in linux environment application whitelisting - fedoraby default (rhel/fedora) everything loaded...
TRANSCRIPT
![Page 1: In Linux Environment Application Whitelisting - FedoraBy default (RHEL/Fedora) everything loaded from rpmdb fapolicyd.trust is trusted The default set of rules ensures that trusted](https://reader034.vdocuments.us/reader034/viewer/2022050210/5f5d0b0a4df6ff0e6b4f0ae1/html5/thumbnails/1.jpg)
Application WhitelistingIn Linux Environment
Radovan Sroka | Software Engineer | Red Hat Czech
![Page 2: In Linux Environment Application Whitelisting - FedoraBy default (RHEL/Fedora) everything loaded from rpmdb fapolicyd.trust is trusted The default set of rules ensures that trusted](https://reader034.vdocuments.us/reader034/viewer/2022050210/5f5d0b0a4df6ff0e6b4f0ae1/html5/thumbnails/2.jpg)
What Is The Application Whitelisting?
● Security practise
● Ability to specify and run only trusted applications
● Admin defines what is allowed and what is not
![Page 3: In Linux Environment Application Whitelisting - FedoraBy default (RHEL/Fedora) everything loaded from rpmdb fapolicyd.trust is trusted The default set of rules ensures that trusted](https://reader034.vdocuments.us/reader034/viewer/2022050210/5f5d0b0a4df6ff0e6b4f0ae1/html5/thumbnails/3.jpg)
Why Is That So Important?
![Page 4: In Linux Environment Application Whitelisting - FedoraBy default (RHEL/Fedora) everything loaded from rpmdb fapolicyd.trust is trusted The default set of rules ensures that trusted](https://reader034.vdocuments.us/reader034/viewer/2022050210/5f5d0b0a4df6ff0e6b4f0ae1/html5/thumbnails/4.jpg)
Why Is That So Important?
● Another level of security
● Part of the certification schemes○ Common criteria○ And others..
![Page 5: In Linux Environment Application Whitelisting - FedoraBy default (RHEL/Fedora) everything loaded from rpmdb fapolicyd.trust is trusted The default set of rules ensures that trusted](https://reader034.vdocuments.us/reader034/viewer/2022050210/5f5d0b0a4df6ff0e6b4f0ae1/html5/thumbnails/5.jpg)
What About Red Hat?
![Page 6: In Linux Environment Application Whitelisting - FedoraBy default (RHEL/Fedora) everything loaded from rpmdb fapolicyd.trust is trusted The default set of rules ensures that trusted](https://reader034.vdocuments.us/reader034/viewer/2022050210/5f5d0b0a4df6ff0e6b4f0ae1/html5/thumbnails/6.jpg)
What About Red Hat?
● Introduced Fapolicyd Framework
![Page 7: In Linux Environment Application Whitelisting - FedoraBy default (RHEL/Fedora) everything loaded from rpmdb fapolicyd.trust is trusted The default set of rules ensures that trusted](https://reader034.vdocuments.us/reader034/viewer/2022050210/5f5d0b0a4df6ff0e6b4f0ae1/html5/thumbnails/7.jpg)
Fapolicyd Framework
● Lightweight solution
● RPM/DNF integration
● Audit support
● Relies on fanotify API
![Page 8: In Linux Environment Application Whitelisting - FedoraBy default (RHEL/Fedora) everything loaded from rpmdb fapolicyd.trust is trusted The default set of rules ensures that trusted](https://reader034.vdocuments.us/reader034/viewer/2022050210/5f5d0b0a4df6ff0e6b4f0ae1/html5/thumbnails/8.jpg)
Fanotify API
● Kernel API
● Similar to inotify
● Receiving events from open/exec system calls
● Blockable on system call side, waiting for response
![Page 9: In Linux Environment Application Whitelisting - FedoraBy default (RHEL/Fedora) everything loaded from rpmdb fapolicyd.trust is trusted The default set of rules ensures that trusted](https://reader034.vdocuments.us/reader034/viewer/2022050210/5f5d0b0a4df6ff0e6b4f0ae1/html5/thumbnails/9.jpg)
![Page 10: In Linux Environment Application Whitelisting - FedoraBy default (RHEL/Fedora) everything loaded from rpmdb fapolicyd.trust is trusted The default set of rules ensures that trusted](https://reader034.vdocuments.us/reader034/viewer/2022050210/5f5d0b0a4df6ff0e6b4f0ae1/html5/thumbnails/10.jpg)
![Page 11: In Linux Environment Application Whitelisting - FedoraBy default (RHEL/Fedora) everything loaded from rpmdb fapolicyd.trust is trusted The default set of rules ensures that trusted](https://reader034.vdocuments.us/reader034/viewer/2022050210/5f5d0b0a4df6ff0e6b4f0ae1/html5/thumbnails/11.jpg)
