Changing Runtime Configuration

Runtime configuration options are set in /etc/fapolicyd/fapolicyd.conf. The daemon reads this file at startup, so restart the fapolicyd service after changing it. The options are described in detail in the fapolicyd.conf(5) manual page. For more information, see also https://github.com/linux-application-whitelisting/fapolicyd/blob/main/README.md.

Configuring Runtime Statistics Reporting

By default, fapolicyd generates a runtime statistics report that provides useful information about accesses, denials, and cache performance. Use the information in the report to fine-tune configuration options or diagnose file access issues.

Configuration options that can be set to control this report include:

do_stat_report

Controls whether the statistics report is generated. The default is 1 (enabled); set it to 0 to disable the report.

detailed_report

Controls whether fapolicyd adds per-subject and per-object detail to the statistics report, showing how many times each subject-object access occurred. This detail is useful when debugging but can be disabled to keep the log small. The default is 1 (enabled).

The report is written to /var/log/fapolicyd-access.log when the fapolicyd service stops, so stop the service before you inspect it. The report content is similar to the following:

Permissive: false
q_size: 640
Inter-thread max queue depth 6
Allowed accesses: 668513
Denied accesses: 0
Trust database max pages: 25600
Trust database pages in use: 7567 (29%)

File access attempts from oldest to newest as of Wed Nov 15 16:46:59 2023

        FILE                                                ATTEMPTS
---------------------------------------------------------------------------
/var/tmp/dracut.kZVhRg/initramfs/usr/lib/kbd/keymaps/xkb/tr-alt.map.gz  1
/var/tmp/dracut.kZVhRg/initramfs/usr/lib/kbd/unimaps/koi8u.uni  1
/var/tmp/dracut.kZVhRg/initramfs/usr/bin/stgTP4DF               1
...
/usr/bin/mandb (?)                                              1
/usr/bin/mandb (?)                                              264
---

Subject cache size: 1549
Subject slots in use: 1549 (100%)
Subject hits: 666964
Subject misses: 46044
Subject evictions: 44495 (6%)

Logging Controls

By default, access denials are recorded in the audit log as FANOTIFY audit events, but you can also configure policy rules to log decisions to the system log. See Changing Default Policy Logging, Debugging Interactively in Permissive Mode and Auditing Denial Events in Permissive Mode.

When logging to the system log or running fapolicyd in debug mode, the syslog_format option controls which fields each logged access decision carries. Its value is a comma separated list of field names, each written to the log as name=value; a bare colon (:) in the list separates the subject fields from the object fields. Note that the more fields you log, the higher the performance cost. The default value is: rule,dec,perm,auid,pid,exe,:,path,ftype,trust.

Values available for the syslog_format option include:
  • rule: The rule number from the compiled policy rules. See Listing Policy Rules.
  • dec: The decision (for example, allow or deny_audit) that fapolicyd took for the access.
  • perm: The permission (for example, open or execute) that the rule matched.
  • Any of the subject options.
  • :: The separator to delineate between subject and object options.
  • Any of the object options.
For more information about subject and object options, see Creating Policy Rules.
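The following parser, added here as an example and not part of fapolicyd, shows how the syslog_format value maps onto the logged lines and how to aggregate denials from them. It assumes each decision is logged as name=value pairs in syslog_format order with a bare ":" between the subject and object fields, as in the default format above; the log lines in SAMPLE_LOG_LINES (including the journald-style prefix and the daemon status message) are constructed for illustration.

```python
"""Parse the access decisions fapolicyd writes to the system log.

Added example (not fapolicyd's own code). It assumes each logged
decision is a line of key=value pairs in the order given by the
syslog_format option, with a bare ":" between the subject and object
fields, as in the default format. SAMPLE_LOG_LINES are constructed;
a real deployment would feed lines from journalctl -u fapolicyd or
the syslog file instead.
"""
import re
from collections import Counter

DEFAULT_SYSLOG_FORMAT = "rule,dec,perm,auid,pid,exe,:,path,ftype,trust"

# Constructed sample: denied script executions (one with a journal prefix),
# an allowed library open, a denied path containing a space, and a daemon
# status line that carries no decision and must be skipped.
SAMPLE_LOG_LINES = [
    "rule=9 dec=deny_audit perm=execute auid=1000 pid=5159 exe=/usr/bin/bash"
    " : path=/home/user/myscript.sh ftype=text/x-shellscript trust=0",
    "rule=9 dec=deny_audit perm=execute auid=1000 pid=5160 exe=/usr/bin/bash"
    " : path=/home/user/myscript.sh ftype=text/x-shellscript trust=0",
    "Nov 15 16:47:01 host fapolicyd[1201]: rule=9 dec=deny_audit perm=execute"
    " auid=1000 pid=5163 exe=/usr/bin/bash"
    " : path=/home/user/myscript.sh ftype=text/x-shellscript trust=0",
    "rule=3 dec=allow perm=open auid=1000 pid=5161 exe=/usr/bin/python3"
    " : path=/usr/lib64/libc.so.6 ftype=application/x-sharedlib trust=1",
    "rule=9 dec=deny_syslog perm=open auid=1000 pid=5162 exe=/usr/bin/python3"
    " : path=/home/user/Untitled Notebook.py ftype=text/x-python trust=0",
    "Nov 15 16:47:05 host fapolicyd[1201]: Starting to listen for events",
]


def build_line_regex(syslog_format=DEFAULT_SYSLOG_FORMAT):
    """Turn a syslog_format value into a regex with one named group per field.

    Each value is matched lazily up to the next " name=" token (or the end of
    the line), so a path containing spaces is still captured whole. The match
    may start anywhere after whitespace, which skips a syslog/journald prefix.
    """
    parts = []
    for field in syslog_format.split(","):
        if field == ":":
            parts.append(r":")
        else:
            parts.append(rf"{re.escape(field)}=(?P<{field}>.+?)")
    return re.compile(r"(?:^|\s)" + r"\s+".join(parts) + r"\s*$")


def parse_decision(line, syslog_format=DEFAULT_SYSLOG_FORMAT):
    """Return the fields of one decision line as a dict, or None if it doesn't match."""
    m = build_line_regex(syslog_format).search(line)
    return m.groupdict() if m else None


def summarise_denials(lines, syslog_format=DEFAULT_SYSLOG_FORMAT):
    """Count denied decisions by (exe, path); lines that don't parse are ignored."""
    counts = Counter()
    for line in lines:
        rec = parse_decision(line, syslog_format)
        if rec is not None and rec["dec"].startswith("deny"):
            counts[(rec["exe"], rec["path"])] += 1
    return counts


if __name__ == "__main__":
    for (exe, path), n in summarise_denials(SAMPLE_LOG_LINES).most_common():
        print(f"{n:4d}  {exe} -> {path}")
```

Pass the same syslog_format string you configured in fapolicyd.conf to parse_decision so the parser follows any custom field order; the denial summary is a quick way to find which subject/object pairs need a new rule before you leave permissive mode.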

Performance Controls

Performance control options trade memory for processing time.

The following options are available to control the size of the caches that are used by fapolicyd to improve performance:

subj_cache_size
Controls how many entries the subject cache holds. The default value is 1549.
obj_cache_size
Controls how many entries the object cache holds. The default value is 8191.

For both options, keep the cache as small as you reasonably can while allocating enough entries to keep the ratio of hits to evictions high. Calculate this ratio from the hits, misses and evictions counters in the statistics report; a cache whose slots are all in use and that evicts on a large share of lookups is too small.

To avoid cache churn resulting from hash collisions, set the cache sizes to prime numbers (the defaults, 1549 and 8191, are both prime).
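The following script, added here as an example and not part of fapolicyd, reads the statistics report described under Configuring Runtime Statistics Reporting and turns its counters into the hit and eviction ratios that this section asks you to calculate. The general-purpose lines of SAMPLE_REPORT are copied from the report shown above; its Object cache lines are constructed, since the page's sample is cut off after the subject cache. The 5% eviction threshold and the "double the size, then round up to the next prime" rule are this example's own assumptions, not fapolicyd guidance.

```python
"""Read a fapolicyd statistics report and size the caches from it.

Added example (not part of fapolicyd). It parses the report that fapolicyd
writes to /var/log/fapolicyd-access.log on shutdown, computes the hit and
eviction ratios for the subject and object caches, and suggests a larger
prime cache size when a full cache is evicting heavily. The 5% threshold
and the doubling rule are assumptions of this example. The Object cache
lines in SAMPLE_REPORT are constructed; the others are from the sample
report above.
"""
import re

SAMPLE_REPORT = """\
Permissive: false
q_size: 640
Inter-thread max queue depth 6
Allowed accesses: 668513
Denied accesses: 0
Trust database max pages: 25600
Trust database pages in use: 7567 (29%)

Subject cache size: 1549
Subject slots in use: 1549 (100%)
Subject hits: 666964
Subject misses: 46044
Subject evictions: 44495 (6%)

Object cache size: 8191
Object slots in use: 4123 (50%)
Object hits: 598431
Object misses: 70082
Object evictions: 0 (0%)
"""

_CACHE_LINE = re.compile(
    r"^(Subject|Object) (cache size|slots in use|hits|misses|evictions): (\d+)")
_TOTAL_LINE = re.compile(r"^(Allowed|Denied) accesses: (\d+)")
_KEYS = {"cache size": "size", "slots in use": "in_use",
         "hits": "hits", "misses": "misses", "evictions": "evictions"}


def parse_stat_report(text):
    """Return {'allowed': n, 'denied': n, 'subject': {...}, 'object': {...}}.

    Only the first integer on each cache line is kept; the percentage in
    parentheses is recomputed from the counters instead.
    """
    stats = {"subject": {}, "object": {}}
    for line in text.splitlines():
        m = _CACHE_LINE.match(line)
        if m:
            stats[m.group(1).lower()][_KEYS[m.group(2)]] = int(m.group(3))
            continue
        m = _TOTAL_LINE.match(line)
        if m:
            stats[m.group(1).lower()] = int(m.group(2))
    return stats


def cache_ratios(cache):
    """Hit ratio and eviction ratio relative to total lookups (hits + misses)."""
    lookups = cache["hits"] + cache["misses"]
    if lookups == 0:
        return 0.0, 0.0
    return cache["hits"] / lookups, cache["evictions"] / lookups


def next_prime(n):
    """Smallest prime >= n; trial division is fine for cache-sized values."""
    n = max(n, 2)
    while not all(n % d for d in range(2, int(n ** 0.5) + 1)):
        n += 1
    return n


def recommend_cache_size(cache, max_eviction_ratio=0.05):
    """Suggest a new prime size when the cache is full and evicting heavily.

    Returns None when the current size is adequate. The doubling rule and
    the threshold are this example's assumptions.
    """
    _, eviction_ratio = cache_ratios(cache)
    full = cache["in_use"] >= cache["size"]
    if full and eviction_ratio > max_eviction_ratio:
        return next_prime(2 * cache["size"])
    return None


if __name__ == "__main__":
    stats = parse_stat_report(SAMPLE_REPORT)
    for name in ("subject", "object"):
        hit, evict = cache_ratios(stats[name])
        rec = recommend_cache_size(stats[name])
        print(f"{name}: hit ratio {hit:.1%}, eviction ratio {evict:.1%}, "
              f"suggested {name[:4]}_cache_size={rec or stats[name]['size']}")
```

On the sample report the subject cache is 100% in use and evicts on about 6% of lookups, so the script proposes raising subj_cache_size to 3109; the constructed object cache is half used with no evictions, so obj_cache_size is left at 8191. Run it against your own /var/log/fapolicyd-access.log after stopping the service, and re-check the ratios after the next run to confirm the change helped.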