Forge Home

fapolicyd

A Puppet module for managing fapolicyd

181 downloads

139 latest version

3.1 quality score

We run a couple of automated
scans to help you access a
module's quality. Each module is
given a score based on how well
the author has formatted their
code and documentation and
modules are also checked for
malware using VirusTotal.

Please note, the information below
is for guidance only and neither of
these methods should be considered
an endorsement by Puppet.

Version information

  • 0.1.1 (latest)
  • 0.1.0
released Mar 11th 2024
This version is compatible with:
  • Puppet Enterprise 2023.8.x, 2023.7.x, 2023.6.x, 2023.5.x, 2023.4.x, 2023.3.x, 2023.2.x, 2023.1.x, 2021.7.x
  • Puppet >= 7.24 < 9.0.0

Start using this module

  • r10k or Code Manager
  • Bolt
  • Manual installation
  • Direct download

Add this module to your Puppetfile:

mod 'jortencio-fapolicyd', '0.1.1'
Learn more about managing modules with a Puppetfile

Add this module to your Bolt project:

bolt module add jortencio-fapolicyd
Learn more about using this module with an existing project

Manually install this module globally with Puppet module tool:

puppet module install jortencio-fapolicyd --version 0.1.1

Direct download is not typically how you would use a Puppet module to manage your infrastructure, but you may want to download the module in order to inspect the code.

Download

Documentation

jortencio/fapolicyd — version 0.1.1 Mar 11th 2024

Reference

Table of Contents

Classes

  • fapolicyd: A class for installing and configuring fapolicyd

Defined types

Functions

Private Functions

  • fapolicyd::format_rule: A function for formatting a rule to be added to a .rules file
  • fapolicyd::get_trusted_file_info: A function that returns the trusted application's file information in the format <file absolute path> <file size> <file sha256 hash>

Data types

Classes

fapolicyd

This class installs and configures fapolicyd

Examples

include fapolicyd

Parameters

The following parameters are available in the fapolicyd class:

package_ensure

Data type: Enum['present', 'installed', 'absent']

Set the state of the package

Default value: 'present'

service_ensure

Data type: Enum['running', 'stopped']

Set the state of the service

Default value: 'running'

service_enable

Data type: Boolean

Set whether the service is enabled/disabled

Default value: true

permissive

Data type: Integer[0,1]

Set to 0 to send policy decision to the kernel for enforcement. Set to 1 to always allow access even if a policy would block it.

Default value: 0

nice_val

Data type: Integer[0,20]

Set a process niceness value scheduler boost

Default value: 14

q_size

Data type: Integer[1]

Set the queue size for the internal queue that fapolicyd will use.

Default value: 800

uid

Data type: String[1]

Set the uid or name of the user account under which fapolicy should switch to during startup

Default value: 'fapolicyd'

gid

Data type: String[1]

Set the gid or name of the group under which fapolicy should switch to during startup

Default value: 'fapolicyd'

do_stat_report

Data type: Integer[0,1]

Set whether fapolicy do should (1) or should not (0) create a usage statistics policy on shutdown

Default value: 1

detailed_report

Data type: Integer[0,1]

Set whether fapolicyd should(1) or should not(0) add subject and object information to the usage statistics report

Default value: 1

db_max_size

Data type: Integer[1]

Set how many megabytes to allow the trust database to grow to

Default value: 50

subj_cache_size

Data type: Integer[1]

Set how many entries the subject cache holds

Default value: 1549

obj_cache_size

Data type: Integer[1]

Set how many entries the object cache holds

Default value: 8191

watch_fs

Data type: Array[String[1]]

Set a list of file systems that should be watched for access permission

Default value: ['ext2','ext3','ext4','tmpfs','xfs','vfat','iso9660','btrfs']

trust

Data type: Array[Enum['rpmdb','file'],1,2]

Set list of trust back-ends

Default value: ['rpmdb','file']

integrity

Data type: Enum['none','size','ima','sha256']

Set the integrity strategy that should be used

Default value: 'none'

syslog_format

Data type: String[1]

Set the format of the output from the access decision

Default value: 'rule,dec,perm,auid,pid,exe,:,path,ftype,trust'

rpm_sha256_only

Data type: Integer[0,1]

Set option (0 or 1) for whether the daemon should be forced to only work with SHA256 hashes

Default value: 0

allow_filesystem_mark

Data type: Integer[0,1]

Set option (0 or 1) for whether to allow fapolicyd to monitor file access events on the underlying file system when they are bind mounted or are overlayed

Default value: 0

Defined types

fapolicyd::rule_file

A type for managing fapolicyd rules files under /etc/fapolicyd/rules.d/

Examples

fapolicyd::rule_file { 'myapps':
  priority => 80,
  comment  => 'Rules for myapps',
  rules    => [
    {
      decision => 'allow',
      perm     => 'execute',
       subjects => [
        {
          type    => 'exe',
          setting => '/usr/bin/bash',
        },
        {
          type    => 'trust',
          setting => '1',
        },
      ],
      objects  => [
        {
          type    => 'path',
          setting => '/tmp/ls',
        },
        {
          type    => 'ftype',
          setting => 'application/x-executable'
        },
        {
          type    => 'trust',
          setting => '0'
        },
      ]
    }
  ],
}

Parameters

The following parameters are available in the fapolicyd::rule_file defined type:

priority

Data type: Integer[0]

Priority of the rules in the rule file

Default value: 100

comment

Data type: String[1]

A comment to place into the rules file for describing the rules

Default value: "${priority}-${title}.rules"

rules

Data type: Array[Fapolicyd::Rule]

An array of rules to add to the rules file

Default value: []

fapolicyd::trust_file

A type for managing fapolicyd trust files under /etc/fapolicyd/trust.d/

Examples

fapolicyd::trust_file { 'myapp':
  trusted_apps => [
    '/tmp/ls',
  ],
}

Parameters

The following parameters are available in the fapolicyd::trust_file defined type:

trusted_apps

Data type: Array[Stdlib::Absolutepath]

An array of the absolute path of applications to trust

Default value: []

Data types

Fapolicyd::Object

A type for defining a fapolicyd rule object

Alias of

Struct['type' => Enum['all','path','dir','device','ftype','trust','sha256hash'],
  'setting' => Optional[String[1]]]

Fapolicyd::Rule

A type for defining a fapolicyd rule

Alias of

Struct['decision' => Enum['allow', 'deny', 'allow_audit', 'deny_audit', 'allow_syslog', 'deny_syslog', 'allow_log', 'deny_log'],
  'perm' => Optional[Enum['open', 'execute', 'any']],
  'subjects' => Array[Fapolicyd::Subject,1],
  'objects' => Array[Fapolicyd::Object]]

Fapolicyd::Subject

A type for defining a fapolicyd rule subject

Alias of

Struct['type' => Enum['all','auid','uid','gid','sessionid','pid','ppid','trust','comm','exe','dir','ftype','device','pattern'],
  'setting' => Optional[Variant[String[1],Integer]]]