### Example /etc/fstab Entry with i_version Source: https://github.com/linux-application-whitelisting/fapolicyd/blob/main/IMA-setup-RHEL8-example.md Illustrates an example /etc/fstab entry for an ext4 filesystem with the 'i_version' option enabled, which is required for IMA on certain filesystems. ```bash /dev/mapper/cl_awc--devel-root / ext4 defaults, iversion ai UUID=f26b7db8 -4935-4507-9722-79ad9eb5c55b /boot ext4 defaults 12 ``` -------------------------------- ### Custom Command Execution Example Source: https://github.com/linux-application-whitelisting/fapolicyd/blob/main/src/tests/stress/README.md Example of specifying custom commands for the harness to execute instead of defaults. ```bash src/tests/stress/fapolicyd-stress --command /usr/bin/date \ --command /usr/bin/id --workload fork-exec ``` -------------------------------- ### Install RPM Development Tools Source: https://github.com/linux-application-whitelisting/fapolicyd/blob/main/BUILD.md Installs the necessary tools for building RPM packages on your system. ```bash sudo dnf install -y rpmdevtools ``` -------------------------------- ### fapolicyd-stress Command Example Source: https://github.com/linux-application-whitelisting/fapolicyd/blob/main/src/tests/stress/README.md A full example of the fapolicyd-stress command with common workload parameters. ```bash src/tests/stress/fapolicyd-stress --workload fork-exec --roots 32 \ --fanout 8 --depth 1 --iterations 0 --seconds 60 --timing ``` -------------------------------- ### Enable CodeReady Builder and Install EPEL Repositories Source: https://github.com/linux-application-whitelisting/fapolicyd/blob/main/BUILD.md These commands are necessary for RHEL8 systems to enable the CodeReady Builder repository and install the EPEL repository, which provides additional packages required for building fapolicyd. ```bash sudo subscription-manager repos --enable codeready-builder-for-rhel-8-$(arch)-rpms sudo dnf install -y https://dl.fedoraproject.org/pub/epel/epel-release-latest-8.noarch.rpm ``` -------------------------------- ### Install Build Dependencies Source: https://github.com/linux-application-whitelisting/fapolicyd/blob/main/BUILD.md Installs the essential development tools and libraries required to compile fapolicyd on Fedora and RHEL8 systems. ```bash sudo dnf install -y gcc autoconf automake libtool make libudev-devel kernel-headers systemd-devel libgcrypt-devel rpm-devel file file-devel libcap-ng-devel libseccomp-devel lmdb-devel uthash-devel python3-devel ``` -------------------------------- ### Start fapolicyd with Debugging Source: https://github.com/linux-application-whitelisting/fapolicyd/blob/main/IMA-setup-RHEL8-example.md Starts the fapolicyd service in debug mode, specifically for denying actions. This helps in troubleshooting configuration issues and observing policy enforcement. ```bash # fapolicyd --debug-deny ``` -------------------------------- ### Execute a Program via ld.so Source: https://github.com/linux-application-whitelisting/fapolicyd/blob/main/README.md Example command to test fapolicyd by executing 'ls' through the dynamic linker. This is often used in conjunction with permissive mode to observe policy decisions. ```bash /usr/lib64/ld-2.29.so /usr/bin/ls ``` -------------------------------- ### Run a Python File Source: https://github.com/linux-application-whitelisting/fapolicyd/blob/main/README.md Example command to test fapolicyd by executing a Python script. This is relevant for policies that manage interpreted languages. ```bash run a python file in your home directory. ``` -------------------------------- ### Install fapolicyd Package Source: https://github.com/linux-application-whitelisting/fapolicyd/blob/main/IMA-setup-RHEL8-example.md Installs the fapolicyd package using the dnf package manager. This is required to use fapolicyd for policy enforcement. ```bash # dnf install fapolicyd ``` -------------------------------- ### Run a Custom Executable Source: https://github.com/linux-application-whitelisting/fapolicyd/blob/main/README.md Example command to test fapolicyd by executing a custom-named