FortiEDR
FortiEDR automates the protection against advanced threats, pre and post-execution, with real time orchestrated incident response functionality.
rduggal_FTNT
Staff
Article Id 277735
Description This article describes how to sign the FortiEDR Collector kernel modules so that they can load in kernel space on a Linux endpoint where Secure Boot is enabled and the Collector therefore had to be installed in user-space mode.
Scope Linux only: Ubuntu, RHEL and CentOS.
Solution

This method only works when the FortiEDR Linux Collector has already been installed successfully in user-space mode and the endpoint's kernel version is supported by the installed Collector version (the Collector ships one prebuilt module per supported kernel, as the list of .ko files in the session below shows). Contact Fortinet Support to check the compatibility matrix.

 

  1. Install keyutils (the package that provides the keyctl tool):

 

yum -y install keyutils             <----- RHEL / CentOS
sudo apt-get install -y keyutils    <----- Ubuntu

 

  2. Execute /opt/FortiEDRCollector/scripts/fortiedr_module_sb_signature.sh and answer the prompts. A sample session from a RHEL 8 host follows; the annotations after <----- and // are editorial, not script output:

 

[root@Server FortiEDRCollector]# /opt/FortiEDRCollector/scripts/fortiedr_module_sb_signature.sh

FortiEdrCollector:  Kernel module signature process is running.

FortiEdrCollector:  operating system type: Red version: 8.

FortiEdrCollector:  Check for existence of utilities

FortiEdrCollector:  FortiEDR signing module

FortiEdrCollector:  Do you want to use existing keys (*.der, *.priv, *.cnf), (Y/N) Otherwise new keys are created           //Select N on the first run to generate new keys. On later runs (for example after a Collector update ships new modules) select Y so the modules are signed with the key that is already enrolled and no further enrollment reboot is needed.

N

FortiEdrCollector:  No files provided, script will produce them

FortiEdrCollector:  Configuration file successfully created. filename: openssl.cnf.

 

FortiEdrCollector:  Creating openssl keys

 

Generating a RSA private key

..........+++++

........................+++++

writing new private key to 'MOK_FTNT.priv'

-----

FortiEdrCollector:  openssl Openssl success

FortiEdrCollector:  All files created successfully.  openssl.cnf, MOK_FTNT.der, MOK_FTNT.priv

 

FortiEdrCollector:  Signing kernel modules

 

FortiEdrCollector:  /opt/FortiEDRCollector/module/fortiedr_4_18_0_147.ko sign with success.

FortiEdrCollector:  /opt/FortiEDRCollector/module/fortiedr_4_18_0_193.ko sign with success.

FortiEdrCollector:  /opt/FortiEDRCollector/module/fortiedr_4_18_0_240.ko sign with success.

FortiEdrCollector:  /opt/FortiEDRCollector/module/fortiedr_4_18_0_305.ko sign with success.

FortiEdrCollector:  /opt/FortiEDRCollector/module/fortiedr_4_18_0_348.ko sign with success.

FortiEdrCollector:  /opt/FortiEDRCollector/module/fortiedr_4_18_0_365.ko sign with success.

FortiEdrCollector:  /opt/FortiEDRCollector/module/fortiedr_4_18_0_383.ko sign with success.

FortiEdrCollector:  /opt/FortiEDRCollector/module/fortiedr_4_18_0_425.ko sign with success.

FortiEdrCollector:  /opt/FortiEDRCollector/module/fortiedr_4_18_0_80.ko sign with success.

FortiEdrCollector:  Finished signing kernel modules.

FortiEdrCollector:  FotriEDR file saving.

FortiEdrCollector:  Select an option of where to save the files.

FortiEdrCollector:  1. Suggested path to save newly generated files:  /root/.FTNT_KEYS/     <----- Select option 1 for the default path, or option 2 and provide the path where the key files should be saved. Whichever path is used, keep it readable by root only: MOK_FTNT.priv can sign any kernel module, and once the matching certificate is enrolled the kernel will load whatever it signs.

FortiEdrCollector:  2. Provide a secure path to which to save the files.

 

 

FortiEdrCollector:  Public Key Enrollment.

FortiEdrCollector:  ------------------------------------------------------------

 

At this stage the script stages the public key for enrollment and prompts for a password of 8 to 16 characters. The same password is requested by shim's MOK manager after the reboot, so record it before continuing.

 

Note:

The script then prints the steps below. Step 1 reports the public key as inserted, but the kernel only trusts it after shim's MOK manager enrolls it during the reboot (steps 4 to 7), so someone must be at the physical or remote console: the shim screen appears before the operating system boots and cannot be reached over SSH.

 

FortiEdrCollector:  1. The public key is inserted into the kernel key chain.

FortiEdrCollector:  2. The user is prompted to enter a password between 8 - 16  digits.

FortiEdrCollector:     It is very important to remember this password because it is required in the next steps after reboot.

FortiEdrCollector:  3. The user is requested to reboot the machine and run the following command:  reboot -f.

FortiEdrCollector:  4. When the machine loads, the first screen to display is a blue screen (shim screen) asking to Hit Any Key to continue the process.

FortiEdrCollector:     This screen disappears quite quickly, so stay in front of the screen in order to press the key.

FortiEdrCollector:  5. While the shim screen is displayed, select 'Enroll Mok'.

FortiEdrCollector:  6. A new screen displays with two options:

FortiEdrCollector:     6.1 'View Key 0' Enables viewing the key you are about to enroll. Press enter to view the key and press enter again to go back to the previous screen.

FortiEdrCollector:     6.2 'Continue 1' Select 'Continue' and press enter to continue to the next step.

FortiEdrCollector:  7. A new screen displays asking for the password that was entered before the reboot (at step number 2). Enter the password.

FortiEdrCollector:  8. The machine now reboots with the key in the kernel key chain, and the modules signed with it such that the FortiEDR collector is loaded successfully.

FortiEdrCollector:  Press enters to continue.
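The page shows the script's prompts but not what it runs underneath, and it gives no way to confirm after the reboot that the enrollment actually took. The bash helper below is an added example, not Fortinet code: it is the manual equivalent of the session above (key pair, module signing, staging the MOK) plus the post-reboot checks a practitioner would run (certificate present in the enrolled MOK list, each .ko carrying the appended-signature trailer, module loaded). The key directory /root/.FTNT_KEYS, the module directory /opt/FortiEDRCollector/module and the file names MOK_FTNT.priv / MOK_FTNT.der are taken from the article; that the script's internals correspond to openssl, the kernel's sign-file and mokutil, the sign-file path, and the certificate subject are assumptions.

```bash
#!/usr/bin/env bash
# Added helper (not Fortinet code): the manual equivalent of the signing
# session above plus the checks to run after the enrollment reboot.
# From the article: key directory /root/.FTNT_KEYS, modules under
# /opt/FortiEDRCollector/module, key files MOK_FTNT.priv / MOK_FTNT.der.
# Assumed: the script's internals correspond to openssl + the kernel's
# sign-file + mokutil, the sign-file path, and the certificate subject.
set -u

KEY_DIR="${KEY_DIR:-/root/.FTNT_KEYS}"
MODULE_DIR="${MODULE_DIR:-/opt/FortiEDRCollector/module}"
# sign-file ships with the kernel headers: kernel-devel on RHEL/CentOS,
# /usr/src/linux-headers-$(uname -r)/scripts/sign-file on Ubuntu.
SIGN_FILE="${SIGN_FILE:-/usr/src/kernels/$(uname -r)/scripts/sign-file}"

# 1. Key pair: a self-signed X.509 certificate in DER form (what shim enrolls)
#    and the RSA private key that signs the modules. The .priv file can sign
#    anything the kernel will then trust, so it stays root-only.
gen_mok_key() {
    mkdir -p "$KEY_DIR" && chmod 700 "$KEY_DIR"
    openssl req -new -x509 -newkey rsa:2048 -nodes -days 3650 -sha256 \
        -subj '/CN=FortiEDR module signing key/' \
        -keyout "$KEY_DIR/MOK_FTNT.priv" -outform DER -out "$KEY_DIR/MOK_FTNT.der"
    chmod 600 "$KEY_DIR/MOK_FTNT.priv"
}

# 2. Append a PKCS#7 signature to every fortiedr module (the "sign with
#    success" lines in the session). Rerun this, with the same key, whenever
#    a Collector update ships new .ko files.
sign_modules() {
    local ko
    for ko in "$MODULE_DIR"/fortiedr_*.ko; do
        "$SIGN_FILE" sha256 "$KEY_DIR/MOK_FTNT.priv" "$KEY_DIR/MOK_FTNT.der" "$ko"
    done
}

# 3. Stage the certificate for shim. mokutil asks for the 8-16 character
#    password that the MOK manager requests again after "reboot -f".
stage_mok_enrollment() {
    mokutil --import "$KEY_DIR/MOK_FTNT.der"
}

# 4. Offline check of a .ko: sign-file appends a 12-byte module_signature
#    struct and then the fixed string "~Module signature appended~\n".
SIG_MAGIC='~Module signature appended~'

module_has_signature() {
    local ko="$1"
    [ -r "$ko" ] || return 2
    [ "$(tail -c 28 "$ko" | head -c 27)" = "$SIG_MAGIC" ]
}

# Length of the PKCS#7 blob: the big-endian u32 sig_len is at offset 8 of
# the struct, i.e. the 4 bytes just before the magic string.
module_sig_len() {
    local ko="$1" hex
    module_has_signature "$ko" || return 1
    hex=$(tail -c 40 "$ko" | head -c 12 | tail -c 4 | od -An -tx1 | tr -d ' \n')
    printf '%d\n' "0x$hex"
}

# 5. After the reboot: is the certificate really in the enrolled MOK list?
#    Compare SHA-1 fingerprints (mokutil prints lowercase, openssl uppercase).
mok_is_enrolled() {
    local der="$1" fp
    fp=$(openssl x509 -inform DER -in "$der" -noout -fingerprint -sha1 | cut -d= -f2)
    mokutil --list-enrolled | grep -qi "$fp"
}

post_reboot_report() {
    local ko
    mokutil --sb-state
    if mok_is_enrolled "$KEY_DIR/MOK_FTNT.der"; then echo "MOK enrolled"; else echo "MOK NOT enrolled"; fi
    # keyctl comes from the keyutils package installed in step 1. On the 4.18
    # (RHEL 8) kernels listed above the MOK is listed in .platform; kernels
    # with a machine keyring list it under .machine.
    keyctl list %:.platform 2>/dev/null || true
    keyctl list %:.machine 2>/dev/null || true
    for ko in "$MODULE_DIR"/fortiedr_*.ko; do
        printf '%s signer=%s\n' "$ko" "$(modinfo -F signer "$ko" 2>/dev/null || true)"
    done
    if lsmod | grep -q '^fortiedr'; then echo "fortiedr module loaded"; else echo "fortiedr module NOT loaded"; fi
}

case "${1:-}" in
    --gen)   gen_mok_key ;;
    --sign)  sign_modules ;;
    --stage) stage_mok_enrollment ;;
    --check) post_reboot_report ;;
esac
```

Run it with --check after the enrollment reboot. If the report says the MOK is not enrolled, or modprobe fails with "Required key not available" (no trusted key matches the signature) or "Key was rejected by service" (signature does not verify), the shim screen was missed or the wrong password was entered: rerun --stage and reboot again. module_has_signature and module_sig_len work on any copy of a .ko without a kernel, so they can be used to audit a package before it is rolled out.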

 

If issues remain after the enrollment reboot (for example the module still does not load), open a new technical support ticket for further assistance:

https://support.fortinet.com/welcome/#/