- release now has 3 integrity modes: file size, IMA, and sha256 based
- it can now send event information to syslog
- the syslog event information is tailorable to how you'd like to see it
- there is now the ability to create sets of words that can be matched
against in the rules engine
- there are now 2 policies shipped: known-libs and restrictive
- fapolicyd-cli can now dump the trust db for inspection
- the integrity system needs sha256 hashes,
it will print a warning for files in rpms that do not have them
- polished the pattern detection engine
- rpm backend now drops most of the files in /usr/share/ to dramatically reduce
memory consumption and improve startup speed
- the commandline utility can now delete the lmdb trust database and manage
the file trust source
- dramatically improved startup time
- fapolicyd-cli has picked up --list and --ftype commands to help debug/write policy
- file type identification has been improved
- trust database statistics have been added to the reports
- allows watched mount points to be specified by file system types
- ELF file detection was improved
- the rules have been rewritten to express the policy based on subject
object trust for better performance and reliability
- exceptions for dracut and ansible were added to the rules to avoid problems
under normal system use
- adds an admin defined trust database (fapolicyd.trust)
- setting boost, queue, user, and group on the daemon
command line are deprecated
Improved subject cache management, performance improvements, drop need for
fapolicyd.mounts file - daemon detects filesystems to monitor, stop collecting
documentation in the trust database, and handle long paths.
This release features:
- systemd usage updates
- file permission adjustments based on selinux policy review
- unterminated reads of auid & sessionid values was fixed
- ld_preload pattern is deprecated for now