copy to Clipboard Toggle word wrap

  5. Use the IMA CA private key to sign the CSR to create the IMA code signing certificate: 

    # openssl x509 -req -in custom_ima.csr -days 365 -extfile ima.conf -extensions code_signing -CA custom_ima_ca.der -CAkey custom_ima_ca.priv -CAcreateserial -outform DER -out ima.der
    Copy to Clipboard Toggle word wrap

24.4. Loading an IMA policy signed by your custom IMA key
Link kopieren

To maintain your system integrity and meet the security requirements your organization, you can load an IMA policy that is signed with your own custom IMA key. This approach ensures that only trusted, authenticated policies are applied during system startup or runtime.

Note

This procedure applies only to x86_64 and aarch64 systems with UEFI Secure Boot enabled, and to ppc64le systems running PowerVM Secure Boot.

Prerequisites

Procedure

  1. Add your custom IMA code signing key to the .ima keyring: 

    # keyctl padd asymmetric <KEY_SUBJECT> %:.ima < <PATH_TO_YOUR_CUSTOM_IMA_KEY>
    Copy to Clipboard Toggle word wrap

  2. Prepare your IMA policy and sign it with your custom IMA code signing key: 

    # evmctl ima_sign <PATH_TO_YOUR_CUSTOM_IMA_POLICY> -k <PATH_TO_YOUR_CUSTOM_IMA_KEY>
    Copy to Clipboard Toggle word wrap

  3. Load the signed IMA policy: 

    # echo <PATH_TO_YOUR_CUSTOM_SIGNED_IMA_POLICY> > /sys/kernel/security/ima/policy
# echo $?
0
    Copy to Clipboard Toggle word wrap
    0

    indicates that the IMA policy was loaded successfully. If the command returns a nonzero value, the IMA policy was not loaded successfully.

    Warning

    Do not skip this step. If you do, your system might fail to boot and you need to recover your system.

    If the IMA policy fails to load, repeat the steps 2 and 3 to fix the issue.

  4. Copy the signed IMA policy to /etc/ima/ima-policy to enable systemd load it automatically on boot: 

    # cp --preserve=xattr <PATH_TO_YOUR_CUSTOM_IMA_POLICY> /etc/ima/ima-policy
    Copy to Clipboard Toggle word wrap

  5. Automatically add your custom IMA code signing key to .ima keyring on boot by using the dracut integrity module: 

    # cp <PATH_TO_YOUR_CUSTOM_IMA_KEY> /etc/keys/ima/
# cp --preserve=xattr /usr/share/ima/dracut-98-integrity.conf /etc/dracut.conf.d/98-integrity.conf
# dracut -f
    Copy to Clipboard Toggle word wrap

    • Additionally for s390x systems: 

      # zipl
      Copy to Clipboard Toggle word wrap

Verification

  • Verify that the IMA policy is loaded successfully: 

    # cat /sys/kernel/security/ima/policy
    Copy to Clipboard Toggle word wrap

    The output should include the rules from your custom IMA policy.

24.5. Troubleshooting systemd failure to load the IMA policy
Link kopieren

If systemd does not load /etc/ima/ima-policy, the system hangs and displays the error systemd[1]: Freezing execution. 

[    5.829882] ima: policy update failed
[    5.830094] ima: signed policy file (specified as an absolute pathname) required
[!!!!!!] Failed to load IMA policy.
…
[    5.859994] systemd[1]: Freezing execution.
Copy to Clipboard Toggle word wrap

There are three methods that you can use to recover your system.

24.5.1. Turn off Secure Boot
Link kopieren

If the policy cannot be loaded because it is not signed, you might see errors similar to the following examples. 

[    5.661906] ima: policy update failed
[    5.662290] ima: signed policy file (specified as an absolute pathname) required
[    5.662496] systemd[1]: Failed to load the IMA custom policy file /etc/ima/ima-policy1: Permission denied
[    5.662663] ima: policy update failed
[    5.662856] audit: type=1800 audit(1744968172.925:7): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 op=appraise_data cause=IMA-signature-required comm="systemd" name="/etc/ima/ima-policy" dev="vda3" ino=25679834 res=0 errno=0
[    5.663205] audit: type=1802 audit(1744968172.925:8): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 op=policy_update cause=failed comm="systemd" res=0 errno=0
[!!!!!!] Failed to load IMA policy.
Copy to Clipboard Toggle word wrap

As a workaround, you can turn off Secure Boot temporarily and follow Deploying a custom signed IMA policy for UEFI systems to fix the issue.

24.5.2. Booting the system with the init=/bin/bash kernel parameter
Link kopieren

To boot the system with the init=/bin/bash kernel parameter, you can use the following steps.

