← Rules Catalog
mediumservicesverified rollback-safe

Configure fapolicyd to employ a deny-all allow-by-exception policy

fapolicyd-deny-all · RHEL ≥ 8 · 1 impl

Description

The fapolicyd daemon must be configured to employ a deny-all, allow-by-exception policy to prevent unauthorized application execution.

Rationale

An allow-all policy provides no protection against unauthorized applications. A deny-all policy ensures only explicitly permitted executables can run, significantly reducing the risk from malware and unauthorized software.

Check → Remediate

Checkcommand
grep -qE '^\s*deny_audit\s+perm=any\s+all\s*:\s*all\s*$' /etc/fapolicyd/fapolicyd.rules 2>/dev/null || grep -qE '^\s*deny\s+perm=any\s+all\s*:\s*all\s*$' /etc/fapolicyd/rules.d/*.rules 2>/dev/null
expected_exit:
0
Remediateconfig_append
path:
/etc/fapolicyd/fapolicyd.rules
line:
deny_audit perm=any all : all
restart:
fapolicyd

Framework references

STIG

V-270180 / RHEL-09-433016V-244546

NIST 800-53

CM-7SI-3

Live verification

rhel8:check
#fapolicyd#allow-by-exception#application-control