Red Hat Summit Red Hat SummitSupportKonsoleEntwicklerDemo startenKontakt

Dieser Inhalt ist in der von Ihnen ausgewählten Sprache nicht verfügbar.

Chapter 23. Enhancing security with the kernel integrity subsystem

You can improve the security of your system by using components of the kernel integrity subsystem. Learn more about the relevant components and their configuration.

23.1. The kernel integrity subsystem
Link kopieren

The integrity subsystem protects system integrity by detecting file tampering and denying access according to the loaded policy. It also collects access logs so that a remote party can verify system integrity through remote attestation. The kernel integrity subsystem includes the Integrity Measurement Architecture (IMA) and the Extended Verification Module (EVM).

Overview of IMA and EVM

Integrity Measurement Architecture (IMA) maintains the integrity of file content. It includes three features that you can enable through an IMA policy:

IMA-Measurement
Collect the file content hash or signature and store the measurements in the kernel. If a TPM is available, each measurement extends a TPM PCR, which enables remote attestation with an attestation quote.
IMA-Appraisal
Verify file integrity by comparing the calculated file hash with a known good reference value or by verifying a signature stored in the security.ima attribute. If verification fails, the system denies access.
IMA-Audit
Store the calculated file content hash or signature in the system audit log.

The Extended Verification Module (EVM) protects file metadata, including extended attributes related to system security such as security.ima and security.selinux. EVM stores a reference hash or HMAC for these security attributes in security.evm and uses it to detect if the file metadata has been changed maliciously.

Secure Boot integration

Secure Boot establishes the chain of trust from firmware to boot loader and then to kernel. With the integrity subsystem of the trusted kernel making sure only trusted user space code is executed, the chain of trust is now extended to the user space. Although the integrity subsystem can be used alone, some behaviours of the integrity subsystem are tied to secure boot, for example,

  • Some IMA policy rules is activated automatically when Secure Boot is enabled. For example, IMA-Measurement is enabled for kexec’ed kernel and kernel modules on UEFI systems, and IMA-Appraisal is enabled for kexec’ed kernel on PowerPC.
  • Currently, for Red Hat Enterprise Linux 10, only IMA policy signed by trusted keys can be loaded when secure boot is enabled

Starting from RHEL 9, all package files are signed per file and users can make sure only authorized package files are accessed by enabling the signature-based IMA appraisal.

Enable the signature-based IMA appraisal: 

ima-setup --policy=/usr/share/ima/policies/01-appraise-executable-and-lib-signatures
Copy to Clipboard Toggle word wrap

This command:

  • Stores package file signature in security.ima for all installed packages.
  • Includes the dracut integrity module to load the IMA code signing key to kernel.
  • Copies the policy to /etc/ima/ima-policy so systemd loads it at boot time.

Verification

  • The ip command can be successfully executed.

  • If ip is copied to /tmp, by default, it loses its security.ima and therefore ip command is not executed. 

    # cp /usr/sbin/ip /tmp
# /tmp/ip
-bash: /tmp/ip: Permission denied
# /tmp/ip doesn’t have security.ima
# getfattr -m security.ima -d /tmp/ip
# whereas /usr/sbin/ip has
# getfattr -m security.ima /usr/sbin/ip
# file: usr/sbin/ip
security.ima=0sAwIE0zIESQBnMGUCMQCLXZ7ukyDcguLgPYwzXU16dcVrmlHxOta7vm7EUfX07Nf0xnP1MyE//AZaqeNIKBoCMFHNDOuA4uNvS+8OOAy7YEn8oathfsF2wsDSZi+NAoumC6RFqIB912zkRKxraSX8sA==
    Copy to Clipboard Toggle word wrap

If the sample policy 01-appraise-executable-and-lib-signatures does not meet your requirements, you can create and use a custom policy.

23.3. Enabling remote attestation with IMA measurement
Link kopieren

You can enable remote attestation with IMA measurement to verify the integrity of your system. To use remote attestation with a tool such as Keylime, you must enable IMA-Measurement. A signed measurement policy is available at /usr/share/ima/policies/02-keylime-remote-attestation. Deploy and run the sample policy that meets your requirements.

Prerequisites

  • A signed measurement policy is available at /usr/share/ima/policies/02-keylime-remote-attestation.

Procedure

  1. Deploy the policy: 

    # cp --preserve=xattr /usr/share/ima/policies/02-keylime-remote-attestation /etc/ima/ima-policy
    Copy to Clipboard Toggle word wrap

  2. Load the policy: 

    # echo /etc/ima/ima-policy > /sys/kernel/security/integrity/ima/policy
    Copy to Clipboard Toggle word wrap

If the sample policy does not meet your requirements, or if you want to ensure that only signed IMA policies are loaded for security reasons, see Deploying a custom signed IMA policy for UEFI systems.

Verification

  • Verify that the policy is loaded: 

    # cat /sys/kernel/security/integrity/ima/policy
    Copy to Clipboard Toggle word wrap
Nach oben
Red Hat logoGithubredditYoutubeTwitter

Lernen

Testen, kaufen und verkaufen

Communitys

Über Red Hat Dokumentation

Wir helfen Red Hat Benutzern, mit unseren Produkten und Diensten innovativ zu sein und ihre Ziele zu erreichen – mit Inhalten, denen sie vertrauen können. Entdecken Sie unsere neuesten Updates.

Mehr Inklusion in Open Source

Red Hat hat sich verpflichtet, problematische Sprache in unserem Code, unserer Dokumentation und unseren Web-Eigenschaften zu ersetzen. Weitere Einzelheiten finden Sie in Red Hat Blog.

Über Red Hat

Wir liefern gehärtete Lösungen, die es Unternehmen leichter machen, plattform- und umgebungsübergreifend zu arbeiten, vom zentralen Rechenzentrum bis zum Netzwerkrand.

Theme

© 2025 Red Hat