The Reference Integrity Measurement Manifest (RIMM) is a set of measurements that are generated at the time of a software release. It provides a reference point against which a remote system can validate the processes executing on a client, to determine whether those processes have been modified or tampered with since installation. This module provides a set of tools for building RIMM files. Two of these tools are geared towards the use of RPMs, but the other tools can be used against any software release.
The RIMM file is organized as a sorted list of RIMM entries. Because a RIMM is built for a specific version of the software, it is necessary to have a unique identifier for that specific version. This information is embodied in a structure that consists of a Major version number, a Major Revision version number, a Minor version number, and a Build number. The Build number is usually defined as the number of seconds since the Epoch (midnight, Jan 1 1970) at which the build was created, but can be any number that uniquely identifies the release being built.
The RIMM is usually built in three stages.
1. Build a representative file system.
2. Remove uninteresting files from the representative file system.
3. Create the RIMM file.
The tools provided for the first stage are the ones geared for RPMs. Two shell scripts are provided: buildrpmlist and buildHostImage. The first builds a list of RPMs from the current installation, and the second builds a representative file system from that list of RPMs. It is at this stage that a new file called /etc/rimm-release is added to the file system. This file contains the unique identifier that is used to identify the build. It must also be installed on every system that will eventually attest. The rimm-release file contains the single line:
RIMM Version a.b.c.vxxxxxxxxxx
where a, b, and c are the Major version, the Major Revision version, and the Minor version of the release respectively. The xxxxxxxxxx is to be replaced by the build number.
The next stage is to remove uninteresting files from the file system. These are files that will not be measured or that are of no significance. Examples are man pages and log files. In addition, system directories such as /tmp, /proc, and /sys are removed at this stage. A shell script is provided that performs this action on the representative file system. This program is called process_files, and uses two configuration files, excludelist and includelist. Excludelist is the list of files and directories that are to be removed from the representative file system. This removal is why you should not build the RIMM on a running system. The removal of /sys and /proc is likely to have a deleterious effect on the viability of that file system.
The final stage is to walk through the constructed file system and generate a RIMM entry for every file and symlink in it. This entry will consist of the SHA1 hash of the file contents hashed together with the file name, and the file name itself. Provided in this module is the source for a program called buildrimm. It uses the RIMM library described elsewhere, and will name the RIMM file it creates rimm-a.b.c.vxxxxxxxxx, where the a, b, c, and xxxxxxxxxx are as described above.
Once the RIMM is created, it must be moved to the Policy Decision Point (PDP) so that when a client reports its measurement values, the initial measurement values are available for comparison.
This module is provided as a source rpm, and is designed to be run on the system building the release. It would normally be neither installed nor run on either the client system or the Policy Decision Point.
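The final stage described above, as an added sketch in Python; it is not the buildrimm source or any code from this module, and the function names are hypothetical. It assumes details the text does not specify: the digest is SHA-1 over the file contents followed by the file name, a symlink is measured by its target string, entries are sorted by file name, and a, b, c and the build number are decimal digits.

```python
import hashlib, os, re, tempfile
from pathlib import Path

RELEASE_RE = re.compile(r"RIMM Version (\d+)\.(\d+)\.(\d+)\.v(\d+)")

def parse_rimm_release(text):
    """Return (major, major_rev, minor, build) as strings, or raise ValueError."""
    m = RELEASE_RE.fullmatch(text.strip())
    if m is None:
        raise ValueError("malformed rimm-release line: %r" % text)
    return m.groups()

def entry_digest(name, content):
    # Assumed layout: SHA-1 over the contents followed by the file name.
    return hashlib.sha1(content + name.encode()).hexdigest()

def build_entries(root):
    """Return a name-sorted list of (name, digest) for every file and symlink."""
    entries = []
    for dirpath, dirnames, filenames in os.walk(root):  # does not follow symlinks
        for n in dirnames + filenames:
            full = os.path.join(dirpath, n)
            name = "/" + os.path.relpath(full, root)
            if os.path.islink(full):
                content = os.fsencode(os.readlink(full))  # assumed: target string
            elif os.path.isfile(full):
                content = Path(full).read_bytes()
            else:
                continue  # plain directories get no entry
            entries.append((name, entry_digest(name, content)))
    return sorted(entries)

def build_rimm(root):
    # The RIMM file name comes from etc/rimm-release inside the built tree.
    release = Path(root, "etc", "rimm-release").read_text()
    a, b, c, build = parse_rimm_release(release)
    return "rimm-%s.%s.%s.v%s" % (a, b, c, build), build_entries(root)

def demo():
    # Constructed sample tree; every path and value below is made up.
    with tempfile.TemporaryDirectory() as root:
        for d in ("etc", "bin"):
            os.makedirs(os.path.join(root, d))
        Path(root, "etc", "rimm-release").write_text("RIMM Version 1.2.3.v1200000000\n")
        Path(root, "bin", "tool").write_bytes(b"#!/bin/sh\n")
        os.symlink("tool", os.path.join(root, "bin", "tool-link"))
        return build_rimm(root)

if __name__ == "__main__":
    print(*demo(), sep="\n")
```

Because the file name is part of the hashed input, a file that is moved or renamed on the client produces a different entry even when its contents are unchanged.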