  1. Modify the bootloader entry and add the init=/bin/bash kernel parameter.

  2. After you access the shell, remount the system with write permissions: 

    # mount -o remount,rw /
    Copy to Clipboard Toggle word wrap

  3. Rename /etc/ima/ima-policy to /etc/ima/ima-policy.bak: 

    # mv /etc/ima/ima-policy /etc/ima/ima-policy.bak
    Copy to Clipboard Toggle word wrap

  4. Reboot the system: 

    # echo 1 > /proc/sys/kernel/sysrq
# printf "s\nb" > /proc/sysrq-trigger
    Copy to Clipboard Toggle word wrap

  5. Resolve any issues in /etc/ima/ima-policy.bak and verify that the policy can be loaded: 

    # echo /etc/ima/ima-policy.bak >> /sys/kernel/security/integrity/ima/policy
    Copy to Clipboard Toggle word wrap

  6. Rename /etc/ima/ima-policy.bak to /etc/ima/ima-policy: 

    # mv /etc/ima/ima-policy.bak /etc/ima/ima-policy
    Copy to Clipboard Toggle word wrap

If the system hangs with the error systemd[1]: Freezing execution, you can boot the system with the initcall_blacklist=init_ima kernel parameter to disable the IMA policy.

  1. Modify the boot loader entry and add the initcall_blacklist=init_ima kernel parameter.

  2. Rename /etc/ima/ima-policy to /etc/ima/ima-policy.bak: 

    # mv /etc/ima/ima-policy /etc/ima/ima-policy.bak
    Copy to Clipboard Toggle word wrap

  3. Reboot the system: 

    # systemctl reboot
    Copy to Clipboard Toggle word wrap

  4. Resolve any issues in /etc/ima/ima-policy.bak and verify that the policy can be loaded: 

    # echo /etc/ima/ima-policy.bak >> /sys/kernel/security/integrity/ima/policy
    Copy to Clipboard Toggle word wrap

  5. Rename /etc/ima/ima-policy.bak to /etc/ima/ima-policy: 

    # mv /etc/ima/ima-policy.bak /etc/ima/ima-policy
    Copy to Clipboard Toggle word wrap

24.6. Signing custom built packages
Link kopieren

To maintain the integrity of your system, it is important to sign custom built packages before deployment. With the rpm-sign tool and IMA code signing key, you can sign your custom built packages.

Prerequisites

  • You have root privileges on your system.
  • You have a custom built package that you want to sign.
  • You have the IMA code signing key.
  • You have the rpm-sign tool installed.
  • Custom IMA keys are created. See Creating custom IMA keys using OpenSSL.

Procedure

  1. Use rpmsign –signfiles to sign package files: 

    # rpmsign --define "gpg_name _<GPG_KEY_NAME>" --addsign --signfiles --fskpass --fskpath=<PATH_TO_YOUR_PRIVATE_IMA_CODE_SIGNING_KEY> <PATH_TO_YOUR_RPM>
    Copy to Clipboard Toggle word wrap
    --define "gpg_name _<GPG_KEY_NAME>"
    The GPG key signs the package, and the IMA code signing key signs each file in the package.
    --addsign
    Adds the signature to the package.
    --signfiles
    Signs each file in the package.
    --fskpass
    Avoids repeatedly entering the password for the IMA code signing key.
    --fskpath
    Specifies the path to the IMA code signing key.

Verification

  • To verify that the package is signed, you can use the following command: 

    # rpm -q --queryformat "[%{FILENAMES} %{FILESIGNATURES}\n] <PATH_TO_YOUR_RPM>"
/usr/bin/YOUR_BIN 030204...
/usr/lib/YOUR_LIB.so 030204...
...
    Copy to Clipboard Toggle word wrap

24.7. Selecting between IMA and fapolicyd
Link kopieren

IMA and fapolicyd are two different tools for enforcing file integrity. IMA is a kernel module that enforces file integrity by verifying the integrity of files at boot time. fapolicyd is a daemon that enforces file integrity by verifying the integrity of files at runtime.

The following list can help you determine which tool meets your requirements:

  • IMA verifies digital signatures to ensure integrity, while fapolicyd currently supports only hash-based verification.
  • IMA operates in kernel space, while fapolicyd operates in user space.
  • fapolicyd supports basic integrity verification by checking file size and can also verify reference hash values stored in security.ima.
  • IMA and fapolicyd use different policy syntax. For example, fapolicyd supports path-based policies, but IMA does not.
Nach oben
Red Hat logoGithubredditYoutubeTwitter

Lernen

Testen, kaufen und verkaufen

Communitys

Über Red Hat Dokumentation

Wir helfen Red Hat Benutzern, mit unseren Produkten und Diensten innovativ zu sein und ihre Ziele zu erreichen – mit Inhalten, denen sie vertrauen können. Entdecken Sie unsere neuesten Updates.

Mehr Inklusion in Open Source

Red Hat hat sich verpflichtet, problematische Sprache in unserem Code, unserer Dokumentation und unseren Web-Eigenschaften zu ersetzen. Weitere Einzelheiten finden Sie in Red Hat Blog.

Über Red Hat

Wir liefern gehärtete Lösungen, die es Unternehmen leichter machen, plattform- und umgebungsübergreifend zu arbeiten, vom zentralen Rechenzentrum bis zum Netzwerkrand.

Theme

© 2025 Red Hat