Auditing Denial Events in Permissive Mode

To enable permissive mode by default, edit /etc/fapolicyd/fapolicyd.conf and set the permissive configuration option to 1. You must restart the fapolicyd service for the change to take effect. All denial events are then sent to the audit log and tracked using fanotify messages.

You must have at least one rule defined for auditd to start logging fapolicyd events. If you don't have any rules defined, no events appear in the audit log. You can create any rule for auditing to start working. For example, you can create a rule to audit changes to the configuration in /etc/fapolicyd as follows:

sudo tee /etc/audit/rules.d/40-fapolicyd.rules > /dev/null <<'EOF'
# This policy monitors /etc/fapolicyd/ for changes to configuration
# This rule is generated to ensure that events are logged to the audit log for fapolicyd tracking
-w /etc/fapolicyd/ -p wa -k fapolicyd_changes
EOF

You must restart the auditd service for this rule to take effect:

sudo service auditd restart

Note:

auditd can't be restarted by using the systemctl command.

Denial events are logged to the audit log. Review these by using the ausearch command. For example:

sudo ausearch --start today -m fanotify

Use aureport to produce easier-to-read output. For example:

sudo ausearch --start today -m fanotify --raw | aureport --file
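The steps above combined into a small shell helper (an added example, not code from the original page or from the fapolicyd project): it sets the permissive option in a fapolicyd.conf-style file, writes the watch rule, and checks that the rules file contains nothing but comments, blank lines and rules, since a wrapped comment line that lost its leading # is a common cause of auditctl rejecting the file. File paths are parameters so the functions can be tried on copies before the real files under /etc are touched.

```shell
#!/bin/sh
# Added example: enable fapolicyd permissive mode and install the audit rule
# from this page, validating each step. Real files need root and a restart
# of fapolicyd and auditd afterwards (auditd via "service", not systemctl).

# Set "permissive = N" in a fapolicyd.conf-style file (key = value lines).
set_permissive() {
    conf=$1; value=$2
    if grep -Eq '^[[:space:]]*permissive[[:space:]]*=' "$conf"; then
        sed -E "s/^([[:space:]]*permissive[[:space:]]*=[[:space:]]*).*/\1${value}/" \
            "$conf" > "$conf.tmp" && mv "$conf.tmp" "$conf"
    else
        printf 'permissive = %s\n' "$value" >> "$conf"
    fi
}

# Print the effective permissive value (0 when the key is absent).
get_permissive() {
    v=$(sed -nE 's/^[[:space:]]*permissive[[:space:]]*=[[:space:]]*([0-9]+).*/\1/p' "$1" | tail -n 1)
    printf '%s\n' "${v:-0}"
}

# Succeed only if every line is blank, a "#" comment, or a rule starting
# with "-". Anything else (for example a wrapped comment line) is an error.
validate_rules() {
    ! grep -Evq '^[[:space:]]*(#|-|$)' "$1"
}

# Write the watch rule for /etc/fapolicyd/, then validate the result.
install_rule() {
    cat > "$1" <<'EOF'
# Watch /etc/fapolicyd/ for changes; having at least one rule loaded makes
# auditd record fapolicyd fanotify events as well.
-w /etc/fapolicyd/ -p wa -k fapolicyd_changes
EOF
    validate_rules "$1"
}

# Real run (as root), using the paths from the page:
# set_permissive /etc/fapolicyd/fapolicyd.conf 1 && systemctl restart fapolicyd
# install_rule /etc/audit/rules.d/40-fapolicyd.rules && service auditd restart
# ausearch --start today -m fanotify --raw | aureport --file
```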