Enable the File Access Policy Service
An XCCDF Rule
Description
The File Access Policy service should be enabled. Thefapolicyd service can be enabled with the following command:
$ sudo systemctl enable fapolicyd.service
Rationale
The fapolicyd service (File Access Policy Daemon)
implements application whitelisting to decide file access rights.
- ID
- xccdf_org.ssgproject.content_rule_service_fapolicyd_enabled
- Severity
- Medium
- References
- Updated
Remediation Templates
An Ansible Snippet
- name: Gather the package facts
package_facts:
manager: auto
tags:
- NIST-800-53-CM-6(a)
- NIST-800-53-SI-4(22)A Puppet Snippet
include enable_fapolicyd
class enable_fapolicyd {
service {'fapolicyd':
enable => true,
ensure => 'running',
}
}
script:kickstart
service enable fapolicyd
OS Build Blueprint
[customizations.services]
enabled = ["fapolicyd"]
A Shell Script
# Remediation is applicable only in certain platforms
if rpm --quiet -q kernel; then
SYSTEMCTL_EXEC='/usr/bin/systemctl'
"$SYSTEMCTL_EXEC" unmask 'fapolicyd.service'
"$SYSTEMCTL_EXEC" start 'fapolicyd.service'
"$SYSTEMCTL_EXEC" enable 'fapolicyd.service'