executable ('my-ls'). This helps verify how the daemon handles user-created binaries. ```bash my-ls ``` -------------------------------- ### fapolicyd Debug Log Example Source: https://github.com/linux-application-whitelisting/fapolicyd/blob/main/README.md An example of a debug log message from fapolicyd, showing a 'deny' decision for an execute permission attempt. It details the rule, permission, user, process, executable, and target file. ```text rule:9 dec=deny_audit perm=execute auid=1001 pid=14137 exe=/usr/bin/bash : file=/home/joe/my-ls ftype=application/x-executable ``` -------------------------------- ### Start fapolicyd Timing Source: https://github.com/linux-application-whitelisting/fapolicyd/blob/main/src/tests/stress/README.md Initiates timing collection for the fapolicyd daemon. This command should be run before the workload. ```bash fapolicyd-cli --timing-start ``` -------------------------------- ### Run a Program from /tmp Source: https://github.com/linux-application-whitelisting/fapolicyd/blob/main/README.md Example command to test fapolicyd by executing a program located in the /tmp directory. This tests policies related to temporary file execution. ```bash run a program from /tmp ``` -------------------------------- ### Start and Stop Timing Collection Source: https://github.com/linux-application-whitelisting/fapolicyd/blob/main/README.md Manually start and stop timing collection for latency investigations. This generates a report with aggregate queue, decision, and helper latency information. ```bash fapolicyd-cli --timing-start fapolicyd-cli --timing-stop ``` -------------------------------- ### Build Debian Package for fapolicyd Source: https://github.com/linux-application-whitelisting/fapolicyd/blob/main/README.md This script builds a .deb package for Debian-based distributions, enabling the 'debdb' backend for fapolicyd. After installation, ensure rules are added to /etc/fapolicyd/rules.d/ and fapolicyd.conf is configured to use 'trust=debdb'. ```bash cd deb ./build_deb.sh ``` -------------------------------- ### Check fapolicyd Rules Source: https://github.com/linux-application-whitelisting/fapolicyd/blob/main/README.md Validate the syntax and policy of fapolicyd rules before installation or reload. If no path is specified, the currently active rules are checked. ```bash fapolicyd-cli --check-rules [path] ``` -------------------------------- ### Start fapolicyd in Permissive Debug Mode Source: https://github.com/linux-application-whitelisting/fapolicyd/blob/main/README.md Run the fapolicyd daemon in permissive mode with debug logging enabled. This allows testing policy changes without enforcing them, and provides detailed event information. ```bash /usr/sbin/fapolicyd --permissive --debug ``` -------------------------------- ### fapolicyd Performance Statistics Report Source: https://github.com/linux-application-whitelisting/fapolicyd/blob/main/README.md Example of performance statistics logged by fapolicyd upon program termination. This report provides insights into queue depth, access counts, and cache utilization. ```text Permissive: false q_size: 640 Inter-thread max queue depth 7 Allowed accesses: 70397 Denied accesses: 4 Trust database max pages: 14848 Trust database pages in use: 10792 (72%) Subject cache size: 1549 Subject slots in use: 369 (23%) Subject hits: 70032 Subject misses: 455 Subject evictions: 86 (0%) Object cache size: 8191 Object slots in use: 6936 (84%) Object hits: 63465 Object misses: 17964 Object evictions: 11028 (17%) ``` -------------------------------- ### Disable IPE Integrity Subsystem Source: https://github.com/linux-application-whitelisting/fapolicyd/blob/main/README.md This command can be used to turn off the IPE integrity subsystem. This is an example of how administrative actions can disable security features. ```bash echo -n 0 > "/sys/kernel/security/ipe/Ex Policy/active" ``` -------------------------------- ### Bootstrap and Build Source: https://github.com/linux-application-whitelisting/fapolicyd/blob/main/RELEASE_PROCESS.md Initializes the build system and compiles the