SUMMARY Simple example of application whitelisting on RHEL 8
Hi from down-under (Australia).
A number of members of this forum seem to struggle with the basics of implementing application whitelisting.
Here is one simple example to help everybody.
Let's assume we want to install Oracle JDK on RHEL 8 and not allow anyone to execute it initially.
Here are the full steps.
Install fapolicyd:
$ sudo dnf install fapolicyd
$ mount | egrep '^tmpfs| ext4| ext3| xfs' | awk '{ printf "%s\n", $3 }' | sudo tee -a /etc/fapolicyd/fapolicyd.mounts
$ echo "deny all all" | sudo tee -a /etc/fapolicyd/fapolicyd.rules
$ sudo systemctl enable fapolicyd
$ sudo systemctl start fapolicyd
The next step is to install Oracle JDK (since we also run FIPS we need to use the RPM tool instead of dnf):
$ sudo rpm -ivf --nodigest --nofiledigest jdk-11.0.10_linux-x64_bin.rpm
Java is, by default, in /usr/bin/java. However, fapolicyd disables its running:
$ /usr/bin/java --version
/usr/bin/java: error while loading shared libraries: libjli.so: cannot open shared object file: No such file or directory
Resolution is to whitelist the executable:
$ sudo fapolicyd-cli --file add /usr/bin/java && sudo systemctl restart fapolicyd
Verification:
$ sudo cat /etc/fapolicyd/fapolicyd.trust
# This file contains a list of trusted files
#
# FULL PATH SIZE SHA256
# /home/user/my-ls 157984 61a9960bf7d255a85811f4afcac51067b8f2e4c75e21cf4f2af95319d4ed1b87
/usr/bin/java 12848 6bab3f3fa3baabd38b9e8ba0330cde828c339a75fe7fc5e0cae5b2b15b162d06
Test again. This time success will follow:
$ /usr/bin/java --version
java 11.0.10 2021-01-19 LTS
Java(TM) SE Runtime Environment 18.9 (build 11.0.10+8-LTS-162)
Java HotSpot(TM) 64-Bit Server VM 18.9 (build 11.0.10+8-LTS-162, mixed mode)
Regards,
Dusan Baljevic (amateur radio VK2COT)