FAPOLICYD.CONF:(5)          System Administration Utilities         FAPOLICYD.CONF:(5)

NAME
       fapolicyd.conf - fapolicyd configuration file

DESCRIPTION
       The file /etc/fapolicyd/fapolicyd.conf contains configuration information
       for the application whitelisting daemon. This file allows the admin to
       tune the performance and actions of fapolicyd during runtime. The file
       contains one configuration keyword per line, an equal sign, followed by
       the appropriate configuration value. All option names and values are
       case insensitive. The keywords recognized are listed and described
       below. Each line must be limited to 160 characters or the line will be
       skipped. You may add comments to the file by starting the line with a
       '#' character.

       permissive
              This option is either 0, meaning policy decisions are sent to
              the kernel for enforcement, or 1, meaning access is always
              allowed even when policy would block it. This should only be
              used for policy testing and debugging. The default value is 0.

       nice_val
              This option gives fapolicyd a scheduler boost. The number can
              be from 0 to 20. The default value is 10.

       q_size This option controls how large an internal queue fapolicyd
              uses. If requests come in faster than fapolicyd can answer,
              the queue holds the pending requests. If do_stat_report is
              enabled, fapolicyd provides some statistics on shutdown,
              including the maximum queue depth used. This information can
              be used to help tune performance. The default value is 800.
              Also note that each entry in the queue holds a file
              descriptor, so the queue size counts against the rlimit cap
              controlled by systemd's LimitNOFILE setting for the service.
              You may also need to adjust that setting if q_size exceeds
              its value.

       uid    This can be a number or an account name which fapolicyd
              should switch to during startup. The default value is 0
              because it is guaranteed to exist. However, it is recommended
              to use the fapolicyd account if it exists.

       gid    This can be a number or a group name which fapolicyd should
              switch to during startup. The default value is 0 because it
              is guaranteed to exist. However, it is recommended to use the
              fapolicyd group if it exists.

       do_stat_report
              This option controls whether (1) or not (0) fapolicyd should
              create a usage statistics report on shutdown. The report is
              written to /var/log/fapolicyd-access.log. This report gives
              the number of allowed accesses and denials. Then, for both
              the subject and object cache, it dumps information about
              size, hits, misses, and evictions. The default value is 1,
              which means create the report.

       detailed_report
              This option controls whether (1) or not (0) fapolicyd should
              add subject and object information to the usage statistics
              report. This is information about the exact process or file
              path in the cache, ordered from most recently used to least
              recently used. This can be useful for forensics if an
              incident has occurred. But if the file names are sensitive,
              then you may want to turn this off. The default value is 1,
              meaning add the details.

       db_max_size
              This option controls how many megabytes the trust database
              is allowed to grow to. If you have lots of packages
              installed, then you want to make it bigger. The default
              value is 50 megabytes.

       subj_cache_size
              This option controls how many entries the subject cache
              holds. You want the size to be big enough that you are not
              getting too many evictions compared to hits, but you don't
              want to waste memory. Whenever there is an eviction,
              fapolicyd has to regenerate information about the subject,
              and this slows performance. There are only 64k processes
              allowed at any time, so that is the upper limit. The default
              value is 1549.

       obj_cache_size
              This option controls how many entries the object cache
              holds. You want the size to be big enough that you are not
              getting too many evictions compared to hits, but you don't
              want to waste memory. Whenever there is an eviction,
              fapolicyd has to regenerate information about the object,
              and this slows performance. The default value is 8191.

       watch_fs
              This is a comma separated list of file systems that should
              be watched for access permission. No attempt is made to
              validate the file system names. They should exactly match
              the name presented in the first column of /proc/mounts. If
              this is not configured, it defaults to watching ext4, xfs,
              and tmpfs.

       trust  This is a comma separated list of trust back-ends. If this is
              not configured, 'rpmdb,file' is the default. Fapolicyd
              supports a file back-end that reads the content of
              /etc/fapolicyd/fapolicyd.trust and uses it as a list of
              trusted files. The second option is the rpmdb back-end,
              which generates the list of trusted files from the rpmdb.

       integrity
              This option tells fapolicyd which integrity strategy it
              should use. It can be one of 4 values:

              none   This is the default and does no integrity checking.

              size   Selecting this option will compare the size of the
                     file with what it was known to be. This is better
                     than nothing and very fast, since fapolicyd already
                     collects size information during normal processing.
                     However, an attacker could replace the file and, as
                     long as the size matches, it will not be detected.

              ima    Selecting this option will use a SHA256 hash that
                     the IMA subsystem places in a file's extended
                     attributes, in addition to the size check. This
                     means that all file systems holding executable code
                     must support extended attributes.

              sha256 Selecting this option will calculate a SHA256 hash
                     by cryptographic means. A size check will also be
                     performed.
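              The following added example (not fapolicyd code) shows why
              the size strategy is weaker than sha256: a trusted file is
              overwritten with different content of the same length, and
              each strategy is asked whether the file still matches its
              trust entry. The TrustEntry shape and the sample file
              content are constructed for the example; the ima strategy
              is not modelled here.

```python
"""Illustration of the none, size and sha256 integrity strategies.
Added example, not fapolicyd's own code: TrustEntry is a constructed
(path, size, sha256) record standing in for a trust database entry."""
import hashlib
import os
import tempfile
from dataclasses import dataclass


@dataclass(frozen=True)
class TrustEntry:
    path: str
    size: int
    sha256: str  # hex digest recorded when the file was trusted


def sha256_of(path: str) -> str:
    """Hash the file content in chunks so large binaries are not read at once."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def check_integrity(entry: TrustEntry, strategy: str) -> bool:
    """Return True if the on-disk file still matches the trust entry under the
    given strategy: 'none' never compares anything, 'size' compares st_size
    only, 'sha256' compares the size and then the content hash."""
    strategy = strategy.lower()
    if strategy == "none":
        return True
    if strategy not in ("size", "sha256"):
        raise ValueError(f"unsupported integrity strategy: {strategy}")
    if os.stat(entry.path).st_size != entry.size:
        return False
    if strategy == "sha256":
        return sha256_of(entry.path) == entry.sha256
    return True


def demo() -> dict:
    """Trust a constructed file, overwrite it with different bytes of the same
    length, and report what each strategy says before and after."""
    strategies = ("none", "size", "sha256")
    with tempfile.TemporaryDirectory() as d:
        p = os.path.join(d, "tool")
        with open(p, "wb") as f:
            f.write(b"#!/bin/sh\necho ok\n")  # constructed sample content
        entry = TrustEntry(p, os.stat(p).st_size, sha256_of(p))
        before = {s: check_integrity(entry, s) for s in strategies}
        with open(p, "wb") as f:
            f.write(b"#!/bin/sh\necho no\n")  # same size, different content
        after = {s: check_integrity(entry, s) for s in strategies}
    return {"before": before, "after": after}


if __name__ == "__main__":
    print(demo())
```

              Only the sha256 strategy reports the replaced file; size
              still passes because the replacement is exactly as long as
              the original, which is the weakness the text describes.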

       syslog_format
              This option controls how the output from the access
              decision is formatted. The format is a comma separated list
              of subject and object names from the rules. It does not
              allow the keyword "all". It also allows for rule, dec, and
              perm. The format must include a semi-colon to delineate
              subject from object keywords. The typical use is to place
              information about the access decision, then subject
              information, a colon, and then the object information. Also
              note that the more things being logged, the more it will
              impact system performance. Also, the event written is
              limited to 512 bytes.

              Example:
              syslog_format = rule,dec,perm,auid,pid,exe,:,path,ftype,trust
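              The following is an added example, not the daemon's own
              parser, that applies the file rules from DESCRIPTION (one
              keyword per line, '=', case insensitive, '#' comments, lines
              over 160 characters skipped), the value ranges stated for
              permissive, nice_val, integrity and q_size, and the
              syslog_format constraints, using ':' as the subject/object
              separator as in the example above. The SAMPLE text is a
              constructed configuration and the LimitNOFILE value is an
              input the caller supplies from the service's unit settings.

```python
"""Parser and sanity checker for fapolicyd.conf, following the rules stated
in this man page.  Added example, not fapolicyd's own code."""
from __future__ import annotations

MAX_LINE = 160
INTEGRITY = {"none", "size", "ima", "sha256"}

# Constructed sample configuration (not taken from a real system).
SAMPLE = """\
# fapolicyd.conf sample
permissive = 0
nice_val = 14
q_size = 1500
uid = fapolicyd
gid = fapolicyd
integrity = size
syslog_format = rule,dec,perm,auid,pid,exe,:,path,ftype,trust
"""


def parse_conf(text: str) -> dict[str, str]:
    """Return {keyword: value}, both lower-cased.  Comment lines, lines without
    '=', and lines longer than 160 characters are skipped."""
    conf: dict[str, str] = {}
    for raw in text.splitlines():
        if len(raw) > MAX_LINE or raw.lstrip().startswith("#") or "=" not in raw:
            continue
        key, _, val = raw.partition("=")
        conf[key.strip().lower()] = val.strip().lower()
    return conf


def check_syslog_format(fmt: str) -> list[str]:
    """syslog_format constraints: comma separated, keyword 'all' not allowed,
    exactly one ':' dividing subject fields from object fields."""
    problems = []
    fields = [f.strip() for f in fmt.split(",")]
    if "all" in fields:
        problems.append("syslog_format: keyword 'all' is not allowed")
    if fields.count(":") != 1:
        problems.append("syslog_format: exactly one ':' must separate subject and object fields")
    return problems


def check_conf(conf: dict[str, str], limit_nofile: int | None = None) -> list[str]:
    """Return findings for a parsed configuration; an empty list means nothing
    to flag.  limit_nofile is the service's LimitNOFILE, supplied by the caller."""
    problems: list[str] = []
    permissive = conf.get("permissive", "0")
    if permissive not in ("0", "1"):
        problems.append("permissive must be 0 or 1")
    elif permissive == "1":
        problems.append("permissive=1: policy is not enforced (testing and debug only)")
    nice = conf.get("nice_val", "10")
    if not nice.isdigit() or not 0 <= int(nice) <= 20:
        problems.append("nice_val must be between 0 and 20")
    integrity = conf.get("integrity", "none")
    if integrity not in INTEGRITY:
        problems.append("integrity must be one of none, size, ima, sha256")
    elif integrity in ("ima", "sha256") and conf.get("rpm_sha256_only", "0") != "1":
        # With sha256/ima, rpm entries that only carry SHA1 are never trusted.
        problems.append(f"integrity={integrity}: SHA1 rpm entries will not be trusted; "
                        "consider rpm_sha256_only=1")
    q = conf.get("q_size", "800")
    if not q.isdigit():
        problems.append("q_size must be a number")
    elif limit_nofile is not None and int(q) > limit_nofile:
        # Each queue entry holds a file descriptor, so q_size must fit the rlimit.
        problems.append(f"q_size {q} exceeds LimitNOFILE {limit_nofile}; raise the service limit")
    if "syslog_format" in conf:
        problems.extend(check_syslog_format(conf["syslog_format"]))
    return problems


if __name__ == "__main__":
    for finding in check_conf(parse_conf(SAMPLE), limit_nofile=1024) or ["no findings"]:
        print(finding)
```

              Run as a script it reports the q_size finding for the
              sample, because 1500 queue entries exceed a LimitNOFILE of
              1024; with a large enough limit the sample passes cleanly.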

       rpm_sha256_only
              Setting this option to 1 forces the daemon to work only with
              SHA256 hashes. This is useful on systems where the integrity
              is set to SHA256 or IMA and some rpms were originally built
              with e.g. SHA1. The daemon will ignore these SHA1 entries,
              so they can be added manually via the CLI with the correct
              SHA256 to a trust file later. If set to 0, the daemon stores
              SHA1 in the trustdb as well. This is compatible with the
              older behavior, which works with the integrity set to NONE
              and SIZE. The NONE or SIZE integrity setting considers the
              files installed via rpm as trusted and does not care about
              their hashes at all. On the other hand, the integrity set to
              SHA256 or IMA will never consider a file with SHA1 in the
              trustdb as trusted. The default value is 0.

       allow_filesystem_mark
              When this option is set to 1, it allows fapolicyd to monitor
              file access events on the underlying file system when they
              are bind mounted or overlayed (e.g. with overlayfs).
              Normally these block fapolicyd from seeing events on the
              underlying file systems. This may or may not be desirable.
              For example, you might start seeing containers accessing
              things outside of the container, but there is no source of
              trust for the container. In that case you probably do not
              want to see access from the container. Or maybe you do not
              use containers but want to control anything run by
              systemd-run when dynamic users are allowed. In that case you
              probably want to turn it on. Not all kernels support this
              option. Therefore the default value is 0.

SEE ALSO
       fapolicyd(8), fapolicyd-cli(8) and fapolicy.rules(5).

AUTHOR
       Steve Grubb

Red Hat                          September 2022                     FAPOLICYD.CONF:(5)