forked from theforeman/foreman-documentation
-
Notifications
You must be signed in to change notification settings - Fork 0
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
Add fapolicyd to Foreman and Smart Proxy (theforeman#2616)
For version 3.9 and above, we have started supporting fapolicyd on the Project Server as well as Smart Proxy Server. The procedure to install and enable faplicyd for both of them remains the same. You can install fapolicyd along with fresh installation of Project or SmartProxy, or you can install it on existing Project or SmartProxy.
- Loading branch information
Showing
5 changed files
with
73 additions
and
0 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,12 @@ | ||
| [id="using-fapolicyd-on-server_{context}"] | ||
| ifeval::["{context}" == "{project-context}"] | ||
| = Optional: Using fapolicyd on {ProjectServer} | ||
| endif::[] | ||
| ifeval::["{context}" == "{smart-proxy-context}"] | ||
| = Optional: Using fapolicyd on {SmartProxyServer} | ||
| endif::[] | ||
|
|
||
| By enabling `fapolicyd` on your {ProjectServer}, you can provide an additional layer of security by monitoring and controlling access to files and directories. | ||
| The fapolicyd daemon uses the RPM database as a repository of trusted binaries and scripts. | ||
|
|
||
| You can turn on or off the fapolicyd on your {ProjectServer} or {SmartProxyServer} at any point. |
49 changes: 49 additions & 0 deletions
49
guides/common/modules/proc_installing-fapolicyd-on-server.adoc
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,49 @@ | ||
| [id="installing-fapolicyd-on-server_{context}"] | ||
| ifeval::["{context}" == "{project-context}"] | ||
| = Installing fapolicyd on {ProjectServer} | ||
| endif::[] | ||
| ifeval::["{context}" == "{smart-proxy-context}"] | ||
| = Installing fapolicyd on {SmartProxyServer} | ||
| endif::[] | ||
|
|
||
| ifeval::["{context}" == "{project-context}"] | ||
| You can install `fapolicyd` along with {ProjectServer} or can be installed on an existing {ProjectServer}. | ||
| If you are installing `fapolicyd` along with the new {ProjectServer}, the installation process will detect the fapolicyd in your {EL} host and deploy the {ProjectServer} rules automatically. | ||
| endif::[] | ||
| ifeval::["{context}" == "{smart-proxy-context}"] | ||
| You can install `fapolicyd` along with {SmartProxyServer} or can be installed on an existing {SmartProxyServer}. | ||
| If you are installing `fapolicyd` along with the new {SmartProxyServer}, the installation process will detect the fapolicyd in your {EL} host and deploy the {SmartProxyServer} rules automatically. | ||
| endif::[] | ||
|
|
||
| .Prerequisite | ||
| * Ensure your host has access to the BaseOS repositories of {EL}. | ||
| .Procedure | ||
| . Install fapolicyd: | ||
| + | ||
| [options="nowrap" subs="+quotes,attributes"] | ||
| ---- | ||
| ifndef::foreman-deb[] | ||
| # dnf install fapolicyd | ||
| endif::[] | ||
| ---- | ||
| . Start the `fapolicyd` service: | ||
| + | ||
| [options="nowrap" subs="+quotes,attributes"] | ||
| ---- | ||
| # systemctl enable --now fapolicyd | ||
| ---- | ||
|
|
||
| .Verification | ||
| * Verify that the `fapolicyd` service is running correctly: | ||
| + | ||
| [options="nowrap" subs="+quotes"] | ||
| ---- | ||
| # systemctl status fapolicyd | ||
| ---- | ||
| .New {ProjectServer} or {SmartProxyServer} installations | ||
| In case of new {ProjectServer} or {SmartProxyServer} installation, follow the standard installation procedures after installing and enabling fapolicyd on your {EL} host. | ||
|
|
||
| .Additional resources | ||
| For more information on fapolicyd, see https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/8/html/security_hardening/assembly_blocking-and-allowing-applications-using-fapolicyd_security-hardening#doc-wrapper[Blocking and allowing applications using fapolicyd] in _Red Hat Enterprise Linux 8 Security hardening_. |