Skip to content

corepb/puppet-apparmor

BranchesTags
 
 

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

24 Commits

lib/puppet

lib/puppet

 
 

manifests

manifests

 
 

spec

spec

 
 

.fixtures.yml

.fixtures.yml

 
 

.gemfile

.gemfile

 
 

.gitignore

.gitignore

 
 

.travis.yml

.travis.yml

 
 

COPYRIGHT

COPYRIGHT

 
 

LICENSE

LICENSE

 
 

README.md

README.md

 
 

Rakefile

Rakefile

 
 

Repository files navigation

puppet-apparmor

Puppet module to manage apparmor profiles.

IN PROGRESS, UNSTABLE

Build Status

Introduction

This puppet module allows management of AppArmor profiles. Apparmor is an implementation of Mandatory Access Control model (similar to Selinux) used in Ubuntu and Suse for the isolation of applications running on the same host.

Features

  • Different apparmor modes are supported (enforced, complain, disabled)
  • Apparmor modes can be switched for the existing apparmor profiles (e.g. shipped with OS)
  • Custom apparmor profiles can be installed
  • Custom apparmor profiles may contain parametes expanded via puppet variables (might be usefull if you want to use this module from another puppet module, which installes and configures something)

Requirements

  • Ubuntu Linux
    • Tested on 12.04 and 14.04
  • Puppet >2.7.x (tested on puppet 2.7.11)

Limitations

  • Suse Linux isn't supported yet, but it should be easy to adapt it (pull requests are welcome)
  • Template functionality isn't fully implemented yet

Structure

This module uses both module types of puppet: native ruby type/provider and puppet DSL module:

  • Native ruby type apparmor_profile is used for apparmor runtime configuration/control and ideally shouldn't be invoked directly
  • apparmor::* is a puppet DSL module, where apparmor::profile builds an overlay over the native module an extends the functionality with templates file management of profiles

Folder structure:

  • lib/ - native ruby type and provider, incl helper functions
  • manifests/ - puppet DSL code
    • init.pp - apparmor initialization class, ensures the installation and service configuration of apparmor. Included by other classes/types
    • install.pp - apparmor::install class, installs apparmor packages
    • params.pp - apparmor::params class, some global defaults reused in other classes
    • profile.pp - apparmor::profile type, main entry point for managing apparmor profiles
    • service.pp - apparmor::service class, controlls the apparmor service
  • spec/ - puppet unit tests
  • .travis.yml, Rakefile, .gemfile, .fixtures.yml - used for travis CI tests

How to use it

Controlling an existing default profile

apparmor::profile{"/sbin/dhclient":
  #possible options: enforced, complain, disabled, absent
  ensure => enforced,
}

Rolling out a new profile without parameters

apparmor::profile{"/sbin/dhclient":
  ensure => enforced,
  source => 'puppet:///modules/site_something/sbin.dhclient',
}

Rolling out a new profile with parameters

apparmor::profile{"/sbin/dhclient":
  ensure   => enforced,
  template => 'site_something/sbin.dhclient.erb',
  template_vars => { hash_structure TBD },
}

Contributing

Please use GitHub Pull requests for this.

License and copyright

Copyright 2014-2015 Artem Sidorenko and contributors.

Copyright 2014 Deutsche Telekom AG

See the COPYRIGHT file at the top-level directory of this distribution and at https://github.com/artem-sidorenko/puppet-apparmor/blob/master/COPYRIGHT

About

puppet apparmor modules

Resources

Readme

License

Apache-2.0 license
Activity

Stars

0 stars

Watchers

1 watching

Forks

0 forks
Report repository

Releases

No releases published

Packages

No packages published

Languages

  • Ruby 62.2%
  • Puppet 37.8%