
Application whitelisting in RHEL




Operating System and Software

  • Rocky Linux (RHEL)
    • 7.x
    • 8.x

Problem

  • We are looking to apply an application whitelisting mechanism on RHEL workstations, where users are allowed to run certain binaries while running anything else is not allowed. For example, a trusted application, let’s say gedit, is allowed, while running applications/scripts that are not whitelisted will be rejected. SELinux is behavioral whitelisting; I’m not sure whether application whitelisting is feasible.
  • Is there any mechanism to apply such a thing in RHEL, and are there products on the market you’re aware of that perform something similar?
  • Restrict the execution of executables and scripts.
  • Does the application server whitelist or control executable and script execution, like Microsoft AppLocker, with CLI setups to restrict the execution of executables and scripts to an approved set and to authorised individuals?

How to Fix

There is no such mechanism available in RHEL 6 or 7 for application whitelisting, but a new mechanism is available in Rocky Linux 8.

For CentOS 7, SELinux is available. Users can write their own policy, or use a third-party application and reach out to that application's vendor for support.

For Rocky Linux 8, SELinux is also available and users can write their own policy. The best option, however, is fapolicyd, a new feature added in Rocky Linux 8: a daemon that decides, on each open or execute, whether the file is trusted (listed in the RPM database or in its trust file) and evaluates an ordered rule list, first match wins. For more information, refer to the "Blocking and allowing applications using fapolicyd" chapter in the RHEL documentation.
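To show what an fapolicyd rule set for the gedit scenario above looks like, and why rule order matters, here is an added example that is not part of the original post or of the fapolicyd project. It writes a small rule file (the path is a constructed temporary file, not `/etc/fapolicyd/fapolicyd.rules`) and includes a deliberately simplified first-match evaluator so the rules can be reasoned about offline; the evaluator is an assumption-laden stand-in for the daemon and only understands the `all`, `uid=`, `trust=1` and `dir=` matchers used here, not `ftype=`, `exe=` or patterns.

```shell
#!/bin/sh
# Added example (not from the article or the fapolicyd project).
# Assumed rule syntax, as documented for RHEL 8 fapolicyd:
#   <decision> perm=<execute|open|any> <subject> : <object>
# Rules are evaluated top to bottom and the first match wins; when nothing
# matches, fapolicyd denies.
set -eu

# write_rules FILE: write the demo policy. On a real host the rules live in
# /etc/fapolicyd/fapolicyd.rules (or a file under /etc/fapolicyd/rules.d/),
# and are reloaded with `fapolicyd-cli --update`.
write_rules() {
    cat > "$1" <<'EOF'
# root keeps full access so administration is never locked out
allow perm=any uid=0 : all
# Execution is allowed only for trusted files: packages from the RPM database
# or files added with `fapolicyd-cli --file add <path>`
allow perm=execute all : trust=1
# Anything else that tries to execute is denied and logged to the audit trail
deny_audit perm=execute all : all
# Ordinary reads are left alone (a deny here would break every application)
allow perm=open all : all
EOF
}

# simulate_decision FILE PERM PATH UID TRUSTED (TRUSTED is 1 or 0)
# Echoes the decision of the first matching rule, mimicking first-match order.
# Simplified model only: subjects "all"/"uid=N", objects "all"/"trust=1"/"dir=PREFIX".
simulate_decision() {
    rulefile=$1; perm=$2; path=$3; uid=$4; trusted=$5
    while IFS= read -r line; do
        case $line in ''|'#'*) continue ;; esac
        decision=${line%% *}
        rest=${line#* }
        subject=${rest%% : *}
        object=${rest##* : }
        rule_perm=${subject%% *}; rule_perm=${rule_perm#perm=}
        subject=${subject#* }
        # permission must match, or the rule must apply to any permission
        [ "$rule_perm" = any ] || [ "$rule_perm" = "$perm" ] || continue
        # subject: who is performing the access
        case $subject in
            all) ;;
            uid=*) [ "${subject#uid=}" = "$uid" ] || continue ;;
            *) continue ;;  # matcher not modelled here: treat as no match
        esac
        # object: the file being accessed
        case $object in
            all) ;;
            trust=1) [ "$trusted" = 1 ] || continue ;;
            dir=*) case $path in "${object#dir=}"*) ;; *) continue ;; esac ;;
            *) continue ;;
        esac
        echo "$decision"
        return 0
    done < "$rulefile"
    echo deny  # no rule matched: fapolicyd's default
}

# Stand-alone demo: gedit from an RPM is trusted, a script in a home directory is not.
demo() {
    f=${TMPDIR:-/tmp}/fapolicyd_demo.rules   # constructed path for the demo
    write_rules "$f"
    echo "gedit (trusted, uid 1000):   $(simulate_decision "$f" execute /usr/bin/gedit 1000 1)"
    echo "build.sh (untrusted, 1000):  $(simulate_decision "$f" execute /home/alice/build.sh 1000 0)"
    echo "build.sh (untrusted, root):  $(simulate_decision "$f" execute /home/alice/build.sh 0 0)"
    rm -f "$f"
}
demo
```

The point the evaluator makes visible is that swapping the `allow ... trust=1` and `deny_audit ... all` lines would deny everything, including gedit, because the deny rule would match first. On a real host, check the decisions with `fapolicyd --debug-deny` in the foreground before enabling the service, and watch the audit log for `fanotify` denials when rolling the policy out.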

However, there are many third-party solutions that provide such features for RHEL systems, for example antivirus products. This link states that McAfee Application Control is certified with Red Hat, but for any support, customers need to contact the application vendor. As it is third-party software, it is not supported by Red Hat.

Although users can use third-party applications, Red Hat neither recommends any specific application nor supports such applications.
