Ansible Keylime
Ansible role to deploy Keylime with the rust implementation of the keylime agent against a Hardware TPM.
The role is currently configured to work with Fedora 35.
Contributions are welcome, should anyone wish to have this role provision other Linux distributions.
For details on using Keylime, please consult the project documentation
Usage
Run the example playbook against your target remote host(s).
ansible-playbook -i your_hosts playbook.yml
Get started with Keylime
The best way to get started is to read the Keylime Documentation, however if you're keen to get started right away, follow these steps.
You first need to decide on if you will use the revocation framework, if
so you will need to install golang and set the following value in
/etc/keylime.conf
ca_implementation = cfssl
Alternately you can set openssl
which has no other dependencies.
You now need to start the following services.
# keylime_verifier
# keylime_registrar
To run the agent, navigate to the rust-keylime directory and start the agent.
# RUST_LOG=keylime_agent=trace cargo run --bin keylime_agent
Note: Keylime Agent requires a TPM active that the agent can take ownership on |
---|
You can now set up a use case, a good first scenario to try out would be IMA Integrity Monitoring
For more detailed set up scenarios, see the Keylime documentation
License
Apache 2.0
Contribute
Please do! Pull requests are welcome.
Please ensure CI tests pass!
Contributors
- Luke Hinds (lhinds@redhat.com)
- Leo Jia (ljia@redhat.com )