So my name is Radovan Sroka and I'm working here in Red Hat in Brno as a software engineer, and I'd like to talk about application whitelisting a little bit. So what is application whitelisting? Well, it is a security practice where the application or program is allowed to run according to its presence in a list. Usually an administrator is responsible for maintaining such a list, which application will be there or won't be. So why is that so important? Well, there are at least two reasons: because it adds another level of security to the system, and because application whitelisting capability is part of many certification schemes, for example Common Criteria and others, and this actually pushes the software vendors to implement some sort of application whitelisting solution.

So where is Red Hat? Well, we introduced the fapolicyd framework in RHEL 8.1 and Fedora, I guess 29. What is the fapolicyd framework? Well, it's a simple and lightweight solution from Red Hat, and it benefits from RPM and DNF integration. It has also audit support, and it is built upon the fanotify API. The fanotify API is a kernel API which is similar to inotify. Who knows inotify? This API can watch filesystem events based on system calls like open and close and read and write, but fanotify can watch also the execve system call, and it is blockable on the system call side.
That means the system call is being on hold while the watcher is doing the response. We can see the diagram here. So we have two processes here. The one on the left is bash, which is being watched by the fapolicyd daemon, which is the watcher, and bash would like to execute the standard ps Linux command. So if bash calls execve, this system call will be on hold and the kernel will send the fanotify events to the watcher about what's happening. So the fapolicyd daemon can read from the event that bash wants to execute the ps command with such a PID, and the fapolicyd daemon has to decide what to do with it. There are two possible resolutions: this will be allowed or denied. If this is going to be allowed, execve will continue and it will eventually end with success; but if this is denied and the fapolicyd daemon sends the deny, then execve will fail and the ps command won't be executed.

So the fapolicyd framework can be divided into a few parts, but the most significant one is the daemon. When the daemon starts it loads all backends and all data from them, and it stores them in its internal database, and then it is waiting for fanotify events. When such an event occurs on the system, it will look up the rule that matches and eventually it will check if the content of that event is trusted or not. It can construct a query against the database, and if it succeeds it can tell that it is trusted.

So fapolicyd can be configured in three ways. The first one is the rules file, which usually holds the default set of rules. The second way is the configuration file for the daemon, where we can set some performance options. And the last way is to edit the trust file, where you can specify the list of applications which we trust. So as I said before, there are optional backends here. By default there are two of them: rpmdb and fapolicyd trust. The rpmdb backend just loads all files from the RPM database and it makes them trusted, and
fapolicyd trust is another way how to specify these applications, by the administrator for example. So when we have these files in the database we can say they are trusted, and if they are trusted, by default, with the default rule set, they will be allowed to run.

So fapolicyd has implemented a language which has a subject-object notation, as SELinux or audit, and it can be divided into four parts. The first, decision, can be allow or deny, and it can be also audited. Decision means what action will be taken if a rule matches, and it can also send an audit message to auditd. Permission is based on the fanotify API, which can be open or execute; that comes from what syscall was called. There is also the any keyword which can match both of them. Another part is subject. Subject is the process which is going to call the system call, and object is what is going to be executed or opened.

That's all about fapolicyd. We can install it; installation is as simple as that, it is in the default repositories in RHEL and Fedora. So if we install it, what can we do with it? So we would like to enable some custom software in a home directory. Let's say I'm a regular user and I would like to run my script or something. So let's say I have two files in my home directory: one is a binary and the second one is a Python script. I created the binary from a copy of the ls command, but it's in my home. So if I run it, it will bring me what is in this directory. So I need to run the fapolicyd daemon in the background and save the command output. Then, after that, if I try this binary it is not possible to run it, as we can see. So what can we do about it?
We can investigate the output of the fapolicyd daemon. If you start looking for my-bin, you can grep that there is a line that says that there was an event about that and it was denied. And we can see that there is some metadata, and it was denied by rule number nine, which is some default rule that denies everything, probably. So we can see that the event had execute permission and the subject is my shell, which is going to execute my-bin with this file type, as an executable. So we need to create a rule that will allow such an event. So let's say we allow an event that has execute permission, and we can specify there my bash or my shell, or we can put there all and it will work with any shell, let's say. But the important thing here is that it has to be trusted, and trusted means that it comes from the RPM database; it is properly installed on the system and it is not some third-party script or something. So let's specify the object, which is my-bin, with this file type, and we know that this file is definitely not trusted, but it's optional to put that there. If we do that, you can see that now we are able to run this binary in the home directory. So there's success right now.

Let's try to run the Python script. This is some hello world example. So again, if we run fapolicyd in debug mode in the background, then we are not able to run this application. So let's again investigate the output, and after grepping for my-app we can see there is an event really similar to that before, but it differs in the file type and in the file, which is actually the object.
So the subject is totally the same; we need to change only the object. If we construct the rule with the same approach as before, you can get something like that, so we just change the file as the object, and the file type again. But after that it's still not working. So we can run it again, and you can see that we can now grep two events. So there is one new subsequent event there, and we can see that they differ only in permission. So we can change the rule which we had before to any. It's the same rule for the Python script, but with any permission, and if we run it again with this rule, it starts to work.

But there are two ways how to run a Python script, right? We tried the left one, but there is also the right one. I would like to point out a difference: if we grep for the event in the fapolicyd log, we can see that if we run this script with the Python interpreter specified, the subject will change. But if we put there the all keyword as a subject, as before, it will still work; but it differs, and it's good to know.

Another way how to enable running an application in home is to enable the whole directory with the option in object, but that's not very wise, because you can run almost everything in the home directory, right? And the last option is that you can mark these files as trusted and put them in the fapolicyd trust file, and if they are trusted they can be run or executed.
Okay, that's okay. So if we are okay with our configuration and everything works, we can just enable the fapolicyd daemon with systemd and you can benefit from it. Okay, thank you.

[Audience question, partly inaudible:] ... because of all the competition for this system protection, especially things like network sockets, and ... why is that ... does it have any benefit ... comparing to the competition with antivirus companies or something?

So the difference is that each antivirus checks binaries for some patterns and then it decides if it will be allowed, or moved to, I don't know, some quarantine. But we have this simple idea behind that: what is installed from the official repository is allowed. Okay, we trust it, and we trust also the RPM database that it can verify the files on the disk, and so we are okay. That's our line that we don't cross. Yeah, it's a young project. Also this API is very limited, but we are using this exact cause ... this is the most important feature of that API. Any question? Preferably an easy one.

[Audience question, partly inaudible:] ... for other distributions?

So we have some kind of API which we can expand; we can implement whichever source we choose, it can be really whatever. We can set in the daemon configuration which backend we use; we can use also multiple backends at the same time, and then in the rule language everything is just trusted or not. So that's how it works.

[Audience question, inaudible.]

I had that question a lot. The basic idea behind that is, okay, you can deny something through SELinux, but this is more like a dynamic solution; you can change it a lot, it's user friendly. It's very hard to maintain something like that in SELinux.

[Audience question, partly inaudible:] ... the cost of ...

Can you repeat it again? ... Overhead, like some performance impact or something like that.
Yeah, of course there is some performance hit, but we worked on it and we reduced it a lot in the last year, let's say. I'm not sure; I won't be telling any numbers, but there is some. But it's definitely better than IMA, like it's another level; that's why I said it's lightweight and simple. It's really fast in comparison to IMA. Any other questions?
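The talk builds its allow rules by hand from the daemon's debug output: grep the deny line for the file, read off the permission, the subject (the shell) and the object (path and file type), and write a rule in which the subject must be trusted and the object is marked untrusted; when the Python script is denied twice, once for execute and once for the subsequent open, the permission becomes any. The script below is an added example, not code from the talk or from the fapolicyd project, that automates exactly that reading. The three deny lines are constructed, and their key=value layout (subject fields before the colon, object fields after it) is an assumption about the daemon's debug format; the function names `field` and `suggest_rule` are mine.

```shell
#!/bin/sh
# Added example (not from the talk): turn fapolicyd debug "deny" lines into the
# allow rules the speaker builds by hand. The three sample lines below are
# constructed; they are assumed to follow the key=value layout of fapolicyd's
# debug output ("rule= dec= perm= ... exe= : path= ftype= trust="), with the
# subject fields before the colon and the object fields after it.

DENY_BIN='rule=9 dec=deny_audit perm=execute auid=1000 pid=4242 exe=/usr/bin/bash : path=/home/alice/my-bin ftype=application/x-executable trust=0'
DENY_PY_EXEC='rule=9 dec=deny_audit perm=execute auid=1000 pid=4243 exe=/usr/bin/bash : path=/home/alice/my-app.py ftype=text/x-python trust=0'
DENY_PY_OPEN='rule=9 dec=deny_audit perm=open auid=1000 pid=4243 exe=/usr/bin/bash : path=/home/alice/my-app.py ftype=text/x-python trust=0'

# field KEY LINE: print the value of KEY=... from one debug line (empty if absent)
field() {
  printf '%s\n' "$2" | tr ' ' '\n' | sed -n "s/^$1=//p" | head -n 1
}

# suggest_rule TARGET LINE...: collect every deny event for TARGET and print one
# allow rule. Subject: the shell that ran it, required to be trusted (trust=1,
# i.e. it comes from the RPM database). Object: the file and its type, marked
# trust=0. If the file was denied under more than one permission (execute, then
# the subsequent open, as with the Python script) the rule uses perm=any.
suggest_rule() {
  target=$1; shift
  perms=""; exe=""; ftype=""
  for line in "$@"; do
    [ "$(field path "$line")" = "$target" ] || continue
    p=$(field perm "$line")
    case " $perms " in
      *" $p "*) ;;                 # permission already seen for this path
      *) perms="$perms $p" ;;
    esac
    exe=$(field exe "$line")
    ftype=$(field ftype "$line")
  done
  [ -n "$exe" ] || return 1        # no event for this path: nothing to suggest
  set -- $perms                    # word-split the collected permissions
  if [ "$#" -gt 1 ]; then perm=any; else perm=$1; fi
  printf 'allow perm=%s exe=%s trust=1 : path=%s ftype=%s trust=0\n' \
    "$perm" "$exe" "$target" "$ftype"
}

# Demo: the two rules from the talk, derived from the constructed events.
suggest_rule /home/alice/my-bin "$DENY_BIN"
suggest_rule /home/alice/my-app.py "$DENY_PY_EXEC" "$DENY_PY_OPEN"
```

The printed rule has to be placed above the default deny rule (rule number nine in the talk), because fapolicyd evaluates rules in order and the first match decides; a rule appended after the catch-all deny is never reached. Keeping `trust=1` on the subject is the part worth preserving when editing by hand: it is what stops an untrusted copy of a shell from inheriting the exception.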