8.5. Configuring Keylime agent
The Keylime agent is the component deployed to all systems to be monitored by Keylime.

By default, the Keylime agent stores all its data in the /var/lib/keylime/ directory of the monitored system.

To keep the configuration files organized within the drop-in directories, use file names with a two-digit number prefix, for example /etc/keylime/agent.conf.d/00-registrar-ip.conf. The configuration processing reads the files inside the drop-in directory in lexicographic order and sets each option to the last value it reads.
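The merge rule above (files read in lexicographic order, last value wins) decides which value the agent actually runs with when several drop-ins set the same option, which is worth checking before a misconfigured registrar_ip or port is discovered at registration time. The following Python script, added here as an example and not part of this documentation or of the Keylime project, merges a drop-in directory the way the text describes and also checks the two constraints the procedure below places on drop-in contents: values must be quoted TOML strings, and key and certificate locations must be absolute paths. It parses only the [section] / key = 'value' subset the agent drop-ins use; the file names, values and the temporary directory it writes are constructed for the example.

```python
import os
import re
import tempfile
from typing import Dict, List, Tuple

# Subset of TOML used by the agent drop-ins: "[section]" headers and "key = 'value'" lines.
SECTION_RE = re.compile(r"^\[(\w+)\]$")
KV_RE = re.compile(r"^(\w+)\s*=\s*(.*)$")

# Options the agent only accepts as absolute paths.
PATH_OPTIONS = ("server_key", "server_cert", "trusted_client_ca")


def parse_dropin(text: str) -> Dict[Tuple[str, str], str]:
    """Parse one drop-in file into {(section, key): value}.

    Raises ValueError for a value that is not a quoted TOML string, which is the
    INI-style mistake the agent configuration does not accept.
    """
    values: Dict[Tuple[str, str], str] = {}
    section = None
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = SECTION_RE.match(line)
        if m:
            section = m.group(1)
            continue
        m = KV_RE.match(line)
        if m is None or section is None:
            raise ValueError(f"line {lineno}: cannot parse {raw!r}")
        key, value = m.group(1), m.group(2).strip()
        quoted = len(value) >= 2 and value[0] == value[-1] and value[0] in ("'", '"')
        if not quoted:
            raise ValueError(f"line {lineno}: {key} must be a quoted TOML string, got {value!r}")
        values[(section, key)] = value[1:-1]
    return values


def merge_dropins(dropin_dir: str):
    """Read every *.conf file in lexicographic order; the last value read wins.

    Returns (merged values, the file each final value came from).
    """
    merged: Dict[Tuple[str, str], str] = {}
    origin: Dict[Tuple[str, str], str] = {}
    for name in sorted(os.listdir(dropin_dir)):
        if not name.endswith(".conf"):
            continue
        with open(os.path.join(dropin_dir, name), encoding="utf-8") as fh:
            for key, value in parse_dropin(fh.read()).items():
                merged[key] = value
                origin[key] = name
    return merged, origin


def check_paths(merged: Dict[Tuple[str, str], str]) -> List[str]:
    """Flag key/certificate options given as relative paths (the agent rejects them)."""
    problems = []
    for key in PATH_OPTIONS:
        value = merged.get(("agent", key))
        if value is not None and not value.startswith("/"):
            problems.append(f"{key} = {value!r} is not an absolute path")
    return problems


def rejects_unquoted(text: str) -> bool:
    """True if the parser rejects the given drop-in text because of an unquoted value."""
    try:
        parse_dropin(text)
    except ValueError:
        return True
    return False


# Constructed drop-in files: two files share the "00-" prefix, a later "10-" file
# overrides the port, and one certificate path is deliberately relative.
SAMPLE_FILES = {
    "00-agent-ip.conf": "[agent]\nip = '10.0.0.5'\nport = '9002'\n",
    "00-keys-and-certs.conf": "[agent]\nserver_key = 'certs/server.key'\nserver_cert = '/etc/keylime/server.crt'\n",
    "10-port-override.conf": "[agent]\nport = '9102'\n",
    "README": "not a .conf file; ignored by the merge\n",
}


def demo():
    """Write the sample files to a temporary drop-in directory and merge them."""
    with tempfile.TemporaryDirectory() as dropin_dir:
        for name, content in SAMPLE_FILES.items():
            with open(os.path.join(dropin_dir, name), "w", encoding="utf-8") as fh:
                fh.write(content)
        merged, origin = merge_dropins(dropin_dir)
    return merged, origin, check_paths(merged)


if __name__ == "__main__":
    merged, origin, problems = demo()
    for (section, key), value in sorted(merged.items()):
        print(f"[{section}] {key} = {value!r}   (from {origin[(section, key)]})")
    for problem in problems:
        print("problem:", problem)
```

The origin map is the useful part in practice: when the effective port is not the one you expected, it names the drop-in that set it last. To run it against a real system, point merge_dropins() at /etc/keylime/agent.conf.d/ instead of the temporary directory.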
Prerequisites
- You have root permissions to the monitored system.
- The monitored system has a Trusted Platform Module (TPM).
  Note: To verify, enter the tpm2_pcrread command. If the output returns several hashes, a TPM is available.
- You have network access to the systems where the other Keylime components are configured:
  - Verifier: for more information, see Section 8.2, "Configuring Keylime verifier".
  - Registrar: for more information, see Section 8.3, "Configuring Keylime registrar".
  - Tenant: for more information, see Section 8.4, "Configuring Keylime tenant".
- Integrity measurement architecture (IMA) is enabled on the monitored system. For more information, see Enabling integrity measurement architecture and extended verification module.
Procedure
1. Install the Keylime agent:

      # dnf install keylime-agent

   This command installs the keylime-agent-rust package.
2. Define the agent's IP address and port in the configuration files. Create a new .conf file in the /etc/keylime/agent.conf.d/ directory, for example, /etc/keylime/agent.conf.d/00-agent-ip.conf, with the following content:

      [agent]
      ip = '<agent_IP_address>'

   Note: Because the Keylime agent configuration uses the TOML format, which is different from the INI format used for the configuration of the other components, the values must be in single quotation marks.
   - Replace <agent_IP_address> with the agent's IP address. Alternatively, use ip = '*' or ip = '0.0.0.0' to bind the agent to all available IP addresses.
   - Optionally, you can also change the agent's port from the default value 9002 by using the port = '<agent_port>' option.
3. Define the registrar's IP address and port in the configuration files. Create a new .conf file in the /etc/keylime/agent.conf.d/ directory, for example, /etc/keylime/agent.conf.d/00-registrar-ip.conf, with the following content:

      [agent]
      registrar_ip = '<registrar_IP_address>'

   - Replace <registrar_IP_address> with the registrar's IP address.
   - Optionally, you can also change the registrar's port from the default value 8890 by using the registrar_port = '<registrar_port>' option.
4. Optional: Define the agent's universally unique identifier (UUID). If it is not defined, the default UUID is used. Create a new .conf file in the /etc/keylime/agent.conf.d/ directory, for example, /etc/keylime/agent.conf.d/00-agent-uuid.conf, with the following content:

      [agent]
      uuid = '<agent_UUID>'

   - Replace <agent_UUID> with the agent's UUID, for example d432fbb3-d2f1-4a97-9ef7-abcdef012345. You can use the uuidgen utility to generate a UUID.
5. Optional: Load existing keys and certificates for the agent. If the agent receives no server_key and server_cert, it generates its own key and a self-signed certificate.

   Important: Do not use certificate chains. Keylime currently does not correctly use all the provided certificates during signature verification, which results in a TLS handshake failure. For more information, see RHEL-396.

   Define the location of the keys and certificates in the configuration. Create a new .conf file in the /etc/keylime/agent.conf.d/ directory, for example, /etc/keylime/agent.conf.d/00-keys-and-certs.conf, with the following content:

      [agent]
      server_key = '</path/to/server_key>'
      server_key_password = '<passphrase1>'
      server_cert = '</path/to/server_cert>'
      trusted_client_ca = '</path/to/ca/cert>'

   Note: Use absolute paths to define key and certificate locations. The Keylime agent does not accept relative paths.
6. Open the port in the firewall:

      # firewall-cmd --add-port 9002/tcp
      # firewall-cmd --runtime-to-permanent

   If you use a different port, replace 9002 with the port number defined in the .conf file.
7. Enable and start the keylime_agent service:

      # systemctl enable --now keylime_agent
8. Optional: From the system where the Keylime tenant is configured, verify that the agent is correctly configured and can connect to the registrar:

      # keylime_tenant -c regstatus --uuid <agent_uuid>
      Reading configuration from ['/etc/keylime/logging.conf']
      ...
      ==\n-----END CERTIFICATE-----\n", "ip": "127.0.0.1", "port": 9002, "regcount": 1, "operational_state": "Registered"}}}

   Replace <agent_uuid> with the agent's UUID. If the registrar and agent are correctly configured, the output displays the agent's IP address and port, followed by "operational_state": "Registered".
9. Create a new IMA policy by entering the following content into the /etc/ima/ima-policy file:

      # PROC_SUPER_MAGIC
      dont_measure fsmagic=0x9fa0
      # SYSFS_MAGIC
      dont_measure fsmagic=0x62656572
      # DEBUGFS_MAGIC
      dont_measure fsmagic=0x64626720
      # TMPFS_MAGIC
      dont_measure fsmagic=0x01021994
      # RAMFS_MAGIC
      dont_measure fsmagic=0x858458f6
      # SECURITYFS_MAGIC
      dont_measure fsmagic=0x73636673
      # SELINUX_MAGIC
      dont_measure fsmagic=0xf97cff8c
      # CGROUP_SUPER_MAGIC
      dont_measure fsmagic=0x27e0eb
      # OVERLAYFS_MAGIC
      dont_measure fsmagic=0x794c7630
      # Don't measure log, audit or tmp files
      dont_measure obj_type=var_log_t
      dont_measure obj_type=auditd_log_t
      dont_measure obj_type=tmp_t
      # MEASUREMENTS
      measure func=BPRM_CHECK
      measure func=FILE_MMAP mask=MAY_EXEC
      measure func=MODULE_CHECK uid=0

10. Reboot the system to apply the new IMA policy.
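The order of the rules in the IMA policy above matters: the kernel walks the rules top to bottom and the first rule whose conditions all match decides whether a file is measured, which is why the dont_measure rules for pseudo-filesystems and for log, audit and tmp files come before the measure rules. The following Python script, added here as an example and not part of this documentation, of the Keylime project or of the kernel, loads that policy and applies the first-match evaluation to a handful of constructed file-access events (an exec of a normal binary, an exec under /tmp, an exec on tmpfs, two mmap calls and two module loads). It models only the rule options the policy uses (fsmagic, obj_type, func, mask, uid); the filesystem magic numbers and SELinux types in the sample events are constructed for the example and do not come from this page.

```python
from typing import Dict, List, Tuple

# A rule is (action, {option: value}); only the options used in the policy above are modelled.
Rule = Tuple[str, Dict[str, str]]

# Copy of the IMA policy from the procedure above, embedded so the example runs offline.
IMA_POLICY = """\
# PROC_SUPER_MAGIC
dont_measure fsmagic=0x9fa0
# SYSFS_MAGIC
dont_measure fsmagic=0x62656572
# DEBUGFS_MAGIC
dont_measure fsmagic=0x64626720
# TMPFS_MAGIC
dont_measure fsmagic=0x01021994
# RAMFS_MAGIC
dont_measure fsmagic=0x858458f6
# SECURITYFS_MAGIC
dont_measure fsmagic=0x73636673
# SELINUX_MAGIC
dont_measure fsmagic=0xf97cff8c
# CGROUP_SUPER_MAGIC
dont_measure fsmagic=0x27e0eb
# OVERLAYFS_MAGIC
dont_measure fsmagic=0x794c7630
# Don't measure log, audit or tmp files
dont_measure obj_type=var_log_t
dont_measure obj_type=auditd_log_t
dont_measure obj_type=tmp_t
# MEASUREMENTS
measure func=BPRM_CHECK
measure func=FILE_MMAP mask=MAY_EXEC
measure func=MODULE_CHECK uid=0
"""


def load_policy(text: str) -> List[Rule]:
    """Parse policy lines of the form 'action option=value ...'; '#' lines are comments."""
    rules: List[Rule] = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        action, *conds = line.split()
        if action not in ("measure", "dont_measure"):
            raise ValueError(f"unsupported action in rule: {line!r}")
        conditions: Dict[str, str] = {}
        for cond in conds:
            key, sep, value = cond.partition("=")
            if not sep:
                raise ValueError(f"malformed condition {cond!r} in rule {line!r}")
            conditions[key] = value
        rules.append((action, conditions))
    return rules


def rule_matches(conditions: Dict[str, str], event: dict) -> bool:
    """A rule matches only if every option it names matches the event; absent options match anything."""
    for key, want in conditions.items():
        have = event.get(key)
        if key == "fsmagic":
            if have != int(want, 16):
                return False
        elif key == "uid":
            if have != int(want):
                return False
        elif have != want:
            return False
    return True


def decide(rules: List[Rule], event: dict) -> Tuple[str, int]:
    """First matching rule decides. Returns (action, rule index), or ('no_rule', -1) if none matches."""
    for index, (action, conditions) in enumerate(rules):
        if rule_matches(conditions, event):
            return action, index
    return "no_rule", -1


# Constructed sample events. 0xEF53 is the ext4 superblock magic (not excluded by any
# fsmagic rule); 0x01021994 is TMPFS_MAGIC from the policy itself.
EXT4_SUPER_MAGIC = 0xEF53
TMPFS_MAGIC = 0x01021994
SAMPLE_EVENTS = {
    "exec /usr/bin/ls as a regular user": {"func": "BPRM_CHECK", "fsmagic": EXT4_SUPER_MAGIC, "obj_type": "bin_t", "mask": "MAY_EXEC", "uid": 1000},
    "exec a script under /tmp (tmp_t)": {"func": "BPRM_CHECK", "fsmagic": EXT4_SUPER_MAGIC, "obj_type": "tmp_t", "mask": "MAY_EXEC", "uid": 1000},
    "exec a file on tmpfs": {"func": "BPRM_CHECK", "fsmagic": TMPFS_MAGIC, "obj_type": "tmpfs_t", "mask": "MAY_EXEC", "uid": 1000},
    "mmap a shared library executable": {"func": "FILE_MMAP", "fsmagic": EXT4_SUPER_MAGIC, "obj_type": "lib_t", "mask": "MAY_EXEC", "uid": 1000},
    "mmap a data file read-only": {"func": "FILE_MMAP", "fsmagic": EXT4_SUPER_MAGIC, "obj_type": "usr_t", "mask": "MAY_READ", "uid": 1000},
    "root loads a kernel module": {"func": "MODULE_CHECK", "fsmagic": EXT4_SUPER_MAGIC, "obj_type": "modules_object_t", "mask": "MAY_READ", "uid": 0},
    "non-root module load attempt": {"func": "MODULE_CHECK", "fsmagic": EXT4_SUPER_MAGIC, "obj_type": "modules_object_t", "mask": "MAY_READ", "uid": 1000},
}


def run_samples() -> Dict[str, Tuple[str, int]]:
    """Evaluate every sample event against the policy."""
    rules = load_policy(IMA_POLICY)
    return {name: decide(rules, event) for name, event in SAMPLE_EVENTS.items()}


if __name__ == "__main__":
    for name, (action, index) in run_samples().items():
        where = f"rule {index}" if index >= 0 else "no matching rule"
        print(f"{name:40s} -> {action:12s} ({where})")
```

Two results are worth noting for anyone editing the policy: the exec under /tmp is never measured because the dont_measure obj_type=tmp_t rule precedes measure func=BPRM_CHECK, and a read-only mmap is not measured because no rule matches it at all, so the measurement list stays limited to executable content. Moving a measure rule above the exclusions would change the first outcome, which the script makes visible before the policy is installed and the system rebooted.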
Verification
- Verify that the agent is running:

      # systemctl status keylime_agent
      ● keylime_agent.service - The Keylime compute agent
         Loaded: loaded (/usr/lib/systemd/system/keylime_agent.service; enabled; preset: disabled)
         Active: active (running) since ...
Next steps
After the agent is configured on all systems you want to monitor, you can deploy Keylime to perform one or both of the following functions:

Additional resources