{"id":26906941,"url":"https://github.com/adrianlshaw/lightverifier","last_synced_at":"2025-04-01T11:21:18.711Z","repository":{"id":48362373,"uuid":"78643469","full_name":"adrianlshaw/LightVerifier","owner":"adrianlshaw","description":"Simple and scalable Linux tools for verifying TPM-based remote attestations 🔬⚖️🔐⛓📏📜 ","archived":false,"fork":false,"pushed_at":"2021-08-01T00:13:27.000Z","size":224,"stargazers_count":18,"open_issues_count":4,"forks_count":3,"subscribers_count":4,"default_branch":"master","last_synced_at":"2023-03-22T13:56:33.955Z","etag":null,"topics":["attestation","hacktoberfest","ima","security","security-audit","tcg","tpm","tpm-quote"],"latest_commit_sha":null,"homepage":"https://adrianlshaw.github.io/LightVerifier/","language":"Shell","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"gpl-2.0","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/adrianlshaw.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null}},"created_at":"2017-01-11T13:51:44.000Z","updated_at":"2021-11-19T13:32:17.000Z","dependencies_parsed_at":"2022-07-29T01:39:03.618Z","dependency_job_id":null,"html_url":"https://github.com/adrianlshaw/LightVerifier","commit_stats":null,"previous_names":[],"tags_count":null,"template":null,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/adrianlshaw%2FLightVerifier","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/adrianlshaw%2FLightVerifier/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/adrianlshaw%2FLightVerifier/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/adrianlshaw%2FLightVerifier/manifests","owner_url":"https://repos.ecosy
ste.ms/api/v1/hosts/GitHub/owners/adrianlshaw","download_url":"https://codeload.github.com/adrianlshaw/LightVerifier/tar.gz/refs/heads/master","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":246628220,"owners_count":20808107,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["attestation","hacktoberfest","ima","security","security-audit","tcg","tpm","tpm-quote"],"created_at":"2025-04-01T11:21:17.960Z","updated_at":"2025-04-01T11:21:18.702Z","avatar_url":"https://github.com/adrianlshaw.png","language":"Shell","funding_links":[],"categories":[],"sub_categories":[],"readme":"# LightVerifier [![Build Status](https://travis-ci.org/adrianlshaw/LightVerifier.svg?branch=master)](https://travis-ci.org/adrianlshaw/LightVerifier)\n\nLightVerifier is a small set of tools to remotely verify the integrity of Linux systems. \nIn essence, it uses a computer’s Trusted Platform Module (TPM) and some Linux kernel features to track what programs execute, \nin such a way that the software on the machine cannot lie about what’s running. Through cryptography, a measurement list is \nsigned by the TPM and checked against a database of known good software measurements. \nThis is known as a hardware-based remote attestation. 
\nTherefore, unauthorised software modifications or execution can be detected.\n\nThis project consists of a client (ra-agent) and server (verifier).\n**Important note**:\nThis project currently only works with TPM 1.2, but 2.0 should be easy to incorporate.\n\n```bash\n$ apt-get install tpm-quote-tools netcat-traditional tpm-tools redis-tools \\\n\t\tlibtspi-dev autoconf make gcc\n```\n\nOnce these dependencies are installed on both client and server, \nyou can start to install the LightVerifier tools.\n\n\n## Setting up the verifier database\n\nChoose a trusted and secure server for deploying the verifier. \nInstall the dependencies for Debian:\n\n```bash\n$ apt-get install redis-server redis-tools debmirror parallel rpm2cpio\n```\n\nThe measurementDB currently supports the creation of reference \nmeasurements for a few Linux distributions, including:\n\n* Debian\n* Ubuntu \n* CentOS 7\n\nIt would be nice to support a few LTS distributions, including \nRH-like distributions like CentOS. Pull requests are welcome. \n\nYou can then run the builder for the reference database\n(note: it could take a day to download packages from scratch):\n```bash\n$ cd measurementDB \u0026\u0026 ./buildStore.sh\n```\n\nCVE reports for Debian are supported by LightVerifier. \nYou can make the CVE updater run frequently (e.g. every hour):\n```bash\n$ cp cve/* /etc/cron.hourly/\n```\n\n**Optional**: you can replicate an existing measurementDB database to another\nverifier's Redis instance by performing the following instructions.\n\nIn **/etc/redis/redis.conf** on the main server add the following line to allow\nreplication on all interfaces:\n```\nbind 0.0.0.0\n```\n\nIn **/etc/redis/redis.conf** on the new slave add the hostname and port of the\nmaster database, e.g.:\n\n```\nslaveof \u003cyour_master_ip_or_hostname\u003e 6379\n```\n\n**Important note:** the database can only be set to one distro at a time.\nThe current default is Debian. 
