From 3fba5ec874f0269d81af9bca90e524703980345d Mon Sep 17 00:00:00 2001

From: Marcus Burghardt <maburgha@redhat.com>

Date: Mon, 14 Nov 2022 15:46:12 +0100

Subject: [PATCH 1/5] Update ocil and fixtext in fapolicy_default_deny

Rules are stored in different places depending on the system version.

These changes are now explicit in ocil and fixtext. In RHEL8.6 it was

introduced the rules.d feature and together the fagenrules script which

reads and concatenate the rules from rules.d to finally save the result

in the /etc/fapolicyd/compiled.rules file.

---

 .../services/fapolicyd/fapolicy_default_deny/rule.yml  | 10 +++++++++-

 1 file changed, 9 insertions(+), 1 deletion(-)

diff --git a/linux_os/guide/services/fapolicyd/fapolicy_default_deny/rule.yml b/linux_os/guide/services/fapolicyd/fapolicy_default_deny/rule.yml

index 5b9a1649571..eeecd34e69a 100644

--- a/linux_os/guide/services/fapolicyd/fapolicy_default_deny/rule.yml

+++ b/linux_os/guide/services/fapolicyd/fapolicy_default_deny/rule.yml

@@ -39,10 +39,14 @@ ocil: |-

     permissive = 0

-    Check that fapolicyd employs a deny-all policy on system mounts with the following command:

+    Check that fapolicyd employs a deny-all policy on system mounts with the following commands:

+    For RHEL 8.5 systems and older:

     $ sudo tail /etc/fapolicyd/fapolicyd.rules

+    For RHEL 8.6 systems and newer:

+    $ sudo tail /etc/fapolicyd/compiled.rules

+

     allow exe=/usr/bin/python3.7 : ftype=text/x-python

     deny_audit perm=any pattern=ld_so : all

     deny perm=any all : all

@@ -54,8 +58,12 @@ fixtext: |-

     permissive = 1

+    For RHEL 8.5 systems and older:

     Build the whitelist in the "/etc/fapolicyd/fapolicyd.rules" file ensuring the last rule is "deny perm=any all : all".

+    For RHEL 8.6 systems and newer:

+    Build the whitelist in a file within the "/etc/fapolicyd/rules.d" directory ensuring the last rule is "deny perm=any all : all".

+

     Once it is determined the whitelist is built correctly, set the fapolicyd to enforcing mode by editing the "permissive" line in the /etc/fapolicyd/fapolicyd.conf file.

     permissive = 0

From 0b4eaa7e7d96600eef42ad45524e0b4c6e003990 Mon Sep 17 00:00:00 2001

From: Marcus Burghardt <maburgha@redhat.com>

Date: Thu, 17 Nov 2022 09:40:20 +0100

Subject: [PATCH 2/5] Refactored the OVAL assessment for fapolicy_default_deny

Firsly the existing checks were aligned to the style guides and the

comments were reviewed. The regex used to identify the expected policy

was also fixed since it wasn't ensuring the deny policy if defined in a

wrong position. Finally, it was extended the assessment to consider the

/etc/fapolicyd/compiled.rules file.

---

 .../fapolicy_default_deny/oval/shared.xml     | 64 +++++++++++++------

 1 file changed, 43 insertions(+), 21 deletions(-)

diff --git a/linux_os/guide/services/fapolicyd/fapolicy_default_deny/oval/shared.xml b/linux_os/guide/services/fapolicyd/fapolicy_default_deny/oval/shared.xml

index 9989459ad22..40bdcf870ca 100644

--- a/linux_os/guide/services/fapolicyd/fapolicy_default_deny/oval/shared.xml

+++ b/linux_os/guide/services/fapolicyd/fapolicy_default_deny/oval/shared.xml

@@ -4,36 +4,58 @@

         oval_metadata("Configure Fapolicy Module to Employ a Deny-all, Permit-by-exception Policy")

         }}}

         <criteria>

-        

-        test_ref="test_fapolicy_default_deny_policy" />

-        

-        test_ref="test_fapolicy_default_deny_enforcement" />

+            <criteria operator="OR">

+                

+                    test_ref="test_fapolicy_default_deny_policy_with_rulesd"/>

+                

+                    test_ref="test_fapolicy_default_deny_policy_without_rulesd"/>

+            </criteria>

+            

+                test_ref="test_fapolicy_default_deny_enforcement"/>

         </criteria>

     </definition>

-    

-    comment="fapolicyd employs a deny-all policy"