application. Ensure autogen.sh and configure scripts are run before make. ```bash ./autogen.sh ./configure --with-audit --with-rpm --disable-shared make ``` -------------------------------- ### Create Runtime Directories and Copy Configuration Files Source: https://github.com/linux-application-whitelisting/fapolicyd/blob/main/BUILD.md Sets up the necessary directory structure and copies configuration files, service units, and other necessary components for the fapolicyd runtime environment. ```bash mkdir -p /etc/fapolicyd/{rules.d,trust.d} mkdir -p /var/lib/fapolicyd/ mkdir --mode=0755 -p /usr/share/fapolicyd/ mkdir -p /usr/lib/tmpfiles.d/ mkdir --mode=0755 -p /run/fapolicyd/ cd init cp fapolicyd.bash_completion /etc/bash_completion.d/ cp fapolicyd.conf /etc/fapolicyd/ cp fapolicyd-magic /usr/share/fapolicyd/ cp fapolicyd-magic.mgc /usr/share/fapolicyd/ cp fapolicyd.service /usr/lib/systemd/system/ cp fapolicyd-tmpfiles.conf /usr/lib/tmpfiles.d/fapolicyd.conf cp fapolicyd.trust /etc/fapolicyd/trust.d/ ``` -------------------------------- ### Backup GRUB Configuration Source: https://github.com/linux-application-whitelisting/fapolicyd/blob/main/IMA-setup-RHEL8-example.md Creates a backup of the current GRUB configuration file before making modifications. This is a safety measure. ```bash cp /etc/default/grub /etc/default/grub.orig ``` -------------------------------- ### Prepare Rules for Runtime Environment Source: https://github.com/linux-application-whitelisting/fapolicyd/blob/main/BUILD.md These commands use sed to replace placeholders in the rules files with system-specific paths for Python 2, Python 3, and the dynamic linker. ```bash 1) sed -i "s/%python2_path%/`readlink -f /bin/python2 | sed 's/\//\\\\\\//g'`/g" rules.d/*.rules 2) sed -i "s/%python2_path%/`readlink -f /bin/python3 | sed 's/\//\\\\\\//g'`/g" rules.d/*.rules 3) interpret=`readelf -e /usr/bin/bash \ | grep Requesting \ | sed 's/.$//' \ | rev | cut -d" " -f1 \ | rev` 4) sed -i "s|%ld_so_path%|`realpath $interpret`|g" rules.d/*.rules ``` -------------------------------- ### Check i_version Mount Option Source: https://github.com/linux-application-whitelisting/fapolicyd/blob/main/IMA-setup-RHEL8-example.md Verifies if the 'i_version' mount option is active for a filesystem. This confirms that the filesystem is configured correctly for IMA. ```bash mount -l | grep version ``` -------------------------------- ### Run Test Suite Source: https://github.com/linux-application-whitelisting/fapolicyd/blob/main/RELEASE_PROCESS.md Executes the test suite to ensure the application's integrity. This command should be run after building. ```bash make check ``` -------------------------------- ### Local Build and Test Source: https://github.com/linux-application-whitelisting/fapolicyd/blob/main/AGENTS.md Standard procedure for building the fapolicyd project locally. Ensure autotools are present and configure with desired options. ```sh ./autogen.sh ./configure --with-audit --disable-shared make -j$(nproc) ``` -------------------------------- ### Create and Configure fapolicyd User and Permissions Source: https://github.com/linux-application-whitelisting/fapolicyd/blob/main/BUILD.md Creates a dedicated system user for fapolicyd and sets appropriate ownership and permissions for configuration and data directories. ```bash useradd -r -M -d /var/lib/fapolicyd -s /sbin/nologin -c "Application Whitelisting Daemon" fapolicyd chown root:fapolicyd /etc/fapolicyd/ chown root:fapolicyd /etc/fapolicyd/rules.d/ chown root:fapolicyd /etc/fapolicyd/trust.d/ chown root:fapolicyd /var/lib/fapolicyd/ ``` -------------------------------- ### Enable Stress Build Option Source: https://github.com/linux-application-whitelisting/fapolicyd/blob/main/src/tests/stress/README.md Configure the build to include the stress harness by enabling the --enable-stress option. ```bash ./configure --enable-stress ``` -------------------------------- ### Build and Run Local Smoke Test Source: https://github.com/linux-application-whitelisting/fapolicyd/blob/main/src/tests/stress/README.md Builds and runs a short local smoke test