Fapolicyd Configuration
● /etc/fapolicyd/○ fapolicyd.rules○ fapolicyd.conf○ fapolicyd.trust
![Page 12: In Linux Environment Application Whitelisting - FedoraBy default (RHEL/Fedora) everything loaded from rpmdb fapolicyd.trust is trusted The default set of rules ensures that trusted](https://reader034.vdocuments.us/reader034/viewer/2022050210/5f5d0b0a4df6ff0e6b4f0ae1/html5/thumbnails/12.jpg)
Fapolicyd Trust Philosophy
● Optional backends
● By default (RHEL/Fedora) everything loaded from ○ rpmdb○ fapolicyd.trust
● is trusted
● The default set of rules ensures that trusted application is allowed to run
![Page 13: In Linux Environment Application Whitelisting - FedoraBy default (RHEL/Fedora) everything loaded from rpmdb fapolicyd.trust is trusted The default set of rules ensures that trusted](https://reader034.vdocuments.us/reader034/viewer/2022050210/5f5d0b0a4df6ff0e6b4f0ae1/html5/thumbnails/13.jpg)
Rule language
● Subject/Object notation
![Page 14: In Linux Environment Application Whitelisting - FedoraBy default (RHEL/Fedora) everything loaded from rpmdb fapolicyd.trust is trusted The default set of rules ensures that trusted](https://reader034.vdocuments.us/reader034/viewer/2022050210/5f5d0b0a4df6ff0e6b4f0ae1/html5/thumbnails/14.jpg)
Simple format
DECISION PERM SUBJECT : OBJECT
![Page 15: In Linux Environment Application Whitelisting - FedoraBy default (RHEL/Fedora) everything loaded from rpmdb fapolicyd.trust is trusted The default set of rules ensures that trusted](https://reader034.vdocuments.us/reader034/viewer/2022050210/5f5d0b0a4df6ff0e6b4f0ae1/html5/thumbnails/15.jpg)
Decision
● allow
● allow_audit
● deny
● deny_audit
![Page 16: In Linux Environment Application Whitelisting - FedoraBy default (RHEL/Fedora) everything loaded from rpmdb fapolicyd.trust is trusted The default set of rules ensures that trusted](https://reader034.vdocuments.us/reader034/viewer/2022050210/5f5d0b0a4df6ff0e6b4f0ae1/html5/thumbnails/16.jpg)
Permission
● open
● execute
● any
![Page 17: In Linux Environment Application Whitelisting - FedoraBy default (RHEL/Fedora) everything loaded from rpmdb fapolicyd.trust is trusted The default set of rules ensures that trusted](https://reader034.vdocuments.us/reader034/viewer/2022050210/5f5d0b0a4df6ff0e6b4f0ae1/html5/thumbnails/17.jpg)
Simple format
DECISION PERM SUBJECT : OBJECT
![Page 18: In Linux Environment Application Whitelisting - FedoraBy default (RHEL/Fedora) everything loaded from rpmdb fapolicyd.trust is trusted The default set of rules ensures that trusted](https://reader034.vdocuments.us/reader034/viewer/2022050210/5f5d0b0a4df6ff0e6b4f0ae1/html5/thumbnails/18.jpg)
Install Fapolicyd Framework
[root@Axis ~] dnf install fapolicyd
![Page 19: In Linux Environment Application Whitelisting - FedoraBy default (RHEL/Fedora) everything loaded from rpmdb fapolicyd.trust is trusted The default set of rules ensures that trusted](https://reader034.vdocuments.us/reader034/viewer/2022050210/5f5d0b0a4df6ff0e6b4f0ae1/html5/thumbnails/19.jpg)
Enable Apps In Home Directory
Problem:
● Regular user would like to run his software in ~/bin○ Enable binary○ Enable python script
![Page 20: In Linux Environment Application Whitelisting - FedoraBy default (RHEL/Fedora) everything loaded from rpmdb fapolicyd.trust is trusted The default set of rules ensures that trusted](https://reader034.vdocuments.us/reader034/viewer/2022050210/5f5d0b0a4df6ff0e6b4f0ae1/html5/thumbnails/20.jpg)
Enable Specific Binary
● ~/bin/my-bin
~/bin >> lsmy-bin my-app.py
~/bin >> ./my-binmy-bin my-app.py
![Page 21: In Linux Environment Application Whitelisting - FedoraBy default (RHEL/Fedora) everything loaded from rpmdb fapolicyd.trust is trusted The default set of rules ensures that trusted](https://reader034.vdocuments.us/reader034/viewer/2022050210/5f5d0b0a4df6ff0e6b4f0ae1/html5/thumbnails/21.jpg)
Running Daemon In Debug Mode
[root@Axis ~]# fapolicyd --debug 2>&1 | tee outLoaded 24 rulesChanged to uid 980Initializing the databaseLoading rpmdb backendLoading file backendChecking database...Starting to listen for events...