-    id="test_fapolicy_default_deny_policy" version="1">

-        <ind:object object_ref="obj_fapolicy_default_deny_policy" />

+    

+        check_existence="only_one_exists" check="all"

+        comment="fapolicyd employs a deny-all policy in compiled.rules file">

+        <ind:object object_ref="object_fapolicy_default_deny_policy_compiled_rules"/>

     </ind:textfilecontent54_test>

-    <ind:textfilecontent54_object id="obj_fapolicy_default_deny_policy" version="1">

-        <ind:behaviors multiline="false" />

+

+    

+        version="1">

+        <ind:filepath>/etc/fapolicyd/compiled.rules</ind:filepath>

+        <ind:pattern operation="pattern match">^\s*deny\s*perm=any\s*all\s*:\s*all\s*\z</ind:pattern>

+        <ind:instance datatype="int">1</ind:instance>

+    </ind:textfilecontent54_object>

+

+    

+        check_existence="only_one_exists" check="all"

+        comment="fapolicyd employs a deny-all policy in fapolicyd.rules file">

+        <ind:object object_ref="object_fapolicy_default_deny_policy_fapolicyd_rules"/>

+    </ind:textfilecontent54_test>

+

+    

+        version="2">

         <ind:filepath>/etc/fapolicyd/fapolicyd.rules</ind:filepath>

-        <ind:pattern operation="pattern match">(^|\n)\s*deny\s*perm=any\s*all\s*:\s*all\s*$</ind:pattern>

+        <ind:pattern operation="pattern match">^\s*deny\s*perm=any\s*all\s*:\s*all\s*\z</ind:pattern>

         <ind:instance datatype="int">1</ind:instance>

     </ind:textfilecontent54_object>

-    

-    comment="fapolicyd is in enforcement mode"

-    id="test_fapolicy_default_deny_enforcement" version="1">

-        <ind:object object_ref="obj_fapolicy_default_deny_enforcement" />

-        <ind:state state_ref="state_fapolicy_default_deny_enforcement" />

+

+    

+        check_existence="all_exist" check="all"

+        comment="permissive mode is disabled in fapolicyd settings">

+        <ind:object object_ref="object_fapolicy_default_deny_permissive_mode" />

+        <ind:state state_ref="state_fapolicy_default_deny_permissive_mode_off" />

     </ind:textfilecontent54_test>

-    <ind:textfilecontent54_object id="obj_fapolicy_default_deny_enforcement" version="1">

+

+    <ind:textfilecontent54_object id="object_fapolicy_default_deny_permissive_mode" version="2">

         <ind:filepath>/etc/fapolicyd/fapolicyd.conf</ind:filepath>

         <ind:pattern operation="pattern match">^\s*permissive\s*=\s*(\d+)</ind:pattern>

-        <ind:instance datatype="int" operation="greater than or equal">1</ind:instance>

+        <ind:instance datatype="int" operation="equals">1</ind:instance>

     </ind:textfilecontent54_object>

-    <ind:textfilecontent54_state id="state_fapolicy_default_deny_enforcement" version="1" comment="root email alias">

-    <ind:subexpression operation="equals" datatype="int">0</ind:subexpression>

-  </ind:textfilecontent54_state>

+

+    

+        comment="permissive mode value is set to 0 (off) in fapolicyd settings file">

+        <ind:subexpression operation="equals" datatype="int">0</ind:subexpression>

+    </ind:textfilecontent54_state>

 </def-group>

From a0fc2ee0b58404ca642804a8977eca6b77fb6807 Mon Sep 17 00:00:00 2001

From: Marcus Burghardt <maburgha@redhat.com>

Date: Thu, 17 Nov 2022 10:32:51 +0100

Subject: [PATCH 3/5] Refactored the test scenario scripts

The scripts were invalid and wrongly reporting results. The main issue

was in scripts which intended to create two lines in a file but were

overwriting the entire file in the second command instead of append the

second line. The scripts were also refactored to consider systems using

the rules.d feature and also older systems which doesn't have the

rules.d feature. Another issue was that "no_quotes" was false by default

in the bash_shell_file_set macro, but the fapolicyd.conf doesn't expect

quotes and this was causing inconsistency in the file, so the no_quotes

was set to true when calling the macro from test scenarios. Finally the

scripts names were better aligned to their respective scenarios.

