Red Hat SummitChapter 24. Enhancing security with the kernel integrity subsystem
You can improve the security of your system by using components of the kernel integrity subsystem. Learn more about the relevant components and their configuration.
24.1. The kernel integrity subsystem
Protect system integrity by detecting file tampering and enforcing access policies with the kernel integrity subsystem. Comprising IMA and EVM, it logs access data to validation by remote parties through attestation.
Overview of IMA and EVM
Integrity Measurement Architecture (IMA) maintains the integrity of file content. It includes three features that you can enable through an IMA policy:
IMA-Measurement- Collect the file content hash or signature and store the measurements in the kernel. If a TPM is available, each measurement extends a TPM PCR, which enables remote attestation with an attestation quote.
IMA-Appraisal- Verify file integrity by comparing the calculated file hash with a known good reference value or by verifying a signature stored in the security.ima attribute. If verification fails, the system denies access.
IMA-Audit- Store the calculated file content hash or signature in the system audit log.
The Extended Verification Module (EVM) protects file metadata, including extended attributes related to system security such as security.ima and security.selinux. EVM stores a reference hash or HMAC for these security attributes in security.evm and uses it to detect if the file metadata has been changed maliciously.
Secure Boot integration
Secure Boot establishes the chain of trust from firmware to boot loader and then to kernel. With the integrity subsystem of the trusted kernel making sure only trusted user space code is executed, the chain of trust is now extended to the user space. Although the integrity subsystem can be used alone, some behaviours of the integrity subsystem are tied to secure boot, for example,
- Some IMA policy rules is activated automatically when Secure Boot is enabled. For example, IMA-Measurement is enabled for kexec’ed kernel and kernel modules on UEFI systems, and IMA-Appraisal is enabled for kexec’ed kernel on PowerPC.
- Currently, for Red Hat Enterprise Linux 10, only IMA policy signed by trusted keys can be loaded when secure boot is enabled
24.2. Enabling kernel’s runtime integrity monitoring through IMA-signature based appraisal
Enable signature-based IMA appraisal to ensure only authorized package files are accessed. Starting from RHEL 9, all package files are signed per file.
Enable the signature-based IMA appraisal:
ima-setup --policy=/usr/share/ima/policies/01-appraise-executable-and-lib-signaturesThis command:
-
Stores package file signature in
security.imafor all installed packages. -
Includes the
dracutintegrity module to load the IMA code signing key to kernel. -
Copies the policy to
/etc/ima/ima-policyso systemd loads it at boot time.
Verification
-
The
ipcommand can be successfully executed. If
ipis copied to/tmp, by default, it loses itssecurity.imaand thereforeipcommand is not executed.# cp /usr/sbin/ip /tmp # /tmp/ip -bash: /tmp/ip: Permission denied # /tmp/ip doesn’t have security.ima # getfattr -m security.ima -d /tmp/ip # whereas /usr/sbin/ip has # getfattr -m security.ima /usr/sbin/ip # file: usr/sbin/ip security.ima=0sAwIE0zIESQBnMGUCMQCLXZ7ukyDcguLgPYwzXU16dcVrmlHxOta7vm7EUfX07Nf0xnP1MyE//AZaqeNIKBoCMFHNDOuA4uNvS+8OOAy7YEn8oathfsF2wsDSZi+NAoumC6RFqIB912zkRKxraSX8sA==
If the sample policy 01-appraise-executable-and-lib-signatures does not meet your requirements, you can create and use a custom policy.
24.3. Enabling remote attestation with IMA measurement
Enable remote attestation with IMA measurement to verify system integrity. Use IMA measurement with tools such as Keylime by deploying the signed measurement policy from /usr/share/ima/policies/02-keylime-remote-attestation.
Prerequisites
-
A signed measurement policy is available at
/usr/share/ima/policies/02-keylime-remote-attestation.
Procedure
Deploy the policy:
# cp --preserve=xattr /usr/share/ima/policies/02-keylime-remote-attestation /etc/ima/ima-policyLoad the policy:
# echo /etc/ima/ima-policy > /sys/kernel/security/integrity/ima/policy
If the sample policy does not meet your requirements, or if you want to ensure that only signed IMA policies are loaded for security reasons, see Deploying a custom signed IMA policy for UEFI systems.
Verification
Verify that the policy is loaded:
# cat /sys/kernel/security/integrity/ima/policy
'%20d='M201.5%20305.5c-13.8%200-24.9-11.1-24.9-24.6%200-13.8%2011.1-24.9%2024.9-24.9%2013.6%200%2024.6%2011.1%2024.6%2024.9%200%2013.6-11.1%2024.6-24.6%2024.6zM504%20256c0%20137-111%20248-248%20248S8%20393%208%20256%20119%208%20256%208s248%20111%20248%20248zm-132.3-41.2c-9.4%200-17.7%203.9-23.8%2010-22.4-15.5-52.6-25.5-86.1-26.6l17.4-78.3%2055.4%2012.5c0%2013.6%2011.1%2024.6%2024.6%2024.6%2013.8%200%2024.9-11.3%2024.9-24.9s-11.1-24.9-24.9-24.9c-9.7%200-18%205.8-22.1%2013.8l-61.2-13.6c-3-.8-6.1%201.4-6.9%204.4l-19.1%2086.4c-33.2%201.4-63.1%2011.3-85.5%2026.8-6.1-6.4-14.7-10.2-24.1-10.2-34.9%200-46.3%2046.9-14.4%2062.8-1.1%205-1.7%2010.2-1.7%2015.5%200%2052.6%2059.2%2095.2%20132%2095.2%2073.1%200%20132.3-42.6%20132.3-95.2%200-5.3-.6-10.8-1.9-15.8%2031.3-16%2019.8-62.5-14.9-62.5zM302.8%20331c-18.2%2018.2-76.1%2017.9-93.6%200-2.2-2.2-6.1-2.2-8.3%200-2.5%202.5-2.5%206.4%200%208.6%2022.8%2022.8%2087.3%2022.8%20110.2%200%202.5-2.2%202.5-6.1%200-8.6-2.2-2.2-6.1-2.2-8.3%200zm7.7-75c-13.6%200-24.6%2011.1-24.6%2024.9%200%2013.6%2011.1%2024.6%2024.6%2024.6%2013.8%200%2024.9-11.1%2024.9-24.6%200-13.8-11-24.9-24.9-24.9z'/%3e%3c/svg%3e){kind=small}