Skip to Content

Deploying and Using fapolicy on RHEL

In the realm of Linux system security, controlling which applications can execute is a critical aspect of maintaining a secure environment.

fapolicyd is a powerful tool designed for Red Hat Enterprise Linux (RHEL) that allows administrators to define and enforce policies governing application execution.

This article delves into the capabilities of fapolicyd, its components, and how it can be deployed and utilized to enhance system security.

Introduction to fapolicy

fapolicyd is a powerful tool that allows system administrators to define policies for application execution.

It can be used to allow or deny the running of applications based on rules that consider factors such as the application’s path, hash, MIME type, or trust status. The framework includes a service, command-line utilities, an RPM plugin, a rule language, and a script to generate rules.

Components of fapolicy

  • fapolicyd Service: Monitors and enforces policy rules.
  • Command-Line Utilities: Allow administrators to manage policies and trust levels.
  • RPM Plugin: Integrates with the YUM package manager and RPM Package Manager to maintain a list of trusted binaries.
  • Rule Language: Enables the creation of custom rules for application execution.
  • fagenrules Script: Compiles individual rule files into a compiled rules file for the service.

Trust Concept in fapolicy

An application is considered trusted if it is installed via the system’s package manager and is registered in the RPM database. The fapolicyd daemon uses this database to determine which applications are trusted.

Configuration Files

  • Lists trusted files.
  • rules.d/ Directory: Contains rule files with allow and deny execution rules.
  • compiled.rules: The merged rules file generated by fagenrules.
  • fapolicyd.conf: Configuration options for the fapolicyd daemon.

Deploying fapolicyd

To deploy fapolicyd on RHEL 8, you need to install the package, enable, and start the service. Verification can be done by checking the service status and attempting to execute a disallowed binary.

Marking Files as Trusted

Files can be marked as trusted by adding entries to the file or to the trust.d/ directory. The fapolicyd-cli tool can be used to manage trust entries and update the trust database.

Adding Custom Rules

For custom scenarios, such as when binaries are stored in non-standard directories, you can add custom allow or deny rules to the rules.d/ directory. The article provides a step-by-step guide on how to add a new rule, including stopping the fapolicyd service, identifying the rule that caused denial, adding a new rule, and updating the compiled rules file.

Enabling Integrity Checks

fapolicyd can perform integrity checks by comparing file sizes or SHA-256 hashes. The article explains how to enable these checks via the fapolicyd.conf file and the implications for system performance.

Troubleshooting fapolicyd

The article offers troubleshooting tips, including how to install applications with rpm, check service status, use fapolicyd-cli for various checks, enable debug mode, and remove or dump the fapolicyd database.

Managing Trust Entries with fapolicyd-cli

The fapolicyd-cli tool is a command-line utility used to manage trust entries and perform various operations related to the fapolicyd framework. Here’s an example of how to use fapolicyd-cli to manage trust entries:

  1. Adding a Trust Entry for a Specific File:

    If you have a custom binary that you want to trust, you can add it to the trusted list using the fapolicyd-cli tool. For example, if you have a binary at /tmp/my_custom_binary, you can add it as follows:

    sudo fapolicyd-cli --file add /tmp/my_custom_binary --trust-file myapp

    This command will add the file to a trust file named myapp in the /etc/fapolicyd/trust.d/ directory. If you omit the –trust-file option, the entry will be added to the /etc/fapolicyd/ file.

  2. Marking All Files in a Directory as Trusted:

    To trust all files within a directory, you can specify the directory path:

    sudo fapolicyd-cli --file add /tmp/my_bin_dir/ --trust-file myapp
  3. Updating the Trust Database:

    After adding new trust entries, you need to update the fapolicyd database for the changes to take effect:

    sudo fapolicyd-cli --update

    If a file’s content changes, its checksum will change, and fapolicyd will no longer consider it trusted. To re-establish trust with the new content, you can refresh the trust database as shown above.

