The kernel integrity sub-system can be used to detect if a file has been altered (accidently or maliciously), both remotely and/or locally. It does that by appraising a file's measurement (its hash value) against a “good” value stored previously as an extended attribute (on file systems which support extended attributes like ext3, ext4. etc.). Similar, but complementary, mechanisms are provided by other security technologies like SELinux which depending on policy can attempt to protect file integrity.
The Linux IMA (Integrity Measurement Architecture) subsystem introduces hooks within the Linux kernel to support creating and collecting hashes of files when opened, before their contents are accessed for read or execute. The IMA measurement subsystem was added in linux-2.6.30 and is supported by Red Hat Enterprise Linux 8.
The kernel integrity subsystem consists of two major components. The Integrity Measurement Architecture (IMA) is responsible for collecting file hashes, placing them in kernel memory (where userland applications cannot access/modify it) and allows local and remote parties to verify the measured values. The Extended Verification Module (EVM) detects offline tampering (this could help mitigate evil-maid attacks) of the security extended attributes.
IMA maintains a runtime measurement list and, if anchored in a hardware Trusted Platform Module(TPM), an aggregate integrity value over this list. The benefit of anchoring the aggregate integrity value in the TPM is that the measurement list is difficult to compromise by a software attack, without it being detectable. Hence, on a trusted boot system, IMA-measurement can be used to attest to the system's runtime integrity.
Read more about optimizing performance for the open-hybrid enterprise.
Enabling IMA-measurement:
IMA-measurement can be enabled by adding the parameters “ima=on ima_policy=<policy>” to the kernel command line and rebooting the system. The policy parameter takes one of the below values:
-
tcb
- measures all executables run, all mmap'd files for execution (such as shared libraries), all kernel modules loaded, and all firmware loaded. Additionally, all files read by root are measured as well. -
appraise_tcb
- appraises all files owned by root. -
secure_boot
- appraises all loaded modules, firmware, kexec'd kernel, and IMA policies. It also requires them to have an IMA signature as well. This is normally used with the CONFIG_INTEGRITY_TRUSTED_KEYRING option in the kernel in "secure boot" scenario, with the public key obtained from the OEM in firmware or via the MOK (Machine Owner Key) in shim.
IMA-measurements maintains a runtime measurement list, which can be reviewed via the /sys/kernel/security/ima/ascii_runtime_measurements
file.
[root@kvm-05-guest13 ~]# head -5 /sys/kernel/security/ima/ascii_runtime_measurements 10 1d8d532d463c9f8c205d0df7787669a85f93e260 ima-ng sha1:ddee6004dc3bd4ee300406cd93181c5a2187b59b boot_aggregate 10 bfe074db49e639b3d65aff5d29714c0ada7584ae ima-ng sha1:b23cdfea2ad736ea9f2591270fe644d8052cc86f /usr/lib/systemd/systemd 10 63c80ba8646fb4d8a48e0b6baf38650fef1b3ffb ima-ng sha1:8c8d12052c4684e696da0bee28d7a2f3c4f408e4 /usr/lib64/ld-2.28.so 10 2a07e7f032ba91832d267e6c58437cec1dccf35d ima-ng sha1:381429f65d66187f866361e8dc19e96808f9424f /usr/lib/systemd/libsystemd-shared-239.so 10 a4c7964b6581dcf3aa5495dc94a17bb7ee82554c ima-ng sha1:1abcf3c99faad55856d49e3ds210abec56d95e4a51 /etc/ld.so.cache
The columns (from left to right) are:
-
PCR (Platform Configuration Register) in which the values are registered. This field is set correctly when the TPM chip is in use.
-
Template hash of the entry, which is a hash that combines the length and values of the file content hash and the pathname.
-
Template that registered the integrity value (ima-ng in this case).
-
File content, a hash generated from the contents of the file.
-
File Name The name of the file being monitored.
The default hash algorithm is SHA-1 and can be changed to SHA256 by booting with ima_hash=sha256.
