fapolicyd.conf - fapolicyd configuration file
The file /etc/fapolicyd/fapolicyd.conf contains the configuration for the
application whitelisting daemon. It allows the admin to tune the performance
and actions of fapolicyd at runtime. The file contains one configuration
keyword per line, followed by an equal sign and then the appropriate
configuration value. All option names and values are case insensitive. The
keywords recognized are listed and described below. Each line should be
limited to 160 characters or the line will be skipped. You may add comments
to the file by starting the line with a '#' character.
- permissive
- This option is either 0, meaning send policy decisions to the kernel for
enforcement, or 1, meaning always allow the access even if policy would block
it. It should only be used for policy testing and debugging. The default
value is 0.
- nice_val
- This option gives fapolicyd a scheduler boost. The number can be from 0 to
20. The default value is 10.
- q_size
- This option controls how large an internal queue fapolicyd will use. If
requests come in faster than fapolicyd can answer them, the queue holds the
pending requests. If do_stat_report is enabled, fapolicyd provides some
statistics at shutdown, including the maximum queue depth used. This
information can be used to help tune performance. The default value is 1024.
- uid
- This can be a number or an account name which fapolicyd should switch to
during startup. The default value is 0 because it is guaranteed to exist.
But it is recommended to use the fapolicyd account if that exists.
- gid
- This can be a number or a group name which fapolicyd should switch to
during startup. The default value is 0 because it is guaranteed to exist.
But it is recommended to use the fapolicyd group if that exists.
- do_stat_report
- This option controls whether (1) or not (0) fapolicyd should create a
usage statistics report on shutdown. The report is written to
/var/log/fapolicyd-access.log. This report gives information about the
number of allowed accesses and denials. Then for both the subject and object
cache, it dumps information about size, hits, misses, and evictions. The
default value is 1, which means create the report.
- detailed_report
- This option controls whether (1) or not (0) fapolicyd should add subject
and object information to the usage statistics report. This would be
information about the exact process or file path in the cache, from most
recently used to least recently used. This can be useful for forensics if an
incident has occurred. But if the file names are sensitive then you may want
to turn this off. The default value is 1, meaning add the details.
- db_max_size
- This option controls how many megabytes to allow the trust database to
grow to. If you have lots of packages installed, then you want to make it
bigger. The default value is 50 megabytes.
- subj_cache_size
- This option controls how many entries the subject cache holds. You want
the size to be big enough that you are not getting too many evictions
compared to hits. But you don't want to waste memory. Whenever there is an
eviction, fapolicyd has to regenerate information about the subject and
this slows performance. There are only 64k processes allowed at any time,
so this would be the upper limit. The default value is 1024.
- obj_cache_size
- This option controls how many entries the object cache holds. You want the
size to be big enough that you are not getting too many evictions compared
to hits. But you don't want to waste memory. Whenever there is an
eviction, fapolicyd has to regenerate information about the object and
this slows performance. The default value is 4096.
- watch_fs
- This is a comma separated list of file systems that should be watched for
access permission. No attempt is made to validate the file system names.
They should exactly match the name presented in the first column of
/proc/mounts. If this is not configured, it will default to watching ext4,
xfs, and tmpfs.
- trust
- This is a comma separated list of trust back-ends. If this is not
configured, 'rpmdb,file' is the default. Fapolicyd supports the file
back-end, which reads the contents of /etc/fapolicyd/fapolicyd.trust and
uses it as a list of trusted files, and the rpmdb back-end, which generates
the list of trusted files from the rpm database.
- integrity
- This option tells fapolicyd which integrity strategy it should use. It can
be one of 4 values:
- none
- This is the default and does no integrity checking.
- size
- Selecting this option will compare the size of the file with what it was
known to be. This is better than nothing and very fast since fapolicyd
already collects size information during normal processing. However, an
attacker could replace the file and, as long as the size matches, it will
not be detected.
- ima
- Selecting this option will use a SHA256 hash that the IMA subsystem places
in a file's extended attributes in addition to the size check. This means
that all file systems holding executable code must support extended
attributes.
- sha256
- Selecting this option will calculate a SHA256 hash by cryptographic means.
A size check will also be performed.
- syslog_format
- This option controls how the output from the access decision is formatted.
The format is a comma separated list of subject and object names from the
rules. It does not allow the keyword "all". It also allows for
rule, dec, and perm. The format must include a semi-colon to delineate
subject from object keywords. The typical use is to place information
about the access decision, then subject information, a colon, and the
object information. Also note that the more things being logged, the more
it will impact system performance. Also, the event written is limited to
512 bytes.
Example:
syslog_format = rule,dec,perm,auid,pid,exe,:,path,ftype,trust
- rpm_sha256_only
- Setting this option to 1 forces the daemon to work only with SHA256
hashes. This is useful on systems where the integrity is set to SHA256 or
IMA and some rpms were originally built with e.g. SHA1. The daemon will
ignore these SHA1 entries, so they can be added manually via the CLI with
the correct SHA256 to a trust file later. If set to 0, the daemon stores
SHA1 in trustdb as well. This is compatible with older behavior, which works
with the integrity set to NONE and SIZE. The NONE or SIZE integrity setting
considers the files installed via rpm as trusted and does not care about
their hashes at all. On the other hand, the integrity set to SHA256 or IMA
will never consider a file with SHA1 in trustdb as trusted. The default
value is 0.
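The following Python example, added here for this page and not part of fapolicyd itself, models the integrity strategies described above and the trustdb rule for SHA1 entries. It trusts a constructed file, then overwrites it with different content of exactly the same size: the size strategy still passes, the sha256 strategy does not. The ima strategy is not modelled because it depends on the kernel's extended attributes; the 40/64 hex-digit lengths used to tell SHA1 from SHA256 records are an assumption of this example.

```python
"""Added example (not fapolicyd's own code): compare the size and sha256
integrity strategies against a trust record, and apply the page's rule for
SHA1 records under rpm_sha256_only. All files are constructed in a temporary
directory."""
import hashlib
import os
import tempfile

# Assumption: a hex SHA1 is 40 characters, a hex SHA256 is 64.
SHA1_HEX_LEN, SHA256_HEX_LEN = 40, 64


def sha256_of(path):
    """Cryptographic SHA256 of a file, read in chunks."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def record_is_usable(record_hash, integrity, rpm_sha256_only):
    """Can a trustdb record carrying this hash vouch for a file?
    Per the page: with integrity none/size the hash is not consulted; with
    sha256/ima a SHA1 record never counts; rpm_sha256_only=1 keeps SHA1
    records out of trustdb altogether."""
    is_sha1 = len(record_hash) == SHA1_HEX_LEN
    if rpm_sha256_only and is_sha1:
        return False          # record was never stored
    if integrity in ("none", "size"):
        return True           # hash ignored for these strategies
    return not is_sha1        # sha256/ima need a SHA256 record


def check_file(path, trusted_size, trusted_sha256, integrity):
    """True if the file passes the named integrity strategy."""
    if integrity == "none":
        return True
    size_ok = os.path.getsize(path) == trusted_size
    if integrity == "size":
        return size_ok
    if integrity == "sha256":
        # the page: a size check is performed in addition to the hash
        return size_ok and sha256_of(path) == trusted_sha256
    raise ValueError(f"strategy {integrity!r} not modelled here")


def demo():
    """Trust a constructed file, replace it with same-size content, and
    report each strategy's verdict before and after."""
    strategies = ("none", "size", "sha256")
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "tool")
        original = b"#!/bin/sh\necho original\n"       # constructed
        replacement = b"#!/bin/sh\necho REPLACED\n"    # same length
        assert len(original) == len(replacement)
        with open(path, "wb") as f:
            f.write(original)
        size, digest = os.path.getsize(path), sha256_of(path)
        before = {s: check_file(path, size, digest, s) for s in strategies}
        with open(path, "wb") as f:
            f.write(replacement)
        after = {s: check_file(path, size, digest, s) for s in strategies}
    return {"before": before, "after": after}


if __name__ == "__main__":
    print(demo())
```

The verdicts show why the page calls the size check "better than nothing": it costs no extra I/O but is blind to a same-size substitution, which the sha256 strategy detects at the price of hashing the file.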
- allow_filesystem_mark
- When this option is set to 1, it allows fapolicyd to monitor file access
events on the underlying file system when it is bind mounted or overlayed
(e.g. with overlayfs). Normally these block fapolicyd from seeing events on
the underlying file systems. This may or may not be desirable. For example,
you might start seeing containers accessing things outside of the container,
but there is no source of trust for the container. In that case you probably
do not want to see access from the container. Or maybe you do not use
containers but want to control anything run by systemd-run when dynamic
users are allowed. In that case you probably want to turn it on. Not all
kernels support this option. Therefore the default value is 0.
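As an added example (not fapolicyd's own parser), the Python below reads a fapolicyd.conf according to the format rules given at the top of this page (one keyword per line, an equal sign, case-insensitive names and values, '#' comments, lines over 160 characters skipped) and checks each keyword's value against the range or choices described for it above. The syslog_format check takes ':' as the subject/object separator, as in the page's own example, and the set of accepted field names is an assumption drawn from that example plus rule, dec and perm. The sample configuration at the bottom is constructed for the demonstration.

```python
"""Added example: parse and validate fapolicyd.conf as this page describes it.
Not fapolicyd's own code; defaults and ranges are taken from the page."""

MAX_LINE = 160                       # longer lines are skipped, per the page
KNOWN_INTEGRITY = {"none", "size", "ima", "sha256"}
KNOWN_TRUST = {"rpmdb", "file"}
# Assumption: field names accepted in syslog_format (from the page's example).
SYSLOG_FIELDS = {"rule", "dec", "perm", "auid", "pid", "exe",
                 "path", "ftype", "trust"}
BOOL_KEYS = {"permissive", "do_stat_report", "detailed_report",
             "rpm_sha256_only", "allow_filesystem_mark"}
COUNT_KEYS = {"q_size", "db_max_size", "subj_cache_size", "obj_cache_size"}

# Defaults stated on the page; syslog_format has no stated default.
DEFAULTS = {
    "permissive": "0", "nice_val": "10", "q_size": "1024", "uid": "0",
    "gid": "0", "do_stat_report": "1", "detailed_report": "1",
    "db_max_size": "50", "subj_cache_size": "1024", "obj_cache_size": "4096",
    "watch_fs": "ext4,xfs,tmpfs", "trust": "rpmdb,file", "integrity": "none",
    "rpm_sha256_only": "0", "allow_filesystem_mark": "0",
    "syslog_format": None,
}


def validate_syslog_format(value):
    """Return an error string, or None if the format is acceptable."""
    fields = [f.strip() for f in value.split(",")]
    if "all" in fields:
        return 'keyword "all" is not allowed'
    if fields.count(":") != 1:
        return "must contain exactly one ':' separating subject and object"
    unknown = [f for f in fields if f != ":" and f not in SYSLOG_FIELDS]
    return f"unknown field(s) {unknown}" if unknown else None


def validate(key, value):
    """Check one keyword's value; return an error string or None."""
    if key in BOOL_KEYS:
        return None if value in ("0", "1") else "must be 0 or 1"
    if key == "nice_val":
        ok = value.isdigit() and 0 <= int(value) <= 20
        return None if ok else "must be 0..20"
    if key in COUNT_KEYS:
        if not (value.isdigit() and int(value) > 0):
            return "must be a positive integer"
        if key == "subj_cache_size" and int(value) > 65536:
            return "exceeds the 64k process limit"     # page: upper limit
        return None
    if key in ("uid", "gid"):
        return None if value else "must be a number or a name"
    if key == "watch_fs":
        ok = all(p.strip() for p in value.split(","))
        return None if ok else "empty file system name in list"
    if key == "trust":
        bad = [b.strip() for b in value.split(",") if b.strip() not in KNOWN_TRUST]
        return f"unknown trust back-end(s) {bad}" if bad else None
    if key == "integrity":
        ok = value in KNOWN_INTEGRITY
        return None if ok else f"must be one of {sorted(KNOWN_INTEGRITY)}"
    if key == "syslog_format":
        return validate_syslog_format(value)
    return None


def parse_config(text):
    """Return (settings, problems). settings maps keyword -> value string,
    starting from the page's defaults; problems lists rejected lines."""
    settings = dict(DEFAULTS)
    problems = []
    for lineno, raw in enumerate(text.splitlines(), start=1):
        if len(raw) > MAX_LINE:
            problems.append(f"line {lineno}: over {MAX_LINE} chars, skipped")
            continue
        line = raw.strip()
        if not line or line.startswith("#"):
            continue                       # blank or comment
        if "=" not in line:
            problems.append(f"line {lineno}: no '=' found, skipped")
            continue
        key, _, value = line.partition("=")
        key, value = key.strip().lower(), value.strip().lower()  # case-insensitive
        if key not in DEFAULTS:
            problems.append(f"line {lineno}: unknown keyword '{key}'")
            continue
        err = validate(key, value)
        if err:
            problems.append(f"line {lineno}: {key}: {err}")
            continue
        settings[key] = value
    return settings, problems


# Constructed sample; the last two lines are deliberately invalid.
SAMPLE_CONF = """\
# constructed sample fapolicyd.conf
Permissive = 0
nice_val = 14
q_size = 2048
uid = fapolicyd
gid = fapolicyd
integrity = SHA256
trust = rpmdb,file
syslog_format = rule,dec,perm,auid,pid,exe,:,path,ftype,trust
nice_val = 99
bogus_option = 1
"""


def check_sample():
    return parse_config(SAMPLE_CONF)


if __name__ == "__main__":
    cfg, errs = check_sample()
    print(cfg)
    print("\n".join(errs))
```

A rejected line leaves the earlier valid setting (or the page's default) in place rather than silently applying a bad value, which is the behaviour an admin auditing a hardened host wants from a pre-flight check.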