![Page 22: In Linux Environment Application Whitelisting - FedoraBy default (RHEL/Fedora) everything loaded from rpmdb fapolicyd.trust is trusted The default set of rules ensures that trusted](https://reader034.vdocuments.us/reader034/viewer/2022050210/5f5d0b0a4df6ff0e6b4f0ae1/html5/thumbnails/22.jpg)
Enable Specific Binary
● ~/bin/my-bin
~/bin >> lsmy-bin my-app.py
~/bin >> ./my-binZsh: operation not permitted: ./my-bin
![Page 23: In Linux Environment Application Whitelisting - FedoraBy default (RHEL/Fedora) everything loaded from rpmdb fapolicyd.trust is trusted The default set of rules ensures that trusted](https://reader034.vdocuments.us/reader034/viewer/2022050210/5f5d0b0a4df6ff0e6b4f0ae1/html5/thumbnails/23.jpg)
Output Investigation
[root@Axis ~]# less out
Loaded 24 rulesChanged to uid 980Initializing the databaseLoading rpmdb backendLoading file backendChecking database…Starting to listen for events/my-bin
![Page 24: In Linux Environment Application Whitelisting - FedoraBy default (RHEL/Fedora) everything loaded from rpmdb fapolicyd.trust is trusted The default set of rules ensures that trusted](https://reader034.vdocuments.us/reader034/viewer/2022050210/5f5d0b0a4df6ff0e6b4f0ae1/html5/thumbnails/24.jpg)
Output Investigation
rule:9 dec=deny_audit perm=execute auid=1000 pid=600 exe=/usr/bin/zsh : file=/home/rsroka/bin/my-bin ftype=application/x-executable
![Page 25: In Linux Environment Application Whitelisting - FedoraBy default (RHEL/Fedora) everything loaded from rpmdb fapolicyd.trust is trusted The default set of rules ensures that trusted](https://reader034.vdocuments.us/reader034/viewer/2022050210/5f5d0b0a4df6ff0e6b4f0ae1/html5/thumbnails/25.jpg)
Output Investigation
rule:9 dec=deny_audit perm=execute auid=1000 pid=600 exe=/usr/bin/zsh : file=/home/rsroka/bin/my-bin ftype=application/x-executable
allow perm=execute exe=/usr/bin/zsh trust=1: file=/home/rsroka/bin/my-bin ftype=application/x-executable trust=0
Rule:
![Page 26: In Linux Environment Application Whitelisting - FedoraBy default (RHEL/Fedora) everything loaded from rpmdb fapolicyd.trust is trusted The default set of rules ensures that trusted](https://reader034.vdocuments.us/reader034/viewer/2022050210/5f5d0b0a4df6ff0e6b4f0ae1/html5/thumbnails/26.jpg)
Enable Specific Binary
● ~/bin/my-bin
~/bin >> lsmy-bin my-app.py
~/bin >> ./my-binmy-bin my-app.py
![Page 27: In Linux Environment Application Whitelisting - FedoraBy default (RHEL/Fedora) everything loaded from rpmdb fapolicyd.trust is trusted The default set of rules ensures that trusted](https://reader034.vdocuments.us/reader034/viewer/2022050210/5f5d0b0a4df6ff0e6b4f0ae1/html5/thumbnails/27.jpg)
Enable Python Script
● ~/bin/my-app.py
~/bin >> lsmy-bin my-app.py
~/bin >> ./my-app.pyHello World from Python Script
![Page 28: In Linux Environment Application Whitelisting - FedoraBy default (RHEL/Fedora) everything loaded from rpmdb fapolicyd.trust is trusted The default set of rules ensures that trusted](https://reader034.vdocuments.us/reader034/viewer/2022050210/5f5d0b0a4df6ff0e6b4f0ae1/html5/thumbnails/28.jpg)
Running Daemon In Debug Mode
[root@Axis ~]# fapolicyd --debug 2>&1 | tee outLoaded 24 rulesChanged to uid 980Initializing the databaseLoading rpmdb backendLoading file backendChecking database...Starting to listen for events...