without daemon reports. Ensure you have configured with '--enable-stress' and '--without-deb'. ```bash ./configure --enable-stress --without-deb make -j32 src/tests/stress/fapolicyd-stress --no-status --workload fork-exec \ --roots 2 --iterations 10 ``` -------------------------------- ### Summarize Fanotify Events by Executable Source: https://github.com/linux-application-whitelisting/fapolicyd/blob/main/README.md This command searches for fanotify events related to a specific file and provides a summary report of the executables involved. ```bash ausearch --start today -m fanotify -f /sbin/ldconfig --raw | aureport -x --summary ``` -------------------------------- ### Aggregate trust database by file extension Source: https://github.com/linux-application-whitelisting/fapolicyd/blob/main/README.md This command provides an aggregate summary of the trust database, showing counts for each file extension present. ```bash fapolicyd-cli -D | \ awk '{split($2, a, "."); print a[length(a)]}' | \ sort | uniq -c | sort -nr | less ``` -------------------------------- ### Run Early Subject Eviction Preset Source: https://github.com/linux-application-whitelisting/fapolicyd/blob/main/src/tests/stress/README.md Executes the 'early-evict' preset for stress testing. This preset is designed to test early subject eviction scenarios. ```bash src/tests/stress/fapolicyd-stress --preset early-evict --timing ``` -------------------------------- ### Build with Address Sanitizer Source: https://github.com/linux-application-whitelisting/fapolicyd/blob/main/RELEASE_PROCESS.md Reconfigures the build to include the Address Sanitizer (ASan) for detecting memory errors. It then rebuilds and runs the daemon and CLI client to check for ASan failures. ```bash ./configure --with-audit --with-rpm --disable-shared --with-asan make sudo ./src/fapolicyd --debug-deny sudo ./src/fapolicyd-cli --dump-db ``` -------------------------------- ### Run ld_so Regression Stress Test Source: https://github.com/linux-application-whitelisting/fapolicyd/blob/main/src/tests/stress/README.md This command initiates the ld-so regression workload, which uses a high-concurrency fork/exec pattern. Use it to compare builds with and without subject deferral enabled. ```bash src/tests/stress/fapolicyd-stress --preset ld-so-regression --timing ``` -------------------------------- ### Check ignore_mounts Configuration Source: https://github.com/linux-application-whitelisting/fapolicyd/blob/main/README.md Perform an advisory pre-check on mount points before configuring ignore_mounts. This verifies mount properties, scans for executable files, and reports risks. ```bash fapolicyd-cli --check-ignore_mounts[=MOUNT] [--verbose] ``` -------------------------------- ### Compact fapolicyd Trust Database Source: https://github.com/linux-application-whitelisting/fapolicyd/blob/main/README.md When the status report suggests that compaction is recommended, use this command to rebuild and validate the LMDB environment, then swap it into place. ```bash sudo fapolicyd-cli --compact-trustdb ``` -------------------------------- ### Configure and Compile fapolicyd Source: https://github.com/linux-application-whitelisting/fapolicyd/blob/main/BUILD.md Steps to configure the build with audit support and disable shared libraries, followed by compilation and creation of a distributable tarball. ```bash cd fapolicyd ./autogen.sh ./configure --with-audit --disable-shared make make dist ``` -------------------------------- ### Rebuild GRUB Configuration (UEFI) Source: https://github.com/linux-application-whitelisting/fapolicyd/blob/main/IMA-setup-RHEL8-example.md Regenerates the GRUB configuration file for UEFI-based systems after modifying /etc/default/grub. This applies the new kernel parameters. ```bash grub2-mkconfig -o /boot/efi/EFI/redhat/grub.cfg ``` -------------------------------- ### Build fapolicyd RPMs Source: https://github.com/linux-application-whitelisting/fapolicyd/blob/main/BUILD.md Uses rpmbuild to create an RPM package from the fapolicyd source tarball. The resulting RPMs will be located in ~/rpmbuild/RPMS/$(arch). ```bash