Red Hat Summit Red Hat SummitSupportKonsoleEntwicklerDemo startenKontakt

Dieser Inhalt ist in der von Ihnen ausgewählten Sprache nicht verfügbar.

Chapter 25. Enhancing security with the kernel integrity subsystem

Use components of the kernel integrity subsystem to improve system security. Configure relevant components such as IMA signature-based appraisal and remote attestation.

25.1. The kernel integrity subsystem
Link kopieren

The kernel integrity subsystem protects system integrity by detecting file tampering and enabling remote attestation. It includes the Integrity Measurement Architecture (IMA) and the Extended Verification Module (EVM).

Integrity Measurement Architecture (IMA)

IMA maintains the integrity of file content. It includes three features that you can enable through an IMA policy:

  • IMA-Measurement: Collect the file content hash or signature and store the measurements in the kernel. If a TPM is available, each measurement extends a TPM PCR, which enables remote attestation with an attestation quote.
  • IMA-Appraisal: Verify file integrity by comparing the calculated file hash with a known good reference value or by verifying a signature stored in the security.ima attribute. If verification fails, the system denies access.
  • IMA-Audit: Store the calculated file content hash or signature in the system audit log.
Extended Verification Module (EVM)
The EVM protects file metadata, including extended attributes related to system security such as security.ima and security.selinux. EVM stores a reference hash or HMAC for these security attributes in security.evm and uses it to detect if the file metadata has been changed maliciously.

To ensure only authorized package files are executed, enable signature-based IMA appraisal by running the ima-setup command with the sample policy. From RHEL 9, all package files are signed per file.

Procedure

  1. Run ima-setup to enable signature-based IMA appraisal: 

    # ima-setup --policy=/usr/share/ima/policies/01-appraise-executable-and-lib-signatures

    This command:

    • Stores package file signature in security.ima for all installed packages.
    • Includes the dracut integrity module to load the IMA code signing key to kernel.
    • Copies the policy to /etc/ima/ima-policy so systemd loads it at boot time.

Verification

  • The ip command can be successfully executed.

  • If ip is copied to /tmp, by default, it loses its security.ima and therefore ip command is not executed. 

    # cp /usr/sbin/ip /tmp
# /tmp/ip
     
    bash: /tmp/ip: Permission denied
     
    # /tmp/ip doesn't have security.ima
# getfattr -m security.ima -d /tmp/ip
# whereas /usr/sbin/ip has
# getfattr -m security.ima /usr/sbin/ip
# file: usr/sbin/ip
     
    security.ima=0sAwIE0zIESQBnMGUCMQCLXZ7ukyDcguLgPYwzXU16dcVrmlHxOta7vm7EUfX07Nf0xnP1MyE//AZaqeNIKBoCMFHNDOuA4uNvS+8OOAy7YEn8oathfsF2wsDSZi+NAoumC6RFqIB912zkRKxraSX8sA==

If the sample policy 01-appraise-executable-and-lib-signatures does not meet your requirements, you can create and use a custom policy.

25.3. Enabling remote attestation with IMA measurement
Link kopieren

To verify system integrity by using remote attestation tools such as Keylime, you must enable Integrity Measurement Architecture (IMA) measurement. A signed sample measurement policy is available at /usr/share/ima/policies/02-keylime-remote-attestation. Deploy and run the policy that meets your requirements.

Prerequisites

  • A signed measurement policy is available at /usr/share/ima/policies/02-keylime-remote-attestation.

Procedure

  1. Install the rpm-plugin-ima package: 

    # dnf install rpm-plugin-ima

  2. Reinstall the ima-evm-utils package so that the sample policies have IMA signatures stored in extended attributes: 

    # dnf reinstall ima-evm-utils

  3. Confirm that the IMA signature has been stored: 

    # evmctl ima_verify -k /etc/keys/ima/redhatimarelease-10.der /usr/share/ima/policies/02-keylime-remote-attestation
     
    keyid d3320449 (from /etc/keys/ima/redhatimarelease-10.der)
key 1: d3320449 /etc/keys/ima/redhatimarelease-10.der
/usr/share/ima/policies/02-keylime-remote-attestation: verification is OK

  4. Copy the signed measurement policy with extended attributes preserved to /etc/ima/ima-policy so systemd automatically loads it on boot: 

    # cp --preserve=xattr /usr/share/ima/policies/02-keylime-remote-attestation /etc/ima/ima-policy

  5. Enable the dracut integrity module so the IMA key loads at boot time: 

    # cp --preserve=xattr /usr/share/ima/dracut-98-integrity.conf /etc/dracut.conf.d/ima.conf

  6. Regenerate the initramfs to include the integrity module: 

    # dracut -f

    • On s390x systems, additionally run zipl to apply the changes for the next IPL (initial program load): 

      # zipl

  7. Reboot to load the IMA key: 

    # systemctl reboot
    Warning

    On systems with Secure Boot enabled, the kernel does not accept unsigned IMA policies. If you load a policy before the IMA code-signing key is available to the kernel, the load fails and the next reboot can hang. Therefore, you must load the policy after the key is available.

    If the sample policy does not meet your requirements, see Loading an IMA policy signed by your custom IMA key.

Verification

  • Verify that the policy is loaded: 

    # cat /sys/kernel/security/integrity/ima/policy
Red Hat logoGithubredditYoutubeTwitter

Lernen

Testen, kaufen und verkaufen

Communitys

Über Red Hat Dokumentation

Wir helfen Red Hat Benutzern, mit unseren Produkten und Diensten innovativ zu sein und ihre Ziele zu erreichen – mit Inhalten, denen sie vertrauen können. Entdecken Sie unsere neuesten Updates.

Mehr Inklusion in Open Source

Red Hat hat sich verpflichtet, problematische Sprache in unserem Code, unserer Dokumentation und unseren Web-Eigenschaften zu ersetzen. Weitere Einzelheiten finden Sie in Red Hat Blog.

Über Red Hat

Wir liefern gehärtete Lösungen, die es Unternehmen leichter machen, plattform- und umgebungsübergreifend zu arbeiten, vom zentralen Rechenzentrum bis zum Netzwerkrand.

Theme

© 2026 Red HatNach oben