Chapter 23. Enhancing security with the kernel integrity subsystem
https://docs.redhat.com/en/documentation/red_hat_enterprise_linux/10/html/managing_monitoring_and_updating_the_kernel/enhancing-security-with-the-kernel-integrity-subsystem
You can improve the security of your system by using components of the kernel integrity subsystem. Learn more about the relevant components and their configuration.
23.1. The kernel integrity subsystem
The integrity subsystem protects system integrity by detecting file tampering and denying access according to the loaded policy. It also records measurements of the files that are accessed, so that a remote party can verify system integrity through remote attestation. The kernel integrity subsystem includes the Integrity Measurement Architecture (IMA) and the Extended Verification Module (EVM).
Integrity Measurement Architecture (IMA)
IMA maintains the integrity of file content. It includes three features that you can enable through an IMA policy:
IMA-Measurement: Collect the file content hash or signature and store the measurements in the kernel. If a TPM is available, each measurement extends a TPM PCR, which enables remote attestation with an attestation quote.
IMA-Appraisal: Verify file integrity by comparing the calculated file hash with a known good reference value or by verifying a signature stored in the security.ima attribute. If verification fails, the system denies access.
IMA-Audit: Store the calculated file content hash or signature in the system audit log.
Extended Verification Module (EVM)
EVM protects file metadata, including extended attributes related to system security such as security.ima and security.selinux. EVM stores a reference hash or HMAC for these security attributes in security.evm and uses it to detect if the file metadata has been changed maliciously.
Additional resources
Security hardening
Using SELinux
23.2. Enabling kernel’s runtime integrity monitoring through IMA-signature based appraisal
Starting with RHEL 9, every file shipped in a Red Hat package carries a per-file IMA signature. By enabling signature-based IMA appraisal, you ensure that only authorized, unmodified package files are accessed: a file whose signature is missing or does not verify against the trusted IMA key is denied.
Enable the signature-based IMA appraisal:
ima-setup --policy=/usr/share/ima/policies/01-appraise-executable-and-lib-signatures
This command:
Stores the package file signature in security.ima for all installed packages.
Includes the dracut integrity module so that the IMA code-signing key is loaded into the kernel at boot.
Copies the policy to /etc/ima/ima-policy so systemd loads it at boot time.
Verification
The ip command from the package runs successfully. If you copy /usr/sbin/ip to /tmp, cp does not preserve the security.ima extended attribute by default, so the copy has no signature and the kernel denies executing it:
cp /usr/sbin/ip /tmp
/tmp/ip
bash: /tmp/ip: Permission denied
/tmp/ip does not have security.ima, so getfattr prints nothing for it:
getfattr -m security.ima -d /tmp/ip
whereas /usr/sbin/ip carries the package signature:
getfattr -m security.ima -d /usr/sbin/ip
# file: usr/sbin/ip
security.ima=0sAwIE0zIESQBnMGUCMQCLXZ7ukyDcguLgPYwzXU16dcVrmlHxOta7vm7EUfX07Nf0xnP1MyE//AZaqeNIKBoCMFHNDOuA4uNvS+8OOAy7YEn8oathfsF2wsDSZi+NAoumC6RFqIB912zkRKxraSX8sA==
The 0s prefix is how getfattr marks a base64-encoded binary value.
If the sample policy 01-appraise-executable-and-lib-signatures does not meet your requirements, you can create and use a custom policy.
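As an added example (not part of the Red Hat documentation or the ima-evm-utils project), the following Python decodes the security.ima value shown above for /usr/sbin/ip and shows the two kinds of reference data that IMA-Appraisal (section 23.1) checks against: a version-2 signature header, and a plain reference digest. The xattr type numbers, hash-algorithm numbers and the signature_v2_hdr field layout are taken from the Linux kernel headers; the sample file content used for the digest case is constructed. Splitting the DER signature shows what the kernel hands to the verifying key; the code does not verify the signature itself, which needs the public key from /etc/keys/ima.

```python
"""Decode an IMA security.ima value and do a hash-based appraisal check.

Added example, not Red Hat's or ima-evm-utils' code. Enum values and the
signature_v2_hdr layout follow the Linux kernel (security/integrity/integrity.h,
include/uapi/linux/hash_info.h).
"""
import base64
import hashlib
import struct

XATTR_TYPES = {1: "EVM_XATTR_HMAC", 3: "EVM_IMA_XATTR_DIGSIG",
               4: "IMA_XATTR_DIGEST_NG", 5: "EVM_XATTR_PORTABLE_DIGSIG"}
HASH_ALGOS = {0: "md4", 1: "md5", 2: "sha1", 3: "rmd160", 4: "sha256",
              5: "sha384", 6: "sha512", 7: "sha224"}

# The value getfattr -d printed for /usr/sbin/ip above ("0s" = base64 encoded).
PAGE_VALUE = ("0sAwIE0zIESQBnMGUCMQCLXZ7ukyDcguLgPYwzXU16dcVrmlHxOta7vm7EUfX07Nf0xnP1MyE//"
              "AZaqeNIKBoCMFHNDOuA4uNvS+8OOAy7YEn8oathfsF2wsDSZi+NAoumC6RFqIB912zkRKxraSX8sA==")


def decode_getfattr_value(value):
    """Turn a getfattr -d encoded value ("0s" base64 or "0x" hex) into bytes."""
    if value.startswith("0s"):
        return base64.b64decode(value[2:])
    if value.startswith("0x"):
        return bytes.fromhex(value[2:])
    raise ValueError("unsupported getfattr value encoding")


def der_ecdsa_split(sig):
    """Split a DER ECDSA-Sig-Value (SEQUENCE { INTEGER r, INTEGER s }) into (r, s)."""
    if len(sig) < 2 or sig[0] != 0x30 or sig[1] != len(sig) - 2:
        raise ValueError("not a short-form DER SEQUENCE covering the whole signature")
    pos, ints = 2, []
    for _ in range(2):
        if sig[pos] != 0x02:
            raise ValueError("expected DER INTEGER")
        n = sig[pos + 1]
        ints.append(sig[pos + 2:pos + 2 + n].lstrip(b"\x00") or b"\x00")  # drop sign pad
        pos += 2 + n
    if pos != len(sig):
        raise ValueError("trailing bytes after ECDSA signature")
    return ints[0], ints[1]


def parse_ima_xattr(raw):
    """Describe what IMA-Appraisal would check for this security.ima value."""
    xtype = raw[0]
    if xtype == 3:
        # struct signature_v2_hdr { u8 type; u8 version; u8 hash_algo;
        #                           __be32 keyid; __be16 sig_size; u8 sig[]; }
        version, algo, keyid, sig_size = struct.unpack(">BBIH", raw[1:9])
        sig = raw[9:]
        if version != 2 or len(sig) != sig_size:
            raise ValueError("malformed signature_v2_hdr")
        r, s = der_ecdsa_split(sig)
        return {"type": XATTR_TYPES[xtype], "version": version,
                "hash_algo": HASH_ALGOS.get(algo, "unknown(%d)" % algo),
                "keyid": "%08x" % keyid, "sig_size": sig_size,
                "ecdsa_r_len": len(r), "ecdsa_s_len": len(s)}
    if xtype == 4:
        # IMA_XATTR_DIGEST_NG: u8 type; u8 hash_algo; u8 digest[]
        algo = HASH_ALGOS[raw[1]]
        digest = raw[2:]
        if len(digest) != hashlib.new(algo).digest_size:
            raise ValueError("digest length does not match %s" % algo)
        return {"type": XATTR_TYPES[xtype], "hash_algo": algo, "digest": digest.hex()}
    raise ValueError("unsupported security.ima type %d" % xtype)


def parse_page_value():
    """Parse the /usr/sbin/ip signature quoted in the text above."""
    return parse_ima_xattr(decode_getfattr_value(PAGE_VALUE))


def make_digest_ng_xattr(content, algo="sha256"):
    """Build the hash-based reference value IMA compares file content against."""
    algo_id = {name: num for num, name in HASH_ALGOS.items()}[algo]
    return bytes([4, algo_id]) + hashlib.new(algo, content).digest()


def appraise_digest(content, raw_xattr):
    """Hash-based IMA-Appraisal: True if content matches the stored reference digest."""
    info = parse_ima_xattr(raw_xattr)
    if info["type"] != "IMA_XATTR_DIGEST_NG":
        raise ValueError("signature appraisal needs the public key, not handled here")
    return hashlib.new(info["hash_algo"], content).hexdigest() == info["digest"]


def demo_digest_appraisal():
    """Constructed file content: the original passes, modified content is denied."""
    good = b"#!/bin/sh\necho hello\n"
    ref = make_digest_ng_xattr(good)
    return appraise_digest(good, ref), appraise_digest(good + b"# tampered\n", ref)


if __name__ == "__main__":
    print(parse_page_value())
    print(demo_digest_appraisal())  # (True, False)
```

Running it on the page's value reports type EVM_IMA_XATTR_DIGSIG, version 2, SHA-256 as the file hash, key id d3320449 (the same id evmctl prints for redhatimarelease-10.der in section 23.3) and a 103-byte DER ECDSA signature with 48-byte r and s, consistent with a 384-bit curve. The copy in /tmp has no such value, which is exactly why the kernel denies it.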
23.3. Enabling remote attestation with IMA measurement
You can enable remote attestation with Integrity Measurement Architecture (IMA) measurement to verify the integrity of your system. To use remote attestation with a tool such as Keylime, you must enable IMA-Measurement. Deploy and run the sample policy that meets your requirements.
Prerequisites
A signed measurement policy is available at /usr/share/ima/policies/02-keylime-remote-attestation.
Procedure
Install the rpm-plugin-ima package:
dnf install rpm-plugin-ima
Reinstall the ima-evm-utils package so that the IMA signatures of the sample policy files it ships are stored in the security.ima extended attribute. The rpm-plugin-ima plugin writes the per-file signatures carried in the RPM header into security.ima at install time, so files installed before the plugin was present need to be reinstalled:
dnf reinstall ima-evm-utils
Confirm that the IMA signature has been stored:
evmctl ima_verify -k /etc/keys/ima/redhatimarelease-10.der /usr/share/ima/policies/02-keylime-remote-attestation
keyid d3320449 (from /etc/keys/ima/redhatimarelease-10.der)
key 1: d3320449 /etc/keys/ima/redhatimarelease-10.der
/usr/share/ima/policies/02-keylime-remote-attestation: verification is OK
Copy the signed measurement policy with extended attributes preserved to /etc/ima/ima-policy so systemd automatically loads it on boot:
cp --preserve=xattr /usr/share/ima/policies/02-keylime-remote-attestation /etc/ima/ima-policy
Enable the dracut integrity module so the IMA key loads at boot time:
cp --preserve=xattr /usr/share/ima/dracut-98-integrity.conf /etc/dracut.conf.d/ima.conf
Regenerate the initramfs to include the integrity module:
dracut -f
On s390x systems, additionally run zipl to apply the changes for the next IPL (initial program load):
zipl
Reboot to load the IMA key:
systemctl reboot
Warning: On systems with Secure Boot enabled, the kernel accepts only signed IMA policies, and it can verify the policy signature only after the IMA code-signing key has been loaded, which the dracut integrity module does from the initramfs. If a policy is loaded before that key is available to the kernel, the load fails and the next reboot can hang. Therefore, you must load the policy only after the key is available.
If the sample policy does not meet your requirements, see Loading an IMA policy signed by your custom IMA key.
Verification
Verify that the policy is loaded:
cat /sys/kernel/security/integrity/ima/policy
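Once the policy is loaded, the kernel appends one line per measured file to /sys/kernel/security/ima/ascii_runtime_measurements and extends TPM PCR 10 with each entry's template hash (section 23.1). The following added example (not Red Hat or Keylime code) does what an attestation verifier such as Keylime does with that list: it recomputes each entry's template hash from its own fields, replays the PCR 10 value and compares it with the value a TPM quote would carry, then checks every file digest against an allowlist. The file contents, paths and allowlist are constructed. The ima-ng template-data layout the code hashes (little-endian 32-bit length prefixes, "sha256:" plus a NUL byte plus the raw digest, and the NUL-terminated path) is reproduced from the kernel's ima-ng template definition as understood by the author of this example, not from the page.

```python
"""Check and replay an IMA measurement list as a remote-attestation verifier does.

Added example, not Red Hat or Keylime code. Each line of
/sys/kernel/security/ima/ascii_runtime_measurements has the form
    <pcr> <template-hash> <template-name> <filedata-hash> <path>
e.g. "10 <sha1 hex> ima-ng sha256:<hex> /usr/sbin/ip".
Assumed ima-ng template data (from the kernel's template definition, not the page):
the template hash is SHA-1 over  u32le(len(d)) || d || u32le(len(n)) || n
with d = b"sha256:\\0" + raw digest and n = path + b"\\0". The kernel then
extends PCR 10 as pcr = SHA1(pcr || template_hash), starting from 20 zero bytes.
"""
import hashlib
import struct

PCR_INIT = "00" * 20

# Constructed stand-ins for measured binaries, and the verifier's allowlist of
# known-good sha256 digests (the digests the package signatures vouch for).
SAMPLE_FILES = {
    "/usr/bin/bash": b"constructed bash contents\n",
    "/usr/sbin/ip": b"constructed ip contents\n",
}
SAMPLE_ALLOWLIST = {p: hashlib.sha256(c).hexdigest() for p, c in SAMPLE_FILES.items()}
TAMPERED_IP = b"trojaned ip contents\n"


def template_hash_ima_ng(algo, digest_hex, path):
    d = algo.encode() + b":\0" + bytes.fromhex(digest_hex)
    n = path.encode() + b"\0"
    data = struct.pack("<I", len(d)) + d + struct.pack("<I", len(n)) + n
    return hashlib.sha1(data).hexdigest()


def make_entry(path, content, algo="sha256"):
    """The measurement-list line the kernel would log for this content."""
    digest = hashlib.new(algo, content).hexdigest()
    return "10 %s ima-ng %s:%s %s" % (template_hash_ima_ng(algo, digest, path), algo, digest, path)


def parse_entry(line):
    pcr, th, template, fdh, path = line.split(" ", 4)
    algo, digest = fdh.split(":", 1)
    return {"pcr": int(pcr), "template_hash": th, "template": template,
            "algo": algo, "digest": digest, "path": path}


def extend(pcr_hex, template_hash_hex):
    """TPM PCR extend in the SHA-1 bank."""
    return hashlib.sha1(bytes.fromhex(pcr_hex) + bytes.fromhex(template_hash_hex)).hexdigest()


def check_entries(lines):
    """Return the paths whose template hash does not match their own fields."""
    bad = []
    for e in map(parse_entry, lines):
        if e["template"] != "ima-ng":
            raise ValueError("only ima-ng entries handled here")
        if template_hash_ima_ng(e["algo"], e["digest"], e["path"]) != e["template_hash"]:
            bad.append(e["path"])
    return bad


def replay_pcr(lines):
    """Recompute PCR 10 from the list, to compare with the value in the TPM quote."""
    pcr = PCR_INIT
    for e in map(parse_entry, lines):
        pcr = extend(pcr, e["template_hash"])
    return pcr


def attest(lines, quoted_pcr10, allowlist):
    """Verifier decision: (ok, reason)."""
    if check_entries(lines):
        return False, "template hash mismatch"
    if replay_pcr(lines) != quoted_pcr10:
        return False, "PCR 10 replay does not match quote"
    for e in map(parse_entry, lines):
        if allowlist.get(e["path"]) != e["digest"]:
            return False, "unexpected digest for %s" % e["path"]
    return True, "ok"


def build_sample_list():
    return [make_entry(p, c) for p, c in SAMPLE_FILES.items()]


def build_tampered_list():
    """ip was replaced on disk; the kernel measured the new content honestly."""
    return [make_entry("/usr/bin/bash", SAMPLE_FILES["/usr/bin/bash"]),
            make_entry("/usr/sbin/ip", TAMPERED_IP)]


def build_forged_list():
    """Digest column of a log copy was edited, but the template hash was left alone."""
    lines = build_sample_list()
    e = parse_entry(lines[1])
    fake = hashlib.sha256(TAMPERED_IP).hexdigest()
    lines[1] = "10 %s ima-ng %s:%s %s" % (e["template_hash"], e["algo"], fake, e["path"])
    return lines


if __name__ == "__main__":
    good = build_sample_list()
    quote = replay_pcr(good)                           # what an honest TPM quote would carry
    print(attest(good, quote, SAMPLE_ALLOWLIST))       # (True, 'ok')
    print(attest(good[:-1], quote, SAMPLE_ALLOWLIST))  # truncated list: PCR mismatch
    print(attest(build_tampered_list(), replay_pcr(build_tampered_list()), SAMPLE_ALLOWLIST))
    print(check_entries(build_forged_list()))          # ['/usr/sbin/ip']
```

The three failure cases are deliberately different: a list that has been truncated or reordered no longer replays to the quoted PCR 10, an entry whose digest column was edited no longer matches its own template hash, and a file that was genuinely replaced on disk is measured honestly by the kernel, so it passes both of those checks and is caught only by the allowlist comparison. That is why an attestation verifier needs both the quote and a set of known-good digests.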
Additional resources
Extending, customising, and troubleshooting the kernel integrity subsystem