Changing Default Policy Logging

The default policy rules shipped with fapolicyd are configured to only log to the audit log for denials. This configuration is appropriate for production systems but the information stored in these logs might be limited for debugging purposes. If you need to track which rules are being used to make the final decision on an event, you can either run fapolicyd in debugging mode, or you could change rules to output information to the system log. For more information on running fapolicyd in debugging mode, see Debugging Interactively in Permissive Mode.

Policy rule decisions identify whether to log information and how that information must be logged. By default, for denial decisions, the rules that are included in the fapolicyd package use the deny_audit decision type. You can change every deny_audit decision type to deny_log to log information to both the audit log and the system log.

To enhance logging:

  1. Update rule definitions.

    Update all rules in /etc/fapolicyd/rules.d to replace deny_audit with deny_log:

    sudo bash -c 'for i in /etc/fapolicyd/rules.d/*; do sed -i "s/deny_audit/deny_log/g" "$i"; done'

    You can also enable logging for any allow rules, but doing so can result in verbose output and have a significant impact on performance.

  2. Check that the rules are updated.

    Run the following command to verify that the rules have been updated successfully:

    sudo fagenrules --check

  3. Load the new rules.

    Run the following command to load the new rules into fapolicyd:

    sudo fagenrules --load

  4. Review the rules.

    Check that the changes are loaded correctly into fapolicyd:

    sudo fapolicyd-cli -l | grep 'deny_log'

When an event is denied by fapolicyd and the decision is set to deny_log, an entry appears in the system log, similar to the following:

fapolicyd[1478]: rule=13 dec=deny_log perm=execute auid=1000 pid=5361 exe=/usr/bin/bash : path=/home/user/demo.bin ftype=application/x-executable trust=0

Note that the output includes the rule number for the rule that fapolicyd used to make the final decision to deny the event.

To view system log entries for fapolicyd, run:

sudo journalctl -S today -u fapolicyd
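The following script is an added example, not part of the fapolicyd project or of this guide. It scripts the deny_audit to deny_log switch from the steps above (keeping a backup of each changed rule file) and summarises deny_log journal entries by rule number, so the rules behind denials can be seen at a glance. The backup directory argument and the sample journal lines are constructed for illustration.

```shell
#!/bin/sh
# Added example (not fapolicyd's own code): switch deny_audit to deny_log in a rules
# directory and summarise deny_log journal entries by rule number.

# Replace deny_audit with deny_log in every *.rules file under $1 (fagenrules only
# reads files with that suffix). Each changed file is copied to $2 first as a backup.
# Prints the number of files that were modified.
switch_to_deny_log() {
    rules_dir=$1
    backup_dir=$2
    changed=0
    mkdir -p "$backup_dir"
    for f in "$rules_dir"/*.rules; do
        [ -f "$f" ] || continue
        if grep -q 'deny_audit' "$f"; then
            cp "$f" "$backup_dir/"
            sed -i 's/deny_audit/deny_log/g' "$f"   # "$f" quoted so odd file names survive
            changed=$((changed + 1))
        fi
    done
    echo "$changed"
}

# Read fapolicyd journal lines on stdin and print "rule=<n> count=<c>" for every
# deny_log decision, most frequent rule first. Lines with other decisions are ignored.
summarize_denials() {
    awk '/dec=deny_log/ {
            for (i = 1; i <= NF; i++)
                if ($i ~ /^rule=/) count[substr($i, 6)]++
        }
        END { for (r in count) printf "rule=%s count=%d\n", r, count[r] }' \
    | sort -t= -k3,3 -nr
}

# Constructed sample of journalctl output (not real host data), in the format shown above.
SAMPLE_JOURNAL='Jan 10 10:00:01 host fapolicyd[1478]: rule=13 dec=deny_log perm=execute auid=1000 pid=5361 exe=/usr/bin/bash : path=/home/user/demo.bin ftype=application/x-executable trust=0
Jan 10 10:00:02 host fapolicyd[1478]: rule=13 dec=deny_log perm=execute auid=1000 pid=5362 exe=/usr/bin/bash : path=/home/user/demo.bin ftype=application/x-executable trust=0
Jan 10 10:00:03 host fapolicyd[1478]: rule=9 dec=deny_log perm=open auid=1000 pid=5363 exe=/usr/bin/python3 : path=/tmp/script.py ftype=text/x-python trust=0
Jan 10 10:00:04 host fapolicyd[1478]: rule=4 dec=allow perm=execute auid=0 pid=5364 exe=/usr/bin/bash : path=/usr/bin/ls ftype=application/x-executable trust=1'

# Stand-alone demonstration on the constructed sample; on a real host pipe the journal in:
#   sudo journalctl -S today -u fapolicyd | summarize_denials
printf '%s\n' "$SAMPLE_JOURNAL" | summarize_denials
```

After running switch_to_deny_log against a copy of /etc/fapolicyd/rules.d, the fagenrules --check and --load steps above still apply; the script does not load anything into the daemon.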