← Rules Catalog
mediumservicesunverified

Ensure fapolicyd enforces a deny-all, permit-by-exception policy

fapolicyd-enforcing-deny-all · RHEL ≥ 10 · 1 impl

Description

RHEL 10 must employ a deny-all, permit-by-exception application allowlisting policy with fapolicyd. This requires both that fapolicyd runs in enforcement mode (permissive = 0) and that a deny-all rule terminates the policy.

Rationale

In permissive mode fapolicyd logs but does not block, so an allowlist provides no protection; and without a terminating deny-all rule, unlisted applications are permitted by default. Both conditions are required for permit-by-exception enforcement.

Check → Remediate

Checkcommand
if ! grep -qE '^[[:space:]]*permissive[[:space:]]*=[[:space:]]*0([[:space:]]|$)' \
     /etc/fapolicyd/fapolicyd.conf 2>/dev/null; then
  echo "FAIL: fapolicyd is not in enforcement mode (permissive must be 0)"
  exit 1
fi
if grep -qE '^[[:space:]]*deny(_audit|_log|_syslog)?[[:space:]]+perm=any[[:space:]]+all[[:space:]]*:[[:space:]]*all' \
     /etc/fapolicyd/fapolicyd.rules /etc/fapolicyd/rules.d/*.rules \
     /etc/fapolicyd/compiled.rules 2>/dev/null; then
  echo "OK: fapolicyd is enforcing (permissive=0) and employs a deny-all policy"
  exit 0
fi
echo "FAIL: fapolicyd does not employ a terminating deny-all (permit-by-exception) rule"
exit 1
expected_exit:
0
Remediatemanual
note:
Set "permissive = 0" in /etc/fapolicyd/fapolicyd.conf and ensure the policy ends with a deny-all rule (e.g. "deny_audit perm=any all : all"), then restart fapolicyd.

Framework references

STIG

V-280971 / RHEL-10-200602

NIST 800-53

CM-7(2)CM-7(5)
#fapolicyd#allowlisting#deny-all#enforcement#stig