Prisma Cloud Compute: How to resolve "filesystem monitoring initialization failed: fork/exec /opt/twistlock/fsmon: operation not permitted " error

Created On 02/12/25 17:10 PM - Last Modified 10/20/25 15:51 PM


Symptom


  • You have deployed a Host/Container defender in your environment.
  • The defender is connected but shows the error "Error in defender Component".
  • Upon expanding the details, you see the following error: "filesystem monitoring initialization failed: fork/exec /opt/twistlock/fsmon: operation not permitted "




Environment


  • Prisma Cloud Compute SaaS version
  • Prisma Cloud Compute Self-Hosted version
  • RHEL




Cause


The error may be caused by fapolicyd (File Access Policy Daemon) being enabled. fapolicyd is a security feature in RHEL that regulates the execution of binaries and scripts according to a set of predefined rules. Acting as a whitelist/blacklist mechanism, fapolicyd ensures that only authorized files can be executed, which hardens the host.

This error appears because the Twistlock (defender) files are not whitelisted in fapolicyd's rules, so fapolicyd denies the exec of /opt/twistlock/fsmon and the defender cannot start filesystem monitoring.



Resolution


  1. Verify that fapolicyd is enabled/running on the host:
     systemctl status fapolicyd

  2. Whitelist the path "/var/lib/twistlock" in fapolicyd by creating a custom rule file (99-twistlock-allow.rules):
     sudo vi /etc/fapolicyd/rules.d/99-twistlock-allow.rules

  3. Add the following allow rule to the 99-twistlock-allow.rules file and save it:
     allow perm=execute all : dir=/var/lib/twistlock

  4. Restart the fapolicyd service:
     sudo systemctl restart fapolicyd

  5. Restart the defender; the error should go away.
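The steps above as POSIX shell functions, an added example that is not part of this article or of Palo Alto's tooling: they recognise the symptom string, add the drop-in rule only when it is not already there, and restart fapolicyd. The rule file path, directory and rule text are the article's; the function names and the RULES_FILE/DEFENDER_DIR variables are assumptions of this example.

```shell
#!/bin/sh
# Added example (not from the KB article): idempotently apply the fapolicyd
# allow rule for the defender directory and check a status line for the symptom.
# fapolicyd merges rules.d/*.rules in lexical order and stops at the first
# matching rule, so the 99- prefix keeps this allow rule behind vendor rules.

RULES_FILE=${RULES_FILE:-/etc/fapolicyd/rules.d/99-twistlock-allow.rules}
DEFENDER_DIR=${DEFENDER_DIR:-/var/lib/twistlock}

# Print the exact allow rule the article uses, for the given directory.
allow_rule() {
    printf 'allow perm=execute all : dir=%s\n' "$1"
}

# Return 0 when the rules file already holds the allow rule for that directory.
rule_present() {
    [ -r "$1" ] && grep -Fxq -e "$(allow_rule "$2")" "$1"
}

# Append the rule only if it is missing; echo "added" or "present".
ensure_rule() {
    if rule_present "$1" "$2"; then
        echo present
    else
        allow_rule "$2" >> "$1" && echo added
    fi
}

# Return 0 when a defender status/log line matches the symptom in the article
# (an exec denied with EPERM is what fapolicyd produces for an unallowed binary).
is_fapolicyd_symptom() {
    case "$1" in
        *"fork/exec "*": operation not permitted"*) return 0 ;;
        *) return 1 ;;
    esac
}

# Live fix for the RHEL host (run as root); not exercised by the offline test.
apply_fix() {
    if ! systemctl is-active --quiet fapolicyd; then
        echo "fapolicyd is not running; the cause lies elsewhere" >&2
        return 1
    fi
    ensure_rule "$RULES_FILE" "$DEFENDER_DIR"
    systemctl restart fapolicyd
    echo "rule applied; restart the defender and re-check its status"
}
```

Run `apply_fix` as root on the affected host; `ensure_rule` can be re-run safely because it never duplicates the rule.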