---

 .../tests/allow_policy.fail.sh                 | 18 ++++++++++++++++++

 .../tests/commented_value.fail.sh              | 12 ------------

 .../tests/correct_value.pass.sh                | 12 ------------

 .../tests/deny_not_last.fail.sh                | 12 ------------

 .../tests/deny_policy.pass.sh                  | 18 ++++++++++++++++++

 .../tests/deny_policy_but_permissive.fail.sh   | 16 ++++++++++++++++

 .../tests/deny_policy_commented.fail.sh        | 18 ++++++++++++++++++

 .../tests/deny_policy_not_ensured.fail.sh      | 18 ++++++++++++++++++

 .../tests/fapolicy_permissive.fail.sh          |  5 -----

 .../tests/wrong_value.fail.sh                  | 11 -----------

 10 files changed, 88 insertions(+), 52 deletions(-)

 create mode 100644 linux_os/guide/services/fapolicyd/fapolicy_default_deny/tests/allow_policy.fail.sh

 delete mode 100644 linux_os/guide/services/fapolicyd/fapolicy_default_deny/tests/commented_value.fail.sh

 delete mode 100644 linux_os/guide/services/fapolicyd/fapolicy_default_deny/tests/correct_value.pass.sh

 delete mode 100644 linux_os/guide/services/fapolicyd/fapolicy_default_deny/tests/deny_not_last.fail.sh

 create mode 100644 linux_os/guide/services/fapolicyd/fapolicy_default_deny/tests/deny_policy.pass.sh

 create mode 100644 linux_os/guide/services/fapolicyd/fapolicy_default_deny/tests/deny_policy_but_permissive.fail.sh

 create mode 100644 linux_os/guide/services/fapolicyd/fapolicy_default_deny/tests/deny_policy_commented.fail.sh

 create mode 100644 linux_os/guide/services/fapolicyd/fapolicy_default_deny/tests/deny_policy_not_ensured.fail.sh

 delete mode 100644 linux_os/guide/services/fapolicyd/fapolicy_default_deny/tests/fapolicy_permissive.fail.sh

 delete mode 100644 linux_os/guide/services/fapolicyd/fapolicy_default_deny/tests/wrong_value.fail.sh

diff --git a/linux_os/guide/services/fapolicyd/fapolicy_default_deny/tests/allow_policy.fail.sh b/linux_os/guide/services/fapolicyd/fapolicy_default_deny/tests/allow_policy.fail.sh

new file mode 100644

index 00000000000..23d7e699056

--- /dev/null

+++ b/linux_os/guide/services/fapolicyd/fapolicy_default_deny/tests/allow_policy.fail.sh

@@ -0,0 +1,18 @@

+#!/bin/bash

+# packages = fapolicyd

+# remediation = none

+

+{{{ bash_shell_file_set("/etc/fapolicyd/fapolicyd.conf", "permissive", "1", "true") }}}

+

+if [ -f /etc/fapolicyd/compiled.rules ]; then

+    active_rules_file="/etc/fapolicyd/compiled.rules"

+else

+    active_rules_file="/etc/fapolicyd/fapolicyd.rules"

+fi

+

+truncate -s 0 $active_rules_file

+

+echo "allow exe=/usr/bin/python3.7 : ftype=text/x-python" >> $active_rules_file

+echo "allow perm=any all : all" >> $active_rules_file

+

+{{{ bash_shell_file_set("/etc/fapolicyd/fapolicyd.conf", "permissive", "0", "true") }}}

diff --git a/linux_os/guide/services/fapolicyd/fapolicy_default_deny/tests/commented_value.fail.sh b/linux_os/guide/services/fapolicyd/fapolicy_default_deny/tests/commented_value.fail.sh

deleted file mode 100644

index a8df835af76..00000000000

--- a/linux_os/guide/services/fapolicyd/fapolicy_default_deny/tests/commented_value.fail.sh

+++ /dev/null

@@ -1,12 +0,0 @@

-#!/bin/bash

-# packages = fapolicyd

-# remediation = none

-

-{{{ bash_shell_file_set("/etc/fapolicyd/fapolicyd.conf","permissive","1") }}}

-

-truncate -s 0 /etc/fapolicyd/fapolicyd.rules

-

-echo "allow exe=/usr/bin/python3.7 : ftype=text/x-python" > /etc/fapolicyd/fapolicyd.rules

