Configure Fapolicy Module to Employ a Deny-all, Permit-by-exception Policy to Allow the Execution of Authorized Software Programs.

An XCCDF Rule

Description

The Fapolicy module must be configured to employ a deny-all, permit-by-exception policy to allow the execution of authorized software programs and to prevent unauthorized software from running.

Rationale

Utilizing a whitelist provides a configuration management method for allowing the execution of only authorized software. Using only authorized software decreases risk by limiting the number of potential vulnerabilities. Verification of whitelisted software occurs prior to execution or at system startup. Proceed with caution with enforcing the use of this daemon. Improper configuration may render the system non-functional. The "fapolicyd" API is not namespace aware and can cause issues when launching or running containers.

ID: xccdf_org.ssgproject.content_rule_fapolicy_default_deny
Severity: Medium
References: CCI-001764

CM-6 b CM-7 (2) CM-7 (5) (b)

SRG-OS-000368-GPOS-00154 SRG-OS-000370-GPOS-00155 SRG-OS-000480-GPOS-00232
Updated: over 1 year ago

- name: Gather the package facts
  package_facts:
    manager: auto
  tags:
  - NIST-800-53-CM-6 b
  - NIST-800-53-CM-7 (2)  - NIST-800-53-CM-7 (5) (b)
  - fapolicy_default_deny
  - low_complexity
  - low_disruption
  - medium_severity
  - no_reboot_needed
  - restrict_strategy

- name: Configure Fapolicy Module to Employ a Deny-all, Permit-by-exception Policy
    to Allow the Execution of Authorized Software Programs. - Ensure a Final Rule
    Denying Everything
  ansible.builtin.copy:
    content: |
      # Red Hat KCS 7003854 (https://access.redhat.com/solutions/7003854)
      deny perm=any all : all
    dest: /etc/fapolicyd/rules.d/99-deny-everything.rules
    owner: root
    group: fapolicyd
    mode: '0644'
  register: result_fapolicyd_final_rule
  when: '"kernel" in ansible_facts.packages'
  tags:
  - NIST-800-53-CM-6 b
  - NIST-800-53-CM-7 (2)
  - NIST-800-53-CM-7 (5) (b)
  - fapolicy_default_deny
  - low_complexity
  - low_disruption
  - medium_severity
  - no_reboot_needed
  - restrict_strategy

- name: Configure Fapolicy Module to Employ a Deny-all, Permit-by-exception Policy
    to Allow the Execution of Authorized Software Programs. - Ensure fapolicyd is
    Not Permissive
  ansible.builtin.lineinfile:
    path: /etc/fapolicyd/fapolicyd.conf
    regexp: ^(permissive\s*=).*$
    line: \1 0
    backrefs: true
  register: result_fapolicyd_enforced
  when: '"kernel" in ansible_facts.packages'
  tags:
  - NIST-800-53-CM-6 b
  - NIST-800-53-CM-7 (2)
  - NIST-800-53-CM-7 (5) (b)
  - fapolicy_default_deny
  - low_complexity
  - low_disruption
  - medium_severity
  - no_reboot_needed
  - restrict_strategy

- name: Configure Fapolicy Module to Employ a Deny-all, Permit-by-exception Policy
    to Allow the Execution of Authorized Software Programs. - Restart fapolicyd If
    Permissive Mode or Final Rule is Changed
  ansible.builtin.service:
    name: fapolicyd
    state: restarted
  when:
  - '"kernel" in ansible_facts.packages'
  - result_fapolicyd_final_rule is changed or result_fapolicyd_enforced is changed
  tags:
  - NIST-800-53-CM-6 b
  - NIST-800-53-CM-7 (2)
  - NIST-800-53-CM-7 (5) (b)
  - fapolicy_default_deny
  - low_complexity
  - low_disruption
  - medium_severity
  - no_reboot_needed
  - restrict_strategy

# Remediation is applicable only in certain platforms
if rpm --quiet -q kernel; then

cat > /etc/fapolicyd/rules.d/99-deny-everything.rules << EOF
# Red Hat KCS 7003854 (https://access.redhat.com/solutions/7003854)
deny perm=any all : allEOF

chmod 644 /etc/fapolicyd/rules.d/99-deny-everything.rules
chgrp fapolicyd /etc/fapolicyd/rules.d/99-deny-everything.rules

if [ -e "/etc/fapolicyd/fapolicyd.conf" ] ; then
    
    LC_ALL=C sed -i "/^\s*permissive\s*=\s*/Id" "/etc/fapolicyd/fapolicyd.conf"
else
    touch "/etc/fapolicyd/fapolicyd.conf"
fi
# make sure file has newline at the end
sed -i -e '$a\' "/etc/fapolicyd/fapolicyd.conf"

cp "/etc/fapolicyd/fapolicyd.conf" "/etc/fapolicyd/fapolicyd.conf.bak"
# Insert at the end of the file
printf '%s\n' "permissive = 0" >> "/etc/fapolicyd/fapolicyd.conf"
# Clean up after ourselves.
rm "/etc/fapolicyd/fapolicyd.conf.bak"

systemctl restart fapolicyd

else
    >&2 echo 'Remediation is not applicable, nothing was done'
fi

Configure Fapolicy Module to Employ a Deny-all, Permit-by-exception Policy to Allow the Execution of Authorized Software Programs.

Description

Rationale

Remediation - Ansible

Remediation - Shell Script