  4. Listing Current Trust Entries:

    To view the current list of trusted files and their associated trust levels:

    sudo fapolicyd-cli --list
  5. Checking the Trust Database:

    You can check the trust database for any issues, such as syntax errors or file mismatches:

    sudo fapolicyd-cli --check-trustdb
  6. Deleting the Trust Database:

    If you need to reset the trust database, you can delete it and fapolicyd will automatically recreate it:

    sudo systemctl stop fapolicyd
    sudo fapolicyd-cli --delete-db

    Note that you should not remove the /var/lib/fapolicyd/ directory, as the database file within this directory is restored by fapolicyd.

  7. Dumping the Trust Database:

    To view the contents of the trust database:

    sudo fapolicyd-cli --dump-db
  8. Troubleshooting with Debug Mode:

    If you’re troubleshooting issues with fapolicyd, you can enable debug mode to get more detailed output:

    sudo fapolicyd-cli --debug

    You can also limit the output to access denials:

    sudo fapolicyd-cli --debug-deny
  9. Checking Configuration:

    To check for any syntax errors in the fapolicyd configuration:

    sudo fapolicyd-cli --check-config
  10. Checking File System Watchers:

    To ensure that fapolicyd is watching the expected file systems:

    sudo fapolicyd-cli --check-watch_fs

These are some of the key operations you can perform using the fapolicyd-cli tool to manage trust entries and troubleshoot potential issues with the fapolicyd framework.

Best Practices for Maintaining and Updating the Trusted Applications List in fapolicyd

Maintaining and updating the trusted applications list in fapolicyd is a critical aspect of system security, as it directly impacts which software is allowed to execute on your Linux system. Here are some best practices to ensure the integrity and security of your trusted applications list:

  1. Use Strong Authentication

    Ensure that only authorized users with strong authentication mechanisms, such as SSH keys or smart cards, can update the trusted applications list.

  2. Regular Audits

    Periodically audit the list of trusted applications to ensure that only software that is necessary and secure is included. Remove any outdated or unused applications.

  3. Leverage Package Managers

    Use your system’s package manager to install and update software whenever possible, as fapolicyd trusts applications installed through the package manager and registers them automatically.

  4. Custom Rules with Caution

    When creating custom rules for applications not managed by the package manager, be cautious and ensure that the applications come from reputable sources. Use checksums or hashes to verify the integrity of the applications.

  5. Update Database After Changes

    After making changes to the trusted applications list or the rules, always update the fapolicyd database using the fapolicyd-cli –update command to ensure that the changes are reflected in the enforcement policy.

  6. Integrity Checking

    Enable integrity checking using SHA-256 hashes or the Integrity Measurement Architecture (IMA) subsystem to ensure that the trusted applications have not been tampered with.

  7. Use fapolicyd-cli for Management

    Utilize the fapolicyd-cli tool for managing trust entries, as it provides a structured way to add, remove, and list trusted applications.

  8. Protect the Configuration

    Secure the fapolicyd configuration files and directories, such as /etc/fapolicyd/, by setting appropriate file permissions and ownership to prevent unauthorized modifications.

  9. Monitor and Log

    Monitor fapolicyd activity and log events, such as attempts to execute untrusted applications, to detect and respond to potential security incidents.

  10. Backup Trust Database

    Regularly back up the trust database so that you can restore it in case of accidental deletion or corruption.

  11. Educate Users

    Educate system administrators and users about the importance of the trusted applications list and the security policies enforced by fapolicyd.

  12. Keep fapolicyd Updated

    Ensure that the fapolicyd software itself is kept up to date with the latest security patches and updates.

  13. Document Changes

    Maintain documentation of changes made to the trusted applications list and the reasons behind them for traceability and accountability.

  14. Test Changes in a Controlled Environment

    Before applying changes to production systems, test them in a controlled environment to ensure that they do not introduce unforeseen issues.

By following these best practices, you can maintain a secure and manageable trusted applications list in fapolicyd, contributing to the overall security posture of your Linux systems.