- Shane Boulden
It's time for YAACA - Yet Another Application Control Article! Yes, once again I'm writing on the topic of application control. You can see some previous articles here:
Hands on with application control - an overview of labs available to get hands-on with Linux application control frameworks and tools.
Application control for everyone - a look at how application control is supported across different platforms, like Linux and Kubernetes, and an introduction to the File Access Policy Daemon (fapolicyd).
Application control and integrity checks - a practical look at file integrity controls supported by fapolicyd, and how you can configure one of these.
Automating application control - automating application control state across many systems, using Ansible
Application control is important, though can be difficult to implement. I've spoken with several organisations recently who have invested significant time and money on application control programs. In this article, I'll take a look at an open source tool that can make application control easier to implement - the File Access Policy Analyzer.
The File Access Policy Analyzer, or fapolicy-analyzer, is a set of tools to help with the configuration and maintenance of fapolicyd. It can help to better understand why policies are failing, and create fapolicyd exceptions and rules files.
The File Access Policy Analyzer needs a graphical environment, so if you haven't already, let's install Gnome
sudo dnf install @GNOME
You can then access the graphical environment
sudo systemctl isolate graphical.target
Before we can run the fapolicy-analyzer, we should ensure that fapolicyd is enabled and configured in permissive mode.
/etc/fapolicyd/fapolicyd.conf and make the following changes:
permissive = 1 ... syslog_format = rule,dec,perm,uid,gid,pid,exe,:,path,ftype,trust ...
sudo systemctl restart fapolicyd
For this write-up I'm going to install the latest version of
fapolicy-analyzer from source on Fedora 36. Firstly, we need some dependencies:
curl --proto '=https' --tlsv1.2 -sSf https://sh.rustup.rs | sh dnf install -y python-devel # python 3.9.+ is the default dnf install -y cairo cairo-devel python3-wheel gcc zlib-devel bzip2 bzip2-devel \ readline-devel sqlite sqlite-devel openssl-devel tk-devel git python3-cairo-devel \ cairo-gobject-devel gobject-introspection-devel dbus-devel gtksourceview3 Xvfb pip install pipenv --user
Now we can clone, build and run the latest source:
git clone https://github.com/ctc-oss/fapolicy-analyzer.git cd fapolicy-analyzer make run
Profiling an executable
When you first start
fapolicy-analyzer you'll be shown this screen.
This allows us to see the existing trusted applications in the system trust database (backed by the RPM database), and explore the file-backed ancillary trust database.
Let's try profiling an application. I've created a new user on the system and pulled down a binary
cowsay we can run locally. If you navigate to 'Tool -> Profile Executable' you can specify these parameters:
Once the analysis completes, you'll be able to see the results. Here, we can see that the
cowsay binary is not trusted by the system database.
We can select 'Trust' to add the binary to the ancillary trust database - we'll see later how to apply these changes.
Ok - that was a relatively simple application. What about something more complex? For this example, I've pulled down the
ansible binary. We can perform the same app profiling, and see the trusted/untrusted components.
This example is a little more interesting. In addition to the
/usr/local/bin/ansible binary, we have a number of shared libraries and other files that the application attempted to access. This is certainly useful for understanding how complex applications access system components, and helping create exceptions.
For now, let's simply add the
ansible binary to the ancillary trust database.
Navigate back to 'Tool -> Administer Trust Databases'. In the top left-hand corner is a button to deploy the latest changesets. Press this button to deploy the updates to the ancillary trust database. You'll see a screen highlighting the changes to be made:
Once you select 'Ok', the changes will be written to the ancillary trust database on the host:
# cat /etc/fapolicyd/fapolicyd.trust /usr/local/bin/cowsay 2772992 fc564f72acb1e84a64131d687ef5106dadcf410d03126638aca46e498d020ca6 /usr/local/bin/ansible 5936 3a296b73554feba5f98d3d0550915e7633416ea650e90c17cb19b07beefe2622
You could then take this file, and template it across many systems using Ansible.
This was a very quick overview of the File Access Policy Analyzer open source tool that can make application control implementation simpler and easier.
You could implement the
fapolicy-analyzer as part of a DevSecOps approach to application control management.
- Using the
fapolicy-analyzerduring application development to identify a trusted application baseline
- Packaging updates to the
fapolicydancillary baseline along with application releases
- Automating updated
fapolicydbaselines across many hosts using Ansible