Chapter 9. Restricting the execution of applications by using the fapolicyd RHEL system role

Procedure

1. Create a playbook file, for example ~/playbook.yml, with the following content:

   ---
   - name: Configuring fapolicyd
     hosts: managed-node-01.example.com
     tasks:
       - name: Allow only executables installed from RPM database and specific files
         ansible.builtin.include_role:
           name: redhat.rhel_system_roles.fapolicyd
         vars:
           fapolicyd_setup_permissive: false
           fapolicyd_setup_integrity: sha256
           fapolicyd_setup_trust: rpmdb,file
           fapolicyd_add_trusted_file:
             - <path_to_allowed_command>
             - <path_to_allowed_service>

   The settings specified in the example playbook include the following:

   fapolicyd_setup_permissive: <true|false>

   Enables or disables sending policy decisions to the kernel for enforcement. Set this variable for debugging and testing purposes to false.

   fapolicyd_setup_integrity: <type_type>

   Defines the integrity checking method. You can set one of the following values:

   • none (default): Disables integrity checking.
   • size: The service compares only the file sizes of allowed applications.
   • ima: The service checks the SHA-256 hash that the kernel’s Integrity Measurement Architecture (IMA) stored in a file’s extended attribute. Additionally, the service performs a size check. Note that the role does not configure the IMA kernel subsystem. To use this option, you must manually configure the IMA subsystem.
   • sha256: The service compares the SHA-256 hash of allowed applications.

   fapolicyd_setup_trust: <trust_backends>

   Defines the list of trust backends. If you include the file backend, specify the allowed executable files in the fapolicyd_add_trusted_file list.

   For details about all variables used in the playbook, see the /usr/share/ansible/roles/rhel-system-roles.fapolicyd.README.md file on the control node.

2. Validate the playbook syntax:

   $ ansible-playbook ~/playbook.yml --syntax-check

   Note that this command only validates the syntax and does not protect against a wrong but valid configuration.

3. Run the playbook:

   $ ansible-playbook ~/playbook.yml