rpmbuild -ta fapolicyd-*.tar.gz ``` -------------------------------- ### Clean Repository Source: https://github.com/linux-application-whitelisting/fapolicyd/blob/main/RELEASE_PROCESS.md Cleans the repository by removing untracked files and directories. This is the first step in the release process. ```bash git clean -xfd ``` -------------------------------- ### Label Files for IMA Measurement Source: https://github.com/linux-application-whitelisting/fapolicyd/blob/main/IMA-setup-RHEL8-example.md This command triggers a read operation on all regular files owned by root on ext4 filesystems, which helps in generating initial IMA measurements and populating extended attributes. ```bash find / -fstype ext4 -type f -uid 0 -exec dd if='{}' of=/dev/null count=0 status=none \; ``` -------------------------------- ### fapolicyd Workload Preset: early-evict Source: https://github.com/linux-application-whitelisting/fapolicyd/blob/main/src/tests/stress/README.md Expands to an aggressive fork/exec collision workload configuration. Use this for testing daemon behavior under high process creation and collision scenarios. ```bash --workload fork-exec --roots 32 --fanout 8 --depth 1 --iterations 0 --seconds 60 ``` -------------------------------- ### Add application files to fapolicyd trust database Source: https://github.com/linux-application-whitelisting/fapolicyd/blob/main/README.md This command adds all files within a specified directory to the fapolicyd trust database by calculating their SHA256 hashes. ```bash fapolicyd-cli --file add /opt/my-app/ ``` -------------------------------- ### Configure fapolicyd Database Size Source: https://github.com/linux-application-whitelisting/fapolicyd/blob/main/README.md If the status report indicates that resizing the trust database is recommended, you can manually set `db_max_size` to at least the reported target or migrate to 'auto' for automatic management. ```text db_max_size = auto ``` -------------------------------- ### Create Source Tarball Source: https://github.com/linux-application-whitelisting/fapolicyd/blob/main/RELEASE_PROCESS.md Generates a source tarball for distribution. This involves running autogen.sh, configure, and then make dist. ```bash ./autogen.sh ./configure --with-audit --with-rpm --disable-shared make dist ``` -------------------------------- ### Verify securityfs Mount Source: https://github.com/linux-application-whitelisting/fapolicyd/blob/main/IMA-setup-RHEL8-example.md Checks if the securityfs filesystem is mounted on the system. This is a prerequisite for IMA. ```bash mount -l | grep securityfs ``` -------------------------------- ### Display trusted files and extensions Source: https://github.com/linux-application-whitelisting/fapolicyd/blob/main/README.md This command filters and displays the types of files present in the fapolicyd trust database, showing directories and file extensions with their counts. ```bash fapolicyd-cli -D | awk '{print $2}' | awk -F/ '{ base=$NF ext="*" if (base !~ /^\./ && base ~ /\./) { n=split(base,a,"."); ext="*."a[n] } path="" for(i=1;i/dev/null ``` -------------------------------- ### Shell Script without Shebang Source: https://github.com/linux-application-whitelisting/fapolicyd/blob/main/src/tests/stress/README.md This script lacks a shebang line and accepts a data file path as an argument, performing a 'test -r' operation. ```shell test -r "$data" ``` -------------------------------- ### fapolicyd CLI Check Metrics Source: https://github.com/linux-application-whitelisting/fapolicyd/blob/main/src/tests/stress/README.md Used to retrieve detailed metrics from the fapolicyd daemon. This command is part of the metrics collection process. ```bash fapolicyd-cli --check-metrics ``` -------------------------------- ### Update fapolicyd Trust Database Source: https://github.com/linux-application-whitelisting/fapolicyd/blob/main/README.md This command is used for normal package and trust file updates. ```bash fapolicyd-cli --update ``` -------------------------------- ### Verbose Output for Status Failures Source: