The kernel integrity subsystem can be used to detect whether a file has been altered (accidentally or maliciously), both remotely and locally. It does that by appraising a file's measurement (its hash value) against a "good" value stored previously as an extended attribute (on file systems that support extended attributes, such as ext3, ext4, etc.). Similar, but complementary, mechanisms are provided by other security technologies such as SELinux, which, depending on policy, can attempt to protect file integrity.
The Linux IMA (Integrity Measurement Architecture) subsystem introduces hooks within the Linux kernel to support creating and collecting hashes of files when opened, before their contents are accessed for read or execute. The IMA measurement subsystem was added in linux-2.6.30 and is supported by Red Hat Enterprise Linux 8.
The kernel integrity subsystem consists of two major components. The Integrity Measurement Architecture (IMA) is responsible for collecting file hashes, placing them in kernel memory (where userland applications cannot access or modify them), and allowing local and remote parties to verify the measured values. The Extended Verification Module (EVM) detects offline tampering with the security extended attributes (which can help mitigate evil-maid attacks).
IMA maintains a runtime measurement list and, if anchored in a hardware Trusted Platform Module (TPM), an aggregate integrity value over this list. The benefit of anchoring the aggregate integrity value in the TPM is that the measurement list is difficult to compromise by a software attack without the tampering being detectable. Hence, on a trusted boot system, IMA-measurement can be used to attest to the system's runtime integrity.
Enabling IMA-measurement:
IMA-measurement can be enabled by adding the parameters "ima=on ima_policy=<policy>" to the kernel command line and rebooting the system. The policy parameter takes one of the following values:
- tcb - measures all executables run, all mmap'd files for execution (such as shared libraries), all kernel modules loaded, and all firmware loaded. Additionally, all files read by root are measured.
- appraise_tcb - appraises all files owned by root.
- secure_boot - appraises all loaded modules, firmware, the kexec'd kernel, and IMA policies, and also requires them to carry an IMA signature. This is normally used with the CONFIG_INTEGRITY_TRUSTED_KEYRING option in the kernel in a "secure boot" scenario, with the public key obtained from the OEM in firmware or via the MOK (Machine Owner Key) in shim.
IMA-measurement maintains a runtime measurement list, which can be reviewed via the /sys/kernel/security/ima/ascii_runtime_measurements file.
[root@kvm-05-guest13 ~]# head -5 /sys/kernel/security/ima/ascii_runtime_measurements
10 1d8d532d463c9f8c205d0df7787669a85f93e260 ima-ng sha1:ddee6004dc3bd4ee300406cd93181c5a2187b59b boot_aggregate
10 bfe074db49e639b3d65aff5d29714c0ada7584ae ima-ng sha1:b23cdfea2ad736ea9f2591270fe644d8052cc86f /usr/lib/systemd/systemd
10 63c80ba8646fb4d8a48e0b6baf38650fef1b3ffb ima-ng sha1:8c8d12052c4684e696da0bee28d7a2f3c4f408e4 /usr/lib64/ld-2.28.so
10 2a07e7f032ba91832d267e6c58437cec1dccf35d ima-ng sha1:381429f65d66187f866361e8dc19e96808f9424f /usr/lib/systemd/libsystemd-shared-239.so
10 a4c7964b6581dcf3aa5495dc94a17bb7ee82554c ima-ng sha1:1abcf3c99faad55856d49e3ds210abec56d95e4a51 /etc/ld.so.cache
The columns (from left to right) are:
- PCR (Platform Configuration Register) in which the values are registered. This field is set correctly when the TPM chip is in use.
- Template hash of the entry, which is a hash that combines the length and values of the file content hash and the pathname.
- Template that registered the integrity value (ima-ng in this case).
- File content hash, a hash generated from the contents of the file.
- File name, the name of the file being monitored.
The default hash algorithm is SHA-1 and can be changed to SHA-256 by booting with ima_hash=sha256.
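As an added example (not code from the original post), the following Python script parses entries in the format shown above, recomputes the ima-ng template hash from the file hash and path columns, and replays the PCR 10 extend that produces the TPM-anchored aggregate. It assumes the kernel's ima-ng field encoding (each field hashed as a little-endian 32-bit length followed by its data) and uses the page's own sample lines as input.

```python
import hashlib
import struct
# First three entries from the page's ascii_runtime_measurements output.
SAMPLE_LOG = """\
10 1d8d532d463c9f8c205d0df7787669a85f93e260 ima-ng sha1:ddee6004dc3bd4ee300406cd93181c5a2187b59b boot_aggregate
10 bfe074db49e639b3d65aff5d29714c0ada7584ae ima-ng sha1:b23cdfea2ad736ea9f2591270fe644d8052cc86f /usr/lib/systemd/systemd
10 63c80ba8646fb4d8a48e0b6baf38650fef1b3ffb ima-ng sha1:8c8d12052c4684e696da0bee28d7a2f3c4f408e4 /usr/lib64/ld-2.28.so
"""

def parse_entry(line):
    """Split one measurement line into its five columns (the path is last, so it may contain spaces)."""
    pcr, template_hash, template, filedata, path = line.split(maxsplit=4)
    algo, _, filehash = filedata.partition(":")
    return {"pcr": int(pcr), "template_hash": template_hash, "template": template,
            "algo": algo, "filehash": filehash, "path": path}

def ima_ng_template_hash(algo, filehash_hex, path):
    """Recompute the ima-ng template hash (column 2) from the d-ng and n-ng fields.
    Each field is hashed as a little-endian u32 length followed by its data:
    d-ng = "<algo>:" + NUL + raw file digest, n-ng = path + NUL."""
    d_ng = algo.encode() + b":\x00" + bytes.fromhex(filehash_hex)
    n_ng = path.encode() + b"\x00"
    h = hashlib.sha1()  # SHA-1 is the default, as in the page's output
    for field in (d_ng, n_ng):
        h.update(struct.pack("<I", len(field)))
        h.update(field)
    return h.hexdigest()

def verify_entry(line):
    """True if the entry's template hash matches its own file hash and path columns."""
    e = parse_entry(line)
    if e["template"] != "ima-ng":
        raise ValueError("only ima-ng entries are handled here: " + e["template"])
    return ima_ng_template_hash(e["algo"], e["filehash"], e["path"]) == e["template_hash"]

def pcr10_aggregate(lines):
    """Replay the TPM extend IMA does for every entry: PCR = SHA1(PCR || template_hash), starting
    from zeros. A verifier compares this with a quote of PCR 10; any dropped, altered or
    reordered entry changes the result."""
    pcr = b"\x00" * 20
    for line in lines:
        pcr = hashlib.sha1(pcr + bytes.fromhex(parse_entry(line)["template_hash"])).digest()
    return pcr.hex()

if __name__ == "__main__":
    lines = SAMPLE_LOG.splitlines()
    for ln in lines:
        print(parse_entry(ln)["path"], "template hash consistent:", verify_entry(ln))
    print("expected PCR 10 (SHA-1 bank):", pcr10_aggregate(lines))
```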
IMA re-measurement:
If any of the monitored files change, for example when the system is updated, IMA re-measures them. For this, the file system must support i_version and be mounted with the iversion option. For example, to enable i_version on the root file system, edit the /etc/fstab file as follows:
/dev/vda1 / ext4 noatime,iversion 1 2
Now the system can be updated; any change to a monitored file will cause its hash to be re-computed and stored.
IMA appraisal
The appraisal extension adds local integrity validation and enforcement of the measurement against a "good" value stored as the extended attribute security.ima.
Enabling IMA appraisal is a two-step process.
- First, reboot the kernel with the boot command line parameters ima_appraise_tcb and ima_appraise=fix to relabel the file system. Next, all files that will be appraised need to be opened for reading. This process could take some time. To relabel the entire file system you can run the following command:
find / \( -fstype rootfs -o -fstype ext4 \) -type f -uid 0 -exec head -n 1 '{}' >/dev/null \;
When done, the stored hash value should show as an extended attribute. For example:
[root@kvm-05-guest13 ~]# getfattr -m - -d /sbin/init
getfattr: Removing leading '/' from absolute path names
# file: sbin/init
security.ima=0sAbI83+oq1zbqnyWRJw/mRNgFLMhv
security.selinux="system_u:object_r:init_exec_t:s0"
- Now, reboot with the ima_appraise_tcb and ima_appraise=enforce kernel command line parameters. The system now runs with appraisal enabled, which means it validates each file's hash against the stored value before using the file. If the hash doesn't match, the file is not loaded: any access to it is denied with a "Permission denied" error and, if audit is enabled, an audit event is generated.
There are several other features available with IMA, for example editing the default policy files for ima-appraisal and ima-audit, using digital signatures for immutable files, and storing the signing keys in the TPM chip; these are not covered in this blog. In conclusion, IMA is a very powerful tool that can be used to enforce the integrity of a system and detect attempts to tamper with it. Several comprehensive guides are available that discuss the various nuances of working with IMA.
About the author
Huzaifa Sidhpurwala is a Principal Product Security Engineer with Red Hat and part of a number of upstream security groups such as Mozilla, LibreOffice, Python, PHP and others. He speaks about security issues at open source conferences, and has been a Fedora contributor for more than 10 years.