FAPOLICYD.CONF:(6)          System Administration Utilities          FAPOLICYD.CONF:(6)

NAME
       fapolicyd.conf - fapolicyd configuration file

DESCRIPTION
       The file /etc/fapolicyd/fapolicyd.conf contains the configuration of
       the application whitelisting daemon. It allows the admin to tune the
       performance and actions of fapolicyd at runtime. The file contains one
       configuration keyword per line, followed by an equal sign and then the
       appropriate configuration value. All option names and values are case
       insensitive. The recognized keywords are listed and described below.
       Each line should be limited to 160 characters, or the line will be
       skipped. You may add comments to the file by starting the line with a
       '#' character.

19
       permissive
              This option is either 0, meaning policy decisions are sent to
              the kernel for enforcement, or 1, meaning the access is always
              allowed even if policy would block it. This should only be used
              for policy testing and debugging. The default value is 0.

       nice_val
              This option gives fapolicyd a scheduler boost. The number can
              be from 0 to 20. The default value is 10.

       q_size This option controls how big an internal queue fapolicyd will
              use. If requests come in faster than fapolicyd can answer them,
              the queue holds the pending requests. If do_stat_report is
              enabled, fapolicyd will provide some statistics when it shuts
              down, including the maximum queue depth used. This information
              can be used to help tune performance. The default value is
              1024.

       uid    This can be a number or an account name which fapolicyd should
              switch to during startup. The default value is 0 because it is
              guaranteed to exist, but it is recommended to use the fapolicyd
              account if it exists.

       gid    This can be a number or a group name which fapolicyd should
              switch to during startup. The default value is 0 because it is
              guaranteed to exist, but it is recommended to use the fapolicyd
              group if it exists.

       do_stat_report
              This option controls whether (1) or not (0) fapolicyd should
              create a usage statistics report on shutdown. The report is
              written to /var/log/fapolicyd-access.log. It gives the number
              of allowed accesses and denials, and then, for both the subject
              and the object cache, it dumps information about size, hits,
              misses, and evictions. The default value is 1, which means
              create the report.

       detailed_report
              This option controls whether (1) or not (0) fapolicyd should
              add subject and object information to the usage statistics
              report. This is information about the exact process or file
              path in the cache, from most recently used to least recently
              used. It can be useful for forensics if an incident has
              occurred, but if the file names are sensitive you may want to
              turn this off. The default value is 1, meaning add the details.

       db_max_size
              This option controls how many megabytes the trust database is
              allowed to grow to. If you have lots of packages installed,
              you will want to make it bigger. The default value is 50
              megabytes.

       subj_cache_size
              This option controls how many entries the subject cache holds.
              You want the size to be big enough that you are not getting
              too many evictions compared to hits, but you do not want to
              waste memory. Whenever there is an eviction, fapolicyd has to
              regenerate information about the subject, and this slows
              performance. There are only 64k processes allowed at any time,
              so that is the upper limit. The default value is 1024.

       obj_cache_size
              This option controls how many entries the object cache holds.
              You want the size to be big enough that you are not getting
              too many evictions compared to hits, but you do not want to
              waste memory. Whenever there is an eviction, fapolicyd has to
              regenerate information about the object, and this slows
              performance. The default value is 4096.

       watch_fs
              This is a comma separated list of file systems that should be
              watched for access permission. No attempt is made to validate
              the file system names. They should exactly match the name
              presented in the first column of /proc/mounts. If this is not
              configured, it defaults to watching ext4, xfs, and tmpfs.

       trust  This is a comma separated list of trust back-ends. If this is
              not configured, 'rpmdb,file' is the default. Fapolicyd supports
              the file back-end, which reads the content of
              /etc/fapolicyd/fapolicyd.trust and uses it as a list of trusted
              files. The second option is the rpmdb back-end, which generates
              the list of trusted files from the rpmdb.

       integrity
              This option tells fapolicyd which integrity strategy it should
              use. It can be one of 4 values:

              none   This is the default and does no integrity checking.

              size   Selecting this option compares the size of the file
                     with what it was known to be. This is better than
                     nothing and very fast, since fapolicyd already
                     collects size information during normal processing.
                     However, an attacker could replace the file and, as
                     long as the size matches, it will not be detected.

              ima    Selecting this option uses the SHA256 hash that the IMA
                     subsystem places in a file's extended attributes, in
                     addition to the size check. This means that all file
                     systems holding executable code must support extended
                     attributes.

              sha256 Selecting this option calculates a SHA256 hash by
                     cryptographic means. A size check is also performed.

       syslog_format
              This option controls how the output from the access decision
              is formatted. The format is a comma separated list of subject
              and object names from the rules. It does not allow the keyword
              "all". It also allows for rule, dec, and perm. The format must
              include a colon (:) to delineate the subject keywords from the
              object keywords. The typical use is to place information about
              the access decision, then the subject information, a colon,
              and then the object information. Note that the more things are
              logged, the more system performance is impacted. Also, the
              event written is limited to 512 bytes.

              Example:
              syslog_format = rule,dec,perm,auid,pid,exe,:,path,ftype,trust

152
       rpm_sha256_only
              Setting this option to 1 forces the daemon to work only with
              SHA256 hashes. This is useful on systems where integrity is set
              to SHA256 or IMA and some rpms were originally built with e.g.
              SHA1. The daemon will ignore these SHA1 entries, so that they
              can be added manually later, with the correct SHA256, to a
              trust file via the CLI. If set to 0, the daemon stores SHA1 in
              the trustdb as well. This is compatible with the older
              behavior, which works with integrity set to NONE or SIZE: those
              integrity settings consider files installed via rpm as trusted
              and do not care about their hashes at all. On the other hand,
              integrity set to SHA256 or IMA will never consider a file with
              a SHA1 in the trustdb as trusted. The default value is 0.

       allow_filesystem_mark
              When this option is set to 1, it allows fapolicyd to monitor
              file access events on the underlying file system when it is
              bind mounted or overlayed (e.g. with overlayfs). Normally these
              block fapolicyd from seeing events on the underlying file
              systems. This may or may not be desirable. For example, you
              might start seeing containers accessing things outside of the
              container, but there is no source of trust for the container.
              In that case you probably do not want to see accesses from the
              container. Or maybe you do not use containers but want to
              control anything run by systemd-run when dynamic users are
              allowed. In that case you probably want to turn it on. Not all
              kernels support this option, therefore the default value is 0.

SEE ALSO
       fapolicyd(8), fapolicyd-cli(1) and fapolicy.rules(5).

AUTHOR
       Steve Grubb

Red Hat                          September 2022             FAPOLICYD.CONF:(6)