-echo "# deny perm=any all : all" > /etc/fapolicyd/fapolicyd.rules

-

-{{{ bash_shell_file_set("/etc/fapolicyd/fapolicyd.conf","permissive","0") }}}

diff --git a/linux_os/guide/services/fapolicyd/fapolicy_default_deny/tests/correct_value.pass.sh b/linux_os/guide/services/fapolicyd/fapolicy_default_deny/tests/correct_value.pass.sh

deleted file mode 100644

index c88406b0be4..00000000000

--- a/linux_os/guide/services/fapolicyd/fapolicy_default_deny/tests/correct_value.pass.sh

+++ /dev/null

@@ -1,12 +0,0 @@

-#!/bin/bash

-# packages = fapolicyd

-# remediation = none

-

-{{{ bash_shell_file_set("/etc/fapolicyd/fapolicyd.conf","permissive","1") }}}

-

-truncate -s 0 /etc/fapolicyd/fapolicyd.rules

-

-echo "allow exe=/usr/bin/python3.7 : ftype=text/x-python" > /etc/fapolicyd/fapolicyd.rules

-echo "deny perm=any all : all" > /etc/fapolicyd/fapolicyd.rules

-

-{{{ bash_shell_file_set("/etc/fapolicyd/fapolicyd.conf","permissive","0") }}}

diff --git a/linux_os/guide/services/fapolicyd/fapolicy_default_deny/tests/deny_not_last.fail.sh b/linux_os/guide/services/fapolicyd/fapolicy_default_deny/tests/deny_not_last.fail.sh

deleted file mode 100644

index 59b16308563..00000000000

--- a/linux_os/guide/services/fapolicyd/fapolicy_default_deny/tests/deny_not_last.fail.sh

+++ /dev/null

@@ -1,12 +0,0 @@

-#!/bin/bash

-# packages = fapolicyd

-# remediation = none

-

-{{{ bash_shell_file_set("/etc/fapolicyd/fapolicyd.conf","permissive","1") }}}

-

-truncate -s 0 /etc/fapolicyd/fapolicyd.rules

-

-echo "deny perm=any all : all" >> /etc/fapolicyd/fapolicyd.rules

-echo "allow exe=/usr/bin/python3.7 : ftype=text/x-python" > /etc/fapolicyd/fapolicyd.rules

-

-{{{ bash_shell_file_set("/etc/fapolicyd/fapolicyd.conf","permissive","0") }}}

diff --git a/linux_os/guide/services/fapolicyd/fapolicy_default_deny/tests/deny_policy.pass.sh b/linux_os/guide/services/fapolicyd/fapolicy_default_deny/tests/deny_policy.pass.sh

new file mode 100644

index 00000000000..f3ff83ca602

--- /dev/null

+++ b/linux_os/guide/services/fapolicyd/fapolicy_default_deny/tests/deny_policy.pass.sh

@@ -0,0 +1,18 @@

+#!/bin/bash

+# packages = fapolicyd

+# remediation = none

+

+{{{ bash_shell_file_set("/etc/fapolicyd/fapolicyd.conf", "permissive", "1", "true") }}}

+

+if [ -f /etc/fapolicyd/compiled.rules ]; then

+    active_rules_file="/etc/fapolicyd/compiled.rules"

+else

+    active_rules_file="/etc/fapolicyd/fapolicyd.rules"

+fi

+

+truncate -s 0 $active_rules_file

+

+echo "allow exe=/usr/bin/python3.7 : ftype=text/x-python" >> $active_rules_file

+echo "deny perm=any all : all" >> $active_rules_file

+

+{{{ bash_shell_file_set("/etc/fapolicyd/fapolicyd.conf", "permissive", "0", "true") }}}

diff --git a/linux_os/guide/services/fapolicyd/fapolicy_default_deny/tests/deny_policy_but_permissive.fail.sh b/linux_os/guide/services/fapolicyd/fapolicy_default_deny/tests/deny_policy_but_permissive.fail.sh

new file mode 100644

index 00000000000..caa401ca174

--- /dev/null

+++ b/linux_os/guide/services/fapolicyd/fapolicy_default_deny/tests/deny_policy_but_permissive.fail.sh

@@ -0,0 +1,16 @@

+#!/bin/bash

+# packages = fapolicyd

+# remediation = none

+

+{{{ bash_shell_file_set("/etc/fapolicyd/fapolicyd.conf", "permissive", "1", "true") }}}

+

+if [ -f /etc/fapolicyd/compiled.rules ]; then

+    active_rules_file="/etc/fapolicyd/compiled.rules"

+else

+    active_rules_file="/etc/fapolicyd/fapolicyd.rules"

