Provided by: fapolicyd_1.3.2+20231212+git973a86d1b4-1.1_amd64

NAME

       fapolicyd.conf - fapolicyd configuration file

DESCRIPTION

       The file /etc/fapolicyd/fapolicyd.conf contains the configuration for the
       application whitelisting daemon. It lets the admin tune the performance and
       actions of fapolicyd at runtime. Each line holds one configuration keyword,
       an equal sign, and then the value for that keyword. All option names and
       values are case insensitive. The recognized keywords are listed and described
       below. Lines longer than 160 characters are skipped. You may add comments to
       the file by starting the line with a '#' character.

       permissive
              When set to 0, policy decisions are sent to the kernel for enforcement.
              When set to 1, access is always allowed even if the policy would block
              it. Use 1 only for policy testing and debugging. The default value is
              0.

       nice_val
              This  option gives fapolicyd a scheduler boost. The number can be from 0 to 20. The
              default value is 10.

       q_size This option controls how large an internal queue fapolicyd will use.
              If requests arrive faster than fapolicyd can answer them, the queue
              holds the pending requests. If do_stat_report is enabled, fapolicyd
              reports some statistics on shutdown, including the maximum queue depth
              used; this information helps tune performance. The default value is
              800. Also note that each queue entry consumes a file descriptor. There
              is an rlimit cap controlled by systemd's LimitNOFILE setting for the
              service, which you may also need to raise if q_size exceeds its value.

       uid    This  can  be  a  number or an account name which fapolicyd should switch to during
              startup. The default value is 0 because it  is  guaranteed  to  exist.  But  it  is
              recommended to use the fapolicyd account if that exists.

       gid    This can be a number or a group name which fapolicyd should switch to
              during startup. The default value is 0 because it is guaranteed to
              exist. But it is recommended to use the fapolicyd group if that exists.

       do_stat_report
              This option controls whether (1) or not (0) fapolicyd should create a
              usage statistics report on shutdown. The report is written to
              /var/log/fapolicyd-access.log. It gives the number of allowed accesses
              and denials, and then, for both the subject and object cache, dumps
              size, hits, misses, and evictions. The default value is 1, which means
              create the report.

       detailed_report
              This option controls whether (1) or not (0) fapolicyd should add subject
              and object information to the usage statistics report: the exact process
              or file path of each cache entry, from most recently used to least
              recently used. This can be useful for forensics after an incident, but
              if the file names are sensitive you may want to turn it off. The
              default value is 1, meaning add the details.

       db_max_size
              This  option controls how many megabytes to allow the trust database to grow to. If
              you have lots of packages installed, then you want to make it bigger.  The  default
              value is 50 megabytes.

       subj_cache_size
              This option controls how many entries the subject cache holds. You want the size to
              be big enough that you are not getting too many evictions compared to hits. But you
              don't  want  to  waste  memory.  Whenever  there  is  an eviction, fapolicyd has to
              regenerate information about the subject and this slows performance. There are only
              64k  processes  allowed  at any time, so this would be the upper limit. The default
              value is 1549.

       obj_cache_size
              This option controls how many entries the object cache holds. You want the size  to
              be big enough that you are not getting too many evictions compared to hits. But you
              don't want to waste memory.  Whenever  there  is  an  eviction,  fapolicyd  has  to
              regenerate  information  about  the  object and this slows performance. The default
              value is 8191.

       watch_fs
              This is a comma separated list of file systems that should be watched
              for access permission. No attempt is made to validate the file system
              names; they should exactly match the name presented in the first column
              of /proc/mounts. If this is not configured, it defaults to watching
              ext4, xfs, and tmpfs.

       trust  This is a comma separated list of trust back-ends. If this is not
              configured, 'rpmdb,file' is the default. The file back-end reads
              /etc/fapolicyd/fapolicyd.trust and uses its content as the list of
              trusted files. The rpmdb back-end generates the list of trusted files
              from the rpm database.

       integrity
              This option tells fapolicyd which integrity strategy it should use. It can  be  one
              of 4 values:

              none        This is the default and does no integrity checking.

              size        Selecting this option will compare the size of the file with
                          what it was known to be. This is better than nothing and
                          very fast, since fapolicyd already collects size information
                          during normal processing. However, an attacker could replace
                          the file and, as long as the size matches, it will not be
                          detected.

              ima         Selecting  this  option  will  use a SHA256 hash that the IMA subsystem
                          places in a file's extended attributes in addition to the  size  check.
                          This  means  that all file systems holding executable code must support
                          extended attributes.

              sha256      Selecting this option will calculate a  SHA256  hash  by  cryptographic
                          means. A size check will also be performed.

       syslog_format
              This option controls how the output of an access decision is formatted.
              The format is a comma separated list of subject and object names from
              the rules; the keyword "all" is not allowed. It also accepts rule, dec,
              and perm. The format must include a colon to delineate subject keywords
              from object keywords. The typical use is to place information about the
              access decision, then the subject information, a colon, and then the
              object information. Note that the more fields are logged, the more
              system performance is affected, and that the event written is limited
              to 512 bytes.

              Example:
              syslog_format = rule,dec,perm,auid,pid,exe,:,path,ftype,trust

       rpm_sha256_only
              Setting this option to 1 forces the daemon to work only with SHA256
              hashes. This is useful on systems where the integrity is set to SHA256
              or IMA and some rpms were originally built with, for example, SHA1.
              The daemon ignores those SHA1 entries, so they can later be added
              manually via the CLI with the correct SHA256 to a trust file. If set
              to 0, the daemon stores SHA1 hashes in the trustdb as well. This is
              compatible with the older behavior, which works with the integrity set
              to NONE or SIZE: those settings treat files installed via rpm as
              trusted without regard to their hashes. On the other hand, the
              integrity set to SHA256 or IMA will never consider a file with a SHA1
              hash in the trustdb as trusted. The default value is 0.

       allow_filesystem_mark
              When this option is set to 1, fapolicyd monitors file access events on
              the underlying file system when it is bind mounted or overlayed (e.g.
              by overlayfs). Normally such mounts block fapolicyd from seeing events
              on the underlying file systems. Whether this is desirable depends on
              the use case. For example, you might start seeing containers accessing
              things outside of the container, but there is no source of trust for
              the container; in that case you probably do not want to see accesses
              from the container. Or you may not use containers but want to control
              anything run by systemd-run when dynamic users are allowed; in that
              case you probably want to turn it on. Not all kernels support this
              option, so the default value is 0.

SEE ALSO

       fapolicyd(8), fapolicyd-cli(8) and fapolicy.rules(5).

AUTHOR

       Steve Grubb