The kernel integrity sub-system can be used to detect if a file has been altered (accidently or maliciously), both remotely and/or locally. It does that by appraising a file's measurement (its hash value) against a “good” value stored previously as an extended attribute (on file systems which support extended attributes like ext3, ext4. etc.). Similar, but complementary, mechanisms are provided by other security technologies like SELinux which depending on policy can attempt to protect file integrity.
The Linux IMA (Integrity Measurement Architecture) subsystem introduces hooks within the Linux kernel to support creating and collecting hashes of files when opened, before their contents are accessed for read or execute. The IMA measurement subsystem was added in linux-2.6.30 and is supported by Red Hat Enterprise Linux 8.
The kernel integrity subsystem consists of two major components. The Integrity Measurement Architecture (IMA) is responsible for collecting file hashes, placing them in kernel memory (where userland applications cannot access/modify it) and allows local and remote parties to verify the measured values. The Extended Verification Module (EVM) detects offline tampering (this could help mitigate evil-maid attacks) of the security extended attributes.
IMA maintains a runtime measurement list and, if anchored in a hardware Trusted Platform Module(TPM), an aggregate integrity value over this list. The benefit of anchoring the aggregate integrity value in the TPM is that the measurement list is difficult to compromise by a software attack, without it being detectable. Hence, on a trusted boot system, IMA-measurement can be used to attest to the system's runtime integrity.
Read more about optimizing performance for the open-hybrid enterprise.
Enabling IMA-measurement:
IMA-measurement can be enabled by adding the parameters “ima=on ima_policy=<policy>” to the kernel command line and rebooting the system. The policy parameter takes one of the below values:
-
tcb
- measures all executables run, all mmap'd files for execution (such as shared libraries), all kernel modules loaded, and all firmware loaded. Additionally, all files read by root are measured as well. -
appraise_tcb
- appraises all files owned by root. -
secure_boot
- appraises all loaded modules, firmware, kexec'd kernel, and IMA policies. It also requires them to have an IMA signature as well. This is normally used with the CONFIG_INTEGRITY_TRUSTED_KEYRING option in the kernel in "secure boot" scenario, with the public key obtained from the OEM in firmware or via the MOK (Machine Owner Key) in shim.
IMA-measurements maintains a runtime measurement list, which can be reviewed via the /sys/kernel/security/ima/ascii_runtime_measurements
file.
[root@kvm-05-guest13 ~]# head -5 /sys/kernel/security/ima/ascii_runtime_measurements 10 1d8d532d463c9f8c205d0df7787669a85f93e260 ima-ng sha1:ddee6004dc3bd4ee300406cd93181c5a2187b59b boot_aggregate 10 bfe074db49e639b3d65aff5d29714c0ada7584ae ima-ng sha1:b23cdfea2ad736ea9f2591270fe644d8052cc86f /usr/lib/systemd/systemd 10 63c80ba8646fb4d8a48e0b6baf38650fef1b3ffb ima-ng sha1:8c8d12052c4684e696da0bee28d7a2f3c4f408e4 /usr/lib64/ld-2.28.so 10 2a07e7f032ba91832d267e6c58437cec1dccf35d ima-ng sha1:381429f65d66187f866361e8dc19e96808f9424f /usr/lib/systemd/libsystemd-shared-239.so 10 a4c7964b6581dcf3aa5495dc94a17bb7ee82554c ima-ng sha1:1abcf3c99faad55856d49e3ds210abec56d95e4a51 /etc/ld.so.cache
The columns (from left to right) are:
-
PCR (Platform Configuration Register) in which the values are registered. This field is set correctly when the TPM chip is in use.
-
Template hash of the entry, which is a hash that combines the length and values of the file content hash and the pathname.
-
Template that registered the integrity value (ima-ng in this case).
-
File content, a hash generated from the contents of the file.
-
File Name The name of the file being monitored.
The default hash algorithm is SHA-1 and can be changed to SHA256 by booting with ima_hash=sha256.