![Page 29: In Linux Environment Application Whitelisting - FedoraBy default (RHEL/Fedora) everything loaded from rpmdb fapolicyd.trust is trusted The default set of rules ensures that trusted](https://reader034.vdocuments.us/reader034/viewer/2022050210/5f5d0b0a4df6ff0e6b4f0ae1/html5/thumbnails/29.jpg)
Enable Python Script
● ~/bin/my-app.py
~/bin >> lsmy-bin my-app.py
~/bin >> ./my-app.pyzsh: operation not permitted: my-app.py
![Page 30: In Linux Environment Application Whitelisting - FedoraBy default (RHEL/Fedora) everything loaded from rpmdb fapolicyd.trust is trusted The default set of rules ensures that trusted](https://reader034.vdocuments.us/reader034/viewer/2022050210/5f5d0b0a4df6ff0e6b4f0ae1/html5/thumbnails/30.jpg)
Output Investigation
[root@Axis ~]# less out
Loaded 24 rulesChanged to uid 980Initializing the databaseLoading rpmdb backendLoading file backendChecking database…Starting to listen for events/my-app
![Page 31: In Linux Environment Application Whitelisting - FedoraBy default (RHEL/Fedora) everything loaded from rpmdb fapolicyd.trust is trusted The default set of rules ensures that trusted](https://reader034.vdocuments.us/reader034/viewer/2022050210/5f5d0b0a4df6ff0e6b4f0ae1/html5/thumbnails/31.jpg)
Output Investigation
rule:9 dec=deny_audit perm=execute auid=1000 pid=600 exe=/usr/bin/zsh : file=/home/rsroka/bin/my-app.py ftype=text/x-python
![Page 32: In Linux Environment Application Whitelisting - FedoraBy default (RHEL/Fedora) everything loaded from rpmdb fapolicyd.trust is trusted The default set of rules ensures that trusted](https://reader034.vdocuments.us/reader034/viewer/2022050210/5f5d0b0a4df6ff0e6b4f0ae1/html5/thumbnails/32.jpg)
Output Investigation
rule:9 dec=deny_audit perm=execute auid=1000 pid=600 exe=/usr/bin/zsh : file=/home/rsroka/bin/my-app.py ftype=text/x-python
allow perm=execute exe=/usr/bin/zsh trust=1: file=/home/rsroka/bin/my-app.py ftype=text/x-python trust=0
Rule:
![Page 33: In Linux Environment Application Whitelisting - FedoraBy default (RHEL/Fedora) everything loaded from rpmdb fapolicyd.trust is trusted The default set of rules ensures that trusted](https://reader034.vdocuments.us/reader034/viewer/2022050210/5f5d0b0a4df6ff0e6b4f0ae1/html5/thumbnails/33.jpg)
Enable Python Script
● ~/bin/my-app.py
~/bin >> lsmy-bin my-app.py
~/bin >> ./my-app.pyzsh: operation not permitted: my-app.py Wait...What?
