mediumservicesunverified
Ensure fapolicyd enforces a deny-all, permit-by-exception policy
fapolicyd-enforcing-deny-all · RHEL ≥ 10 · 1 impl
Description
RHEL 10 must employ a deny-all, permit-by-exception application allowlisting policy with fapolicyd. This requires both that fapolicyd runs in enforcement mode (permissive = 0) and that a deny-all rule terminates the policy.
Rationale
In permissive mode fapolicyd logs but does not block, so an allowlist provides no protection; and without a terminating deny-all rule, unlisted applications are permitted by default. Both conditions are required for permit-by-exception enforcement.
Check → Remediate
Checkcommand
if ! grep -qE '^[[:space:]]*permissive[[:space:]]*=[[:space:]]*0([[:space:]]|$)' \
/etc/fapolicyd/fapolicyd.conf 2>/dev/null; then
echo "FAIL: fapolicyd is not in enforcement mode (permissive must be 0)"
exit 1
fi
if grep -qE '^[[:space:]]*deny(_audit|_log|_syslog)?[[:space:]]+perm=any[[:space:]]+all[[:space:]]*:[[:space:]]*all' \
/etc/fapolicyd/fapolicyd.rules /etc/fapolicyd/rules.d/*.rules \
/etc/fapolicyd/compiled.rules 2>/dev/null; then
echo "OK: fapolicyd is enforcing (permissive=0) and employs a deny-all policy"
exit 0
fi
echo "FAIL: fapolicyd does not employ a terminating deny-all (permit-by-exception) rule"
exit 1
- expected_exit:
- 0
Remediatemanual
- note:
- Set "permissive = 0" in /etc/fapolicyd/fapolicyd.conf and ensure the policy ends with a deny-all rule (e.g. "deny_audit perm=any all : all"), then restart fapolicyd.
Framework references
STIG
V-280971 / RHEL-10-200602
NIST 800-53
CM-7(2)CM-7(5)
#fapolicyd#allowlisting#deny-all#enforcement#stig