For runtime attestation to work, you must record the current known-good state of your gateway. To do this, run the ima_snapshot tool on the gateway. Take the snapshot on a freshly provisioned gateway, before it has been exposed to untrusted input: whatever state you capture here is what the attestation profile will treat as good.
- To generate the ima-policy, run the following script:
/opt/vmware/iotc-agent/script/install-ima-policy.sh
The ima-policy is generated and placed in /etc/ima/ima-policy.
- To generate the ima-snapshot file, run the following script:
/opt/vmware/iotc-agent/bin/ima_snapshot -o <<ima.json path>>
Note: To keep paths out of the snapshot, list them in a file and provide that file's path to the -e option so that they do not appear in the final ima.json file.
- Edit the ima.json file and delete all the /usr/lib and /usr/lib64 file paths.
- Verify the file by running the following command:
cat ima.json
Note: The ima.json file must contain all the hashes.
- Generate a fingerprint file. Run the following command:
/opt/vmware/iotc-agent/bin/fingerprint dev > fp.json
- Verify the fingerprint file:
cat fp.json
Using the ima.json and fp.json files, you can now create a runtime attestation profile from the VMware Pulse IoT Center console.
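The steps above are normally typed by hand, and the "delete all the /usr/lib and /usr/lib64 file paths" and "must contain all the hashes" steps are easy to get wrong in an editor. The following shell script is an added example, not VMware's own tooling: it wraps the procedure and replaces the hand-editing with a scripted prune and a hash check. It assumes a file format the page does not document (a JSON array with one object per line carrying "path" and "hash" keys), assumes that -e takes the path of the exclusion-list file as the note describes, and uses constructed placeholder data for the demonstration; adjust the grep patterns to the real ima_snapshot output before relying on it.

```shell
#!/bin/sh
# Added example, not VMware's own tooling: wrap the snapshot procedure and
# replace the hand-editing of ima.json with scripted pruning and a hash check.
#
# ASSUMPTION about the file format (the page does not document it): ima.json is a
# JSON array with one object per line, each object carrying "path" and "hash"
# keys, e.g. {"path": "/usr/bin/ls", "hash": "sha256:..."}. Adjust the grep
# patterns below if the real ima_snapshot output uses different key names.

# Write a constructed sample snapshot to $1 (demonstration data only; the
# hashes are placeholders, not real digests).
make_sample_ima_json() {
  cat > "$1" <<'EOF'
[
  {"path": "/usr/bin/ls", "hash": "sha256:1111111111111111111111111111111111111111111111111111111111111111"},
  {"path": "/usr/lib/libfoo.so.1", "hash": "sha256:2222222222222222222222222222222222222222222222222222222222222222"},
  {"path": "/usr/lib64/libbar.so.2", "hash": "sha256:3333333333333333333333333333333333333333333333333333333333333333"},
  {"path": "/usr/local/bin/broken", "hash": ""},
  {"path": "/opt/vmware/iotc-agent/bin/iotc-agent", "hash": "sha256:4444444444444444444444444444444444444444444444444444444444444444"}
]
EOF
}

# The "delete all /usr/lib and /usr/lib64 file paths" step: drop those entries
# from the snapshot ($1) and write the result to $2, keeping the array valid.
prune_lib_paths() {
  grep -v -e '"path": "/usr/lib/' -e '"path": "/usr/lib64/' "$1" > "$2.tmp"
  # If the last surviving entry still ends with a comma (because the entry after
  # it was removed), strip that comma so the closing ] is not preceded by one.
  awk '{ line[NR] = $0 }
       END {
         for (i = 1; i <= NR; i++) {
           if (i < NR && line[i] ~ /,$/ && line[i + 1] ~ /^[[:space:]]*]/) sub(/,$/, "", line[i])
           print line[i]
         }
       }' "$2.tmp" > "$2"
  rm -f "$2.tmp"
}

# Number of file entries in a snapshot.
count_entries() {
  grep -c '"path":' "$1" || true
}

# The "must contain all the hashes" check: succeed only if every entry carries a
# non-empty hash, which is the property the page asks you to confirm with cat.
check_hashes() {
  total=$(grep -c '"path":' "$1" || true)
  hashed=$(grep -c '"hash": "[^"]\{1,\}"' "$1" || true)
  [ "$total" -gt 0 ] && [ "$total" -eq "$hashed" ]
}

# The full procedure on a real gateway: $1 = file listing paths to exclude
# (passed to ima_snapshot -e, as the page's note describes; option order is an
# assumption), $2 = final ima.json, $3 = fp.json.
run_procedure() {
  /opt/vmware/iotc-agent/script/install-ima-policy.sh
  /opt/vmware/iotc-agent/bin/ima_snapshot -o "$2.raw" -e "$1"
  prune_lib_paths "$2.raw" "$2"
  check_hashes "$2" || { echo "ima.json has entries without hashes; fix before uploading" >&2; return 1; }
  /opt/vmware/iotc-agent/bin/fingerprint dev > "$3"
  echo "snapshot: $2 ($(count_entries "$2") entries), fingerprint: $3"
}
```

On the gateway, run_procedure exclude.txt /root/ima.json /root/fp.json performs the whole sequence and refuses to produce fp.json if the pruned snapshot has an entry without a hash; the constructed sample shows that failure mode with its empty-hash entry for /usr/local/bin/broken.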