6.9. Deploying Keylime agent from a package

Procedure

1. Install the Keylime agent:

   # dnf install keylime-agent

   This command installs the keylime-agent-rust package.

2. Define the agent’s IP address and port in the configuration files. Create a new .conf file in the /etc/keylime/agent.conf.d/ directory, for example, /etc/keylime/agent.conf.d/00-agent-ip.conf, with the following content:

   [agent]
   ip = '<agent_ip>'

   참고

   The Keylime agent configuration uses the TOML format, which is different from the INI format used for configuration of the other components. Therefore, enter values in valid TOML syntax, for example, paths in single quotation marks and arrays of multiple paths in square brackets.

   • Replace <agent_IP_address> with the agent’s IP address. Alternatively, use ip = '*' or ip = '0.0.0.0' to bind the agent to all available IP addresses.
   • Optionally, you can also change the agent’s port from the default value 9002 by using the port = '<agent_port>' option.

3. Define the registrar’s IP address and port in the configuration files. Create a new .conf file in the /etc/keylime/agent.conf.d/ directory, for example, /etc/keylime/agent.conf.d/00-registrar-ip.conf, with the following content:

   [agent]
   registrar_ip = '<registrar_IP_address>'

   • Replace <registrar_IP_address> with the registrar’s IP address.
   • Optionally, you can also change the registrar’s port from the default value 8890 by using the registrar_port = '<registrar_port>' option.

4. Optional: Define the agent’s universally unique identifier (UUID). If it is not defined, the default UUID is used. Create a new .conf file in the /etc/keylime/agent.conf.d/ directory, for example, /etc/keylime/agent.conf.d/00-agent-uuid.conf, with the following content:

   [agent]
   uuid = '<agent_UUID>'

   • Replace <agent_UUID> with the agent’s UUID, for example d432fbb3-d2f1-4a97-9ef7-abcdef012345. You can use the uuidgen utility to generate a UUID.

5. Optional: Load existing keys and certificates for the agent. If the agent receives no server_key and server_cert, it generates its own key and a self-signed certificate.

   Define the location of the keys and certificates in the configuration. Create a new .conf file in the /etc/keylime/agent.conf.d/ directory, for example, /etc/keylime/agent.conf.d/00-keys-and-certs.conf, with the following content:

   [agent]
   server_key = '</path/to/server_key>'
   server_key_password = '<passphrase1>'
   server_cert = '</path/to/server_cert>'
   trusted_client_ca = '[</path/to/ca/cert3>, </path/to/ca/cert4>]'

   참고

   Use absolute paths to define key and certificate locations. The Keylime agent does not accept relative paths.

6. Open the port in firewall:

   # firewall-cmd --add-port 9002/tcp
   # firewall-cmd --runtime-to-permanent

   If you use a different port, replace 9002 with the port number defined in the .conf file.

7. Enable and start the keylime_agent service:

   # systemctl enable --now keylime_agent

8. Optional: From the system where the Keylime tenant is configured, verify that the agent is correctly configured and can connect to the registrar.

   # keylime_tenant -c regstatus --uuid <agent_uuid>
   Reading configuration from ['/etc/keylime/logging.conf']
   ...
   ==\n-----END CERTIFICATE-----\n", "ip": "127.0.0.1", "port": 9002, "regcount": 1, "operational_state": "Registered"}}}

   • Replace <agent_uuid> with the agent’s UUID.

     If the registrar and agent are correctly configured, the output displays the agent’s IP address and port, followed by "operational_state": "Registered".

9. Create a new IMA policy by entering the following content into the /etc/ima/ima-policy file:

   # PROC_SUPER_MAGIC = 0x9fa0
   dont_measure fsmagic=0x9fa0
   # SYSFS_MAGIC = 0x62656572
   dont_measure fsmagic=0x62656572
   # DEBUGFS_MAGIC = 0x64626720
   dont_measure fsmagic=0x64626720
   # TMPFS_MAGIC = 0x01021994
   dont_measure fsmagic=0x1021994
   # RAMFS_MAGIC
   dont_measure fsmagic=0x858458f6
   # DEVPTS_SUPER_MAGIC=0x1cd1
   dont_measure fsmagic=0x1cd1
   # BINFMTFS_MAGIC=0x42494e4d
   dont_measure fsmagic=0x42494e4d
   # SECURITYFS_MAGIC=0x73636673
   dont_measure fsmagic=0x73636673
   # SELINUX_MAGIC=0xf97cff8c
   dont_measure fsmagic=0xf97cff8c
   # SMACK_MAGIC=0x43415d53
   dont_measure fsmagic=0x43415d53
   # NSFS_MAGIC=0x6e736673
   dont_measure fsmagic=0x6e736673
   # EFIVARFS_MAGIC
   dont_measure fsmagic=0xde5e81e4
   # CGROUP_SUPER_MAGIC=0x27e0eb
   dont_measure fsmagic=0x27e0eb
   # CGROUP2_SUPER_MAGIC=0x63677270
   dont_measure fsmagic=0x63677270
   # OVERLAYFS_MAGIC
   # when containers are used we almost always want to ignore them
   dont_measure fsmagic=0x794c7630
   # MEASUREMENTS
   measure func=BPRM_CHECK
   measure func=FILE_MMAP mask=MAY_EXEC
   measure func=MODULE_CHECK uid=0

   This policy targets runtime monitoring of executed applications. You can adjust this policy according to your scenario. You can find the MAGIC constants in the statfs(2) man page.

10. Update kernel parameters:

    # grubby --update-kernel DEFAULT --args 'ima_appraise=log ima_canonical_fmt ima_policy=tcb ima_template=ima-ng'

11. Reboot the system to apply the new IMA policy.

Verification

1. Verify that the agent is running:

   # systemctl status keylime_agent
   ● keylime_agent.service - The Keylime compute agent
        Loaded: loaded (/usr/lib/systemd/system/keylime_agent.service; enabled; preset: disabled)
        Active: active (running) since ...