https://github.com/linux-application-whitelisting/fapolicyd/blob/main/src/tests/stress/README.md Enables verbose logging to diagnose failures during fapolicyd status capture. Use this when encountering issues with metrics collection. ```bash fapolicyd-cli --verbose ``` -------------------------------- ### Override Mounts for Debugging Source: https://github.com/linux-application-whitelisting/fapolicyd/blob/main/README.md Use this snippet to specify an alternative mounts file for fapolicyd during debugging. This allows for fine-grained control over event notifications by filtering specific mount points. ```bash mount -t tmpfs tmpfs /tmp/my-test-dir grep my-test-dir /proc/mounts > /tmp/my-test-mounts fapolicyd --debug --mounts=/tmp/my-test-mounts ``` -------------------------------- ### Remove application files from fapolicyd trust database Source: https://github.com/linux-application-whitelisting/fapolicyd/blob/main/README.md This command removes all files matching a specified directory from the fapolicyd trust database, cleaning up entries for uninstalled applications. ```bash fapolicyd-cli --file delete /opt/my-app/ ``` -------------------------------- ### Update file trust information in fapolicyd Source: https://github.com/linux-application-whitelisting/fapolicyd/blob/main/README.md This command updates the size and hash information for files in the trust database to reflect their current state on disk. ```bash fapolicyd-cli --file update ``` -------------------------------- ### Allow Admins Ping Access Source: https://github.com/linux-application-whitelisting/fapolicyd/blob/main/README.md This rule set allows members of the 'wheel' group to ping, while denying execute permission for ping to all others, with an audit event. ```fapolicyd allow perm=any gid=wheel : trust=1 path=/usr/bin/ping deny_audit perm=execute all : trust=1 path=/usr/bin/ping ``` -------------------------------- ### Configure fapolicyd for IMA Source: https://github.com/linux-application-whitelisting/fapolicyd/blob/main/IMA-setup-RHEL8-example.md Edits the fapolicyd configuration file to enable IMA integrity checking. This involves setting the 'integrity' option to 'ima'. ```bash # vim /etc/fapolicyd/fapolicyd.conf ... integrity = ima ... ``` -------------------------------- ### Sign Tarball Source: https://github.com/linux-application-whitelisting/fapolicyd/blob/main/RELEASE_PROCESS.md Creates checksums and detached GPG signatures for the release tarball. This ensures the integrity and authenticity of the distributed files. ```bash sha256sum fapolicyd-X.Y.Z.tar.gz > fapolicyd-X.Y.Z.tar.gz.sum gpg --armor --detach-sign fapolicyd-X.Y.Z.tar.gz gpg --clearsign fapolicyd-X.Y.Z.tar.gz.sum ``` -------------------------------- ### fapolicyd CLI Check Status Source: https://github.com/linux-application-whitelisting/fapolicyd/blob/main/src/tests/stress/README.md Used to check the current status of the fapolicyd daemon. This command is part of the metrics collection process. ```bash fapolicyd-cli --check-status ``` -------------------------------- ### fapolicyd Trust Database Status Source: https://github.com/linux-application-whitelisting/fapolicyd/blob/main/README.md These are status indicators for the fapolicyd trust database. They help in understanding the database's footprint, allocation, and whether maintenance like resizing or compaction is recommended. ```text Trust database max pages Trust database pages in use Trust database allocated high-water pages Retired trust database generations Trust database resize recommended Trust database resize target Trust database compaction recommended Trust database compaction target ``` -------------------------------- ### Stop fapolicyd Timing Source: https://github.com/linux-application-whitelisting/fapolicyd/blob/main/src/tests/stress/README.md Stops timing collection for the fapolicyd daemon and generates a timing report. This command should be run after the workload. ```bash fapolicyd-cli --timing-stop ``` === COMPLETE CONTENT === This response contains all available snippets from this library. No additional content exists. Do not make further requests.