Linux – An open source equivalent of Windows software restriction policies for Linux

linux, security, whitelist

For a presentation I am doing, I am trying to find out if there is a Linux-based open source application whitelisting service for Linux, similar to software restriction policies in Windows since 2002. It seems there are some commercial ones (e.g. McAfee Application Control), but my googling has so far failed to turn up an equivalent open source one.

I know you can sort of achieve something similar with SELinux, especially now the likes of Red Hat and CentOS come with decent policies for popular services. But it seems there is nothing that can say, "these users can execute these programs identified by these hashes".

Am I wrong?

Best Answer

That's not the approach that the Linux world takes, as this is very difficult to maintain sanely. An updated version of appX with a different hash would require adjusting the policies, and if you have to support multiple versions for different users, this just balloons out of proportion. This is particularly tricky with any Unix-based system because the OS depends so much on being able to execute a ton of small utilities, such as those found in /usr/bin -- keeping track of all those hashes is just not worth the trouble. The general approach on Linux is to sandbox each process sufficiently so that it cannot do much damage even if it's malicious -- both via kernel protections and via tools such as SELinux, AppArmor, and grsecurity.

Under SELinux, most installed non-generic software receives its own domain type, so you can write user policies to restrict which domains users are allowed to execute. If you want an example, here's a policy that allows a user to log in, run most generic command-line tools (ls, find, etc.), and execute an IRC client. But, for example, it can't start the graphical interface, send mail, or do a whole bunch of other things:

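    # Declare the policy module and its version
    policy_module(ircuser, 1.0.0)
    # Role for the restricted user
    role ircuser_r;
    # Let the role run the IRC client domain
    irc_role(ircuser_r, ircuser_t)
    # Create the restricted user domain ircuser_t
    userdom_restricted_user_template(ircuser)
    # Define the SELinux user ircuser_u and associate it with the role
    gen_user(ircuser_u, user, ircuser_r, s0, s0)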

Then you just need to compile it, install it, and assign it to the user you want to restrict.
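The maintenance cost the answer describes for "these users can execute these programs identified by these hashes", as an added example that is not part of the original question or answer: a per-user hash allowlist plus the drift audit that would have to run after every package update. The user names and stand-in files are constructed, and this is a user-space check for illustration, not an enforcement mechanism.

```python
import hashlib
import os
import tempfile

def sha256_file(path):
    """Hash a file in chunks so large binaries are not read into memory at once."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()

def build_policy(user_paths):
    """Map each user to {path: sha256} for the programs they may execute."""
    return {user: {p: sha256_file(p) for p in paths}
            for user, paths in user_paths.items()}

def is_allowed(policy, user, path):
    """Allow only if the file's current hash matches the one pinned for this user."""
    pinned = policy.get(user, {}).get(path)
    return pinned is not None and sha256_file(path) == pinned

def find_drift(policy):
    """Return sorted (user, path) pairs whose pinned hash is stale or file is missing."""
    stale = []
    for user, entries in policy.items():
        for path, pinned in entries.items():
            if not os.path.isfile(path) or sha256_file(path) != pinned:
                stale.append((user, path))
    return sorted(stale)

def demo():
    """Constructed scenario: two users share one tool, then an update replaces it."""
    with tempfile.TemporaryDirectory() as root:
        irc = os.path.join(root, "irc-client")   # stand-in files, not real binaries
        ls = os.path.join(root, "ls")
        for path, body in ((irc, b"irc v1"), (ls, b"ls v1")):
            with open(path, "wb") as fh:
                fh.write(body)
        policy = build_policy({"alice": [irc, ls], "bob": [ls]})
        before = (is_allowed(policy, "alice", irc), is_allowed(policy, "bob", irc))
        with open(ls, "wb") as fh:               # simulated update of a shared utility
            fh.write(b"ls v2")
        after = is_allowed(policy, "bob", ls)
        drift = [(u, os.path.basename(p)) for u, p in find_drift(policy)]
        return before, after, drift

if __name__ == "__main__":
    print(demo())
```

One updated utility invalidates an entry for every user who was allowed to run it, which is the ballooning the answer refers to.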