To change this to another distro, change the\n\"DISTRO\" variable in **downloadDeb.sh** and rerun the **buildStore.sh** script.\n\n### Installing the remote attestation client\n\nIf you haven't already, then enable the TPM in the BIOS of the device\nand then take ownership using **tpm_takeownership**.\nThen proceed to make the Attestation Identity Key (AIK)\nusing the following commands from the included tpm-quote-tools package:\n\n```bash\n$ tpm_mkuuid aik.uuid\n$ tpm_mkaik aik.blob aik.pub\n$ tpm_loadkey aik.blob aik.uuid\n```\n\nMake sure the verifier database has been deployed (see README in measurementDB\n  directory) and then run the \"register.sh\" script on each machine that\nneeds to be registered:\n\n```bash\n$ ./register.sh \u003caik.pub\u003e \u003caik.uuid\u003e \u003cverifier_db_host_ip\u003e\n```\nThis will connect to the verifier database and record the necessary machine\ninformation (DNS hostname, AIK public cert, the corresponding hash,\n  and the boot aggregate digest).\n**Importantly**, you must register before installing the IMA policy.\nNote that when you run the verify script in the next section, you should use\nthe hostname rather than the IP address.\n\nFinally, we can set up the required integrity measurement policy.\nThe policy checks loaded executable files (programs,\nshared libraries and executable files).\nThis should typically be written to ```/etc/ima/ima-policy```,\nbut it depends on your platform.\nThe systemd init system should load it automatically if it exists.\n\n```\nmeasure func=BPRM_CHECK\nmeasure func=FILE_MMAP mask=MAY_EXEC\n```\nThis example policy is known as a binary attestation policy, but \nother types of policy are possible to some degree.\n\n## Remote Attestation Scripts\n\n* verify.sh is the requester; its job is to fetch and analyse quotes and\nlogs to attest that a platform is trustworthy. 
You can run it with:\n```bash\n$ ./verify.sh \u003chostname\u003e \u003cport\u003e\n```\nIf successful, it will generate a file called report.log.\n\n* ra-agent.sh is run on the machine to be monitored; \nit waits for a request from the verifier and sends both the log and TPM quote.\nYou can run it with:\n```bash\n$ ./ra-agent.sh \u003caik.pub\u003e \u003caik.uuid\u003e \u003cport\u003e 10\n```\n\n## How does it work\n\nThe aim of the project is to use both binary attestation and CVE databases to\nevaluate trust for a given machine.\n\nThere are two parties:\n* The **verifier** - this machine runs _verify.sh_ and contains the database\n* The **attestor** - this machine runs _ra-agent.sh_ and logs activity with IMA\n\nFirst, the verifier should build the database from the measurementDB.\nThis will store the SHA-1 hash of every ELF file in the\npackages in a Redis database. We are working to add support \nfor newer hash algorithms.\n\nSecondly, the machine to verify should have IMA running and launch **ra-agent.sh**. \nThis script will then wait for a request from the verifier and a new\ninstance will be created for each request.\n\nWhen the machine needs to be verified, the verifier sends a nonce/challenge for freshness.\nThe sender will then create a quote (with the nonce used to prevent replay\nattacks) and send it along with the IMA log (unencrypted).\n\nThe verifier, using the IMA log, will recompute the value of the PCR for each\nentry, and will check if the quote contains that same value. Once the right line
Once the right line\n has been reached, the verifier stops and returns that the distant server is the\n  right one (verified by the AIK) and that the log provided is\n   correct up to that line.\n\nWe can then use the database to check if the binaries that run on the machine\nare genuine, and we can also check their potential vulnerabilities with the\nCVE database.\n\nIn the event of the verifier never reaching the line confirming the quote,\nthe requester would deem the machine as untrustworthy,\nand simply stop the process.\n\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fadrianlshaw%2Flightverifier","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fadrianlshaw%2Flightverifier","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fadrianlshaw%2Flightverifier/lists"}