Environment

• App Control Linux Agent: All Supported Versions

Objective

Resolution

1. Reboot the computer > Enter into the UEFI firmware / BIOS configuration
2. Find the secure boot option (possibly under the security menu) and set it to disabled
3. Save the change and reboot

1. Install the kernel-devel RPM matching the kernel version of the system where App Control will be installed
2. Generate a public private key pair for signing the App Control kernel modules
   • This Red Hat article provides steps to generate a public private key pair
   • Store the key pair in some directory e.g.

      /var/tmp/signing/my_signing_keys

3.  Sign the App Control kernel modules using the keys generated in the above step.
   • Take backup of all the file from "/opt/bit9/bin/kernel” directory
   • Sign both the App C kernel modules with the following commands:

     # uname -r
     4.18.0-80.el8.x86_64
     
     # cd /opt/bit9/bin/kernel
     # pwd
     /opt/bit9/bin/kernel
     
     # /usr/src/kernels/$(uname -r)/scripts/sign-file sha256 /var/tmp/signing/my_signing_key.priv /var/tmp/signing/my_signing_key_pub.der b9k_87611.ko.4.18.0-80
     
     # /usr/src/kernels/$(uname -r)/scripts/sign-file sha256 /var/tmp/signing/my_signing_key.priv  /var/tmp/signing/my_signing_key_pub.der cbproxy_cbp_876_20211111.ko.4.18.0-80
     
     # chmod +x b9k_87611.ko.4.18.0-80
     
     # chmod +x cbproxy_cbp_876_20211111.ko.4.18.0-80

   • Sign all the cbproxy and b9k kernel modules present in the "/opt/bit9/bin/kernel” directory
   • This will ensure that the App C agent works with secure boot enabled even if the system is upgraded/downgraded to newer/older kernel version
   
   
    
4. Register the public key on the App C endpoint:

• This Red Hat article provides steps to do so (Step 3.8), it requires a reboot

Additional Notes

Related Content