+fi

+

+truncate -s 0 $active_rules_file

+

+echo "allow exe=/usr/bin/python3.7 : ftype=text/x-python" >> $active_rules_file

+echo "deny perm=any all : all" >> $active_rules_file

diff --git a/linux_os/guide/services/fapolicyd/fapolicy_default_deny/tests/deny_policy_commented.fail.sh b/linux_os/guide/services/fapolicyd/fapolicy_default_deny/tests/deny_policy_commented.fail.sh

new file mode 100644

index 00000000000..4e4bc430cec

--- /dev/null

+++ b/linux_os/guide/services/fapolicyd/fapolicy_default_deny/tests/deny_policy_commented.fail.sh

@@ -0,0 +1,18 @@

+#!/bin/bash

+# packages = fapolicyd

+# remediation = none

+

+{{{ bash_shell_file_set("/etc/fapolicyd/fapolicyd.conf", "permissive", "1", "true") }}}

+

+if [ -f /etc/fapolicyd/compiled.rules ]; then

+    active_rules_file="/etc/fapolicyd/compiled.rules"

+else

+    active_rules_file="/etc/fapolicyd/fapolicyd.rules"

+fi

+

+truncate -s 0 $active_rules_file

+

+echo "allow exe=/usr/bin/python3.7 : ftype=text/x-python" >> $active_rules_file

+echo "# deny perm=any all : all" >> $active_rules_file

+

+{{{ bash_shell_file_set("/etc/fapolicyd/fapolicyd.conf", "permissive", "0", "true") }}}

diff --git a/linux_os/guide/services/fapolicyd/fapolicy_default_deny/tests/deny_policy_not_ensured.fail.sh b/linux_os/guide/services/fapolicyd/fapolicy_default_deny/tests/deny_policy_not_ensured.fail.sh

new file mode 100644

index 00000000000..b52e5446afc

--- /dev/null

+++ b/linux_os/guide/services/fapolicyd/fapolicy_default_deny/tests/deny_policy_not_ensured.fail.sh

@@ -0,0 +1,18 @@

+#!/bin/bash

+# packages = fapolicyd

+# remediation = none

+

+{{{ bash_shell_file_set("/etc/fapolicyd/fapolicyd.conf", "permissive", "1", "true") }}}

+

+if [ -f /etc/fapolicyd/compiled.rules ]; then

+    active_rules_file="/etc/fapolicyd/compiled.rules"

+else

+    active_rules_file="/etc/fapolicyd/fapolicyd.rules"

+fi

+

+truncate -s 0 $active_rules_file

+

+echo "deny perm=any all : all" >> $active_rules_file

+echo "allow exe=/usr/bin/python3.7 : ftype=text/x-python" >> $active_rules_file

+

+{{{ bash_shell_file_set("/etc/fapolicyd/fapolicyd.conf", "permissive", "0", "true") }}}

diff --git a/linux_os/guide/services/fapolicyd/fapolicy_default_deny/tests/fapolicy_permissive.fail.sh b/linux_os/guide/services/fapolicyd/fapolicy_default_deny/tests/fapolicy_permissive.fail.sh

deleted file mode 100644

index 50756a0e7a3..00000000000

--- a/linux_os/guide/services/fapolicyd/fapolicy_default_deny/tests/fapolicy_permissive.fail.sh

+++ /dev/null

@@ -1,5 +0,0 @@

-#!/bin/bash

-# packages = fapolicyd

-# remediation = none

-

-{{{ bash_shell_file_set("/etc/fapolicyd/fapolicyd.conf","permissive","0") }}}

diff --git a/linux_os/guide/services/fapolicyd/fapolicy_default_deny/tests/wrong_value.fail.sh b/linux_os/guide/services/fapolicyd/fapolicy_default_deny/tests/wrong_value.fail.sh

deleted file mode 100644

index da3e33f57fd..00000000000

--- a/linux_os/guide/services/fapolicyd/fapolicy_default_deny/tests/wrong_value.fail.sh

+++ /dev/null

@@ -1,11 +0,0 @@

-#!/bin/bash

-# packages = fapolicyd

-# remediation = none

-

-{{{ bash_shell_file_set("/etc/fapolicyd/fapolicyd.conf","permissive","1") }}}

-

-truncate -s 0 /etc/fapolicyd/fapolicyd.rules

-

-echo "allow exe=/usr/bin/python3.7 : ftype=text/x-python" > /etc/fapolicyd/fapolicyd.rules

