Chapter 24. Extending, customizing, and troubleshooting the kernel integrity subsystem


Extend, customize, and troubleshoot the kernel integrity subsystem to support diverse security requirements and operational environments.

24.1. Generating good reference values for IMA appraisal

Before you deploy an IMA policy that includes IMA-appraisal rules, ensure that every file those rules cover has a valid reference value stored in its security.ima extended attribute. In enforce mode, a covered file whose reference value is missing or does not match fails appraisal and the kernel denies access to it; if such a file is needed during boot, the system might not boot.

24.1.1. Generating good reference values for immutable files

For immutable files, such as the files installed from signed RPM packages, use the IMA signatures shipped with the packages as trusted reference values. Unlike a plain hash, a signature ties the file content to a known signing key, so an appraisal rule can require that only files signed by a trusted key are read or executed, which strengthens system security and compliance.

Prerequisites

  • You have created an IMA policy that includes IMA-appraisal rules.

Procedure

  1. Install the rpm-plugin-ima:

    $ sudo dnf install rpm-plugin-ima -yq

    With the plugin installed, the IMA signature that a signed RPM package carries for each of its files is written to that file's security.ima extended attribute during package installation, reinstallation, or upgrade.

  2. Reinstall all the packages:

    $ sudo dnf reinstall "*" -y

    This writes the security.ima extended attribute for the files of packages that were installed before the plugin was present.

  3. Regenerate the initramfs so that the dracut integrity module loads the Red Hat IMA code-signing key from /etc/keys/ima onto the .ima keyring automatically during early boot:

    $ sudo dracut -f

Verification

  • Verify that the signature stored in the security.ima extended attribute of a file verifies against the Red Hat IMA release key:

    # evmctl ima_verify -k /etc/keys/ima/redhatimarelease-10.der /usr/lib/systemd/systemd
    keyid d3320449 (from /etc/keys/ima/redhatimarelease-10.der)
    key 1: d3320449 /etc/keys/ima/redhatimarelease-10.der
    /usr/lib/systemd/systemd: verification is OK
    
    # evmctl ima_verify -k /etc/keys/ima/redhatimarelease-10.der /bin/bash
    keyid d3320449 (from /etc/keys/ima/redhatimarelease-10.der)
    key 1: d3320449 /etc/keys/ima/redhatimarelease-10.der
    /bin/bash: verification is OK
    ...
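
Checking one or two files by hand, as above, does not tell you whether the whole file set an appraisal rule covers is ready. The following script is an added example and not part of the original page: it walks the root-owned regular files on XFS (the set that the appraise_tcb fowner=0 rules act on and that the relabel command later in this chapter selects), lists files with no security.ima attribute at all, and runs the same evmctl ima_verify check over the rest, summarizing the result. It assumes evmctl from ima-evm-utils and getfattr from the attr package are installed; the key path is the one used on this page, and the output parser relies only on the evmctl lines shown above.

```shell
#!/bin/sh
# Added example, not from the original page: batch-check IMA reference values
# before switching appraisal on. Assumes evmctl (ima-evm-utils) and getfattr
# (attr) are installed; IMA_KEY defaults to the key used on this page.
IMA_KEY="${IMA_KEY:-/etc/keys/ima/redhatimarelease-10.der}"

# root_owned_files ROOT: the files the appraise_tcb fowner=0 rules act on,
# limited to XFS like the page's relabel command. NUL-separated output.
root_owned_files() {
    find "${1:-/}" -fstype xfs -type f -uid 0 -print0
}

# xattr_missing ROOT: print every root-owned file with no security.ima at all.
# These files would fail appraisal outright in enforce mode.
xattr_missing() {
    root_owned_files "$1" | xargs -0 -r -n1 sh -c \
        'getfattr -n security.ima --absolute-names -- "$1" >/dev/null 2>&1 || printf "%s\n" "$1"' sh
}

# summarize_verify_output: read `evmctl ima_verify` output on stdin, echo each
# failing line prefixed with "FAIL: ", then print "ok=N failed=M". Returns 1
# when anything failed. Key banner lines ("keyid ...", "key 1: ...") are ignored.
summarize_verify_output() {
    awk '
        / verification is OK$/        { ok++; next }
        /^keyid / || /^key [0-9]+: /   { next }
        NF                             { failed++; print "FAIL: " $0 }
        END { printf "ok=%d failed=%d\n", ok + 0, failed + 0; exit (failed + 0 > 0) }
    '
}

# verify_tree ROOT: verify the stored signature of every root-owned file
# against IMA_KEY. One evmctl call per file keeps this portable across
# ima-evm-utils versions; stderr is merged so xattr read errors are counted.
verify_tree() {
    root_owned_files "$1" \
        | xargs -0 -r -n1 evmctl ima_verify -k "$IMA_KEY" 2>&1 \
        | summarize_verify_output
}

main() {
    root="${1:-/}"
    echo "== files without security.ima under $root =="
    xattr_missing "$root"
    echo "== signature verification against $IMA_KEY =="
    verify_tree "$root"
}

# Only runs when given a directory, for example: ./check-ima-refs.sh /
if [ "$#" -gt 0 ]; then
    main "$@"
fi
```

Run it before adding any appraise rule to the policy, and treat every FAIL: line as a file that will be blocked once enforce mode is active; files that are expected to change belong under the mutable-file procedure in the next section rather than being signed.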

24.1.2. Generating good reference values for mutable files

Files that legitimately change over time, such as configuration files, cannot carry a fixed signature, so their reference value is a hash that you must generate once and regenerate whenever the file changes. Keeping these values current lets the system verify mutable files accurately while still rejecting unauthorized modifications.

Prerequisites

  • You have root privileges on the system.
  • You have created an IMA policy that includes IMA-appraisal rules.
  • You have generated good reference values for immutable files.
  • Secure Boot is disabled. The kernel ignores the ima_appraise=fix parameter while Secure Boot is enabled.

Procedure

  1. Optional: Enable a built-in IMA-appraisal policy, or skip this step if you use only your custom policy. This example uses the built-in ima_policy=appraise_tcb policy:

    # grubby --update-kernel=/boot/vmlinuz-$(uname -r) --args="ima_policy=appraise_tcb"
    • Additionally for s390x systems:

      # zipl
  2. Enable IMA-appraisal fix mode by adding the ima_appraise=fix kernel command-line parameter. In fix mode, appraisal failures are not enforced, and when a covered file is opened the kernel writes the file's current hash into security.ima; files that already carry an IMA signature are left untouched:

    # grubby --update-kernel=/boot/vmlinuz-$(uname -r) --args="ima_appraise=fix"
    • Additionally for s390x systems:

      # zipl
  3. Reboot the system:

    # reboot
  4. Optional: Load your custom IMA policy:

    # echo <path_to_your_custom_ima_policy> > /sys/kernel/security/ima/policy
  5. Re-label the whole system by opening every file that the policy covers. Opening a file triggers appraisal, and in fix mode that stores the file's hash in security.ima. The following command selects root-owned regular files on XFS, which is what the appraise_tcb rules cover; adjust the selection if your custom policy covers other files or file systems:

    # find / -fstype xfs -type f -uid 0 -exec head -c 0 '{}' \;
  6. Turn off IMA-appraisal fix mode by removing the ima_appraise=fix kernel command line parameter:

    # grubby --update-kernel=/boot/vmlinuz-$(uname -r) --remove-args="ima_appraise=fix"
    • Additionally for s390x systems:

      # zipl
  7. Re-enable Secure Boot if you disabled it for this procedure.
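
The dangerous moments in this procedure are relabeling while the running kernel is not actually in fix mode (nothing gets written) and re-enabling Secure Boot while a boot entry still carries ima_appraise=fix. The following script is an added example and not part of the original page: it parses a kernel command line for the effective ima_appraise mode and the ima_policy values, reads the same information for the boot entry that the page's grubby commands edit, refuses to relabel under Secure Boot, and otherwise runs the relabel loop from step 5 with a count of files touched. It assumes grubby and mokutil are installed and that `grubby --info` prints its kernel arguments on an `args="..."` line, as it does on RHEL.

```shell
#!/bin/sh
# Added example, not from the original page: confirm which IMA appraisal mode a
# kernel entry boots with, so fix mode is used only for the relabel and is
# really gone before Secure Boot is re-enabled. Assumes grubby and mokutil.

# ima_cmdline_state CMDLINE: parse a kernel command line and print the
# effective ima_appraise mode plus every ima_policy value. The kernel applies
# ima_appraise= parameters in order, so the last one wins; with none given the
# built-in default is enforce. Returns 1 while fix mode is selected.
ima_cmdline_state() {
    cmdline="${1:-$(cat /proc/cmdline)}"
    appraise=enforce
    policies=""
    for arg in $cmdline; do
        case "$arg" in
            ima_appraise=*) appraise="${arg#ima_appraise=}" ;;
            ima_policy=*)   policies="$policies ${arg#ima_policy=}" ;;
        esac
    done
    printf 'ima_appraise=%s ima_policy=%s\n' "$appraise" "${policies# }"
    [ "$appraise" != "fix" ]
}

# grubby_args: pull the args="..." value out of `grubby --info` output on stdin
# (assumed output format, as seen on RHEL).
grubby_args() {
    sed -n 's/^args="\(.*\)"$/\1/p' | head -n 1
}

# ima_entry_state [KERNEL]: mode the boot entry for KERNEL will come up in.
# Defaults to the running kernel, the entry the page's grubby commands edit.
ima_entry_state() {
    ima_cmdline_state "$(grubby --info="${1:-/boot/vmlinuz-$(uname -r)}" | grubby_args)"
}

# secure_boot_enabled: the kernel ignores ima_appraise=fix under Secure Boot,
# which is why the page requires Secure Boot to be disabled first.
secure_boot_enabled() {
    mokutil --sb-state 2>/dev/null | grep -q 'SecureBoot enabled'
}

# ima_relabel ROOT: the page's relabel loop from step 5, plus a count of files
# opened. Opening each file in fix mode stores its hash in security.ima.
ima_relabel() {
    n=$(find "${1:-/}" -fstype xfs -type f -uid 0 -exec head -c 0 '{}' \; -print | wc -l)
    echo "opened $n root-owned files on XFS under ${1:-/}"
}

main() {
    root="${1:-/}"
    if secure_boot_enabled; then
        echo "Secure Boot is enabled: the kernel ignores ima_appraise=fix; disable it first" >&2
        return 1
    fi
    running=$(ima_cmdline_state "$(cat /proc/cmdline)") && {
        echo "running kernel is not in fix mode ($running); nothing relabeled" >&2
        return 1
    }
    echo "running kernel: $running"
    ima_relabel "$root"
    echo "next boot entry: $(ima_entry_state)"
    echo "remove ima_appraise=fix with grubby before re-enabling Secure Boot"
}

# Only runs when given a root directory, for example: ./ima-relabel.sh /
if [ "$#" -gt 0 ]; then
    main "$@"
fi
```

After step 6, run `ima_entry_state` again: it must report ima_appraise=enforce (or log, if that is what you chose) for the entry you will boot, and the next reboot should be done before Secure Boot is re-enabled so that the enforce-mode kernel is the one that ends up under it.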