IMA re-measurement:
If any of the monitored files change at any time, for example when the system is updated, IMA re-measurement can be done. For this the file system needs to be mounted with the i_version option. To re-measure a file after it has changed, the filesystem must support i_version. For example to enable i_version on root file system, one can edit the /etc/fstab
file as follows:
/dev/vda1 / ext4 noatime,iversion 1 2
Now the system can be updated, any changes to the files which are monitored will cause the hashes to be re-computed and stored.
IMA appraisal
The appraisal extension adds local integrity validation and enforcement of the measurement against a "good" value stored as an extended attribute security.ima
.
Enabling IMA appraisal is a two step process.
-
First reboot the kernel with the boot command line parameters
ima_appraise_tcb
andima_appraise='fix'
to relabel the file system. Next, all files that will be appraised need to be opened for reading. This process could take some time. To relabel the entire filesystem you can run the following command:
find / \\( -fstype rootfs -o ext4 -type f \\) -uid 0 -exec head -n 1 '{}' >/dev/null \\;
When done, the stored hash value should show as an extended attribute. For example
[root@kvm-05-guest13 ~]# getfattr -m - -d /sbin/init getfattr: Removing leading '/' from absolute path names # file: sbin/init security.ima=0sAbI83+oq1zbqnyWRJw/mRNgFLMhv security.selinux="system_u:object_r:init_exec_t:s0"
-
Now, reboot with
ima_appraise_tcp
andima_appraise=enforce
kernel command line parameters. The system should now run with appraisal enabled, causing the system to validate the hash against the stored value before using it. If it doesn't match, then the file is not loaded, any access towards it will be denied with a Permission denied error, and if audit is enabled, generates an audit event.
There are several other features which are available with IMA. For example, editing the default policy files for ima-appraisal, ima-audit, using digital signatures for immutable files, and storing the signing keys in the TPM chip, which are not covered in this blog. In conclusion IMA is a very powerful tool which can be used to enforce integrity of a system and detect any attempts to tamper with it. There are several comprehensive guides available which discuss various nuances of working with IMA.
À propos de l'auteur
Huzaifa Sidhpurwala is a Principal Product Security Engineer with Red Hat and part of a number of upstream security groups such as Mozilla, LibreOffice, Python, PHP and others. He speaks about security issues at open source conferences, and has been a Fedora contributor for more than 10 years.
Parcourir par canal
Automatisation
Les dernières nouveautés en matière d'automatisation informatique pour les technologies, les équipes et les environnements
Intelligence artificielle
Actualité sur les plateformes qui permettent aux clients d'exécuter des charges de travail d'IA sur tout type d'environnement
Cloud hybride ouvert
Découvrez comment créer un avenir flexible grâce au cloud hybride
Sécurité
Les dernières actualités sur la façon dont nous réduisons les risques dans tous les environnements et technologies
Edge computing
Actualité sur les plateformes qui simplifient les opérations en périphérie
Infrastructure
Les dernières nouveautés sur la plateforme Linux d'entreprise leader au monde
Applications
À l’intérieur de nos solutions aux défis d’application les plus difficiles
Programmes originaux
Histoires passionnantes de créateurs et de leaders de technologies d'entreprise
Produits
- Red Hat Enterprise Linux
- Red Hat OpenShift
- Red Hat Ansible Automation Platform
- Services cloud
- Voir tous les produits
Outils
- Formation et certification
- Mon compte
- Assistance client
- Ressources développeurs
- Rechercher un partenaire
- Red Hat Ecosystem Catalog
- Calculateur de valeur Red Hat
- Documentation
Essayer, acheter et vendre
Communication
- Contacter le service commercial
- Contactez notre service clientèle
- Contacter le service de formation
- Réseaux sociaux
À propos de Red Hat
Premier éditeur mondial de solutions Open Source pour les entreprises, nous fournissons des technologies Linux, cloud, de conteneurs et Kubernetes. Nous proposons des solutions stables qui aident les entreprises à jongler avec les divers environnements et plateformes, du cœur du datacenter à la périphérie du réseau.
Sélectionner une langue
Red Hat legal and privacy links
- À propos de Red Hat
- Carrières
- Événements
- Bureaux
- Contacter Red Hat
- Lire le blog Red Hat
- Diversité, équité et inclusion
- Cool Stuff Store
- Red Hat Summit