mediumservicesverified ✓rollback-safe
Configure fapolicyd to employ a deny-all allow-by-exception policy
fapolicyd-deny-all · RHEL ≥ 8 · 1 impl
Description
The fapolicyd daemon must be configured to employ a deny-all, allow-by-exception policy to prevent unauthorized application execution.
Rationale
An allow-all policy provides no protection against unauthorized applications. A deny-all policy ensures only explicitly permitted executables can run, significantly reducing the risk from malware and unauthorized software.
Check → Remediate
Checkcommand
grep -qE '^\s*deny_audit\s+perm=any\s+all\s*:\s*all\s*$' /etc/fapolicyd/fapolicyd.rules 2>/dev/null || grep -qE '^\s*deny\s+perm=any\s+all\s*:\s*all\s*$' /etc/fapolicyd/rules.d/*.rules 2>/dev/null
- expected_exit:
- 0
Remediateconfig_append
- path:
- /etc/fapolicyd/fapolicyd.rules
- line:
- deny_audit perm=any all : all
- restart:
- fapolicyd
Framework references
STIG
V-270180 / RHEL-09-433016V-244546
NIST 800-53
CM-7SI-3
Live verification
rhel8:check
#fapolicyd#allow-by-exception#application-control