Chapter 23. Enhancing security with the kernel integrity subsystem
You can improve the security of your system by using components of the kernel integrity subsystem. Learn more about the relevant components and their configuration.
23.1. The kernel integrity subsystem
The integrity subsystem protects system integrity by detecting file tampering and denying access according to the loaded policy. It also collects access logs so that a remote party can verify system integrity through remote attestation. The kernel integrity subsystem includes the Integrity Measurement Architecture (IMA) and the Extended Verification Module (EVM).
- Integrity Measurement Architecture (IMA)
  IMA maintains the integrity of file content. It includes three features that you can enable through an IMA policy:
  - IMA-Measurement: Collect the file content hash or signature and store the measurements in the kernel. If a TPM is available, each measurement extends a TPM PCR, which enables remote attestation with an attestation quote.
  - IMA-Appraisal: Verify file integrity by comparing the calculated file hash with a known good reference value or by verifying a signature stored in the security.ima attribute. If verification fails, the system denies access.
  - IMA-Audit: Store the calculated file content hash or signature in the system audit log.
- Extended Verification Module (EVM)
  The EVM protects file metadata, including extended attributes related to system security such as security.ima and security.selinux. EVM stores a reference hash or HMAC for these security attributes in security.evm and uses it to detect if the file metadata has been changed maliciously.
23.2. Enabling the kernel's runtime integrity monitoring through IMA signature-based appraisal
Starting from RHEL 9, all package files are signed per file, and users can make sure that only authorized package files are accessed by enabling signature-based IMA appraisal.
Enable signature-based IMA appraisal:
# ima-setup --policy=/usr/share/ima/policies/01-appraise-executable-and-lib-signatures
This command:
- Stores the package file signature in security.ima for all installed packages.
- Includes the dracut integrity module to load the IMA code signing key into the kernel.
- Copies the policy to /etc/ima/ima-policy so that systemd loads it at boot time.
Verification
- The ip command executes successfully. If ip is copied to /tmp, the copy by default loses its security.ima attribute, and therefore the copied ip command does not execute.
If the sample policy 01-appraise-executable-and-lib-signatures does not meet your requirements, you can create and use a custom policy.
23.3. Enabling remote attestation with IMA measurement
You can enable remote attestation with IMA measurement to verify the integrity of your system. To use remote attestation with a tool such as Keylime, you must enable IMA-Measurement. A signed measurement policy is available at /usr/share/ima/policies/02-keylime-remote-attestation. Deploy and run the sample policy that meets your requirements.
Prerequisites
- A signed measurement policy is available at /usr/share/ima/policies/02-keylime-remote-attestation.
Procedure
- Deploy the policy:
# cp --preserve=xattr /usr/share/ima/policies/02-keylime-remote-attestation /etc/ima/ima-policy
- Load the policy:
# echo /etc/ima/ima-policy > /sys/kernel/security/integrity/ima/policy
If the sample policy does not meet your requirements, or if you want to ensure that only signed IMA policies are loaded for security reasons, see Deploying a custom signed IMA policy for UEFI systems.
Verification
- Verify that the policy is loaded:
# cat /sys/kernel/security/integrity/ima/policy
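As an added example that is not part of this Red Hat documentation, the following Python script shows what a remote verifier such as Keylime does with the IMA measurement log produced by the policy above: it recomputes each ima-ng template hash, replays the entries into a simulated TPM PCR 10 and compares the result with an attested PCR value. The log entries are constructed, and the script assumes the ima-ng template and the SHA-1 PCR bank.

```python
import hashlib
import struct

# Replays an IMA "ima-ng" measurement log into a simulated PCR 10, as a remote
# verifier does when checking a TPM quote. All sample entries are constructed.

def template_hash(algo, file_digest, path):
    """SHA-1 over the ima-ng template data: each field is prefixed with its
    little-endian 32-bit length, matching the kernel's template hashing."""
    d_ng = algo.encode() + b":\x00" + bytes.fromhex(file_digest)  # d-ng field
    n_ng = path.encode() + b"\x00"                                 # n-ng field
    h = hashlib.sha1()
    for field in (d_ng, n_ng):
        h.update(struct.pack("<I", len(field)))
        h.update(field)
    return h.hexdigest()

def make_log_line(algo, file_digest, path):
    # Same columns as /sys/kernel/security/ima/ascii_runtime_measurements
    return f"10 {template_hash(algo, file_digest, path)} ima-ng {algo}:{file_digest} {path}"

def replay_pcr(log_lines):
    """Recompute PCR 10 from the log. An entry whose template hash does not
    match its own fields indicates a tampered log and is rejected."""
    pcr = bytes(20)  # PCRs are all zero after power-on
    for line in log_lines:
        pcr_idx, thash, template, digest_field, path = line.split(maxsplit=4)
        if pcr_idx != "10" or template != "ima-ng":
            continue
        algo, file_digest = digest_field.split(":", 1)
        if template_hash(algo, file_digest, path) != thash:
            raise ValueError(f"template hash mismatch for {path}")
        pcr = hashlib.sha1(pcr + bytes.fromhex(thash)).digest()  # TPM extend
    return pcr.hex()

def verify_quote(log_lines, quoted_pcr10):
    """True when the attested PCR 10 equals the value replayed from the log."""
    try:
        return replay_pcr(log_lines) == quoted_pcr10
    except ValueError:
        return False

# Constructed sample log: boot_aggregate first, then two measured binaries
SAMPLE_LOG = [
    make_log_line("sha256", hashlib.sha256(b"constructed boot").hexdigest(), "boot_aggregate"),
    make_log_line("sha256", hashlib.sha256(b"constructed ip").hexdigest(), "/usr/sbin/ip"),
    make_log_line("sha256", hashlib.sha256(b"constructed ls").hexdigest(), "/usr/bin/ls"),
]

if __name__ == "__main__":
    print("replayed PCR 10:", replay_pcr(SAMPLE_LOG))
```

Dropping an entry, reordering entries or editing a path in the log all change the replayed value, which is why a verifier compares the replay against the signed quote rather than trusting the log alone.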