Linux fapolicyd Application Allowlisting Prompt
Design, test, and roll out fapolicyd application allowlisting so only trusted binaries and scripts execute, without locking yourself out or breaking legitimate app updates, package installs, and interpreters.
- Target user
- Linux security engineers and sysadmins hardening execution policy
- Difficulty
- Advanced
- Tools
- Claude, ChatGPT
The prompt
You are a senior Linux security engineer who deploys fapolicyd application allowlisting (execution control) on RHEL-family hosts without breaking production. I will provide: - Distro/version and whether fapolicyd + the RPM/DNF integration are installed - The host's role and what legitimately runs: packaged binaries, in-house apps in `/opt` or `/srv`, interpreted scripts (bash/python/perl), JIT/runtime engines (Java, Node), containers - How software is deployed/updated (dnf, container images, CI artifacts, config management) - Current state: is fapolicyd off, in permissive, or enforcing, and any prior denials from `journalctl`/`fanotify` Your job: 1. **Explain the trust model.** fapolicyd allows execution based on a trust database (RPM-backed trust for packaged files + a file/ancillary trust list for everything else) and rules matching subject/object/permission. Clarify that it controls `execute` and `open` for interpreted content too, which is why scripts and interpreters both need coverage. 2. **Inventory what must be trusted.** From the host role, enumerate the non-packaged binaries, script directories, and runtime paths that need explicit trust, and how to add them (`fapolicyd-cli --file add`, ancillary trust in `/etc/fapolicyd/trust.d/`) and update the DB (`fapolicyd-cli --update`). 3. **Design the rule order.** fapolicyd evaluates rules top-down, first match wins. Draft `/etc/fapolicyd/rules.d/` entries that allow trusted execution, handle interpreters reading untrusted scripts, and end with a default deny — in the correct order, with comments explaining each. 4. **Roll out in permissive first.** Insist on `permissive = 1` (or debug/monitor) to collect would-be denials before enforcing. Show how to read the denial stream (`journalctl -u fapolicyd`, `fapolicyd --debug-deny`) and turn each legitimate denial into a trust entry or rule. 5. **Keep updates working.** Explain how packaged updates via dnf refresh trust automatically, and give a concrete workflow for updating in-house apps (deploy → `fapolicyd-cli --file update` / `--update`) so a new build isn't blocked. 6. **Preserve a lockout escape hatch.** Provide the exact recovery path (boot without fapolicyd / stop the service from a trusted shell / permissive fallback) so a bad rule never leaves the host unadministrable. Output as: a rollout plan (permissive → tune → enforce), the concrete trust entries and ordered rules for this host, a denial-triage workflow, and an explicit lockout-recovery section. Default to caution: recommend an extended permissive/monitoring period and a tested recovery path before flipping any host to enforcing.
Run this prompt with AI
Test it, get an AI-improved version, or compare models — live in the Prompt Workspace. No copy-paste.
Why this prompt works
Application allowlisting is high-value hardening that is also a classic self-lockout hazard: enforce too early and you block sudo, sshd, or your own tooling. This prompt sequences a permissive soak, an inventory of what must be trusted, and an explicit escape hatch before anything goes enforcing.
How to use it
- Start on a canary that mirrors the role’s software set.
- Run permissive for a full workload cycle (including a package update and an app deploy) before enforcing.
- Keep the recovery path documented in the runbook, not just in this session.
Useful commands
# State and mode
systemctl status fapolicyd
grep -E '^permissive' /etc/fapolicyd/fapolicyd.conf
# Trust management (packaged trust is automatic via RPM)
sudo fapolicyd-cli --file add /opt/myapp/bin/worker
sudo fapolicyd-cli --update
fapolicyd-cli --list-trust | grep myapp
# Watch would-be / real denials
sudo fapolicyd --debug-deny 2>&1 | grep deny
journalctl -u fapolicyd -f
# Rules live here, evaluated top-down, first match wins
ls /etc/fapolicyd/rules.d/ Related prompts
-
Linux USBGuard Device Authorization Policy Prompt
Author and roll out a USBGuard policy that allowlists known USB devices and blocks rogue/BadUSB hardware, without cutting off the keyboard, KVM, or boot devices you need to stay logged in.
-
Runtime Capability & Ambient Set Audit (getpcaps) Prompt
Audit what Linux capabilities a running process actually holds across its permitted/effective/inheritable/ambient/bounding sets, and decide whether a service is over-privileged or whether a 'permission denied' is a missing capability.
-
SetUID/SetGID Binary Audit Prompt
Inventory every setuid and setgid binary on a host, classify each as expected, removable, or suspicious, and propose a least-privilege remediation plan that uses capabilities instead of full root.
-
Linux Capabilities Audit & Hardening Prompt
Audit POSIX file capabilities and per-process capability sets to find binaries and services that hold more privilege than they need, then drop them — replacing blunt setuid-root with least-privilege capabilities.
More Linux Admins prompts & error guides
Browse every Linux Admins prompt and troubleshooting guide in one place.
Reading prompts? Get all 500 in one free PDF
500 battle-tested, copy-paste AI prompts engineered by a senior systems engineer — every one with fill-in placeholders and safety/back-out notes. Drop your email and it's yours.
- 500 prompts: Linux · Kubernetes · Terraform · OpenStack · GitLab · Docker · Monitoring · Incident Response
- Instant PDF download — yours free, forever
- Plus one practical AI-workflow email a week (no spam)
Single opt-in · unsubscribe anytime · no spam.