IMA re-measurement:
If any of the monitored files change at any time, for example when the system is updated, IMA re-measurement can be done. For this the file system needs to be mounted with the i_version option. To re-measure a file after it has changed, the filesystem must support i_version. For example to enable i_version on root file system, one can edit the /etc/fstab
file as follows:
/dev/vda1 / ext4 noatime,iversion 1 2
Now the system can be updated, any changes to the files which are monitored will cause the hashes to be re-computed and stored.
IMA appraisal
The appraisal extension adds local integrity validation and enforcement of the measurement against a "good" value stored as an extended attribute security.ima
.
Enabling IMA appraisal is a two step process.
-
First reboot the kernel with the boot command line parameters
ima_appraise_tcb
andima_appraise='fix'
to relabel the file system. Next, all files that will be appraised need to be opened for reading. This process could take some time. To relabel the entire filesystem you can run the following command:
find / \\( -fstype rootfs -o ext4 -type f \\) -uid 0 -exec head -n 1 '{}' >/dev/null \\;
When done, the stored hash value should show as an extended attribute. For example
[root@kvm-05-guest13 ~]# getfattr -m - -d /sbin/init getfattr: Removing leading '/' from absolute path names # file: sbin/init security.ima=0sAbI83+oq1zbqnyWRJw/mRNgFLMhv security.selinux="system_u:object_r:init_exec_t:s0"
-
Now, reboot with
ima_appraise_tcp
andima_appraise=enforce
kernel command line parameters. The system should now run with appraisal enabled, causing the system to validate the hash against the stored value before using it. If it doesn't match, then the file is not loaded, any access towards it will be denied with a Permission denied error, and if audit is enabled, generates an audit event.
There are several other features which are available with IMA. For example, editing the default policy files for ima-appraisal, ima-audit, using digital signatures for immutable files, and storing the signing keys in the TPM chip, which are not covered in this blog. In conclusion IMA is a very powerful tool which can be used to enforce integrity of a system and detect any attempts to tamper with it. There are several comprehensive guides available which discuss various nuances of working with IMA.
저자 소개
Huzaifa Sidhpurwala is a Principal Product Security Engineer with Red Hat and part of a number of upstream security groups such as Mozilla, LibreOffice, Python, PHP and others. He speaks about security issues at open source conferences, and has been a Fedora contributor for more than 10 years.
채널별 검색
오토메이션
기술, 팀, 인프라를 위한 IT 자동화 최신 동향
인공지능
고객이 어디서나 AI 워크로드를 실행할 수 있도록 지원하는 플랫폼 업데이트
오픈 하이브리드 클라우드
하이브리드 클라우드로 더욱 유연한 미래를 구축하는 방법을 알아보세요
보안
환경과 기술 전반에 걸쳐 리스크를 감소하는 방법에 대한 최신 정보
엣지 컴퓨팅
엣지에서의 운영을 단순화하는 플랫폼 업데이트
인프라
세계적으로 인정받은 기업용 Linux 플랫폼에 대한 최신 정보
애플리케이션
복잡한 애플리케이션에 대한 솔루션 더 보기
오리지널 쇼
엔터프라이즈 기술 분야의 제작자와 리더가 전하는 흥미로운 스토리
제품
- Red Hat Enterprise Linux
- Red Hat OpenShift Enterprise
- Red Hat Ansible Automation Platform
- 클라우드 서비스
- 모든 제품 보기
툴
체험, 구매 & 영업
커뮤니케이션
Red Hat 소개
Red Hat은 Linux, 클라우드, 컨테이너, 쿠버네티스 등을 포함한 글로벌 엔터프라이즈 오픈소스 솔루션 공급업체입니다. Red Hat은 코어 데이터센터에서 네트워크 엣지에 이르기까지 다양한 플랫폼과 환경에서 기업의 업무 편의성을 높여 주는 강화된 기능의 솔루션을 제공합니다.