-

-{{{ bash_shell_file_set("/etc/fapolicyd/fapolicyd.conf","permissive","0") }}}

From 0b731cf7a0433111311ab5e427a54d2f6c1b9d14 Mon Sep 17 00:00:00 2001

From: Marcus Burghardt <maburgha@redhat.com>

Date: Thu, 17 Nov 2022 11:02:34 +0100

Subject: [PATCH 4/5] Fixed bash_shell_file_set macro to consider spaces

Once the test scenario scripts were fixed, an issue was revelead in

bash_shell_file_set macro. The macro was not considering config files

which have spaces before and after the separator carachter. Since the

separator_regex parameter already expects regex format, it was easily

extended.

---

 shared/macros/10-bash.jinja | 8 ++++----

 1 file changed, 4 insertions(+), 4 deletions(-)

diff --git a/shared/macros/10-bash.jinja b/shared/macros/10-bash.jinja

index ae0f0e5e6ad..0e369314645 100644

--- a/shared/macros/10-bash.jinja

+++ b/shared/macros/10-bash.jinja

@@ -122,13 +122,13 @@ fi

 {{%- macro bash_shell_file_set(path, parameter, value, no_quotes=false) -%}}

 {{% if no_quotes -%}}

   {{% if "$" in value %}}

-  {{% set value = '%s' % value.replace("$", "\\$") %}}

+    {{% set value = '%s' % value.replace("$", "\\$") %}}

   {{% endif %}}

 {{%- else -%}}

   {{% if "$" in value %}}

-  {{% set value = '\\"%s\\"' % value.replace("$", "\\$") %}}

+    {{% set value = '\\"%s\\"' % value.replace("$", "\\$") %}}

   {{% else %}}

-  {{% set value = "'%s'" % value %}}

+    {{% set value = "'%s'" % value %}}

   {{% endif %}}

 {{%- endif -%}}

 {{{ set_config_file(

@@ -140,7 +140,7 @@ fi

         insert_before="^#\s*" ~ parameter,

         insensitive=false,

         separator="=",

-        separator_regex="=",

+        separator_regex="\s*=\s*",

         prefix_regex="^\s*")

     }}}

 {{%- endmacro -%}}

From 3a8101e921f7b0b5e261fdbf4b42bf210fcccf78 Mon Sep 17 00:00:00 2001

From: Marcus Burghardt <maburgha@redhat.com>

Date: Fri, 18 Nov 2022 09:58:47 +0100

Subject: [PATCH 5/5] Use jinja to limit the RHEL 8 minor version text

The change is intended to avoid that RHEL 9 and OL get RHEL 8 minor

version text.

---

 .../guide/services/fapolicyd/fapolicy_default_deny/rule.yml   | 4 ++++

 1 file changed, 4 insertions(+)

diff --git a/linux_os/guide/services/fapolicyd/fapolicy_default_deny/rule.yml b/linux_os/guide/services/fapolicyd/fapolicy_default_deny/rule.yml

index eeecd34e69a..220801bc471 100644

--- a/linux_os/guide/services/fapolicyd/fapolicy_default_deny/rule.yml

+++ b/linux_os/guide/services/fapolicyd/fapolicy_default_deny/rule.yml

@@ -41,10 +41,12 @@ ocil: |-

     Check that fapolicyd employs a deny-all policy on system mounts with the following commands:

+    {{%- if product in ["rhel8"] %}}

     For RHEL 8.5 systems and older:

     $ sudo tail /etc/fapolicyd/fapolicyd.rules

     For RHEL 8.6 systems and newer:

+    {{%- endif %}}

     $ sudo tail /etc/fapolicyd/compiled.rules

     allow exe=/usr/bin/python3.7 : ftype=text/x-python

@@ -58,10 +60,12 @@ fixtext: |-

     permissive = 1

+    {{%- if product in ["rhel8"] %}}

     For RHEL 8.5 systems and older:

     Build the whitelist in the "/etc/fapolicyd/fapolicyd.rules" file ensuring the last rule is "deny perm=any all : all".

     For RHEL 8.6 systems and newer:

+    {{%- endif %}}

     Build the whitelist in a file within the "/etc/fapolicyd/rules.d" directory ensuring the last rule is "deny perm=any all : all".

     Once it is determined the whitelist is built correctly, set the fapolicyd to enforcing mode by editing the "permissive" line in the /etc/fapolicyd/fapolicyd.conf file.