Open
Description
Since the installation only supports tgz, systems running fapolicyd (such as DISA STIG-compliant RHEL8+ servers) block splunk from executing. Below is a snippet of the rules preventing execution after running `fapolicyd --debug-deny`:

```
rule=11 dec=deny_audit perm=open auid=-1 pid=29811 exe=/opt/splunk/bin/python3.7m : path=/opt/splunk/lib/python3.7/encodings/__pycache__/__init__.cpython-37.pyc ftype=application/x-bytecode.python trust=0
rule=8 dec=deny_audit perm=open auid=-1 pid=29812 exe=/opt/splunk/bin/python3.7m : path=/opt/splunk/lib/libdlwrapper.so.1.0.0 ftype=application/x-sharedlib trust=0
rule=13 dec=deny_audit perm=execute auid=-1 pid=29813 exe=/usr/bin/bash : path=/opt/splunk/bin/python3.7m ftype=application/x-executable trust=0
```
Some options are:
- Add a task to create the fapolicyd rules.d files and update the fapolicyd database.
- Add a task to create the fapolicyd trusted.d files to whitelist specific directories (only works if directories don't change because of SHA-256 hashing).
- Support RPM-based installation (Enhancement: Install/upgrade from RPM/deb OS packages when compatible with target OS #7), since applications registered in the system RPM database are automatically trusted.
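As an added illustration of the first option (this is example code, not part of the role or of fapolicyd), the script below parses the three `--debug-deny` lines quoted above into a "perm ftype path" summary, counts how many denials fall under the install prefix, and renders a rules.d fragment that allows the tarball install directory. The output file name, the rule wording and the assumption that the stock deny rules sort after a file numbered below 90 are mine, not from the page.

```sh
#!/bin/sh
# Added example: turn `fapolicyd --debug-deny` output into a rules.d fragment.
# Sample denial lines are the three quoted in the issue (constructed input).

DENIALS='rule=11 dec=deny_audit perm=open auid=-1 pid=29811 exe=/opt/splunk/bin/python3.7m : path=/opt/splunk/lib/python3.7/encodings/__pycache__/__init__.cpython-37.pyc ftype=application/x-bytecode.python trust=0
rule=8 dec=deny_audit perm=open auid=-1 pid=29812 exe=/opt/splunk/bin/python3.7m : path=/opt/splunk/lib/libdlwrapper.so.1.0.0 ftype=application/x-sharedlib trust=0
rule=13 dec=deny_audit perm=execute auid=-1 pid=29813 exe=/usr/bin/bash : path=/opt/splunk/bin/python3.7m ftype=application/x-executable trust=0'

# Print "perm ftype path" for every denied access to an untrusted (trust=0)
# object, one per line, deduplicated. Only key=value tokens are inspected.
summarize_denials() {
    printf '%s\n' "$DENIALS" | awk '
        /dec=deny/ && /trust=0/ {
            perm = ""; path = ""; ftype = ""
            for (i = 1; i <= NF; i++) {
                n = split($i, kv, "=")
                if (n < 2) continue
                if (kv[1] == "perm")  perm  = kv[2]
                if (kv[1] == "path")  path  = kv[2]
                if (kv[1] == "ftype") ftype = kv[2]
            }
            print perm, ftype, path
        }' | sort -u
}

# Count denials whose object path lives under $1 (e.g. /opt/splunk).
denied_under() {
    summarize_denials | awk -v prefix="$1/" 'index($3, prefix) == 1 { n++ } END { print n + 0 }'
}

# Write a rules.d fragment allowing any access to objects under the install
# prefix. $1 = install prefix, $2 = output path. Assumption: the file is named
# so it sorts before the stock deny rules (e.g. 30-splunk.rules), since
# fapolicyd stops at the first matching rule.
render_rules() {
    prefix=$1
    out=$2
    cat > "$out" <<EOF
# Allow the Splunk tarball install under $prefix (not registered in the RPM database)
allow perm=any all : dir=$prefix/
EOF
}

# Usage on a real host (not run here):
#   render_rules /opt/splunk /etc/fapolicyd/rules.d/30-splunk.rules
#   fapolicyd-cli --update
```

The `dir=` rule makes trust irrelevant for everything under the prefix, so it is broader than hashed trusted.d entries; in practice the subject should be narrowed from `all` to the Splunk service account (`uid=`) so an unrelated process cannot use the allowance. The trusted.d alternative from the second option is `fapolicyd-cli --file add <path> --trust-file splunk` followed by `fapolicyd-cli --update`, which records SHA-256 hashes and therefore has to be re-run after every Splunk upgrade.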
References:
https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/8/html/security_hardening/assembly_blocking-and-allowing-applications-using-fapolicyd_security-hardening
https://www.stigviewer.com/stig/red_hat_enterprise_linux_8/2020-11-25/finding/V-230523