Forge Home

fapolicyd

A Puppet module for managing fapolicyd

181 downloads

139 latest version

3.1 quality score

We run a couple of automated
scans to help you access a
module's quality. Each module is
given a score based on how well
the author has formatted their
code and documentation and
modules are also checked for
malware using VirusTotal.

Please note, the information below
is for guidance only and neither of
these methods should be considered
an endorsement by Puppet.

Version information

  • 0.1.1 (latest)
  • 0.1.0
released Mar 11th 2024
This version is compatible with:
  • Puppet Enterprise 2023.8.x, 2023.7.x, 2023.6.x, 2023.5.x, 2023.4.x, 2023.3.x, 2023.2.x, 2023.1.x, 2021.7.x
  • Puppet >= 7.24 < 9.0.0

Start using this module

  • r10k or Code Manager
  • Bolt
  • Manual installation
  • Direct download

Add this module to your Puppetfile:

mod 'jortencio-fapolicyd', '0.1.1'
Learn more about managing modules with a Puppetfile

Add this module to your Bolt project:

bolt module add jortencio-fapolicyd
Learn more about using this module with an existing project

Manually install this module globally with Puppet module tool:

puppet module install jortencio-fapolicyd --version 0.1.1

Direct download is not typically how you would use a Puppet module to manage your infrastructure, but you may want to download the module in order to inspect the code.

Download

Documentation

jortencio/fapolicyd — version 0.1.1 Mar 11th 2024

fapolicyd

A Puppet module that is used to configure fapolicyd on Red Hat Enterprise Linux 8 or 9 systems.

For more information about fapolicyd, please refer to Introduction to fapolicyd

Table of Contents

  1. Description
  2. Setup - The basics of getting started with fapolicyd
  3. Usage - Configuration options and additional functionality
  4. Limitations - OS compatibility, etc.
  5. Development - Guide for contributing to the module

Description

This Puppet module can be used to do a basic installation and configuration of fapolicyd - A simple application whitelisting daemon for Linux.

Setup

What fapolicyd affects

This fapolicyd Puppet module currently manages the following configurations:

  • Installation of fapolicyd package
  • Management of the fapolicyd service
  • Configuration of /etc/fapolicyd/fapolicyd.conf file
  • Configuration of trusted applications via files under /etc/fapolicyd/trusted.d/
  • Configuration of rules via files under /etc/fapolicyd/rules.d/

Setup Requirements

In order to use this module, make sure to have the following Puppet modules installed:

  • puppetlabs-stdlib

Beginning with fapolicyd

In order to get started with the fapolicyd Puppet module to install the fapolicyd package and start the fapolicyd service with default settings:

include fapolicyd

Usage

For additional information regarding the usage of the fapolicyd Puppet module, please refer to REFERENCES

Whitelist applications using a trust file under /etc/fapolicyd/trusted.d/

The following example demonstrates how mark an application as trusted using Puppet.

To mark the applications /tmp/ls and /tmp/cat as trusted into the file /etc/fapolicyd/trusted.d/myapp

fapolicyd::trust_file { 'myapp':
  trusted_apps => [
    '/tmp/ls',
    '/tmp/cat',
  ],
}

Note: If an application being whitelisted does not currently exist on a machine, the trust file will instead include a comment. Once the application does exist on the machine, the comment will be updated to be a trusted application on the next Puppet run. The comment included will be similar to the following:

#<application path> is trusted but does not currently exist on the machine

For more information regarding trust files, refer to the Red Hat Enterprise Linux documentation for Marking files as trusted using an additional source of trust

Allow or deny applications using a rule file under /etc/fapolicyd/rules.d/

The following example demonstrates how to add an fapolicyd rule using Puppet.

The fapolicyd rule: allow perm=execute exe=/usr/bin/bash trust=1 : path=/tmp/ls ftype=application/x-executable trust=0 can be added to the file /etc/fapolicyd/rules.d/80-myapps.rules using the following Puppet code:

fapolicyd::rule_file { 'myapps':
  priority => 80,
  comment  => 'Rules for myapps',
  rules    => [
  {
    decision => 'allow',
    perm     => 'execute',
    subjects => [
      {
        type    => 'exe',
        setting => '/usr/bin/bash',
      },
      {
        type    => 'trust',
        setting => '1',
      },
    ],
    objects  => [
      {
        type    => 'path',
        setting => '/tmp/ls',
      },
      {
        type    => 'ftype',
        setting => 'application/x-executable'
      },
      {
        type    => 'trust',
        setting => '0'
      },
    ]
    }
  ],
}

For more information regarding fapolicyd rules, refer to the Red Hat Enterprise Linux documentation for Adding custom allow and deny rules for fapolicyd

Limitations

This module has only been tested on Red Hat Enterprise Linux 8 and 9.

Development

If you would like to contribute with the development of this module, please feel free to log development changes in the issues register for this project