![Page 34: In Linux Environment Application Whitelisting - FedoraBy default (RHEL/Fedora) everything loaded from rpmdb fapolicyd.trust is trusted The default set of rules ensures that trusted](https://reader034.vdocuments.us/reader034/viewer/2022050210/5f5d0b0a4df6ff0e6b4f0ae1/html5/thumbnails/34.jpg)
Output Investigation - The Second Round
rule:2 dec=allowed perm=execute auid=1000 pid=600 exe=/usr/bin/zsh : file=/home/rsroka/bin/my-app.py ftype=text/x-python
rule:18 dec=deny_audit perm=open auid=1000 pid=600 exe=/usr/bin/zsh : file=/home/rsroka/bin/my-app.py ftype=text/x-python
![Page 35: In Linux Environment Application Whitelisting - FedoraBy default (RHEL/Fedora) everything loaded from rpmdb fapolicyd.trust is trusted The default set of rules ensures that trusted](https://reader034.vdocuments.us/reader034/viewer/2022050210/5f5d0b0a4df6ff0e6b4f0ae1/html5/thumbnails/35.jpg)
Output Investigation - The Second Round
rule:2 dec=allowed perm=execute auid=1000 pid=600 exe=/usr/bin/zsh : file=/home/rsroka/bin/my-app.py ftype=text/x-python
rule:18 dec=deny_audit perm=open auid=1000 pid=600 exe=/usr/bin/zsh : file=/home/rsroka/bin/my-app.py ftype=text/x-python
allow perm=any exe=/usr/bin/zsh trust=1: file=/home/rsroka/bin/my-app.py ftype=text/x-python trust=0
Rule:
![Page 36: In Linux Environment Application Whitelisting - FedoraBy default (RHEL/Fedora) everything loaded from rpmdb fapolicyd.trust is trusted The default set of rules ensures that trusted](https://reader034.vdocuments.us/reader034/viewer/2022050210/5f5d0b0a4df6ff0e6b4f0ae1/html5/thumbnails/36.jpg)
Enable Python Script
● ~/bin/my-app.py
~/bin >> lsmy-bin my-app.py
~/bin >> ./my-app.pyHello World from Python Script
~/bin >> python3 my-app.pyHello World from Python Script
![Page 37: In Linux Environment Application Whitelisting - FedoraBy default (RHEL/Fedora) everything loaded from rpmdb fapolicyd.trust is trusted The default set of rules ensures that trusted](https://reader034.vdocuments.us/reader034/viewer/2022050210/5f5d0b0a4df6ff0e6b4f0ae1/html5/thumbnails/37.jpg)
rule:2 dec=allowed perm=execute exe=/usr/bin/zsh : file=/home/rsroka/bin/my-app.py ftype=text/x-python
rule:2 dec=allowed perm=execute exe=/usr/bin/python3.7 : file=/home/rsroka/bin/my-app.py ftype=text/x-python
allow perm=any all trust=1: file=/home/rsroka/bin/my-app.py ftype=text/x-python trust=0
Rule:
![Page 38: In Linux Environment Application Whitelisting - FedoraBy default (RHEL/Fedora) everything loaded from rpmdb fapolicyd.trust is trusted The default set of rules ensures that trusted](https://reader034.vdocuments.us/reader034/viewer/2022050210/5f5d0b0a4df6ff0e6b4f0ae1/html5/thumbnails/38.jpg)
Enable Directory
allow perm=any all trust=1 : dir=/home/rsroka/bin/ trust=0
![Page 39: In Linux Environment Application Whitelisting - FedoraBy default (RHEL/Fedora) everything loaded from rpmdb fapolicyd.trust is trusted The default set of rules ensures that trusted](https://reader034.vdocuments.us/reader034/viewer/2022050210/5f5d0b0a4df6ff0e6b4f0ae1/html5/thumbnails/39.jpg)
Mark Files As Trusted
● Add files to fapolicyd.trust
# FULL PATH SIZE SHA256/home/rsroka/bin/my-bin 15523 61a9960bf7d255a85811f4afcac51062e.../home/rsroka/bin/my-app.py 153 e49f0c887cf5fd41d4d49808fc8042fc...
![Page 40: In Linux Environment Application Whitelisting - FedoraBy default (RHEL/Fedora) everything loaded from rpmdb fapolicyd.trust is trusted The default set of rules ensures that trusted](https://reader034.vdocuments.us/reader034/viewer/2022050210/5f5d0b0a4df6ff0e6b4f0ae1/html5/thumbnails/40.jpg)
Enable Fapolicyd Framework
[root@Axis ~] systemctl enable --now fapolicyd
![Page 41: In Linux Environment Application Whitelisting - FedoraBy default (RHEL/Fedora) everything loaded from rpmdb fapolicyd.trust is trusted The default set of rules ensures that trusted](https://reader034.vdocuments.us/reader034/viewer/2022050210/5f5d0b0a4df6ff0e6b4f0ae1/html5/thumbnails/41.jpg)
Thank You!
● https://github.com/radosroka
● https://twitter.com/RadovanSroka
● https://github.com/linux-application-whitelisting/fapolicyd