Linux Application Whitelisting

Author: Jackson Chen

What is fapolicyd?

fapolicyd, the “File Access Policy Daemon”, is a software framework that controls the execution of applications based on a user-defined policy. Allow or deny execution rules can be defined based on:

. path
. hash
. MIME type
. trust

The fapolicyd framework is made up of the following components:

. fapolicyd service
. fapolicyd command-line utilities
. fapolicyd RPM plugin
. fapolicyd rule language

The fapolicyd service configuration is located in the /etc/fapolicyd/ directory with the following structure:

● The fapolicyd.rules file contains the allow and deny execution rules.
● The fapolicyd.conf file contains the daemon’s configuration options.
    This file is useful primarily for performance-tuning purposes.
● The fapolicyd.trust file contains the list of trusted files/binaries for the application whitelisting daemon.

Generate rules - Enable Debug and Troubleshooting

You can test by starting the daemon from the command line. Before starting the daemon, copy a known binary to a new name so that there is an unpackaged test binary for the policy to act on:

cp /usr/bin/ls /usr/bin/my-ls

This is just to set up for testing. When testing a new policy, it is highly recommended to use permissive mode to make sure nothing bad happens. It really is not too hard to deadlock your system.

# How to debug application whitelisting
1. Run as root.
2. Start the daemon in permissive mode with debugging enabled:
    /usr/sbin/fapolicyd --permissive --debug

3. In a root terminal, record the time and look at the latest audit event:
    date && tail -n1 /var/log/audit/audit.log

4. In a user terminal, run the binary the policy should act on:
    $ date && /usr/local/bin/xz --version

Note:
     If I change the rule from deny_audit to deny_log,
     I get an entry in /var/log/messages, but still no entry in /var/log/audit/audit.log.

Note:
    If no audit entries appear, check the status of the audit subsystem with auditctl -s.

In permissive + debug mode you will see dec=deny, which means "decision is to deny", but the program will actually be allowed to run.

fapolicyd commands

List the loaded rules:
    fapolicyd-cli --list

Check the service status:
    # systemctl status fapolicyd

Verify the events written to audit.log:
    # tail /var/log/audit/audit.log

Run the daemon with debugging enabled (permissive mode):
    # /usr/sbin/fapolicyd --permissive --debug
Installation

    # yum install fapolicyd
    # systemctl enable --now fapolicyd

Configuration

The fapolicyd service configuration is located in the /etc/fapolicyd/ directory; its layout (fapolicyd.rules, fapolicyd.conf and fapolicyd.trust) is described under "What is fapolicyd?" above.
Writing rules

fapolicyd can check the integrity of executables in one of the following ways:

 ● file-size checking
 ● comparing SHA-256 hashes
 ● the Integrity Measurement Architecture (IMA) subsystem

By default, fapolicyd does no integrity checking. Integrity checking based on file size is fast, but an attacker can replace the content of a file while preserving its byte size. Computing and checking SHA-256 checksums is more secure, but it affects system performance. The integrity = ima option in fapolicyd.conf requires support for file extended attributes (xattr) on all file systems containing executable files.

Access control policy
● The current policy is in the following format
    ○ decision subject=value : object=value
    ○ decision pattern=value
    ○ Decision
        ■ allow, allow_audit, deny, deny_audit
    ○ Subject attributes
        ■ all, auid, uid, sessionid, pid, comm, exe, exe_dir, exe_type, exe_device, pattern
    ○ Object attributes
        ■ all, path, dir, device, ftype, sha256hash
● A rule can have multiple subject and object attributes; they are “anded” together
Subject statements
● all – no args
● auid = number or name
● uid = number or name
● sessionid = number
● pid = number
● comm = string up to 15 characters
● exe = full path to executable
● exe_dir = full path to directory, or execdirs, systemdirs, untrusted
● exe_type = mime type (file --mime-type /path-to-file)
● exe_device = full path to device (/dev/sr0)
Object statements
● all – no args
● path = string, full path
● dir = full path to directory, or execdirs, systemdirs, unpackaged
● device = /dev/something
● ftype = mime type
● sha256hash = hex number

execdirs: /usr, /bin, /sbin, /lib, /lib64, /usr/libexec
systemdirs: execdirs + /etc
Enable fapolicyd integrity checks
1. Open the /etc/fapolicyd/fapolicyd.conf file in a text editor of your choice,
    for example: # vi /etc/fapolicyd/fapolicyd.conf

2. Change the value of the integrity option from none to sha256, save the file, and exit the editor: 
    integrity = sha256 

3. Restart the fapolicyd service: 
    # systemctl restart fapolicyd

Example

To block execution of xz, you probably want:
    deny_audit perm=execute all : path=/usr/local/bin/xz
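As an added example (not part of these notes or of the fapolicyd project), here is a small Python checker that validates rule lines against the decision, subject and object vocabulary listed under "Access control policy" above, plus the perm attribute used by the xz example rule. It assumes perm takes execute, open or any, and the sample rules it carries are constructed.

```python
import re
# Vocabulary from the notes above; 'perm' comes from the page's example rule (its values are assumed).
DECISIONS = {"allow", "allow_audit", "deny", "deny_audit"}
SUBJECT_KEYS = {"all", "auid", "uid", "sessionid", "pid", "comm", "exe", "exe_dir",
                "exe_type", "exe_device", "pattern", "perm"}
OBJECT_KEYS = {"all", "path", "dir", "device", "ftype", "sha256hash"}

def _parse_terms(text, allowed, side, problems):
    """Turn 'k=v k=v all' into a dict, recording unknown or malformed terms."""
    terms = {}
    for tok in text.split():
        key, _, val = tok.partition("=")
        if key not in allowed:
            problems.append(f"unknown {side} attribute {key!r}")
        elif bool(val) == (key == "all"):  # 'all' takes no value, the rest need one
            problems.append(f"malformed {side} term {tok!r}")
        terms[key] = val
    return terms

def check_rule(line):
    """Return the problems found in one rule line; an empty list means it parsed."""
    problems = []
    head, sep, obj = line.partition(":")
    if not sep:
        return ["missing ':' between subject and object"]
    decision, rest = (head.split(None, 1) + ["", ""])[:2]
    if decision not in DECISIONS:
        problems.append(f"unknown decision {decision!r}")
    subj = _parse_terms(rest, SUBJECT_KEYS, "subject", problems)
    objt = _parse_terms(obj, OBJECT_KEYS, "object", problems)
    if not subj or not objt:
        problems.append("subject and object each need at least one term")
    if len(subj.get("comm", "")) > 15:  # limit stated in the subject notes
        problems.append("comm is limited to 15 characters")
    if subj.get("perm", "any") not in {"execute", "open", "any"}:
        problems.append(f"unknown perm value {subj['perm']!r}")
    if "sha256hash" in objt and not re.fullmatch(r"[0-9a-fA-F]{64}", objt["sha256hash"]):
        problems.append("sha256hash must be 64 hex digits")
    return problems

def lint_rules(text):
    """Map 1-based line number -> problems, skipping blank and '#' comment lines."""
    return {n: p for n, l in enumerate(text.splitlines(), 1)
            if l.strip() and not l.lstrip().startswith("#") and (p := check_rule(l))}

# Constructed sample: the page's xz rule plus two deliberately malformed lines.
SAMPLE_RULES = ("# block the locally built xz and audit every attempt\n"
                "deny_audit perm=execute all : path=/usr/local/bin/xz\n"
                "deny perm=execute comm=this_name_is_far_too_long : all\n"
                "allow perm=any all : sha256hash=notahash\n")
```

Running lint_rules(SAMPLE_RULES) reports problems for lines 3 and 4 only; the xz rule passes.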