SUMMARY Simple example of application whitelisting on RHEL 8


Hi from down-under (Australia).

A number of members of this forum seem to struggle with the basics of implementing application whitelisting.

Here is one simple example to help everybody.

Let's assume we want to install Oracle JDK on RHEL 8 and not allow anyone to execute it initially.

Here are the full steps.

Install fapolicyd:

$ sudo dnf install fapolicyd

$ mount | egrep '^tmpfs| ext4| ext3| xfs' | awk '{ printf "%s\n", $3 }' | sudo tee -a /etc/fapolicyd/fapolicyd.mounts

$ echo "deny all all" | sudo tee -a /etc/fapolicyd/fapolicyd.rules

$ sudo systemctl enable fapolicyd

$ sudo systemctl start fapolicyd

The next step is to install Oracle JDK (since we also run FIPS, we need to use the rpm tool instead of dnf):

$ sudo rpm -ivh --nodigest --nofiledigest jdk-11.0.10_linux-x64_bin.rpm

Java is, by default, in /usr/bin/java. However, fapolicyd prevents it from running:

$ /usr/bin/java --version
/usr/bin/java: error while loading shared libraries: libjli.so: cannot open shared object file: No such file or directory

The resolution is to whitelist the executable:

$ sudo fapolicyd-cli --file add /usr/bin/java && sudo systemctl restart fapolicyd

Verification:

$ sudo cat /etc/fapolicyd/fapolicyd.trust
# This file contains a list of trusted files
#
# FULL PATH SIZE SHA256
# /home/user/my-ls 157984 61a9960bf7d255a85811f4afcac51067b8f2e4c75e21cf4f2af95319d4ed1b87
/usr/bin/java 12848 6bab3f3fa3baabd38b9e8ba0330cde828c339a75fe7fc5e0cae5b2b15b162d06

Test again. This time success will follow:

$ /usr/bin/java --version
java 11.0.10 2021-01-19 LTS
Java(TM) SE Runtime Environment 18.9 (build 11.0.10+8-LTS-162)
Java HotSpot(TM) 64-Bit Server VM 18.9 (build 11.0.10+8-LTS-162, mixed mode)

Regards,

Dusan Baljevic (amateur radio VK2COT)
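
The trust file shown in the verification step stores each path with its size and SHA256, so the recorded values stop describing the file once it changes, for example after an update. The script below is an added example, not part of the original post: it audits a trust file against the files on disk, and its function names and demo data are constructed for illustration.

```shell
#!/bin/sh
# Added example: audit a fapolicyd trust file ("FULL_PATH SIZE SHA256" per line).

# check_trust_entry LINE -> prints "OK|MISSING|SIZE|HASH <path>"
check_trust_entry() {
    line=$1
    want_hash=${line##* }      # last field
    rest=${line% *}
    want_size=${rest##* }      # second-to-last field
    path=${rest% *}            # remainder; may itself contain spaces
    if [ ! -f "$path" ]; then echo "MISSING $path"; return 0; fi
    have_size=$(( $(wc -c <"$path") ))
    if [ "$have_size" != "$want_size" ]; then echo "SIZE $path"; return 0; fi
    have_hash=$(sha256sum "$path" | awk '{print $1}')
    if [ "$have_hash" != "$want_hash" ]; then echo "HASH $path"; return 0; fi
    echo "OK $path"
}

# audit_trust_file FILE -> one status line per entry; returns 1 if any is not OK
audit_trust_file() {
    rc=0
    while IFS= read -r line || [ -n "$line" ]; do
        case $line in ''|'#'*) continue ;; esac   # skip blanks and comments
        status=$(check_trust_entry "$line")
        echo "$status"
        case $status in 'OK '*) ;; *) rc=1 ;; esac
    done <"$1"
    return "$rc"
}

# make_entry PATH -> trust line describing the file as it is right now
make_entry() {
    echo "$1 $(( $(wc -c <"$1") )) $(sha256sum "$1" | awk '{print $1}')"
}

# Demo on constructed data: trust a file, then change its content.
demo() {
    d=$(mktemp -d) || return 1
    printf 'build 1\n' >"$d/tool"
    { echo '# FULL PATH SIZE SHA256'; make_entry "$d/tool"; } >"$d/trust"
    audit_trust_file "$d/trust"                 # entry matches the file
    printf 'build 2\n' >"$d/tool"               # same size, different content
    audit_trust_file "$d/trust" || echo "stale entry found"
    rm -rf "$d"
}
demo
```

On a real host, call `audit_trust_file /etc/fapolicyd/fapolicyd.trust` as root in place of `demo`.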
