Module insertion fails when the Secure Boot is enabled
Technical Articles ID: KB90085
Last Modified: 2023-06-28 05:41:58 Etc/GMT
Environment
Endpoint Security for Linux Threat Prevention (ENSLTP) 10.x
Red Hat Enterprise Linux (RHEL) 7.x
Community Enterprise Operating System (CentOS) 7.x
Problem
The module insertion fails with the error required key isn't available (on-access scanning fails to start).
ENSLTP fails to start on-access scanning with the following errors in isectpd.log:
Nov 09 15:26:28 test.os.com ERROR FileAccessEventKernelImpl [1182] Module insertion Failed with errorRequired key not available
Nov 09 15:26:28 test.os.com ERROR FileAccessEventKernel [1182] Failed to initialize netlink socket in Kernel module
Nov 09 15:26:58 test.os.com ERROR AMOASBroker [1182] Failed to initialise file access library.
Nov 09 15:26:58 test.os.com ERROR Preference [1182] OAS could not be started due to an exception
The following Secure Boot related messages display in /var/log/messages:
Nov 9 10:19:29 test kernel: efi: EFI v2.40 by American Megatrends
Nov 9 10:19:29 test kernel: efi: ACPI=0xc9f2a000 ACPI 2.0=0xc9f2a000 SMBIOS=0xf0000
Nov 9 10:19:29 test kernel: efi: mem00: type=7, attr=0xf, range=[0x0000000000000000-0x000000000003f000) (0MB)
Nov 9 10:19:29 test kernel: efi: mem01: type=6, attr=0x800000000000000f, range=[0x000000000003f000-0x0000000000040000) (0MB)
Nov 9 10:19:29 test kernel: efi: mem02: type=2, attr=0xf, range=[0x0000000000040000-0x0000000000041000) (0MB)
Nov 9 10:19:29 test kernel: Secure boot enabled
Cause
By default, ENSLTP uses kernel modules to intercept file I/O for antimalware scanning. Currently, the kernel modules shipped with ENSLTP aren't signed for Secure Boot. On systems where Secure Boot is enabled or the module.sig_enforce kernel parameter is specified, the kernel doesn't allow the unsigned modules to load. As a result, on-access scanning fails to start.
Red Hat describes both of these scenarios as follows:
- "When Secure Boot is enabled, the EFI operating system boot loaders, the Red Hat Enterprise Linux kernel, and all kernel modules must be signed with a private key and authenticated with the corresponding public key."
- "If UEFI Secure Boot is enabled or if the module.sig_enforce kernel parameter has been specified, only signed kernel modules that are authenticated using a key on the system keyring can be successfully loaded."
Solution 1
For ENSL 10.7.15 and later:
NOTE: For distributions that support the Secure Boot feature, see KB96586 - Supported distributions for the ENSL Secure Boot feature.
The following packages need to be installed.
Tool | Provided by Package | Used On | Purpose
mokutil | mokutil | Target system | Manually enroll the public key
keyctl | keyutils | Target system | Optional; used to display public keys in the system keyring
Make sure that shim, grub, and mokutil are up to date before you perform the steps below:
- Download and extract the KernelModuleSignKeyPub.zip file in the "Attachment" section of this article.
- Copy the public key file to the target system.
- Import the public key into the BIOS using the command below:
[root@localhost ~]# mokutil --import <path>/KernelModuleSignKeyPub.der
input password:
input password again:
- Restart the system. The pending MOK enrollment request is identified by shim.efi, which starts MokManager.efi. To complete this process, perform the following steps:
- On the Perform MOK management screen, select Enroll MOK to add the imported key to the system keyring.
- On the Enroll MOK screen, select View key to see the imported key details.
- On the Enroll MOK screen, select Continue to import the key.
- On the Enroll the key(s) screen, click Yes to enroll the key in the system keyring.
- Enter the same password entered while importing the key in step 3.
- On the Perform MOK management screen, select Reboot.
- Verify that the key has been added:
[root@localhost ~]# keyctl list %:.platform
6 keys in keyring:
807358922: ---lswrv 0 0 asymmetric: VMware, Inc.: 4ad8ba0472073d28127706ddc6ccb9050441bbc7
555208707: ---lswrv 0 0 asymmetric: Red Hat Secure Boot (CA key 1): 4016841644ce3a810408050766e8f8a29c65f85c
274135278: ---lswrv 0 0 asymmetric: MUSARUBRA US LLC: Musarubra US LLC: f2e3a47ee53989d2ebbc32abdea7d1d8bb556e3a
434549956: ---lswrv 0 0 asymmetric: Microsoft Windows Production PCA 2011: a92902398e16c49778cd90f99e4f9ae17c55af53
156985236: ---lswrv 0 0 asymmetric: Microsoft Corporation UEFI CA 2011: 13adbf4309bd82709c8cd54f316ed522988a1bd4
454359069: ---lswrv 0 0 asymmetric: VMware, Inc.: VMware Secure Boot Signing: 04597f3e1ffb240bba0ff0f05d5eb05f3e15f6d7
Solution 2
For ENSL 10.6.6 and later:
Follow the steps below to sign kernel modules for UEFI Secure Boot.
NOTE: Both the Build system and Target system should have the same kernel and operating system versions.
Use two systems as follows:
- One system to sign the modules (known as the Build system)
- One system with UEFI Secure Boot where the modules need to be deployed (known as the Target system)
Tool | Provided by Package | Used On | Purpose
openssl | openssl | Build system | Generates public and private X.509 key pair
sign-file | kernel-devel | Build system | Perl script used to sign kernel modules
mokutil | mokutil | Target system | Manually enroll the public key
keyctl | keyutils | Target system | Optional, used to display public keys in the system keyring
NOTE: Kernel signing can be done on one system, and the public key and signed kernel modules can be added to other Target systems with UEFI Secure Boot.
On both the Build system and Target system, install ENSLTP with OAS disabled and Access Protection disabled:
[root@localhost ~]# bash install-mfetp.sh oasoff apoff
On the Build system, perform the following steps:
- Run the following commands:
yum install openssl
yum install kernel-devel
- Create the configuration file below for generating a key:
[root@localhost ~]# cat << EOF > ensl_configuration_file.config
[ req ]
default_bits = 4096
distinguished_name = ensl
prompt = no
string_mask = utf8only
x509_extensions = myexts
[ ensl ]
O = Corporation
CN = Organization signing key
emailAddress = email_address@corporation.com
[ myexts ]
basicConstraints=critical,CA:FALSE
keyUsage=digitalSignature
subjectKeyIdentifier=hash
authorityKeyIdentifier=keyid
EOF
- Create a public-private key:
[root@localhost ~]# openssl req -x509 -new -nodes -utf8 -sha256 -days 36500 -batch -config ensl_configuration_file.config -outform DER -out ensl_public_key.der -keyout ensl_private_key.priv
- Send the public key to the Target system:
[root@localhost ~]# scp ensl_public_key.der <target_system_user>@<target_system_IP_address>:<path>
- Find the path of the FileAccess module and sign it:
[root@localhost ~]# ls -lrt /lib/modules/$(uname -r)/mfe_fileaccess
total 0
lrwxrwxrwx. 1 root root 86 May 17 11:28 mfe_fileaccess.ko -> /var/McAfee/ens/esp/fileaccess/kernel/3.10.0-862.el7.x86_64/mfe_fileaccess_100612126.ko
[root@localhost ~]# /usr/src/kernels/$(uname -r)/scripts/sign-file sha256 <path>/ensl_private_key.priv <path>/ensl_public_key.der /var/McAfee/ens/esp/fileaccess/kernel/3.10.0-862.el7.x86_64/mfe_fileaccess_100612126.ko
NOTE: Other available FileAccess modules for different kernel versions can be signed in the same manner.
- Send the signed FileAccess kernel module to the Target system in the appropriate path:
NOTE: Stop the ENSLTP services before you perform this step.
[root@localhost ~]# /opt/McAfee/ens/tp/init/mfetpd-control.sh stop
[root@localhost]# scp /var/McAfee/ens/esp/fileaccess/kernel/3.10.0-862.el7.x86_64/mfe_fileaccess_100612126.ko <target_system_user>@<target_system_IP_address>:/var/McAfee/ens/esp/fileaccess/kernel/3.10.0-862.el7.x86_64/mfe_fileaccess_100612126.ko
- Find the path of the AAC module and sign it:
[root@localhost ~]# ls -lrt /lib/modules/$(uname -r)/mfe_aac
total 0
lrwxrwxrwx. 1 root root 80 May 17 11:28 mfe_aac.ko -> /var/McAfee/ens/esp/aac/kernel/3.10.0-862.el7.x86_64/mfe_aac_100612126.ko
[root@localhost ~]# /usr/src/kernels/$(uname -r)/scripts/sign-file sha256 <path>/ensl_private_key.priv <path>/ensl_public_key.der /var/McAfee/ens/esp/aac/kernel/3.10.0-862.el7.x86_64/mfe_aac_100612126.ko
NOTE: Other available AAC modules for different kernel versions can be signed in the same manner.
- Send the signed AAC kernel module to the Target system in the appropriate path:
NOTE: Stop the ENSLTP services before you perform this step.
[root@localhost ~]# /opt/McAfee/ens/tp/init/mfetpd-control.sh stop
[root@localhost TP]# scp /var/McAfee/ens/esp/aac/kernel/3.10.0-862.el7.x86_64/mfe_aac_100612126.ko <target_system_user>@<target_system_IP_address>:/var/McAfee/ens/esp/aac/kernel/3.10.0-862.el7.x86_64/mfe_aac_100612126.ko
On the Target system, perform the following steps:
- Run the following commands:
yum install mokutil
yum install keyutils
- Check the keys available in the system keyring:
[root@localhost ~]# keyctl list %:.system_keyring
7 keys in keyring:
184534242: --alswrv 0 0 asymmetric: Red Hat Enterprise Linux Driver Update Program (key 3): bf57f3e87362bc7229d9f465321773dfd1f77a80
416592595: --alswrv 0 0 asymmetric: Red Hat Secure Boot (CA key 1): 4016841644ce3a810408050766e8f8a29c65f85c
775760976: --alswrv 0 0 asymmetric: Microsoft Windows Production PCA 2011: a92902398e16c49778cd90f99e4f9ae17c55af53
800716271: --alswrv 0 0 asymmetric: Microsoft Corporation UEFI CA 2011: 13adbf4309bd82709c8cd54f316ed522988a1bd4
517988567: --alswrv 0 0 asymmetric: VMware, Inc.: 4ad8ba0472073d28127706ddc6ccb9050441bbc7
1024395483: --alswrv 0 0 asymmetric: Red Hat Enterprise Linux kernel signing key: 5173023bf81637d7bf3c5150134eec841b96fd0b
369251456: --alswrv 0 0 asymmetric: Red Hat Enterprise Linux kpatch signing key: 4d38fd864ebe18c5f0b72e3852e2014c3a676fc8
- Import the public key in the Target system:
[root@localhost ~]# mokutil --import <path>/ensl_public_key.der
input password:
input password again:
- Restart the system. The pending MOK enrollment request is identified by shim.efi, which starts MokManager.efi. To complete this process, perform the following steps:
- On the Perform MOK management screen, select Enroll MOK to add the imported key to the system keyring.
- On the Enroll MOK screen, select View key to see the imported key details.
- On the Enroll the key(s) screen, click Yes to enroll the key in the system keyring.
- Enter the same password entered while importing the key in step 3.
- On the Perform MOK management screen, select Reboot.
- Verify that the key has been added:
[root@localhost ~]# keyctl list %:.system_keyring
8 keys in keyring:
41273182: --alswrv 0 0 asymmetric: Red Hat Enterprise Linux Driver Update Program (key 3): bf57f3e87362bc7229d9f465321773dfd1f77a80
25238101: --alswrv 0 0 asymmetric: Red Hat Secure Boot (CA key 1): 4016841644ce3a810408050766e8f8a29c65f85c
1057481158: --alswrv 0 0 asymmetric: Corporation: Organization signing key: 079b377b69818d219480d1a8247d00bb44ac99e5
302746409: --alswrv 0 0 asymmetric: Microsoft Windows Production PCA 2011: a92902398e16c49778cd90f99e4f9ae17c55af53
781519189: --alswrv 0 0 asymmetric: Microsoft Corporation UEFI CA 2011: 13adbf4309bd82709c8cd54f316ed522988a1bd4
371559668: --alswrv 0 0 asymmetric: VMware, Inc.: 4ad8ba0472073d28127706ddc6ccb9050441bbc7
757185255: --alswrv 0 0 asymmetric: Red Hat Enterprise Linux kernel signing key: 5173023bf81637d7bf3c5150134eec841b96fd0b
877420410: --alswrv 0 0 asymmetric: Red Hat Enterprise Linux kpatch signing key: 4d38fd864ebe18c5f0b72e3852e2014c3a676fc8
- Enable OAS:
[root@localhost ~]# /opt/McAfee/ens/tp/bin/mfetpcli --setoasglobalconfig --oas on
OAS Enabled Successfully
- Verify that the FileAccess module is loaded:
[root@localhost ~]# lsmod | grep mfe
mfe_fileaccess_100602103 77171 2
- Enable Access Protection:
[root@localhost ~]# /opt/McAfee/ens/tp/bin/mfetpcli --setapstatus enable
AP Enabled Successfully
- Verify that the AAC module is loaded:
[root@localhost ~]# lsmod | grep aac
mfe_aac_100602103 127171 2
- If the kernel modules aren't loaded:
Check the imported key in the system keyring and the module information for the signed key. Make sure that the module is signed with the same key that's imported in the system.
[root@localhost ~]# modinfo /var/McAfee/ens/esp/fileaccess/kernel/3.10.0-862.el7.x86_64/mfe_fileaccess_100612126.ko
filename: /var/McAfee/ens/esp/fileaccess/kernel/3.10.0-862.el7.x86_64/mfe_fileaccess_100612126.ko
license: GPL
description: File system hooking module
author: McAfee LLC
retpoline: Y
rhelversion: 7.4
srcversion: CE04C45CC3C0C81E18D6378
depends:
vermagic: 3.10.0-693.21.1.el7.x86_64 SMP mod_unload modversions
signer: Corporation: Organization signing key
sig_key: 07:9B:37:7B:69:81:8D:21:94:80:D1:A8:24:7D:00:BB:44:AC:99:E5
sig_hashalgo: sha256
parm: sys_call_table_str:Address of syscall table (charp)
parm: kallsyms_lookup_name_str:Address of kallsyms_lookup_name api (charp)
parm: netlinkRequestSocket:Netlink Request Socket Number (int)
parm: netlinkResponseSocket:Netlink Response Socket Number (int)
[root@localhost ~]# keyctl list %:.system_keyring
8 keys in keyring:
41273182: --alswrv 0 0 asymmetric: Red Hat Enterprise Linux Driver Update Program (key 3): bf57f3e87362bc7229d9f465321773dfd1f77a80
25238101: --alswrv 0 0 asymmetric: Red Hat Secure Boot (CA key 1): 4016841644ce3a810408050766e8f8a29c65f85c
1057481158: --alswrv 0 0 asymmetric: Corporation: Organization signing key: 079b377b69818d219480d1a8247d00bb44ac99e5
302746409: --alswrv 0 0 asymmetric: Microsoft Windows Production PCA 2011: a92902398e16c49778cd90f99e4f9ae17c55af53
781519189: --alswrv 0 0 asymmetric: Microsoft Corporation UEFI CA 2011: 13adbf4309bd82709c8cd54f316ed522988a1bd4
371559668: --alswrv 0 0 asymmetric: VMware, Inc.: 4ad8ba0472073d28127706ddc6ccb9050441bbc7
757185255: --alswrv 0 0 asymmetric: Red Hat Enterprise Linux kernel signing key: 5173023bf81637d7bf3c5150134eec841b96fd0b
877420410: --alswrv 0 0 asymmetric: Red Hat Enterprise Linux kpatch signing key: 4d38fd864ebe18c5f0b72e3852e2014c3a676fc8
If the key hasn't been imported in the system and module insertion is tried, the following error displays in /var/log/messages:
May 20 15:27:02 localhost kernel: Request for unknown module key 'Corporation: Organization signing key: 079b377b69818d219480d1a8247d00bb44ac99e5' err -11
Import the appropriate public key in the system and reinsert the module.
- If the signed kernel module fails to get inserted in the system with the proper key in its system keyring:
Check /var/log/messages and /var/McAfee/ens/log/tp/mfetpd.log for further information.
Solution 3
For ENSL 10.6.5 and earlier:
Follow the steps below to sign kernel modules for UEFI Secure Boot.
NOTE: Both the Build system and the Target system should have the same kernel and operating system versions.
Use two systems as follows:
- One system to sign the modules (known as the Build system)
- One system with UEFI Secure Boot where the modules need to be deployed (known as the Target system)
Tool | Provided by Package | Used On | Purpose
openssl | openssl | Build system | Generates public and private X.509 key pair
sign-file | kernel-devel | Build system | Perl script used to sign kernel modules
mokutil | mokutil | Target system | Manually enroll the public key
keyctl | keyutils | Target system | Optional, used to display public keys in the system keyring
NOTE: Kernel signing can be done on one system, and the public key and signed kernel modules can be added to other Target systems with UEFI Secure Boot.
On both the Build system and Target system, install ENSLTP with on-access scan (OAS) disabled and Access Protection disabled:
[root@localhost ~]# bash install-isectp.sh oasoff apoff
On the Build system, perform the following steps:
- Run the following commands:
yum install openssl
yum install kernel-devel
- Create the configuration file below for generating a key:
[root@localhost ~]# cat << EOF > ensl_configuration_file.config
[ req ]
default_bits = 4096
distinguished_name = ensl
prompt = no
string_mask = utf8only
x509_extensions = myexts
[ ensl ]
O = Corporation
CN = Organization signing key
emailAddress = email_address@corporation.com
[ myexts ]
basicConstraints=critical,CA:FALSE
keyUsage=digitalSignature
subjectKeyIdentifier=hash
authorityKeyIdentifier=keyid
EOF
- Create a public-private key:
[root@localhost ~]# openssl req -x509 -new -nodes -utf8 -sha256 -days 36500 -batch -config ensl_configuration_file.config -outform DER -out ensl_public_key.der -keyout ensl_private_key.priv
- Send the public key to the Target system:
[root@localhost ~]# scp ensl_public_key.der <target_system_user>@<target_system_IP_address>:<path>
- Find the path of the FileAccess module and sign it:
[root@localhost ~]# ls -lrt /lib/modules/$(uname -r)/fileaccess
total 0
lrwxrwxrwx. 1 root root 86 May 17 11:28 fileaccess_mod.ko -> /opt/isec/ens/esp/modules/fileaccess/3.10.0-862.el7.x86_64-fileaccess_mod_100602103.ko
[root@localhost ~]# perl /usr/src/kernels/$(uname -r)/scripts/sign-file sha256 <path>/ensl_private_key.priv <path>/ensl_public_key.der /opt/isec/ens/esp/modules/fileaccess/$(uname -r)*.ko
NOTE: Other available FileAccess modules for different kernel versions can be signed in the same manner.
- Send the signed FileAccess kernel module to the Target system in the appropriate path:
NOTE: Stop the ENSLTP services before performing this step.
[root@localhost ~]# /opt/isec/ens/threatprevention/bin/isectpdControl.sh stop
[root@localhost]# scp /opt/isec/ens/esp/modules/fileaccess/$(uname -r)*.ko <target_system_user>@<target_system_IP_address>:/opt/isec/ens/esp/modules/fileaccess/$(uname -r)*.ko
- Find the path of the AAC module and sign it:
[root@localhost ~]# ls -lrt /lib/modules/$(uname -r)/mfeaack
total 0
lrwxrwxrwx. 1 root root 80 May 17 11:28 mfeaack.ko -> /opt/isec/ens/esp/modules/aac//kernel/3.10.0-862.el7.x86_64/mfeaack_100602103.ko
[root@localhost ~]# perl /usr/src/kernels/$(uname -r)/scripts/sign-file sha256 <path>/ensl_private_key.priv <path>/ensl_public_key.der /opt/isec/ens/esp/modules/aac/kernel/$(uname -r)/*.ko
NOTE: Other available AAC modules for different kernel versions can be signed in the same manner.
- Send the signed AAC kernel module to the Target system in the appropriate path:
NOTE: Stop the ENSLTP services before you perform this step.
[root@localhost ~]# /opt/isec/ens/threatprevention/bin/isectpdControl.sh stop
[root@localhost TP]# scp /opt/isec/ens/esp/modules/aac/kernel/$(uname -r)/*.ko <target_system_user>@<target_system_IP_address>:/opt/isec/ens/esp/modules/aac/kernel/$(uname -r)/*.ko
On the Target system, perform the following steps:
- Run the following commands:
yum install mokutil
yum install keyutils
- Import the public key in the Target system:
[root@localhost ~]# mokutil --import <path>/ensl_public_key.der
input password:
input password again:
- Restart the system. The pending Machine Owner Key (MOK) enrollment request is identified by shim.efi, which starts MokManager.efi. To complete this process, perform the following steps:
- On the Perform MOK management screen, select Enroll MOK to add the imported key to the system keyring.
- On the Enroll MOK screen, select View key to see the imported key details.
- On the Enroll the key(s) screen, click Yes to enroll the key in the system keyring.
- Enter the same password entered while importing the key in step 3.
- On the Perform MOK management screen, select Reboot.
- Verify that the key has been added:
[root@localhost ~]# keyctl list %:.system_keyring
8 keys in keyring:
41273182: --alswrv 0 0 asymmetric: Red Hat Enterprise Linux Driver Update Program (key 3): bf57f3e87362bc7229d9f465321773dfd1f77a80
25238101: --alswrv 0 0 asymmetric: Red Hat Secure Boot (CA key 1): 4016841644ce3a810408050766e8f8a29c65f85c
1057481158: --alswrv 0 0 asymmetric: Corporation: Organization signing key: 079b377b69818d219480d1a8247d00bb44ac99e5
302746409: --alswrv 0 0 asymmetric: Microsoft Windows Production PCA 2011: a92902398e16c49778cd90f99e4f9ae17c55af53
781519189: --alswrv 0 0 asymmetric: Microsoft Corporation UEFI CA 2011: 13adbf4309bd82709c8cd54f316ed522988a1bd4
371559668: --alswrv 0 0 asymmetric: VMware, Inc.: 4ad8ba0472073d28127706ddc6ccb9050441bbc7
757185255: --alswrv 0 0 asymmetric: Red Hat Enterprise Linux kernel signing key: 5173023bf81637d7bf3c5150134eec841b96fd0b
877420410: --alswrv 0 0 asymmetric: Red Hat Enterprise Linux kpatch signing key: 4d38fd864ebe18c5f0b72e3852e2014c3a676fc8
- Enable OAS:
[root@localhost ~]# /opt/isec/ens/threatprevention/bin/isecav --setoasglobalconfig --oas on
OAS Enabled Successfully
- Verify that the FileAccess module is loaded:
[root@localhost ~]# lsmod | grep file
fileaccess_mod_100602103 77171 2
- Enable Access Protection:
[root@localhost ~]# /opt/isec/ens/threatprevention/bin/isecav --setapstatus enable
AP Enabled Successfully
- Verify that the AAC module is loaded:
[root@localhost ~]# lsmod | grep aac
mfeaack_100602103 127171 2
- If the kernel modules aren't loaded:
Check the imported key in the system keyring and the module information for the signed key. Make sure that the module is signed with the same key that's imported in the system.
[root@localhost ~]# modinfo /opt/isec/ens/esp/modules/fileaccess/$(uname -r)*.ko
filename: /opt/isec/ens/esp/modules/fileaccess/3.10.0-862.el7.x86_64-fileaccess_mod_100602103.ko
license: GPL
description: File system hooking module
author: McAfee LLC
retpoline: Y
rhelversion: 7.4
srcversion: CE04C45CC3C0C81E18D6378
depends:
vermagic: 3.10.0-693.21.1.el7.x86_64 SMP mod_unload modversions
signer: Corporation: Organization signing key
sig_key: 07:9B:37:7B:69:81:8D:21:94:80:D1:A8:24:7D:00:BB:44:AC:99:E5
sig_hashalgo: sha256
parm: sys_call_table_str:Address of syscall table (charp)
parm: kallsyms_lookup_name_str:Address of kallsyms_lookup_name api (charp)
parm: netlinkRequestSocket:Netlink Request Socket Number (int)
parm: netlinkResponseSocket:Netlink Response Socket Number (int)
[root@localhost ~]# keyctl list %:.system_keyring
8 keys in keyring:
41273182: --alswrv 0 0 asymmetric: Red Hat Enterprise Linux Driver Update Program (key 3): bf57f3e87362bc7229d9f465321773dfd1f77a80
25238101: --alswrv 0 0 asymmetric: Red Hat Secure Boot (CA key 1): 4016841644ce3a810408050766e8f8a29c65f85c
1057481158: --alswrv 0 0 asymmetric: Corporation: Organization signing key: 079b377b69818d219480d1a8247d00bb44ac99e5
302746409: --alswrv 0 0 asymmetric: Microsoft Windows Production PCA 2011: a92902398e16c49778cd90f99e4f9ae17c55af53
781519189: --alswrv 0 0 asymmetric: Microsoft Corporation UEFI CA 2011: 13adbf4309bd82709c8cd54f316ed522988a1bd4
371559668: --alswrv 0 0 asymmetric: VMware, Inc.: 4ad8ba0472073d28127706ddc6ccb9050441bbc7
757185255: --alswrv 0 0 asymmetric: Red Hat Enterprise Linux kernel signing key: 5173023bf81637d7bf3c5150134eec841b96fd0b
877420410: --alswrv 0 0 asymmetric: Red Hat Enterprise Linux kpatch signing key: 4d38fd864ebe18c5f0b72e3852e2014c3a676fc8
If the key hasn't been imported in the system and module insertion is tried, the following error displays in /var/log/messages:
May 20 15:27:02 localhost kernel: Request for unknown module key 'Corporation: Organization signing key: 079b377b69818d219480d1a8247d00bb44ac99e5' err -11
Import the appropriate public key in the system and reinsert the module.
- If the signed kernel module fails to get inserted in the system with the proper key in its system keyring:
Check /var/log/messages and /opt/isec/ens/threatprevention/var/isectpd.log for further information.
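The troubleshooting check in Solutions 2 and 3 (compare the module's sig_key from modinfo with the keys in the system keyring, and look for "Request for unknown module key" in /var/log/messages) can be scripted. The following is an added example, not vendor code; the function names are hypothetical, and the sample input is abridged from the outputs shown in this article, except the unsigned modinfo sample, which is constructed.

```bash
#!/usr/bin/env bash
# Added example (not vendor code): decide why a kernel module is or is not trusted.
# Live use on a Target system, with the commands shown in this article:
#   diagnose_module "$(modinfo <module>.ko)" "$(keyctl list %:.system_keyring)"

# Print the module's sig_key as lowercase hex without colons; prints nothing if unsigned.
module_sig_key() {   # $1 = modinfo output
    printf '%s\n' "$1" | sed -n 's/^sig_key:[[:space:]]*//p' \
        | tr -d ':[:space:]' | tr 'A-F' 'a-f'
}

# Succeed if the keyring listing holds an asymmetric key whose ID is the given hex.
keyring_has_key() {   # $1 = keyctl list output, $2 = hex key ID
    [ -n "$2" ] && printf '%s\n' "$1" | grep -qiE "asymmetric: .*: $2\$"
}

# Classify a module as unsigned, key-not-enrolled, or trusted.
diagnose_module() {   # $1 = modinfo output, $2 = keyctl list output
    _key=$(module_sig_key "$1")
    if [ -z "$_key" ]; then
        echo "unsigned"
    elif keyring_has_key "$2" "$_key"; then
        echo "trusted"
    else
        echo "key-not-enrolled"
    fi
}

# List the key descriptions the kernel rejected ("Request for unknown module key").
unknown_module_keys() {   # $1 = kernel log text
    printf '%s\n' "$1" \
        | sed -n "s/.*Request for unknown module key '\(.*\)' err.*/\1/p" | sort -u
}

# --- Sample input, abridged from the outputs shown in this article ---
SAMPLE_MODINFO_SIGNED='license: GPL
signer: Corporation: Organization signing key
sig_key: 07:9B:37:7B:69:81:8D:21:94:80:D1:A8:24:7D:00:BB:44:AC:99:E5
sig_hashalgo: sha256'
# Constructed: the same module before sign-file has been run on it.
SAMPLE_MODINFO_UNSIGNED='license: GPL
description: File system hooking module'
# Keyring before and after the MOK enrollment of the organization's key.
SAMPLE_KEYRING_BEFORE='416592595: --alswrv 0 0 asymmetric: Red Hat Secure Boot (CA key 1): 4016841644ce3a810408050766e8f8a29c65f85c
517988567: --alswrv 0 0 asymmetric: VMware, Inc.: 4ad8ba0472073d28127706ddc6ccb9050441bbc7'
SAMPLE_KEYRING_AFTER="$SAMPLE_KEYRING_BEFORE
1057481158: --alswrv 0 0 asymmetric: Corporation: Organization signing key: 079b377b69818d219480d1a8247d00bb44ac99e5"
SAMPLE_LOG="May 20 15:27:02 localhost kernel: Request for unknown module key 'Corporation: Organization signing key: 079b377b69818d219480d1a8247d00bb44ac99e5' err -11"

echo "unsigned module:       $(diagnose_module "$SAMPLE_MODINFO_UNSIGNED" "$SAMPLE_KEYRING_AFTER")"
echo "before MOK enrollment: $(diagnose_module "$SAMPLE_MODINFO_SIGNED" "$SAMPLE_KEYRING_BEFORE")"
echo "after MOK enrollment:  $(diagnose_module "$SAMPLE_MODINFO_SIGNED" "$SAMPLE_KEYRING_AFTER")"
echo "rejected keys in log:  $(unknown_module_keys "$SAMPLE_LOG")"
```

For Solution 1, pass the output of keyctl list %:.platform as the second argument instead.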
Attachment