FAPOLICYD.CONF:(5)      System Administration Utilities     FAPOLICYD.CONF:(5)


NAME

       fapolicyd.conf - fapolicyd configuration file


DESCRIPTION

       The file /etc/fapolicyd/fapolicyd.conf contains configuration
       information for the application whitelisting daemon. This file
       allows the admin to tune the performance and actions of fapolicyd
       during runtime. This file contains one configuration keyword per
       line, an equals sign, followed by the appropriate configuration
       information. All option names and values are case insensitive. The
       keywords recognized are listed and described below. Each line
       should be limited to 160 characters or the line will be skipped.
       You may add comments to the file by starting the line with a '#'
       character.


       permissive
              This option is either 0, meaning send policy decisions to
              the kernel for enforcement, or 1, meaning always allow the
              access even if policy would block it. This should only be
              used for policy testing and debugging. The default value is
              0.


       nice_val
              This option gives fapolicyd a scheduler boost. The number
              can be from 0 to 20. The default value is 10.


       q_size This option controls how big an internal queue fapolicyd
              will use. If requests come in faster than fapolicyd can
              answer them, the queue holds the pending requests. If
              do_stat_report is enabled, when fapolicyd shuts down it will
              provide some statistics which include the maximum queue
              depth used. This information can be used to help tune
              performance. The default value is 1024.


       uid    This can be a number or an account name which fapolicyd
              should switch to during startup. The default value is 0
              because it is guaranteed to exist. But it is recommended to
              use the fapolicyd account if that exists.


       gid    This can be a number or a group name which fapolicyd should
              switch to during startup. The default value is 0 because it
              is guaranteed to exist. But it is recommended to use the
              fapolicyd group if that exists.


       do_stat_report
              This option controls whether (1) or not (0) fapolicyd
              should create a usage statistics report on shutdown. The
              report is written to /var/log/fapolicyd-access.log. This
              report gives information about the number of allowed
              accesses and denials. Then for both the subject and object
              cache, it dumps information about size, hits, misses, and
              evictions. The default value is 1, which means create the
              report.


       detailed_report
              This option controls whether (1) or not (0) fapolicyd
              should add subject and object information to the usage
              statistics report. This would be information about the
              exact process or file path in the cache, from most recently
              used to least recently used. This can be useful for
              forensics if an incident has occurred. But if the file
              names are sensitive, then you may want to turn this off.
              The default value is 1, meaning add the details.


       db_max_size
              This option controls how many megabytes the trust database
              is allowed to grow to. If you have lots of packages
              installed, then you want to make it bigger. The default
              value is 100 megabytes.


       subj_cache_size
              This option controls how many entries the subject cache
              holds. You want the size to be big enough that you are not
              getting too many evictions compared to hits. But you don't
              want to waste memory. Whenever there is an eviction,
              fapolicyd has to regenerate information about the subject
              and this slows performance. There are only 64k processes
              allowed at any time, so this would be the upper limit. The
              default value is 1024.


       obj_cache_size
              This option controls how many entries the object cache
              holds. You want the size to be big enough that you are not
              getting too many evictions compared to hits. But you don't
              want to waste memory. Whenever there is an eviction,
              fapolicyd has to regenerate information about the object
              and this slows performance. The default value is 4096.


       watch_fs
              This is a comma separated list of file systems that should
              be watched for access permission. No attempt is made to
              validate the file system names. They should exactly match
              the name presented in the first column of /proc/mounts. If
              this is not configured, it will default to watching ext4,
              xfs, and tmpfs.


       trust  This is a comma separated list of trust back-ends. If this
              is not configured, 'rpmdb,file' is the default. Fapolicyd
              supports a file back-end that reads the contents of
              /etc/fapolicyd/fapolicyd.trust and uses it as a list of
              trusted files. The second option is the rpmdb back-end,
              which generates the list of trusted files from the rpmdb.


       integrity
              This option tells fapolicyd which integrity strategy it
              should use. It can be one of 4 values:

              none        This is the default and does no integrity
                          checking.

              size        Selecting this option will compare the size of
                          the file with what it was known to be. This is
                          better than nothing and very fast since
                          fapolicyd already collects size information
                          during normal processing. However, an attacker
                          could replace the file and as long as the size
                          matches, it will not be detected.

              ima         Selecting this option will use a SHA256 hash
                          that the IMA subsystem places in a file's
                          extended attributes, in addition to the size
                          check. This means that all file systems holding
                          executable code must support extended
                          attributes.

              sha256      Selecting this option will calculate a SHA256
                          hash by cryptographic means. A size check will
                          also be performed.


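       The difference between the size and sha256 strategies, shown as an
       added example that is not part of this man page or of fapolicyd: a
       trust record is built from an original file image, then a
       replacement of exactly the same size is checked under each
       strategy. The TrustRecord shape and the function names are this
       example's own assumptions, not fapolicyd's trust format or API.

```python
"""Added example (not fapolicyd code): the 'size' and 'sha256' integrity
strategies described above, applied to in-memory file images."""
import hashlib
from typing import NamedTuple


class TrustRecord(NamedTuple):
    """What a trust source remembers about a file. The field set is this
    example's own and is not a claim about fapolicyd's trust file format."""
    size: int
    sha256: str   # hex digest


def record_for(data: bytes) -> TrustRecord:
    """Build the trust record for a known-good file image."""
    return TrustRecord(len(data), hashlib.sha256(data).hexdigest())


def integrity_ok(strategy: str, data: bytes, trusted: TrustRecord) -> bool:
    """True if `data` passes the named strategy against the trust record.
    'none'   no check at all
    'size'   byte length only
    'sha256' byte length plus a freshly computed SHA-256 digest
    'ima' is not modelled: it reads a digest from the file's extended
    attributes instead of computing one, which has no in-memory analogue."""
    if strategy == "none":
        return True
    if strategy == "size":
        return len(data) == trusted.size
    if strategy == "sha256":
        return (len(data) == trusted.size
                and hashlib.sha256(data).hexdigest() == trusted.sha256)
    raise ValueError(f"unknown integrity strategy {strategy!r}")


# Constructed file images. TAMPERED swaps one 7-letter word for another,
# so it has exactly the same size as ORIGINAL but different content.
ORIGINAL = b"#!/bin/sh\necho allowed\n"
TAMPERED = ORIGINAL.replace(b"allowed", b"blocked")
TRUSTED = record_for(ORIGINAL)


def compare_strategies() -> dict:
    """Which strategies accept the same-size tampered image?"""
    return {s: integrity_ok(s, TAMPERED, TRUSTED)
            for s in ("none", "size", "sha256")}


if __name__ == "__main__":
    for strategy, accepted in compare_strategies().items():
        print(f"{strategy:7} accepts the same-size replacement: {accepted}")
```

       Running it shows "size" accepting the replacement and "sha256"
       rejecting it, which is the trade-off the option text describes:
       the size check is cheap because the length is already collected,
       but only the hash distinguishes two files of equal length.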
       syslog_format
              This option controls how the output from the access
              decision is formatted. The format is a comma separated
              list of subject and object names from the rules. It does
              not allow the keyword "all". It also allows for rule, dec,
              and perm. The format must include a colon to delineate
              subject from object keywords. The typical use is to place
              information about the access decision, then subject
              information, a colon, and the object information. Also
              note that the more things being logged, the more it will
              impact system performance. Also, the event written is
              limited to 512 bytes.


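       A parser for the file format given in DESCRIPTION (one keyword per
       line, an equals sign, case-insensitive names and values, '#'
       comments, lines over 160 characters skipped), extended with the
       value ranges and defaults documented for each keyword above,
       including the syslog_format rules. This is an added example and
       not fapolicyd's own code; the function names, the constructed
       sample configuration, and the ceilings used where the page gives
       no upper bound are this example's assumptions.

```python
"""Added example, not fapolicyd's own code: parse and sanity-check a
fapolicyd.conf by the rules on this page. Names here are the example's own."""

MAX_LINE_LEN = 160            # longer lines are skipped by fapolicyd
SUBJ_CACHE_UPPER = 64 * 1024  # "only 64k processes allowed at any time"
BIG = 2**31 - 1               # assumed ceiling where the page gives none

# Defaults as documented on the page. No default is documented for
# syslog_format, so it stays None unless the file sets one.
DEFAULTS = {
    "permissive": 0, "nice_val": 10, "q_size": 1024, "uid": 0, "gid": 0,
    "do_stat_report": 1, "detailed_report": 1, "db_max_size": 100,
    "subj_cache_size": 1024, "obj_cache_size": 4096,
    "watch_fs": ["ext4", "xfs", "tmpfs"], "trust": ["rpmdb", "file"],
    "integrity": "none", "syslog_format": None,
}

def _int_in(lo, hi):
    """Checker for an integer option that must lie within lo..hi."""
    def check(key, val, problems):
        if not val.lstrip("-").isdigit():
            problems.append(f"{key}: not a number: {val!r}")
            return None
        n = int(val)
        if not lo <= n <= hi:
            problems.append(f"{key}: {n} outside {lo}..{hi}")
        return n
    return check

def _id_or_name(key, val, problems):
    return int(val) if val.isdigit() else val   # numeric id or account name

def _csv(allowed=None):
    """Checker for a comma separated list, optionally limited to `allowed`."""
    def check(key, val, problems):
        items = [i.strip() for i in val.split(",") if i.strip()]
        if not items:
            problems.append(f"{key}: empty list")
        problems += [f"{key}: unknown back-end {i!r}"
                     for i in items if allowed and i not in allowed]
        return items
    return check

def _integrity(key, val, problems):
    if val not in ("none", "size", "ima", "sha256"):
        problems.append(f"{key}: unknown strategy {val!r}")
    return val

def _syslog_format(key, val, problems):
    """Comma list; 'all' is forbidden; a ':' must split subject from object."""
    items = [i.strip() for i in val.split(",")]
    if "all" in items:
        problems.append(f"{key}: keyword 'all' is not allowed")
    if ":" not in items:
        problems.append(f"{key}: no ':' between subject and object fields")
    return items

CHECKS = {
    "permissive": _int_in(0, 1), "nice_val": _int_in(0, 20),
    "q_size": _int_in(1, BIG), "uid": _id_or_name, "gid": _id_or_name,
    "do_stat_report": _int_in(0, 1), "detailed_report": _int_in(0, 1),
    "db_max_size": _int_in(1, BIG),
    "subj_cache_size": _int_in(1, SUBJ_CACHE_UPPER),
    "obj_cache_size": _int_in(1, BIG), "watch_fs": _csv(),
    "trust": _csv(allowed={"rpmdb", "file"}), "integrity": _integrity,
    "syslog_format": _syslog_format,
}

def parse_fapolicyd_conf(text):
    """Return (config, problems): the documented defaults overlaid with the
    file's values, plus a list of findings a reviewer would want to see."""
    config, problems = dict(DEFAULTS), []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):    # blank line or comment
            continue
        if len(raw) > MAX_LINE_LEN:             # fapolicyd skips such lines
            problems.append(f"line {lineno}: over {MAX_LINE_LEN} chars, skipped")
            continue
        if "=" not in line:
            problems.append(f"line {lineno}: missing '='")
            continue
        key, _, val = line.partition("=")
        key, val = key.strip().lower(), val.strip().lower()  # case insensitive
        if key not in CHECKS:
            problems.append(f"line {lineno}: unknown keyword {key!r}")
            continue
        config[key] = CHECKS[key](key, val, problems)
    return config, problems

# Constructed sample (not a shipped fapolicyd.conf) carrying four faults:
# nice_val out of range, 'all' and no ':' in syslog_format, unknown keyword.
SAMPLE_CONF = """\
# constructed sample
permissive = 0
nice_val = 25
uid = fapolicyd
gid = FAPOLICYD
integrity = sha256
trust = rpmdb,file
syslog_format = rule,dec,perm,all,exe,path
bogus_option = 1
"""
```

       Calling parse_fapolicyd_conf(SAMPLE_CONF) returns the merged
       configuration together with the four findings; the defaults for
       keywords the sample never mentions (watch_fs, the cache sizes) come
       from the values documented above.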

SEE ALSO

       fapolicyd(8), fapolicyd-cli(1) and fapolicy.rules(5).



AUTHOR

       Steve Grubb



Red Hat                            May 2020                 FAPOLICYD.CONF:(5)