Configuring the allow list

From the Security page, you can configure File Access Policy Daemon (fapolicyd) for a specific Red Hat Enterprise Linux® Server or SUSE Linux Enterprise Server endpoint.

fapolicyd is a user-space daemon that determines access rights for files based on a trust database and file or process attributes. It can be used to either allow list or deny list file access and execution.

fapolicyd is not included with PowerSC. You must first install it before you can use it with PowerSC GUI.

The three possible installation scenarios are described in Table 1.

Table 1. fapolicyd installation scenarios

Scenario 1. fapolicyd is not already installed on the PowerSC GUI agent.
  Procedure: Install fapolicyd as described in this section.

Scenario 2. fapolicyd is already running on the PowerSC GUI agent.
  Procedure: You must add the PowerSC install scripts and the agent binary to the fapolicyd trust database so that the PowerSC GUI agent is allowed to execute. To do this:
  1. Run the following fapolicyd commands as root on the agent:
    /usr/sbin/fapolicyd-cli -f add /path/to/install/script/powersc-pscxpert-<version>.<arch>.sh
    /usr/sbin/fapolicyd-cli -f add /path/to/install/script/powersc-uiAgent-<version>.<arch>.sh
    /usr/sbin/fapolicyd-cli -f add /opt/powersc/uiAgent/bin/uiAgent
    /usr/sbin/fapolicyd-cli -u
    The -u option tells the running daemon to reload its trust database.
  2. Restart the agent:
    systemctl restart powersc-uiAgent

Scenario 3. fapolicyd is already running, and the system is both a PowerSC GUI agent and the PowerSC GUI server. This is a limited use case, most often found in test environments.
  Procedure: You must add the PowerSC install scripts, the agent binary, and the server binary to the fapolicyd trust database so that both the PowerSC GUI agent and the PowerSC GUI server are allowed to execute. To do this:
  1. Run the following fapolicyd commands as root:
    /usr/sbin/fapolicyd-cli -f add /path/to/install/script/powersc-pscxpert-<version>.<arch>.sh
    /usr/sbin/fapolicyd-cli -f add /path/to/install/script/powersc-uiAgent-<version>.<arch>.sh
    /usr/sbin/fapolicyd-cli -f add /path/to/install/script/powersc-uiServer-<version>.<arch>.sh
    /usr/sbin/fapolicyd-cli -f add /opt/powersc/uiAgent/bin/uiAgent
    /usr/sbin/fapolicyd-cli -f add /opt/powersc/uiServer/bin/uiserver
    /usr/sbin/fapolicyd-cli -u
  2. Restart the agent:
    systemctl restart powersc-uiAgent
  3. Restart the server:
    systemctl restart powersc-uiServer
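The fapolicyd-cli -f add commands above record, for each file, its path, size and SHA-256 digest in the fapolicyd trust file, which is why a binary that is later replaced (for example by an agent upgrade) stops matching and is denied. The following is an added example, not PowerSC or fapolicyd project code: it reproduces the trust-file line that fapolicyd-cli -f add writes and checks an existing trust file against the files currently on disk. The "path size sha256" line format is fapolicyd's documented trust-file format; the function names, the temporary files and the stand-in uiAgent script are this example's own constructions.

```shell
#!/bin/bash
# Added example, not PowerSC or fapolicyd project code. Shows what
# `fapolicyd-cli -f add FILE` records and how to check that a recorded entry
# still matches the file on disk. The "path size sha256" line format is the
# documented fapolicyd trust-file format; the function names and the
# temporary files below are this example's own choices.

# Emit the trust-file line for one file: path, byte size, SHA-256 digest.
trust_entry() {
    local f="$1" size hash
    [ -f "$f" ] || { echo "trust_entry: not a regular file: $f" >&2; return 1; }
    size=$(wc -c < "$f" | tr -d ' ')
    hash=$(sha256sum "$f" | cut -d' ' -f1)
    printf '%s %s %s\n' "$f" "$size" "$hash"
}

# Compare every entry in a trust file against the file currently on disk.
# Prints OK, MISSING or MISMATCH per entry; MISMATCH is what you get after a
# trusted binary is replaced by an upgrade, because the size or hash changed.
# Returns non-zero if any entry is not OK.
check_trust_file() {
    local trust="$1" rc=0 path size hash
    while read -r path size hash; do
        case "$path" in ''|'#'*) continue ;; esac
        if [ ! -f "$path" ]; then
            printf 'MISSING  %s\n' "$path"; rc=1
        elif [ "$(trust_entry "$path")" = "$path $size $hash" ]; then
            printf 'OK       %s\n' "$path"
        else
            printf 'MISMATCH %s\n' "$path"; rc=1
        fi
    done < "$trust"
    return "$rc"
}

# Stand-alone demo on constructed files; no fapolicyd needed.
demo() {
    local dir bin trust
    dir=$(mktemp -d)
    bin="$dir/uiAgent"            # stands in for /opt/powersc/uiAgent/bin/uiAgent
    trust="$dir/fapolicyd.trust"  # stands in for the fapolicyd trust file
    printf '#!/bin/sh\necho agent v1\n' > "$bin"
    trust_entry "$bin" > "$trust"           # what `fapolicyd-cli -f add` would record
    check_trust_file "$trust"               # OK
    printf '#!/bin/sh\necho agent v2\n' > "$bin"   # simulate an agent upgrade
    check_trust_file "$trust" ||            # MISMATCH
        echo "stale trust entry: re-run fapolicyd-cli -f add on the new file, then fapolicyd-cli -u"
    rm -rf "$dir"
}

demo
```

On a real endpoint, point check_trust_file at /etc/fapolicyd/fapolicyd.trust (or the files under /etc/fapolicyd/trust.d/, depending on the fapolicyd version) after any PowerSC or package upgrade; every MISMATCH is a file that must be re-added with fapolicyd-cli -f add, followed by fapolicyd-cli -u, before it will execute again.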
You can use the PowerSC GUI to configure fapolicyd on PowerSC GUI agents that are running Red Hat Enterprise Linux Server or SUSE Linux Enterprise Server. When fapolicyd is configured and enforcing, executable files that are not in its trust database are not allowed to execute.
Important: Keep the following points in mind if you use the PowerSC GUI to configure fapolicyd:
  • PowerSC GUI is not a replacement configuration tool for fapolicyd. See File Access Policy Daemon (fapolicyd) and the fapolicyd man page for complete information about fapolicyd.
  • fapolicyd is a powerful application. Although fapolicyd does not prevent root access to the system, it is possible to misconfigure fapolicyd in such a way as to leave the system inaccessible or unusable by other users. Therefore, it is recommended that you first implement and test fapolicyd on a PowerSC GUI agent that is not in production use.
  • By default, executable files that are included in the distribution are trusted through an rpmdb backend, which generates the list of trusted files from the RPM database. Files that were not installed from RPM packages must be added to the file trust list explicitly.

To configure the allow list, perform the following steps:

  1. For Red Hat Enterprise Linux Server, install fapolicyd on the agent if it is not already installed. For example, with yum:
    sh-4.4# yum list fapolicyd
    This system is receiving updates from Red Hat Satellite or Spacewalk server.
    Last metadata expiration check: 0:01:09 ago on Tue 22 Jun 2021 07:39:25 AM MDT.
    Available Packages
    fapolicyd.ppc64le                   1.0-3.el8_3.4                    rhel8u3-server-appstream-ppc64le
    
    sh-4.4# yum install fapolicyd
    This system is receiving updates from Red Hat Satellite or Spacewalk server.
    Last metadata expiration check: 0:05:03 ago on Tue 22 Jun 2021 07:39:25 AM MDT.
    Dependencies resolved.
    =====================================================================================================
     Package                Architecture Version             Repository                             Size
    =====================================================================================================
    Installing:
     fapolicyd              ppc64le      1.0-3.el8_3.4       rhel8u3-server-appstream-ppc64le      109 k
    Installing dependencies:
     lmdb-libs              ppc64le      0.9.24-1.el8        rhel8u3-server-appstream-ppc64le       66 k
    Installing weak dependencies:
     fapolicyd-selinux      noarch       1.0-3.el8_3.4       rhel8u3-server-appstream-ppc64le       24 k
    :
    :
    
  2. For SUSE Linux Enterprise Server, the fapolicyd RPMs are shipped in the PowerSC RPMS directory. Perform the following steps as root:
    1. Add a group for fapolicyd:
      groupadd fapolicyd
    2. Install fapolicyd on the agent from the PowerSC RPMS directory if it is not already installed:
      rpm -i fapolicyd-<version>.<arch>.rpm
    3. Create the two symlinks that are needed:
      ln -s /usr/sbin/fapolicyd /usr/bin/fapolicyd
      ln -s /usr/sbin/fapolicyd-cli /usr/bin/fapolicyd-cli
    4. Edit the /etc/rsyslog.conf file:
      vi /etc/rsyslog.conf
    5. Add *.debug; to the /var/log/messages line, so that debug-priority messages, including fapolicyd decisions, are written to /var/log/messages. The format of this line may differ based on your SUSE Linux Enterprise Server version:
      *.debug;*.info;mail.none;authpriv.none;cron.none  /var/log/messages
    6. Save the change.
    7. Restart rsyslog:
      systemctl restart rsyslog
  3. Sync the PowerSC GUI agent, as described in Syncing PowerSC endpoints from PowerSC GUI.
  4. Click the ellipsis (...) to the right of the Red Hat Enterprise Linux Server or SUSE Linux Enterprise Server endpoint for which you want to edit the fapolicyd configuration options.
  5. Click Allow List.
  6. Click Configure fapolicyd.
  7. Enable fapolicyd.
  8. The fapolicyd version and the fapolicyd.conf configuration options are listed, each with an explanation. To change one or more of the configuration options, modify the entry.
    Note: No changes are required in the displayed rules file. If you do make changes to the rules file, see File Access Policy Daemon (fapolicyd) and the fapolicyd man page for complete configuration information.

    fapolicyd generates an event and restarts if you turn permissive on or off.

  9. Click Save.
    The PowerSC GUI agent recognizes that fapolicyd is installed and makes some initial configuration changes to enable fapolicyd and set the default logging option.
    Note: By default, the rules in /etc/fapolicyd/rules.d use the deny_audit decision, which records denials in the audit log. When you click Save, these rules are changed to deny_syslog, which records denials in syslog instead, so that the PowerSC GUI agent can detect them and generate the relevant event.
Important: If you receive unexpected fapolicyd events for executable files that should be allowed, edit the allowed file list as described in Editing the file list.

As an alternative, you can add the executable file to the trust database directly with fapolicyd-cli -f add /path/to/file, and then run fapolicyd-cli -u so that the running daemon reloads the trust database. A trust entry records the file's size and SHA-256 hash, so a file that is replaced (for example, by a package upgrade) must be added again before it is allowed to execute.
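Because the rules are switched to deny_syslog, every denial is a syslog line naming the rule, the decision, the requested permission, the calling user and process, and the denied path. The following is an added example, not PowerSC or fapolicyd project code: it pulls the denied objects out of such log lines and counts them, which is the list you need when deciding what to add to the allowed file list. It assumes fapolicyd's default syslog_format (rule,dec,perm,auid,pid,exe,:,path,ftype,trust); the log lines in SAMPLE_LOG are constructed for the demo, not captured from a real system, and the function names are this example's own.

```shell
#!/bin/bash
# Added example, not PowerSC or fapolicyd project code. Summarizes fapolicyd
# deny decisions from syslog so you can see which executables to add to the
# allow list. Assumes fapolicyd's default syslog_format
# (rule,dec,perm,auid,pid,exe,:,path,ftype,trust). The log lines below are
# constructed for this demo, not captured from a real endpoint.

SAMPLE_LOG=$(cat <<'EOF'
Jun 22 07:41:02 rhel8 fapolicyd[1842]: rule=13 dec=deny_syslog perm=execute auid=1000 pid=4711 exe=/usr/bin/bash : path=/home/ops/tools/backup.sh ftype=text/x-shellscript trust=0
Jun 22 07:41:05 rhel8 fapolicyd[1842]: rule=13 dec=deny_syslog perm=execute auid=1000 pid=4713 exe=/usr/bin/bash : path=/home/ops/tools/backup.sh ftype=text/x-shellscript trust=0
Jun 22 07:41:09 rhel8 fapolicyd[1842]: rule=9 dec=allow perm=execute auid=0 pid=4720 exe=/usr/bin/bash : path=/usr/bin/ls ftype=application/x-executable trust=1
Jun 22 07:42:30 rhel8 fapolicyd[1842]: rule=13 dec=deny_syslog perm=open auid=1001 pid=4731 exe=/usr/bin/python3.6 : path=/opt/vendor/lib/helper.so ftype=application/x-sharedlib trust=0
Jun 22 07:43:00 rhel8 sshd[4800]: Accepted publickey for ops from 10.0.0.5 port 50122 ssh2
EOF
)

# Read syslog lines on stdin; print "count path perm auid" for every distinct
# denied object, most frequent first. Matches deny_syslog and deny_audit alike.
deny_summary() {
    grep -E 'fapolicyd\[[0-9]+\]: rule=[0-9]+ dec=deny' |
    awk '{
        split("", v)                         # reset per line
        for (i = 1; i <= NF; i++) {
            eq = index($i, "=")
            if (eq == 0) continue            # the lone ":" separator
            k = substr($i, 1, eq - 1); val = substr($i, eq + 1)
            if (k == "path" || k == "perm" || k == "auid") v[k] = val
        }
        n[v["path"] " " v["perm"] " " v["auid"]]++
    }
    END { for (k in n) print n[k], k }' |
    sort -rn
}

# Number of distinct denied objects in the input, as a quick sanity check.
deny_count() {
    deny_summary | wc -l | tr -d ' '
}

echo "$SAMPLE_LOG" | deny_summary
```

On an endpoint, replace the constructed sample with `grep fapolicyd /var/log/messages | deny_summary`. Treat the output as a worklist, not as an allow list: a denial for a path under /home or /tmp that nobody recognizes is exactly what fapolicyd is there to catch, so verify each file's origin before adding it with the PowerSC GUI or with fapolicyd-cli -f add.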