Whitelisting scanner

This section describes the methods to whitelist scanner services.

About this task

By default, fapolicyd (File Access Policy Daemon) blocks the scanner binaries and the shared libraries they load, which causes the scans to fail. The scenarios, with their error codes and messages, are:
  1. Installation of the software scanner: the Install or Upgrade Scanner fixlet fails with error code 1, and the installCITlog.txt file in the BES Client\LMT\CIT\ folder shows return code 32512:
    Exec '/opt/tivoli/cit/bin/wscancfg -s common_trace_path /usr/ibm/tivoli/common/CIT/logs >/dev/null 2>&1' returned 32512
    Setting common trace path='/usr/ibm/tivoli/common/CIT/logs' result=32512
    Installation failed, rolling back
  2. The Initiate Software Scan fixlet completes, but all types of scan end with error code 57 in the <computer_id>_citlog.log file in the BESClient/LMT/CIT/ folder:
    Catalog scan failed: scanner finished with errors (57)
  3. The Run Capacity Scan and Upload Results fixlet fails with error code 2.
Workaround
Add the scanner files to the fapolicyd whitelist to allow their execution.
Note: If you installed the scanner in the alternate directory <BES Client>/CITBin, edit the paths accordingly.
  • Install or Upgrade Scanner fails (RC 32512) with fapolicyd enabled
    To whitelist the shared libraries used during installation of the software scanner, modify the 41-shared-obj.rules file in the /etc/fapolicyd/rules.d/ folder. Place the following lines before the original rules, because fapolicyd applies the first rule that matches:
    allow perm=open exe=/opt/tivoli/cit/bin/wscancfg trust=0 : path=/opt/tivoli/cit/bin/libCcLogWrapper.so ftype=application/x-sharedlib trust=0
    allow perm=open exe=/opt/tivoli/cit/bin/wscancfg trust=0 : path=/opt/tivoli/cit/bin/libcitcfg.so ftype=application/x-sharedlib trust=0
    allow perm=open exe=/opt/tivoli/cit/bin/wscancfg trust=0 : path=/opt/tivoli/cit/bin/libxmlproxy.so ftype=application/x-sharedlib trust=0
    allow perm=open exe=/opt/tivoli/cit/bin/wscancfg trust=0 : path=/opt/tivoli/cit/bin/libbase.so ftype=application/x-sharedlib trust=0
    allow perm=open exe=/opt/tivoli/cit/bin/wscancfg trust=0 : path=/opt/tivoli/cit/bin/libxerces-c-3.2.1.so ftype=application/x-sharedlib trust=0
    Then execute the fagenrules --load command to update the active rules and restart the fapolicyd service.
  • Software Scan fails (RC 57) with fapolicyd enabled
    Place the following rules in the 41-shared-obj.rules file in the /etc/fapolicyd/rules.d/ folder, before the original rules:
    allow perm=open exe=/opt/tivoli/cit/bin/wscansw trust=0 : path=/opt/tivoli/cit/bin/wscansw.so ftype=application/x-sharedlib trust=0
    allow perm=open exe=/opt/tivoli/cit/bin/wscansw trust=0 : path=/opt/tivoli/cit/bin/libxerces-c-3.2.1.so ftype=application/x-sharedlib trust=0
    allow perm=open exe=/opt/tivoli/cit/bin/wscansw trust=0 : path=/opt/tivoli/cit/bin/libplugin.so ftype=application/x-sharedlib trust=0
    allow perm=open exe=/opt/tivoli/cit/bin/wscansw trust=0 : path=/opt/tivoli/cit/bin/libcitcfg.so ftype=application/x-sharedlib trust=0
    allow perm=open exe=/opt/tivoli/cit/bin/wscansw trust=0 : path=/opt/tivoli/cit/bin/libxmlproxy.so ftype=application/x-sharedlib trust=0
    allow perm=open exe=/opt/tivoli/cit/bin/wscansw trust=0 : path=/opt/tivoli/cit/bin/libCcLogWrapper.so ftype=application/x-sharedlib trust=0
    allow perm=open exe=/opt/tivoli/cit/bin/wscansw trust=0 : path=/opt/tivoli/cit/bin/libbase.so ftype=application/x-sharedlib trust=0
    allow perm=open exe=/opt/tivoli/cit/bin/wscansw trust=0 : path=/opt/tivoli/cit/bin/libfs.so ftype=application/x-sharedlib trust=0
    allow perm=open exe=/opt/tivoli/cit/bin/wscansw trust=0 : path=/opt/tivoli/cit/bin/plugins/libcoreplugin.so ftype=application/x-sharedlib trust=0
    allow perm=open exe=/opt/tivoli/cit/bin/wscansw trust=0 : path=/opt/tivoli/cit/bin/plugins/libcsplugin.so ftype=application/x-sharedlib trust=0
    allow perm=open exe=/opt/tivoli/cit/bin/wscansw trust=0 : path=/opt/tivoli/cit/bin/plugins/libfssplugin.so ftype=application/x-sharedlib trust=0
    allow perm=open exe=/opt/tivoli/cit/bin/wscansw trust=0 : path=/opt/tivoli/cit/bin/plugins/libregplugin.so ftype=application/x-sharedlib trust=0
    allow perm=open exe=/opt/tivoli/cit/bin/wscansw trust=0 : path=/opt/tivoli/cit/bin/plugins/libxmlplugin.so ftype=application/x-sharedlib trust=0
    allow perm=open exe=/opt/tivoli/cit/bin/wscansw trust=0 : path=/opt/tivoli/cit/bin/provider_cache.so ftype=application/x-sharedlib trust=0
    allow perm=open exe=/opt/tivoli/cit/bin/wscansw trust=0 : path=/opt/tivoli/cit/bin/provider_cache2.so ftype=application/x-sharedlib trust=0
    allow perm=open exe=/opt/tivoli/cit/bin/wscansw trust=0 : path=/opt/tivoli/cit/bin/provider_cache3.so ftype=application/x-sharedlib trust=0
    allow perm=open exe=/opt/tivoli/cit/bin/wscanfs trust=0 : path=/opt/tivoli/cit/bin/wscanfs.so ftype=application/x-sharedlib trust=0
    allow perm=open exe=/opt/tivoli/cit/bin/wscanfs trust=0 : path=/opt/tivoli/cit/bin/libfs.so ftype=application/x-sharedlib trust=0
    allow perm=open exe=/opt/tivoli/cit/bin/wscanfs trust=0 : path=/opt/tivoli/cit/bin/libCcLogWrapper.so ftype=application/x-sharedlib trust=0
    allow perm=open exe=/opt/tivoli/cit/bin/wscanfs trust=0 : path=/opt/tivoli/cit/bin/libcitcfg.so ftype=application/x-sharedlib trust=0
    allow perm=open exe=/opt/tivoli/cit/bin/wscanfs trust=0 : path=/opt/tivoli/cit/bin/libxmlproxy.so ftype=application/x-sharedlib trust=0
    allow perm=open exe=/opt/tivoli/cit/bin/wscanfs trust=0 : path=/opt/tivoli/cit/bin/libbase.so ftype=application/x-sharedlib trust=0
    allow perm=open exe=/opt/tivoli/cit/bin/wscanfs trust=0 : path=/opt/tivoli/cit/bin/libxerces-c-3.2.1.so ftype=application/x-sharedlib trust=0
    allow perm=open exe=/opt/tivoli/cit/bin/wscanfs trust=0 : path=/opt/tivoli/cit/bin/provider_cache.so ftype=application/x-sharedlib trust=0
    allow perm=open exe=/opt/tivoli/cit/bin/wscanfs trust=0 : path=/opt/tivoli/cit/bin/provider_cache2.so ftype=application/x-sharedlib trust=0
    allow perm=open exe=/opt/tivoli/cit/bin/wscanfs trust=0 : path=/opt/tivoli/cit/bin/provider_cache3.so ftype=application/x-sharedlib trust=0
    Then execute the fagenrules --load command to update the active rules and restart the fapolicyd service.
  • Run Capacity Scan and Upload Results fails (RC 2) with fapolicyd enabled
    Place the following rules in the 41-shared-obj.rules file in the /etc/fapolicyd/rules.d/ folder, before the original rules:
    allow perm=open exe=/opt/tivoli/cit/bin/wscanhw trust=0 : path=/opt/tivoli/cit/bin/wscanhw.so ftype=application/x-sharedlib trust=0
    allow perm=open exe=/opt/tivoli/cit/bin/wscanhw trust=0 : path=/opt/tivoli/cit/bin/libCcLogWrapper.so ftype=application/x-sharedlib trust=0
    allow perm=open exe=/opt/tivoli/cit/bin/wscanhw trust=0 : path=/opt/tivoli/cit/bin/libcitcfg.so ftype=application/x-sharedlib trust=0
    allow perm=open exe=/opt/tivoli/cit/bin/wscanhw trust=0 : path=/opt/tivoli/cit/bin/libxmlproxy.so ftype=application/x-sharedlib trust=0
    allow perm=open exe=/opt/tivoli/cit/bin/wscanhw trust=0 : path=/opt/tivoli/cit/bin/libxerces-c-3.2.1.so ftype=application/x-sharedlib trust=0
    allow perm=open exe=/opt/tivoli/cit/bin/wscanhw trust=0 : path=/opt/tivoli/cit/bin/libbase.so ftype=application/x-sharedlib trust=0
    allow perm=open exe=/opt/tivoli/cit/bin/wscanhw trust=0 : path=/opt/tivoli/cit/bin/libInvHW.so ftype=application/x-sharedlib trust=0
    allow perm=open exe=/opt/tivoli/cit/bin/cpuid trust=0 : path=/opt/tivoli/cit/bin/libbase.so ftype=application/x-sharedlib trust=0
    Additionally, because wscanhw runs the cpuid helper binary, place the following rule in the 90-deny-execute.rules file, before the original rules:
    allow perm=execute exe=/opt/tivoli/cit/bin/wscanhw trust=0 : path=/opt/tivoli/cit/bin/cpuid ftype=application/x-executable trust=0
    Then execute the fagenrules --load command to update the active rules and restart the fapolicyd service.
Note: For more information on fapolicyd, refer to the Red Hat documentation if you are using Red Hat. For other Linux distributions, refer to https://github.com/linux-application-whitelisting/fapolicyd.
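As an added example (not code from the HCL/IBM documentation), the following POSIX shell script generates the installation and capacity-scan rules above for a configurable scanner directory, prepends them to the rules.d files so they precede the distribution's rules, and reloads the policy. CIT_BIN and RULES_D are assumed variable names; the wscansw and wscanfs rules for the software scan follow the same open_rules pattern.

```shell
#!/bin/sh
# Added example, not part of the product documentation. CIT_BIN and
# RULES_D are assumed names: set CIT_BIN to <BES Client>/CITBin when the
# scanner is installed in the alternate directory.
CIT_BIN="${CIT_BIN:-/opt/tivoli/cit/bin}"
RULES_D="${RULES_D:-/etc/fapolicyd/rules.d}"

# open_rules EXE LIB... : one "allow perm=open" rule per shared object,
# in the same form as the rules listed on this page
open_rules() {
    exe="$1"; shift
    for lib in "$@"; do
        printf 'allow perm=open exe=%s/%s trust=0 : path=%s/%s ftype=application/x-sharedlib trust=0\n' \
            "$CIT_BIN" "$exe" "$CIT_BIN" "$lib"
    done
}

# exec_rule EXE CHILD : allow EXE to execute the helper binary CHILD
exec_rule() {
    printf 'allow perm=execute exe=%s/%s trust=0 : path=%s/%s ftype=application/x-executable trust=0\n' \
        "$CIT_BIN" "$1" "$CIT_BIN" "$2"
}

# prepend_rules FILE : write stdin before the existing contents of FILE,
# so the allow rules are matched before the distribution's deny rules
prepend_rules() {
    f="$1"; tmp="$(mktemp)"
    cat > "$tmp"
    [ -f "$f" ] && cat "$f" >> "$tmp"
    mv "$tmp" "$f"
}

# Installation (RC 32512): libraries loaded by wscancfg
install_rules() {
    open_rules wscancfg libCcLogWrapper.so libcitcfg.so libxmlproxy.so \
        libbase.so libxerces-c-3.2.1.so
}

# Capacity scan (RC 2): wscanhw libraries plus the cpuid helper
capacity_rules() {
    open_rules wscanhw wscanhw.so libCcLogWrapper.so libcitcfg.so \
        libxmlproxy.so libxerces-c-3.2.1.so libbase.so libInvHW.so
    open_rules cpuid libbase.so
}

# apply_rules : write both rule files, then regenerate and restart
apply_rules() {
    { install_rules; capacity_rules; } | prepend_rules "$RULES_D/41-shared-obj.rules"
    exec_rule wscanhw cpuid | prepend_rules "$RULES_D/90-deny-execute.rules"
    fagenrules --load && systemctl restart fapolicyd
}

if [ "${1:-}" = "--apply" ]; then apply_rules; fi
```

Run it as root with --apply on the endpoint; without the flag it only defines the functions, so the generated rules can be inspected with install_rules or capacity_rules first.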