Software allow lists I’m only going to mention system wide since stopping user space installs or chroots would be your software detection tool that I would be clueless on. System wide I’d look at sudo where you can control exactly what root level commands different users/groups can run.