8.6. Deploying Keylime for runtime monitoring
To verify that the state of monitored systems is correct, the Keylime agent must be running on the monitored systems.
Because Keylime runtime monitoring uses integrity measurement architecture (IMA) to measure large numbers of files, it might have a significant impact on the performance of your system.
When provisioning the agent, you can also define a file that Keylime sends to the monitored system. Keylime encrypts the file sent to the agent, and decrypts it only if the agent’s system complies with the TPM policy and with the IMA allowlist.
You can make Keylime ignore changes of specific files or within specific directories by configuring a Keylime excludelist.
Conditions préalables
You have network access to the systems where the Keylime components are configured:
- Verifier
- For more information, see Section 8.2, « Configuring Keylime verifier ».
- Registrar
- For more information, see Section 8.3, « Configuring Keylime registrar ».
- Tenant
- For more information, see Section 8.4, « Configuring Keylime tenant ».
- Agent
- For more information, see Section 8.5, « Configuring Keylime agent ».
Procédure
On the monitored system where the Keylime agent is configured and running, generate an allowlist from the current state of the system:
# /usr/share/keylime/scripts/create_allowlist.sh -o <allowlist.txt> -h sha256sum
Replace
<allowlist.txt>
with the file name of the allowlist.ImportantUse the SHA-256 hash function. SHA-1 is not secure and has been deprecated in RHEL 9. For additional information, see SHA-1 deprecation in Red Hat Enterprise Linux 9.
Copy the generated allowlist to the system where the
keylime_tenant
utility is configured, for example:# scp allowlist.txt root@<tenant_._ip>:/root/allowlist.txt
Optional: You can define a list of files or directories excluded from Keylime measurements by creating a file on the tenant system and entering the files and directories to exclude. The excludelist accepts Python regular expressions with one regular expression per line. For more information, see Regular expression operations at docs.python.org. For example, to exclude all files in the
/tmp/
directory from Keylime measurements, create a/root/excludelist.txt
file with the following content:/tmp/.*
Save the excludelist on the tenant system.
On the system where the Keylime tenant is configured, provision the agent by using the
keylime_tenant
utility:# keylime_tenant -c add -t <agent_ip> -u <agent_uuid> --allowlist <allowlist.txt> --exclude <excludelist> --cert default
-
Replace
<agent_ip>
with the agent’s IP address. -
Replace
<agent_uuid>
with the agent’s UUID. -
Replace
<allowlist.txt>
with the path to the allowlist file. -
Replace
<excludelist>
with the path to the excludelist file. The--exclude
option is optional; provisioning the agent works even without delivering a file. With the
--cert
option, the tenant generates and signs a certificate for the agent by using the CA certificates and keys located in the specified directory, or the default/var/lib/keylime/ca/
directory. If the directory contains no CA certificates and keys, the tenant will generate them automatically according to the configuration in the/etc/keylime/ca.conf
file and save them to the specified directory. The tenant then sends these keys and certificates to the agent.When generating CA certificates or signing agent certificates, you may be prompted for the password to access the CA private key:
Please enter the password to decrypt your keystore:
.If you do not want to use a certificate, use the
-f
option instead for delivering a file to the agent. Provisioning an agent requires sending any file, even an empty file.NoteKeylime encrypts the file sent to the agent, and decrypts it only if the agent’s system complies with the TPM policy and the IMA allowlist. By default, Keylime decompresses
.zip
files.
As an example, with the following command,
keylime_tenant
provisions a new Keylime agent at127.0.0.1
with UUIDd432fbb3-d2f1-4a97-9ef7-75bd81c00000
and loads an allowlist namedallowlist.txt
. It also generates a certificate into the default directory and sends it to the agent. Keylime decrypts the file only if the TPM policy configured in/etc/keylime/verifier.conf
is satisfied:# keylime_tenant -c add -t 127.0.0.1 -u d432fbb3-d2f1-4a97-9ef7-75bd81c00000 -cert default --allowlist allowlist.txt --exclude excludelist.txt
NoteYou can stop Keylime from monitoring a node by using the
# keylime_tenant -c delete -u <agent_uuid>
command.You can modify the configuration of an already registered agent by using the
keylime_tenant -c update
command.-
Replace
Vérification
- Optional: Reboot the monitored system before verification to verify that the settings are persistent.
Verify a successful attestation of the agent:
# keylime_tenant -c cvstatus -u <agent.uuid> ... {"<agent.uuid>": {"operational_state": "Get Quote"..."attestation_count": 5 ...
Replace
<agent.uuid>
with the agent’s UUID.If the value of
operational_state
isGet Quote
andattestation_count
is non-zero, the attestation of this agent is successful.If the value of
operational_state
isInvalid Quote
orFailed
attestation fails, the command displays output similar to the following:{"<agent.uuid>": {"operational_state": "Invalid Quote", ... "ima.validation.ima-ng.not_in_allowlist", "attestation_count": 5, "last_received_quote": 1684150329, "last_successful_attestation": 1684150327}}
If the attestation fails, display more details in the verifier log:
# journalctl -u keylime_verifier keylime.tpm - INFO - Checking IMA measurement list... keylime.ima - WARNING - File not found in allowlist: /root/bad-script.sh keylime.ima - ERROR - IMA ERRORS: template-hash 0 fnf 1 hash 0 good 781 keylime.cloudverifier - WARNING - agent D432FBB3-D2F1-4A97-9EF7-75BD81C00000 failed, stopping polling
Ressources supplémentaires
- For more information about IMA, see Enhancing security with the kernel integrity subsystem.