File Access Policy Daemon - Whitelisting scanner

This section describes the methods to whitelist scanner services in File Access Policy Daemon.

About this task

By default, fapolicyd (File Access Policy Daemon) blocks the scan. To use BigFix Inventory on such a system, the rules must be updated to allow execution of the BigFix Scanner executables: wcitinst, wscancfg, wscansw, wscanfs, wscanhw and cpuid. Otherwise, the following actions fail:
  • Installation of the software scanner: the Install or Upgrade Scanner fixlet fails with error code 1 (wcitinst / wcitcfg)
  • The Initiate Software Scan fixlet completes, but all scan types end with error code 57 in the <computer_id>_citlog.log file located in the BESClient/LMT/CIT/ folder (wscansw / wscanfs):
    Catalog scan failed: scanner finished with errors (57)
  • The capacity scanner action Run Capacity Scan and Upload Results fails with error code 2 (wscanhw)
  • The Detailed Hardware Information action Collect Detailed Hardware Information fails with error code 1 (wscanhw)
Note: The approach to defining the rules that grant the scanner executables access to files has changed.

Perform the following steps to enable the scanner to install, update, and perform scans on the endpoint:

Procedure

  1. Locate the first fapolicyd rules file that contains any rule starting with deny_.
    Run the command:
    # grep deny_ /etc/fapolicyd/rules.d/*
    to list the files that contain deny_ rules, and pick the one with the lowest number prefix.
  2. Create a custom rules file.

    Create a new rules file with a number prefix lower than that of the first deny rules file. For example, if the first deny rule is in 30-patterns.rules, create /etc/fapolicyd/rules.d/29-bigfix.rules with the following content:

    allow perm=open auid=-1 exe=/opt/BESClient/tools/scanner/internal/bin/wscancfg : dir=/opt/BESClient/
    allow perm=open auid=-1 exe=/opt/BESClient/bin/BESClient : all
    allow perm=open auid=-1 exe=/opt/BESClient/tools/scanner/installer/wcitinst : dir=/etc/
    allow perm=open auid=-1 exe=/opt/BESClient/tools/scanner/installer/wcitinst : dir=/opt/BESClient/
    allow perm=open auid=-1 exe=/opt/BESClient/tools/scanner/installer/wcitinst : path=/usr/bin/bash ftype=application/x-executable trust=1
    allow perm=open auid=-1 exe=/opt/BESClient/tools/scanner/installer/wcitinst : dir=/usr/share/zoneinfo ftype=application/octet-stream
    allow perm=open auid=-1 exe=/opt/BESClient/tools/scanner/internal/bin/wscancfg : dir=/usr/lib64/gconv/
    allow perm=open auid=-1 exe=/opt/BESClient/tools/scanner/internal/bin/wscancfg : dir=/etc/
    allow perm=open auid=-1 exe=/opt/BESClient/tools/scanner/internal/bin/wscancfg : dir=/opt/BESClient/
    allow perm=open auid=-1 exe=/opt/BESClient/tools/scanner/internal/bin/wscancfg : dir=/var/opt/BESClient/
    allow perm=open auid=-1 exe=/opt/BESClient/tools/scanner/internal/bin/wscancfg : dir=/usr/lib/locale ftype=application/octet-stream
    allow perm=open auid=-1 exe=/opt/BESClient/tools/scanner/internal/bin/wscancfg : dir=/usr/share/locale ftype=text/plain
    allow perm=open auid=-1 exe=/opt/BESClient/tools/scanner/internal/bin/wscanfs : dir=/opt/BESClient/
    allow perm=open auid=-1 exe=/opt/BESClient/tools/scanner/internal/bin/wscanfs : dir=/var/opt/BESClient/
    allow perm=open auid=-1 exe=/opt/BESClient/tools/scanner/internal/bin/wscanfs : dir=/tmp/
    allow perm=open auid=-1 exe=/opt/BESClient/tools/scanner/internal/bin/wscanfs : dir=/etc/
    allow perm=open auid=-1 exe=/opt/BESClient/tools/scanner/internal/bin/wscanfs : dir=/usr/
    allow perm=open auid=-1 exe=/opt/BESClient/tools/scanner/internal/bin/wscanhw : dir=/opt/BESClient/
    allow perm=open auid=-1 exe=/opt/BESClient/tools/scanner/internal/bin/wscanhw : dir=/var/opt/BESClient/
    allow perm=open auid=-1 exe=/opt/BESClient/tools/scanner/internal/bin/wscanhw : dir=/etc/
    allow perm=open auid=-1 exe=/opt/BESClient/tools/scanner/internal/bin/wscanhw : dir=/usr/
    allow perm=open auid=-1 exe=/opt/BESClient/tools/scanner/internal/bin/wscanhw : path=/usr/bin/bash ftype=application/x-executable trust=1
    allow perm=execute auid=-1 exe=/opt/BESClient/tools/scanner/internal/bin/wscanhw : path=/opt/BESClient/tools/scanner/internal/bin/diskscan ftype=application/x-executable
    allow perm=execute auid=-1 exe=/opt/BESClient/tools/scanner/internal/bin/wscanhw : path=/opt/BESClient/tools/scanner/internal/bin/cpuid ftype=application/x-executable
    allow perm=open auid=-1 exe=/opt/BESClient/tools/scanner/internal/bin/cpuid : dir=/etc/
    allow perm=open auid=-1 exe=/opt/BESClient/tools/scanner/internal/bin/cpuid : dir=/usr/share/
    allow perm=open auid=-1 exe=/opt/BESClient/tools/scanner/internal/bin/cpuid : dir=/opt/BESClient/
    allow perm=open auid=-1 exe=/opt/BESClient/tools/scanner/internal/bin/diskscan : dir=/etc/
    allow perm=open auid=-1 exe=/opt/BESClient/tools/scanner/internal/bin/diskscan : path=/usr/bin/sg_map ftype=application/x-executable trust=1
    allow perm=open auid=-1 exe=/opt/BESClient/tools/scanner/internal/bin/diskscan : path=/usr/sbin/dmsetup ftype=application/x-executable trust=1
    allow perm=open auid=-1 exe=/opt/BESClient/tools/scanner/internal/bin/diskscan : path=/usr/sbin/lvm ftype=application/x-executable trust=1
    allow perm=open auid=-1 exe=/opt/BESClient/tools/scanner/internal/bin/wscansw : dir=/opt/BESClient/
    allow perm=open auid=-1 exe=/opt/BESClient/tools/scanner/internal/bin/wscansw : dir=/var/opt/BESClient/
    allow perm=open auid=-1 exe=/opt/BESClient/tools/scanner/internal/bin/wscansw : dir=/etc/
    allow perm=open auid=-1 exe=/opt/BESClient/tools/scanner/internal/bin/wscansw : dir=/usr/
    allow perm=open auid=-1 exe=/opt/BESClient/tools/scanner/internal/bin/wscansw : dir=/tmp/
    allow perm=open auid=-1 exe=/var/opt/BESClient/LMT/CIT/bzip2 : dir=/etc/
    allow perm=open auid=-1 exe=/var/opt/BESClient/LMT/CIT/bzip2 : dir=/var/opt/BESClient/
  3. Add the scanner rules to the custom rules file:
    # vi 29-bigfix.rules   (copy and paste the rules above into the file)
  4. Apply and activate the rules:
    1. Check the created rules: # fagenrules --check
    2. Compile and load the updated rules: # fagenrules --load
    3. Restart the fapolicyd service: # systemctl start fapolicyd
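The prefix lookup from steps 1 and 2, as an added helper script that is not part of this documentation or of BigFix: it finds the lowest-numbered rules file containing a deny_ rule, derives the prefix one below it, and refuses to overwrite an existing file or to install anything other than allow rules, comments and blank lines. The function names and the rules-source argument are this example's own; the sample rule contents are constructed.

```shell
#!/bin/sh
# Added helper for steps 1 and 2 (not part of the BigFix documentation).
# Function names and the RULES_SRC argument are this example's own.

# Print the name of the lowest-numbered rules file that contains a deny_ rule.
first_deny_file() {                # first_deny_file RULES_DIR
    grep -l 'deny_' "$1"/*.rules 2>/dev/null \
        | sed 's#.*/##' | sort -t- -k1,1n | head -n 1
}

# Print the two-digit prefix one below the first deny file (30-patterns.rules -> 29).
# Fails when no deny_ file exists or when no number below it is available.
bigfix_rules_prefix() {            # bigfix_rules_prefix RULES_DIR
    deny=$(first_deny_file "$1")
    [ -n "$deny" ] || { echo "no deny_ rules file in $1" >&2; return 1; }
    num=${deny%%-*}                # leading number before the first '-'
    case $num in
        ''|*[!0-9]*) echo "unexpected rules file name: $deny" >&2; return 1 ;;
    esac
    n=$(( ${num#0} - 1 ))          # strip one leading zero so 08 is not read as octal
    [ "$n" -ge 0 ] || { echo "no free prefix below $deny" >&2; return 1; }
    printf '%02d\n' "$n"
}

# Copy a file holding the allow rules from step 2 into RULES_DIR under the
# computed prefix. Refuses to overwrite, and rejects any line that is not an
# allow rule, a comment or blank, so a stray deny or a typo cannot slip in.
install_bigfix_rules() {           # install_bigfix_rules RULES_DIR RULES_SRC
    prefix=$(bigfix_rules_prefix "$1") || return 1
    target="$1/$prefix-bigfix.rules"
    [ ! -e "$target" ] || { echo "$target exists, not overwriting" >&2; return 1; }
    if grep -qvE '^(allow |#|$)' "$2"; then
        echo "$2 contains lines that are not allow rules" >&2; return 1
    fi
    cp "$2" "$target" && echo "$target"
}
```

After the file is in place, validate and load it with fagenrules --check and fagenrules --load as in step 4.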

Results

After fapolicyd restarts, if the scanner installation had failed, run the Uninstall Scanner fixlet and repeat the installation. Otherwise, repeat the failed operation to check whether the scanner is now allowed to execute on the endpoint.
Note: For more information on fapolicyd, refer to the Red Hat documentation if you are using Red Hat. For other Linux distributions, refer to https://github.com/linux-application-whitelisting/fapolicyd.

Removing BigFix Scanner fapolicyd rules

To remove the rules created for BigFix Scanner from fapolicyd, follow these steps:

1. Delete the custom rules file, for example “29-bigfix.rules”:

  1. Go to the rules directory: # cd /etc/fapolicyd/rules.d

  2. Identify and delete the custom rules file, e.g.: # rm 29-bigfix.rules

2. Run # fagenrules --load to reload the configuration without the custom rules.

3. Restart the fapolicyd service: # systemctl restart fapolicyd

If there are still issues running BigFix Scanner, investigate as follows:
  1. Enable debug mode for fapolicyd denials:
    1. Connect to the affected device
    2. Stop fapolicyd: # systemctl stop fapolicyd
    3. Start fapolicyd with debug on: # fapolicyd --debug-deny
    4. Keep the session open to watch the output
  2. From the BigFix Console, re-issue the failing action
  3. Watch the output on the console; the first denial should be reported
  4. Go back to the affected device:
    1. Interrupt the debug session
    2. Adjust the configuration
    3. Run fagenrules --check to confirm that the rules were entered correctly
    4. Run fagenrules --load to reload the configuration
    5. Start debug again: # fapolicyd --debug-deny
  5. Repeat steps 2, 3 and 4 until no errors are reported.
  6. Start fapolicyd again: # systemctl start fapolicyd

See also Red Hat Documentation: Troubleshooting issues related to fapolicyd