6.10. Configuring Keylime for runtime monitoring


To verify that the state of monitored systems is correct, the Keylime agent must be running on the monitored systems.

Important

Because Keylime runtime monitoring uses integrity measurement architecture (IMA) to measure large numbers of files, it might have a significant impact on the performance of your system.

When provisioning the agent, you can also define a file that Keylime sends to the monitored system. Keylime encrypts the file sent to the agent, and decrypts it only if the agent’s system complies with the TPM policy and with the IMA allowlist.

You can make Keylime ignore changes of specific files or within specific directories by configuring a Keylime excludelist. The excluded files are still measured by IMA.

The allowlist and excludelist are combined into the Keylime runtime policy.

Prerequisites

Procedure

  1. On the monitored system where the Keylime agent is configured and running, install the python3-keylime package, which contains the keylime-policy tool:

    # dnf -y install python3-keylime
  2. Create a runtime policy from the current state of the agent system:

    # keylime-policy create runtime --ima-measurement --rootfs '/' --ramdisk-dir '/boot/' --output <policy.json>

    In this command,

    • Replace <policy.json> with the file name of the runtime policy.
    • The following directories are automatically excluded from measurement:

      • /sys
      • /run
      • /proc
      • /lost+found
      • /dev
      • /media
      • /snap
      • /mnt
      • /var
      • /tmp
    • Optionally, you can exclude additional specific paths from measurement by adding a --excludelist <excludelist.txt> option. The excludelist accepts Python regular expressions with one regular expression per line. See Regular expression operations at docs.python.org for the complete list of special characters.
  3. Copy the generated runtime policy to the system where the keylime_tenant utility is configured, for example:

    # scp <policy.json> root@<tenant.ip>:/root/<policy.json>
  4. On the system where the Keylime tenant is configured, provision the agent by using the keylime_tenant utility:

    # keylime_tenant --command add --targethost <agent_ip> --uuid <agent_uuid> --runtime-policy <policy.json> --cert default
    • Replace <agent_ip> with the agent’s IP address.
    • Replace <agent_uuid> with the agent’s UUID.
    • Replace <policy.json> with the path to the Keylime runtime policy file.
    • With the --cert option, the tenant generates and signs a certificate for the agent by using the CA certificates and keys located in the specified directory, or the default /var/lib/keylime/ca/ directory. If the directory contains no CA certificates and keys, the tenant will generate them automatically according to the configuration in the /etc/keylime/ca.conf file and save them to the specified directory. The tenant then sends these keys and certificates to the agent.

      When generating CA certificates or signing agent certificates, you might be prompted for the password to access the CA private key: Please enter the password to decrypt your keystore:.

      Note

      Keylime encrypts the file sent to the agent, and decrypts it only if the agent’s system complies with the TPM policy and the IMA allowlist. By default, Keylime decompresses sent .zip files.

    As an example, with the following command, keylime_tenant provisions a new Keylime agent at 127.0.0.1 with UUID d432fbb3-d2f1-4a97-9ef7-75bd81c00000 and loads a runtime policy policy.json. It also generates a certificate in the default directory and sends the certificate file to the agent. Keylime decrypts the file only if the TPM policy configured in /etc/keylime/verifier.conf is satisfied:

    # keylime_tenant --command add --targethost 127.0.0.1 --uuid d432fbb3-d2f1-4a97-9ef7-75bd81c00000 --runtime-policy policy.json --cert default
    Note

    You can stop Keylime from monitoring a node by using the keylime_tenant --command delete --uuid <agent_uuid> command.

    You can modify the configuration of an already registered agent by using the keylime_tenant --command update command.
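
Step 2 accepts an excludelist of Python regular expressions, and a pattern that is mistyped or too broad is only noticed later, either as a keylime-policy error or as files silently dropped from the policy. The following validator is an added example (not part of the page or of the Keylime project) that compiles each line of a constructed excludelist, reports invalid lines, shows which constructed sample paths would be excluded, and flags patterns that would exclude paths which should always stay measured. It assumes that patterns are applied to the path with `re.match` semantics (anchored at the start of the path, not at the end unless the pattern ends in `$`); confirm that against the Keylime version you run. The pattern, path and probe lists are constructed for the example.

```python
import re
from typing import Dict, List, Tuple

# Constructed excludelist in the format keylime-policy consumes: one Python
# regular expression per line. Line 4 is deliberately invalid so that the
# error reporting is exercised. (Example data, not from the page.)
SAMPLE_EXCLUDELIST = """\
/srv/app/logs/.*
/home/[^/]+/\\.cache/.*
/opt/app/build/.*\\.o$
/etc/[
"""

# Constructed paths as they might appear in an IMA measurement list.
SAMPLE_PATHS = [
    "/usr/bin/bash",
    "/srv/app/logs/app.log",
    "/home/alice/.cache/pip/wheels/x.whl",
    "/home/alice/.bashrc",
    "/opt/app/build/main.o",
    "/opt/app/build/main.o.bak",
    "/root/bad-script.sh",
]

# Constructed probe set: paths that should never be excluded from
# measurement. A pattern matching any of them is almost certainly too broad.
CRITICAL_PROBES = [
    "/usr/bin/bash",
    "/usr/lib64/libc.so.6",
    "/etc/passwd",
    "/root/.ssh/authorized_keys",
]


def parse_excludelist(text: str) -> List[Tuple[int, str]]:
    """Return (line_number, pattern) for every non-blank line."""
    return [(n, line.strip()) for n, line in enumerate(text.splitlines(), 1) if line.strip()]


def compile_excludelist(text: str) -> Tuple[List[Tuple[int, re.Pattern]], List[Tuple[int, str, str]]]:
    """Compile every pattern; return (compiled, errors).

    errors holds (line_number, pattern, message) for lines that are not valid
    Python regular expressions, so a typo is caught before the policy is
    generated instead of at attestation time.
    """
    compiled, errors = [], []
    for n, pat in parse_excludelist(text):
        try:
            compiled.append((n, re.compile(pat)))
        except re.error as exc:
            errors.append((n, pat, str(exc)))
    return compiled, errors


def is_excluded(compiled: List[Tuple[int, re.Pattern]], path: str) -> bool:
    # Assumption: patterns are applied with re.match, i.e. anchored at the start
    # of the path but not at the end unless the pattern itself says '$'.
    return any(p.match(path) for _, p in compiled)


def classify_paths(compiled: List[Tuple[int, re.Pattern]], paths: List[str]) -> Dict[str, bool]:
    """Map each path to True (excluded from the policy) or False (measured)."""
    return {path: is_excluded(compiled, path) for path in paths}


def broad_patterns(compiled: List[Tuple[int, re.Pattern]], probes: List[str]) -> List[Tuple[int, str]]:
    """Return (line_number, pattern) for patterns that exclude a critical probe path."""
    return [(n, p.pattern) for n, p in compiled if any(p.match(probe) for probe in probes)]


def main() -> None:
    compiled, errors = compile_excludelist(SAMPLE_EXCLUDELIST)
    for n, pat, msg in errors:
        print(f"line {n}: invalid regex {pat!r}: {msg}")
    for path, excluded in classify_paths(compiled, SAMPLE_PATHS).items():
        print(f"{'EXCLUDED' if excluded else 'measured':8} {path}")
    for n, pat in broad_patterns(compiled, CRITICAL_PROBES):
        print(f"line {n}: pattern {pat!r} excludes a critical path; narrow it")


if __name__ == "__main__":
    main()
```

Run it against your own excludelist before passing the file to `keylime-policy create runtime --excludelist`; an empty error list and an empty list of broad patterns is what you want to see, and the per-path table tells you whether `$` anchors and character classes behave the way you intended.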

Verification

  1. Optional: Reboot the monitored system to verify that the settings are persistent.
  2. Verify a successful attestation of the agent:

    # keylime_tenant --command cvstatus --uuid <agent_uuid>
    ...
    {"<agent_uuid>": {"operational_state": "Get Quote"..."attestation_count": 5
    ...

    Replace <agent_uuid> with the agent’s UUID.

    If the value of operational_state is Get Quote and attestation_count is nonzero, the attestation of this agent is successful.

    If the value of operational_state is Invalid Quote or Failed, the attestation has failed and the command displays output similar to the following:

    {"<agent_uuid>": {"operational_state": "Invalid Quote", ... "ima.validation.ima-ng.not_in_allowlist", "attestation_count": 5, "last_received_quote": 1684150329, "last_successful_attestation": 1684150327}}
  3. If the attestation fails, display more details in the verifier log:

    # journalctl --unit keylime_verifier
    keylime.tpm - INFO - Checking IMA measurement list...
    keylime.ima - WARNING - File not found in allowlist: /root/bad-script.sh
    keylime.ima - ERROR - IMA ERRORS: template-hash 0 fnf 1 hash 0 good 781
    keylime.cloudverifier - WARNING - agent D432FBB3-D2F1-4A97-9EF7-75BD81C00000 failed, stopping polling
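
The verification steps above are easy to script when you monitor more than a handful of agents. The following is an added example (not part of the page or of the Keylime project) that applies the rule from step 2 (operational_state is Get Quote and attestation_count is nonzero) to a cvstatus record, and extracts from verifier journal lines the facts an operator acts on: the files that were not in the allowlist, the IMA ERRORS counters, and the agent that was failed. The status records and the log excerpt are constructed for the example, modelled on the keys and lines shown above; their UUID is the one used in the procedure.

```python
import json
import re
from typing import Any, Dict

AGENT_UUID = "d432fbb3-d2f1-4a97-9ef7-75bd81c00000"

# Constructed cvstatus records using the keys shown in the procedure
# (operational_state, attestation_count, last_received_quote,
# last_successful_attestation). Not captured from a real verifier.
HEALTHY_STATUS = json.dumps({AGENT_UUID: {
    "operational_state": "Get Quote",
    "attestation_count": 5,
    "last_received_quote": 1684150329,
    "last_successful_attestation": 1684150329,
}})

FAILED_STATUS = json.dumps({AGENT_UUID: {
    "operational_state": "Invalid Quote",
    "attestation_count": 5,
    "last_received_quote": 1684150329,
    "last_successful_attestation": 1684150327,
}})

# Constructed verifier log excerpt in the shape of the journalctl output above.
VERIFIER_LOG = """\
keylime.tpm - INFO - Checking IMA measurement list...
keylime.ima - WARNING - File not found in allowlist: /root/bad-script.sh
keylime.ima - ERROR - IMA ERRORS: template-hash 0 fnf 1 hash 0 good 781
keylime.cloudverifier - WARNING - agent D432FBB3-D2F1-4A97-9EF7-75BD81C00000 failed, stopping polling
"""


def attestation_summary(status_json: str, uuid: str) -> Dict[str, Any]:
    """Reduce one agent's cvstatus record to the fields an operator acts on.

    Healthy means operational_state is "Get Quote" and at least one
    attestation has completed; any other state is treated as a failure.
    """
    record = json.loads(status_json).get(uuid)
    if record is None:
        return {"uuid": uuid, "known": False, "ok": False}
    state = record.get("operational_state")
    count = int(record.get("attestation_count", 0))
    return {
        "uuid": uuid,
        "known": True,
        "state": state,
        "attestation_count": count,
        "ok": state == "Get Quote" and count > 0,
        # Seconds between the last quote received and the last one that passed:
        # nonzero means the agent is reachable but no longer satisfies the policy.
        "stale_since_last_success": record.get("last_received_quote", 0)
        - record.get("last_successful_attestation", 0),
    }


def attestation_ok(status_json: str, uuid: str) -> bool:
    return attestation_summary(status_json, uuid)["ok"]


MISSING_RE = re.compile(r"File not found in allowlist: (\S+)")
IMA_ERRORS_RE = re.compile(r"IMA ERRORS: (.*)$")
FAILED_AGENT_RE = re.compile(r"agent ([0-9A-Fa-f-]{36}) failed")


def parse_verifier_log(text: str) -> Dict[str, Any]:
    """Pull the actionable facts out of keylime_verifier journal lines."""
    result: Dict[str, Any] = {"missing_files": [], "ima_errors": {}, "failed_agents": []}
    for line in text.splitlines():
        m = MISSING_RE.search(line)
        if m:
            result["missing_files"].append(m.group(1))
            continue
        m = IMA_ERRORS_RE.search(line)
        if m:
            # "template-hash 0 fnf 1 hash 0 good 781" -> counters by name
            for name, value in re.findall(r"(\S+) (\d+)", m.group(1)):
                result["ima_errors"][name] = int(value)
            continue
        m = FAILED_AGENT_RE.search(line)
        if m:
            # The verifier logs the UUID in upper case; normalise for comparison.
            result["failed_agents"].append(m.group(1).lower())
    return result


if __name__ == "__main__":
    for label, status in (("healthy", HEALTHY_STATUS), ("failed", FAILED_STATUS)):
        print(label, attestation_summary(status, AGENT_UUID))
    print(parse_verifier_log(VERIFIER_LOG))
```

Feed it the output of `keylime_tenant --command cvstatus --uuid <agent_uuid>` and `journalctl --unit keylime_verifier` and alert on `ok` being false; the `missing_files` list is the first thing to look at, since a file not in the allowlist is exactly what the `fnf` counter in the IMA ERRORS line counts.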