
Chapter 26. Extending, customizing, and troubleshooting kernel integrity subsystem


Extend, customize, and troubleshoot the kernel integrity subsystem to meet specific security requirements in different operational environments.

26.1. Generate good reference values for IMA appraisal

Before you deploy an Integrity Measurement Architecture (IMA) policy that includes IMA-appraisal rules, ensure that all files governed by these rules have valid reference values stored in the security.ima extended attribute. If these reference values are missing, IMA might prevent the system from booting properly or deny access to files.

# ima-appraise-file </path/to/file>

26.1.1. Adding IMA signatures as good references for immutable files

To support integrity verification, you can use IMA signatures as trusted reference values for immutable files. This approach helps ensure that only files with valid signatures are accessed, which strengthens system security and compliance.

Prerequisites

  • You have created an IMA policy that includes IMA-appraisal rules.

Procedure

  1. Install the rpm-plugin-ima package:

    $ sudo dnf install rpm-plugin-ima -yq

    The plugin writes the IMA file signature that a package carries into the security.ima extended attribute of each installed file, during package installation, reinstallation, and upgrade. Only packages that ship IMA file signatures, such as the Red Hat packages verified below, carry them.

  2. Reinstall all packages, so that files installed before the plugin was present also receive their signatures in security.ima:

    $ sudo dnf reinstall "*" -y

  3. Rebuild the initial RAM disk so that the dracut integrity module loads the Red Hat IMA code signing certificate from /etc/keys/ima into the .ima keyring on boot:

    $ sudo dracut -f

Verification

  • Verify that the signature is correctly stored in the security.ima extended attribute and verifies against the Red Hat IMA release certificate:

    # evmctl ima_verify -k /etc/keys/ima/redhatimarelease-10.der /usr/lib/systemd/systemd
    keyid d3320449 (from /etc/keys/ima/redhatimarelease-10.der)
    key 1: d3320449 /etc/keys/ima/redhatimarelease-10.der
    /usr/lib/systemd/systemd: verification is OK
    # evmctl ima_verify -k /etc/keys/ima/redhatimarelease-10.der /bin/bash
    keyid d3320449 (from /etc/keys/ima/redhatimarelease-10.der)
    key 1: d3320449 /etc/keys/ima/redhatimarelease-10.der
    /bin/bash: verification is OK
    ...

26.1.2. Generating good reference values for mutable files

To maintain integrity for files that might change over time, generate and update reference values as needed. This ensures that the system accurately verifies the authenticity of mutable files and prevents unauthorized modifications.

Prerequisites

  • You have root privileges on the system.
  • You have created an IMA policy that includes IMA-appraisal rules.
  • You have added IMA signatures as good references for immutable files (see the previous procedure), so that only files without a signature still need a hash reference value.
  • Secure Boot is disabled. With Secure Boot enabled, the kernel ignores the ima_appraise=fix parameter used below.

Procedure

  1. Optional: Enable a built-in IMA-appraisal policy, or skip this step if you use only your custom policy. Taking the built-in ima_policy=appraise_tcb as an example:

    # grubby --update-kernel=/boot/vmlinuz-$(uname -r) --args="ima_policy=appraise_tcb"
    • Additionally for s390x systems:

      # zipl
  2. Enable IMA-appraisal fix mode by adding the ima_appraise=fix kernel command line parameter. In fix mode, IMA does not deny access to a file that fails appraisal; instead, when the file is accessed, it writes the file's current hash into security.ima (unless the file already carries a signature). This is what creates the reference values. Fix mode writes hashes only, so it cannot satisfy rules with appraise_type=imasig, which require signed files:

    # grubby --update-kernel=/boot/vmlinuz-$(uname -r) --args="ima_appraise=fix"
    • Additionally for s390x systems:

      # zipl
  3. Reboot the system:

    # reboot
  4. Optional: Load your custom IMA policy:

    # echo <path_to_your_custom_ima_policy> > /sys/kernel/security/ima/policy
  5. Re-label the whole system by opening every root-owned regular file, so that fix mode stores a reference value for each file that an appraise rule matches:

    # find / -fstype xfs -type f -uid 0 -exec head -c 0 '{}' \;

    The command covers files on XFS, the default RHEL file system. Adjust -fstype, or add further -fstype clauses, if some of your file systems are of another type, and adjust -uid if your policy appraises files that are not owned by root.
  6. Turn off IMA-appraisal fix mode by removing the ima_appraise=fix kernel command line parameter:

    # grubby --update-kernel=/boot/vmlinuz-$(uname -r) --remove-args="ima_appraise=fix"
    • Additionally for s390x systems:

      # zipl
  7. Re-enable Secure Boot if you disabled it, and reboot so that the system runs with fix mode off.
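Before you turn off fix mode, it is worth confirming that the re-labeling step actually reached every file your policy will appraise, because a file that still has no security.ima value is denied once enforcement starts. The following Python script is an added example, not part of the Red Hat documentation, that walks a directory tree and groups root-owned regular files by the kind of reference value found in security.ima (missing, hash, or signature), using the xattr type byte defined in the kernel. It assumes a Linux system on which Python's os.getxattr is available; the demo() function runs it on a constructed temporary tree, where the freshly created file is necessarily reported as missing.

```python
"""Group regular files by the kind of reference value stored in security.ima.

Added example (not from the Red Hat documentation): a pre-flight check to run
after the re-labeling step and before removing ima_appraise=fix.
"""
import errno
import os
import stat
import tempfile

# First byte of security.ima: enum evm_ima_xattr_type in the kernel's
# security/integrity/integrity.h (subset of values that occur in security.ima)
XATTR_TYPES = {
    0x01: "hash (legacy sha1)",    # IMA_XATTR_DIGEST
    0x03: "signature",             # EVM_IMA_XATTR_DIGSIG
    0x04: "hash",                  # IMA_XATTR_DIGEST_NG
    0x06: "fs-verity signature",   # IMA_VERITY_DIGSIG
}
# Pseudo file systems that an IMA policy normally excludes (dont_appraise fsmagic=...)
SKIP_DIRS = {"/proc", "/sys", "/dev", "/run"}


def ima_status(path):
    """Classify one file by its security.ima extended attribute."""
    try:
        value = os.getxattr(path, "security.ima", follow_symlinks=False)
    except OSError as exc:
        if exc.errno == errno.ENODATA:
            return "missing"          # no reference value at all
        if exc.errno == errno.ENOTSUP:
            return "unsupported"      # file system has no xattr support
        raise
    if not value:
        return "empty"
    return XATTR_TYPES.get(value[0], f"unknown type 0x{value[0]:02x}")


def scan(root, owner_uid=0):
    """Walk root and return {status: [paths]} for regular files owned by owner_uid.

    owner_uid=0 mirrors the 'appraise fowner=0' rule of ima_policy=appraise_tcb;
    widen it if your policy appraises other owners. Symbolic links are skipped.
    """
    report = {}
    for dirpath, dirnames, filenames in os.walk(root):
        dirnames[:] = [d for d in dirnames
                       if os.path.join(dirpath, d) not in SKIP_DIRS]
        for name in filenames:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)
            except OSError:
                continue
            if not stat.S_ISREG(st.st_mode) or st.st_uid != owner_uid:
                continue
            report.setdefault(ima_status(path), []).append(path)
    return report


def demo():
    """Run scan() on a constructed temporary tree: one fresh file, owned by us."""
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "bin")
        with open(path, "wb") as fh:
            fh.write(b"#!/bin/sh\necho hello\n")   # constructed sample file
        return scan(tmp, owner_uid=os.getuid())


if __name__ == "__main__":
    import sys
    root = sys.argv[1] if len(sys.argv) > 1 else "/"
    for status, paths in sorted(scan(root).items()):
        print(f"{status}: {len(paths)} file(s)")
        if status in ("missing", "empty"):
            print("\n".join(f"  {p}" for p in paths[:20]))
```

Run it as root on the mount point you re-labeled; anything listed under "missing" will fail appraisal under a hash-based rule, and files listed under "hash" will still fail under a rule with appraise_type=imasig.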

26.2. Writing custom IMA policy

If the built-in IMA policies that you enable with kernel command line parameters, such as ima_policy=tcb or ima_policy=critical_data, or the sample policies in /usr/share/ima/policies/ do not meet your requirements, you can create custom IMA policy rules. When systemd loads a policy from /etc/ima/ima-policy, it replaces the built-in IMA policy.

Warning

If your policy includes IMA-appraisal rules, generate good reference values before you deploy it. If it does not, you can test the draft policy at runtime by running echo /PATH-TO-YOUR-DRAFT-IMA-POLICY > /sys/kernel/security/integrity/ima/policy: a rule that the kernel rejects fails here with an "ima: policy update failed" message instead of breaking the next boot, when systemd loads /etc/ima/ima-policy early during startup.

See Generate good reference values for IMA appraisal.

Procedure

  • Review the rule format and an example policy.

    An IMA policy rule uses the format action [condition …​] to specify an action that is triggered under certain conditions. For example, the sample policy in /usr/share/ima/policies/01-appraise-executable-and-lib-signatures includes the following rules:

    # Skip some unsupported filesystems
    # For a list of these filesystems, see
    # https://www.kernel.org/doc/Documentation/ABI/testing/ima_policy
    # PROC_SUPER_MAGIC
    dont_appraise fsmagic=0x9fa0
    …
    appraise func=BPRM_CHECK appraise_type=imasig

    The first rule, dont_appraise fsmagic=0x9fa0, instructs IMA to skip appraising files in the PROC_SUPER_MAGIC filesystem. The last rule, appraise func=BPRM_CHECK appraise_type=imasig, enforces signature verification when a file is executed.
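The rule format is easy to get subtly wrong, and the kernel rejects the whole policy update at the first bad rule. The following Python script is an added example, not part of the Red Hat documentation or of the kernel, that checks a draft policy offline against the rule grammar and the cross-condition constraints that the kernel's policy parser applies: unknown actions or conditions, duplicate conditions, fsmagic values that are not hexadecimal, appraise_type on a non-appraise rule, pcr= and template= outside measure rules, and keyrings= or label= used with the wrong func. The vocabulary tables are an assumed subset of Documentation/ABI/testing/ima_policy; extend them if your kernel accepts more. SAMPLE_POLICY is constructed for the example and mixes the two rules quoted above with deliberately broken ones.

```python
"""Offline sanity check of a draft IMA policy before the kernel sees it.

Added example (not from the Red Hat documentation or the kernel).
"""
import re
import sys

ACTIONS = {"measure", "dont_measure", "appraise", "dont_appraise", "audit",
           "hash", "dont_hash"}
FUNCS = {"FILE_CHECK", "MMAP_CHECK", "MMAP_CHECK_REQPROT", "BPRM_CHECK",
         "CREDS_CHECK", "MODULE_CHECK", "FIRMWARE_CHECK", "KEXEC_KERNEL_CHECK",
         "KEXEC_INITRAMFS_CHECK", "POLICY_CHECK", "KEXEC_CMDLINE", "KEY_CHECK",
         "CRITICAL_DATA", "SETXATTR_CHECK"}
MASKS = {"MAY_READ", "MAY_WRITE", "MAY_EXEC", "MAY_APPEND"}
APPRAISE_TYPES = {"imasig", "imasig|modsig", "sigv3"}
ID_KEYS = {"uid", "euid", "gid", "egid", "fowner", "fgroup"}   # accept =, < and >
VALUE_KEYS = ID_KEYS | {"func", "mask", "fsmagic", "fsname", "fsuuid", "obj_user",
                        "obj_role", "obj_type", "subj_user", "subj_role",
                        "subj_type", "appraise_type", "appraise_algos",
                        "template", "keyrings", "label", "pcr", "digest_type"}
FLAG_KEYS = {"permit_directio"}                                  # takes no value
TOKEN = re.compile(r"^([a-z_]+)(?:([=<>])(.*))?$")


def check_rule(rule):
    """Return [(level, message)] for one rule line.

    'error' mirrors a case in which the kernel parser returns -EINVAL,
    'warning' is advice; an empty list means the rule passed every check here.
    """
    tokens = rule.split()
    if not tokens:
        return [("error", "empty rule")]
    action = tokens[0]
    if action not in ACTIONS:
        return [("error", f"unknown action '{action}'")]
    problems, seen, conds = [], set(), {}
    for tok in tokens[1:]:
        m = TOKEN.match(tok)
        if not m:
            problems.append(("error", f"malformed condition '{tok}'"))
            continue
        key, op, value = m.groups()
        if key in seen:
            problems.append(("error", f"duplicate condition '{key}'"))
        seen.add(key)
        if op is None:
            if key not in FLAG_KEYS:
                problems.append(("error", f"'{key}' requires a value"))
            continue
        if key not in VALUE_KEYS:
            problems.append(("error", f"unknown condition '{key}'"))
            continue
        if op != "=" and key not in ID_KEYS:
            problems.append(("error", f"operator '{op}' is not valid for '{key}'"))
        conds[key] = value
        if ((key == "func" and value not in FUNCS)
                or (key == "mask" and value.lstrip("^") not in MASKS)
                or (key == "appraise_type" and value not in APPRAISE_TYPES)
                or (key in ID_KEYS | {"pcr"} and not value.isdigit())
                or (key == "fsmagic" and not re.fullmatch(r"(0x)?[0-9a-fA-F]+", value))):
            problems.append(("error", f"invalid value '{value}' for '{key}'"))
    func = conds.get("func")
    # cross-checks the kernel applies after tokenizing the rule
    if action != "appraise" and "appraise_type" in conds:
        problems.append(("error", "appraise_type is only valid in appraise rules"))
    if action != "measure" and ("pcr" in conds or "template" in conds):
        problems.append(("error", "pcr= and template= are only valid in measure rules"))
    if "keyrings" in conds and func != "KEY_CHECK":
        problems.append(("error", "keyrings= requires func=KEY_CHECK"))
    if "label" in conds and func != "CRITICAL_DATA":
        problems.append(("error", "label= requires func=CRITICAL_DATA"))
    if func in ("KEY_CHECK", "CRITICAL_DATA") and action not in ("measure", "dont_measure"):
        problems.append(("error", f"func={func} only supports measure/dont_measure"))
    if not problems and action == "appraise" and "appraise_type" not in conds:
        problems.append(("warning", "no appraise_type: a hash-only security.ima "
                                    "reference value is accepted for these files"))
    return problems


def check_policy(text):
    """Return [(line_number, level, message)] for a whole policy file.

    Like the kernel, only lines whose first non-blank character is '#' are
    comments; a trailing '# ...' on a rule line is a parse error.
    """
    findings = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        findings.extend((lineno, level, msg) for level, msg in check_rule(line))
    return findings


# Constructed sample: the two rules quoted above plus deliberately broken ones.
SAMPLE_POLICY = """\
# PROC_SUPER_MAGIC
dont_appraise fsmagic=0x9fa0
appraise func=BPRM_CHECK appraise_type=imasig
measure func=BPRM_CHECK pcr=10 template=ima-sig
measure func=KEY_CHECK keyrings=.ima|.evm
apraise func=BPRM_CHECK
appraise func=FILE_CHECK mask=MAY_EXEC mask=MAY_READ
dont_appraise fsmagic=PROC
appraise func=FILE_CHECK fowner=0
measure func=CRITICAL_DATA label=selinux
"""

if __name__ == "__main__":
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_POLICY
    findings = check_policy(text)
    for lineno, level, msg in findings:
        print(f"line {lineno}: {level}: {msg}")
    sys.exit(1 if any(level == "error" for _, level, _ in findings) else 0)
```

The exit status makes the script usable as a gate in whatever pipeline produces /etc/ima/ima-policy; the warning on appraise rules without appraise_type is deliberate, because such rules silently accept the hash-only reference values that fix mode generates, which is weaker than requiring a signature.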

26.3. Creating custom IMA keys by using OpenSSL

Use OpenSSL to create a custom IMA certificate authority (CA) key and a code signing key issued by that CA. You then use the code signing key to sign IMA policies and package files, and load its certificate into the .ima keyring.

The kernel looks up the code signing key in the .ima keyring when it verifies an IMA signature. The kernel only accepts a key into the .ima keyring if its certificate was signed by a CA key that is already present in the .builtin_trusted_keys or .secondary_trusted_keys keyring, so your custom IMA CA must be trusted there before you can add the code signing key.

Prerequisites

  • The custom IMA CA key has the following extensions:

    • The basicConstraints extension with the CA boolean asserted.
    • The keyUsage extension with the keyCertSign bit asserted and the digitalSignature bit not asserted.
  • The custom IMA code signing key meets the following criteria:

    • The IMA CA key signed this custom IMA code signing key.
    • The custom key includes the subjectKeyIdentifier extension.
  • UEFI Secure Boot on x86_64 or aarch64 systems or PowerVM Secure Boot on ppc64le systems is enabled.

Procedure

  1. To generate a custom IMA CA key pair, run:

    # openssl req -new -x509 -utf8 -sha256 -days 3650 -batch -config ima_ca.conf -outform DER -out custom_ima_ca.der -keyout custom_ima_ca.priv
  2. Optional: To check the content of the ima_ca.conf file, run:

    # cat ima_ca.conf
    [ req ]
    default_bits = 2048
    distinguished_name = req_distinguished_name
    prompt = no
    string_mask = utf8only
    x509_extensions = ca
    
    [ req_distinguished_name ]
    O = YOUR_ORG
    CN =  YOUR_COMMON_NAME IMA CA
    emailAddress = YOUR_EMAIL
    
    [ ca ]
    basicConstraints=critical,CA:TRUE
    subjectKeyIdentifier=hash
    authorityKeyIdentifier=keyid:always,issuer
    keyUsage=critical,keyCertSign,cRLSign
  3. To generate a private key and a certificate signing request (CSR) for the IMA code signing key, run:

    # openssl req -new -utf8 -sha256 -days 365 -batch -config ima.conf -out custom_ima.csr -keyout custom_ima.priv
  4. Optional: To check the content of the ima.conf file, run:

    # cat ima.conf
    [ req ]
    default_bits = 2048
    distinguished_name = req_distinguished_name
    prompt = no
    string_mask = utf8only
    x509_extensions = code_signing
    
    [ req_distinguished_name ]
    O = YOUR_ORG
    CN = YOUR_COMMON_NAME IMA signing key
    emailAddress = YOUR_EMAIL
    
    [ code_signing ]
    basicConstraints=critical,CA:FALSE
    keyUsage=digitalSignature
    subjectKeyIdentifier=hash
    authorityKeyIdentifier=keyid:always,issuer
  5. Use the IMA CA private key to sign the CSR to create the IMA code signing certificate:

    # openssl x509 -req -in custom_ima.csr -days 365 -extfile ima.conf -extensions code_signing -CA custom_ima_ca.der -CAkey custom_ima_ca.priv -CAcreateserial -outform DER -out ima.der

26.4. Loading an IMA policy signed by your custom IMA key

To maintain your system integrity and meet the security requirements for your organization, you can load an Integrity Measurement Architecture (IMA) policy that is signed with your own custom IMA key. This approach ensures that only trusted, authenticated policies are applied during system startup or runtime.

Note

This procedure applies only to x86_64 and aarch64 systems with UEFI Secure Boot enabled, and to ppc64le systems running PowerVM Secure Boot.

Prerequisites

  • Custom IMA keys are created. See Creating custom IMA keys by using OpenSSL.
  • The custom IMA CA certificate is trusted by the kernel, that is, it is present in the .builtin_trusted_keys or .secondary_trusted_keys keyring.

Procedure

  1. Add your custom IMA code signing certificate (the DER file, ima.der in the previous section) to the .ima keyring:

    # keyctl padd asymmetric <KEY_SUBJECT> %:.ima < <PATH_TO_YOUR_CUSTOM_IMA_CERTIFICATE>
  2. Prepare your IMA policy and sign it with the private part of your custom IMA code signing key. evmctl writes the signature into the security.ima extended attribute of the policy file itself, so the signed policy is the same file:

    # evmctl ima_sign <PATH_TO_YOUR_CUSTOM_IMA_POLICY> -k <PATH_TO_YOUR_CUSTOM_IMA_PRIVATE_KEY>
  3. Load the signed IMA policy:

    # echo <PATH_TO_YOUR_CUSTOM_IMA_POLICY> > /sys/kernel/security/ima/policy
  4. Verify that the policy loaded successfully:

    # echo $?
    0

    0 indicates that the IMA policy was loaded successfully. A nonzero value means that the kernel rejected the policy or its signature.

    Warning

    Do not skip this step. If you do, your system might fail to boot and you need to recover your system.

    If the IMA policy fails to load, fix the policy file or its signature and repeat steps 2 and 3.

  5. Copy the signed IMA policy to /etc/ima/ima-policy so that systemd loads it automatically on boot. The --preserve=xattr option keeps the signature in security.ima:

    # cp --preserve=xattr <PATH_TO_YOUR_CUSTOM_IMA_POLICY> /etc/ima/ima-policy
  6. Copy your custom IMA code signing certificate to the /etc/keys/ima/ directory, from where the dracut integrity module loads it into the .ima keyring on boot:

    # cp <PATH_TO_YOUR_CUSTOM_IMA_CERTIFICATE> /etc/keys/ima/
  7. Copy the dracut integrity configuration file:

    # cp --preserve=xattr /usr/share/ima/dracut-98-integrity.conf /etc/dracut.conf.d/98-integrity.conf
  8. Rebuild the initial RAM disk:

    # dracut -f
    • Additionally for s390x systems:

      # zipl

Verification

  • Verify that the IMA policy is loaded successfully:

    # cat /sys/kernel/security/ima/policy

    The output should include the rules from your custom IMA policy.

26.5. Troubleshooting systemd failure to load the IMA policy

When systemd fails to load /etc/ima/ima-policy, the system hangs with a systemd[1]: Freezing execution error message.

The failure can appear as follows:

[    5.829882] ima: policy update failed
[    5.830094] ima: signed policy file (specified as an absolute pathname) required
[!!!!!!] Failed to load IMA policy.
…
[    5.859994] systemd[1]: Freezing execution.

There are three methods that you can use to recover your system:

  • Turn off Secure Boot: Use this method if the error indicates a missing signature on a UEFI system.
  • Boot with init=/bin/bash: Use this method to open a shell without systemd and move the policy file aside.
  • Boot with initcall_blacklist=init_ima: Use this method to start the system with IMA disabled entirely.

26.5.1. Turn off Secure Boot

If a policy is not signed, the kernel prevents it from loading and logs specific error messages.

[    5.661906] ima: policy update failed
[    5.662290] ima: signed policy file (specified as an absolute pathname) required
[    5.662496] systemd[1]: Failed to load the IMA custom policy file /etc/ima/ima-policy1: Permission denied
[    5.662663] ima: policy update failed
[    5.662856] audit: type=1800 audit(1744968172.925:7): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 op=appraise_data cause=IMA-signature-required comm="systemd" name="/etc/ima/ima-policy" dev="vda3" ino=25679834 res=0 errno=0
[    5.663205] audit: type=1802 audit(1744968172.925:8): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 op=policy_update cause=failed comm="systemd" res=0 errno=0
[!!!!!!] Failed to load IMA policy.

As a workaround, you can turn off Secure Boot temporarily. With Secure Boot enabled, the kernel requires the policy file to be signed, as the "signed policy file ... required" message shows; with Secure Boot off, the unsigned policy loads and the system boots. Then follow Loading an IMA policy signed by your custom IMA key to sign the policy correctly, and re-enable Secure Boot.

26.5.2. Booting the system with the init=/bin/bash kernel parameter

To start the system with the init=/bin/bash kernel parameter, add it to the kernel command line and run the required commands in the recovery shell. The kernel then starts bash as PID 1 instead of systemd, so the failing policy is never loaded. You can then move the policy file aside, reboot normally, and correct and verify the IMA policy.

Procedure

  1. Boot the system with the init=/bin/bash kernel parameter. Because the system hangs before systemd finishes starting, add the parameter to the kernel command line for one boot in the GRUB menu, or, from a rescue environment, add it to the boot loader entry:

    # grubby --update-kernel="$(grubby --default-kernel)" --args="init=/bin/bash"
  2. In the shell, remount the root file system with write permissions:

    # mount -o remount,rw /
  3. Rename /etc/ima/ima-policy to /etc/ima/ima-policy.bak so that systemd does not try to load it on the next boot:

    # mv /etc/ima/ima-policy /etc/ima/ima-policy.bak
  4. If you added init=/bin/bash to the boot loader entry with grubby, remove it again, so that the next boot does not start bash as PID 1 again (mount /boot first if it is a separate file system):

    # grubby --update-kernel="$(grubby --default-kernel)" --remove-args="init=/bin/bash"
  5. Enable the SysRq magic key:

    # echo 1 > /proc/sys/kernel/sysrq
  6. Sync the file systems and reboot. With bash as PID 1 there is no init system to shut down cleanly, so use SysRq, writing the keys one at a time:

    # echo s > /proc/sysrq-trigger
    # echo b > /proc/sysrq-trigger
  7. After the normal boot, resolve any issues in /etc/ima/ima-policy.bak and verify that the policy can be loaded:

    # echo /etc/ima/ima-policy.bak > /sys/kernel/security/integrity/ima/policy
  8. Rename /etc/ima/ima-policy.bak to /etc/ima/ima-policy:

    # mv /etc/ima/ima-policy.bak /etc/ima/ima-policy

26.5.3. Booting the system with the initcall_blacklist=init_ima kernel parameter

To start the system with the initcall_blacklist=init_ima kernel parameter when the system hangs with systemd[1]: Freezing execution, add the parameter to the kernel command line and run the required commands. The parameter prevents the kernel from initializing IMA at all, so neither the built-in policy nor /etc/ima/ima-policy is loaded and the system boots. You can then move the policy file aside, reboot with IMA enabled, and correct and verify the IMA policy.

Procedure

  1. Boot the system with the initcall_blacklist=init_ima kernel parameter. Because the system hangs before systemd finishes starting, add the parameter to the kernel command line for one boot in the GRUB menu, or, from a rescue environment, add it to the boot loader entry:

    # grubby --update-kernel="$(grubby --default-kernel)" --args="initcall_blacklist=init_ima"
  2. Rename /etc/ima/ima-policy to /etc/ima/ima-policy.bak:

    # mv /etc/ima/ima-policy /etc/ima/ima-policy.bak
  3. If you added initcall_blacklist=init_ima to the boot loader entry with grubby, remove it again, so that IMA is enabled on the next boot:

    # grubby --update-kernel="$(grubby --default-kernel)" --remove-args="initcall_blacklist=init_ima"
  4. Reboot the system:

    # systemctl reboot
  5. Resolve any issues in /etc/ima/ima-policy.bak and verify that the policy can be loaded. This step requires a boot with IMA enabled: while init_ima is blacklisted, the /sys/kernel/security/integrity/ima/ interface does not exist.

    # echo /etc/ima/ima-policy.bak > /sys/kernel/security/integrity/ima/policy
  6. Rename /etc/ima/ima-policy.bak to /etc/ima/ima-policy:

    # mv /etc/ima/ima-policy.bak /etc/ima/ima-policy

26.6. Signing custom built packages

To maintain the integrity of your system, sign custom built packages before you deploy them. With the rpmsign command from the rpm-sign package and your IMA code signing key, you can add both a GPG signature for the package and an IMA signature for each file in the package, so that IMA appraisal can verify the files after installation.

Prerequisites

  • You have root privileges on your system.
  • You have a custom built package that you want to sign.
  • You have the IMA code signing key.
  • You have the rpm-sign tool installed.
  • Custom IMA keys are created. See Creating custom IMA keys by using OpenSSL.

Procedure

  1. Use rpmsign --signfiles to sign the package and its files:

    # rpmsign --define "_gpg_name <GPG_KEY_NAME>" --addsign --signfiles --fskpass --fskpath=<PATH_TO_YOUR_PRIVATE_IMA_CODE_SIGNING_KEY> <PATH_TO_YOUR_RPM>
    --define "_gpg_name <GPG_KEY_NAME>"
    Selects the GPG key that signs the package header and payload. The IMA code signing key signs each file in the package.
    --addsign
    Adds the signature to the package.
    --signfiles
    Signs each file in the package with the IMA code signing key and stores the signatures in the package header; rpm-plugin-ima writes them to security.ima at installation time.
    --fskpass
    Prompts once for the passphrase of the IMA code signing key; needed when the private key is encrypted.
    --fskpath
    Specifies the path to the private IMA code signing key.

Verification

  • To verify that the package files are signed, list each file name with its IMA signature from the package header (for an already installed package, use rpm -q <PACKAGE_NAME> instead of rpm -qp <PATH_TO_YOUR_RPM>):

    # rpm -qp --queryformat "[%{FILENAMES} %{FILESIGNATURES}\n]" <PATH_TO_YOUR_RPM>
    /usr/bin/YOUR_BIN 030204...
    /usr/lib/YOUR_LIB.so 030204...
    ...

    Each signature starts with 030204: the security.ima type byte for a signature (03), signature header version 2 (02), and the SHA-256 hash algorithm (04).
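The FILESIGNATURES column is the raw security.ima value in hexadecimal, so the same header that evmctl ima_verify checks in the verification of section 26.1.1 can be inspected offline. The following Python script is an added example, not part of the Red Hat documentation or of rpm and ima-evm-utils, that decodes the IMA signature header (type, version, hash algorithm, key identifier, signature length) and audits the output of the rpm query above against the key id you expect, the value that evmctl prints as keyid (d3320449 for the Red Hat release certificate in section 26.1.1). The hash-algorithm table is a subset of include/uapi/linux/hash_info.h; the sample signatures and the SAMPLE_RPM_OUTPUT text are constructed for the example with dummy signature bytes that would not verify, and a line without a hexadecimal signature is assumed to mean an unsigned file.

```python
"""Decode security.ima signature headers and audit rpm FILESIGNATURES output.

Added example, not part of the Red Hat documentation or of rpm/ima-evm-utils.
"""
import os
import struct
import sys

# enum evm_ima_xattr_type (security/integrity/integrity.h), values seen in security.ima
IMA_XATTR_DIGEST, EVM_IMA_XATTR_DIGSIG, IMA_XATTR_DIGEST_NG, IMA_VERITY_DIGSIG = 1, 3, 4, 6
# enum hash_algo (include/uapi/linux/hash_info.h), subset
HASH_ALGOS = {0: "md4", 1: "md5", 2: "sha1", 3: "rmd160", 4: "sha256",
              5: "sha384", 6: "sha512", 7: "sha224", 17: "sm3", 20: "sha3-256",
              21: "sha3-384", 22: "sha3-512"}


def decode_ima_xattr(blob):
    """Parse one security.ima value into a dict; raise ValueError if malformed."""
    if not blob:
        raise ValueError("empty security.ima value")
    kind = blob[0]
    if kind == IMA_XATTR_DIGEST:            # legacy: type byte + raw sha1 digest
        return {"type": "hash", "algo": "sha1", "digest": blob[1:].hex()}
    if kind == IMA_XATTR_DIGEST_NG:         # type byte + hash_algo byte + digest
        algo = blob[1]
        return {"type": "hash", "algo": HASH_ALGOS.get(algo, f"unknown({algo})"),
                "digest": blob[2:].hex()}
    if kind in (EVM_IMA_XATTR_DIGSIG, IMA_VERITY_DIGSIG):
        # struct signature_v2_hdr: type, version, hash_algo, __be32 keyid,
        # __be16 sig_size, then sig_size bytes of signature
        if len(blob) < 9:
            raise ValueError("truncated signature header")
        version, algo, keyid, sig_size = struct.unpack(">BBIH", blob[1:9])
        if version not in (2, 3):
            raise ValueError(f"unsupported signature header version {version}")
        if len(blob) - 9 != sig_size:
            raise ValueError(f"sig_size {sig_size} does not match "
                             f"{len(blob) - 9} signature bytes")
        return {"type": "signature" if kind == EVM_IMA_XATTR_DIGSIG else "fs-verity signature",
                "version": version, "algo": HASH_ALGOS.get(algo, f"unknown({algo})"),
                "keyid": f"{keyid:08x}", "sig_size": sig_size}
    raise ValueError(f"unknown security.ima type 0x{kind:02x}")


def audit_rpm_signatures(query_output, expected_keyid):
    """Check '<path> <hex>' lines as printed by
    rpm -qp --queryformat "[%{FILENAMES} %{FILESIGNATURES}\\n]" <rpm>
    and return [(path, ok, detail)]; ok is True only for a signature by expected_keyid."""
    results = []
    for line in query_output.splitlines():
        parts = line.split(maxsplit=1)
        if not parts:
            continue
        path, hexsig = parts[0], (parts[1].strip() if len(parts) > 1 else "")
        try:
            info = decode_ima_xattr(bytes.fromhex(hexsig))
        except ValueError as exc:
            results.append((path, False, f"no usable IMA signature ({exc})"))
            continue
        if info["type"] != "signature":
            results.append((path, False, f"reference value is a {info['type']}, not a signature"))
            continue
        ok = info["keyid"] == expected_keyid.lower()
        results.append((path, ok, f"{info['algo']} signature, keyid {info['keyid']}"))
    return results


# --- constructed sample data (dummy signature bytes; they would not verify) ---
def _fake_sig_hex(keyid, sig):
    hdr = bytes([EVM_IMA_XATTR_DIGSIG, 2, 4])          # 03 02 04: v2 header, sha256
    return (hdr + keyid.to_bytes(4, "big") + len(sig).to_bytes(2, "big") + sig).hex()


GOOD_SIG_HEX = _fake_sig_hex(0xd3320449, bytes(range(256)))   # keyid shown by evmctl above
OTHER_SIG_HEX = _fake_sig_hex(0x0badcafe, bytes(256))         # some other signing key
SAMPLE_RPM_OUTPUT = (f"/usr/bin/YOUR_BIN {GOOD_SIG_HEX}\n"
                     f"/usr/lib/YOUR_LIB.so {OTHER_SIG_HEX}\n"
                     "/usr/share/doc/README\n")                # file without a signature

if __name__ == "__main__":
    if len(sys.argv) > 1:    # decode the live security.ima value of a file on this system
        print(decode_ima_xattr(os.getxattr(sys.argv[1], "security.ima")))
    for path, ok, detail in audit_rpm_signatures(SAMPLE_RPM_OUTPUT, "d3320449"):
        print(f"{'OK ' if ok else 'BAD'} {path}: {detail}")
```

Pipe the real rpm query output into audit_rpm_signatures() with the keyid of your own certificate to catch files that were left unsigned or that were signed with a key the target systems do not trust; decoding the header does not replace cryptographic verification, which evmctl ima_verify or the kernel performs.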

26.7. Selecting between IMA and fapolicyd

IMA and fapolicyd are two different tools for enforcing file integrity. IMA is a kernel subsystem that measures and appraises files when they are opened, executed, or mapped, from early boot onward. fapolicyd is a user-space daemon that decides at runtime whether an application may execute or open a file, based on a rule set and a trust database.

The following list can help you determine which tool meets your requirements:

  • IMA verifies digital signatures to ensure integrity, while fapolicyd currently supports only hash-based verification.
  • IMA operates in kernel space, while fapolicyd operates in user space.
  • fapolicyd supports basic integrity verification by checking file size and can also verify reference hash values stored in security.ima.
  • IMA and fapolicyd use different policy syntax. For example, fapolicyd supports path-based policies, but IMA does not.
© 2026 Red Hat