Reference

Table of Contents

Classes

  • fapolicyd: A class for installing and configuring fapolicyd

Defined types

  • fapolicyd::rule_file: A type for managing fapolicyd rule files under /etc/fapolicyd/rules.d/
  • fapolicyd::trust_file: A type for managing fapolicyd trust files under /etc/fapolicyd/trust.d/

Functions

Private Functions

  • fapolicyd::format_rule: A function for formatting a rule to be added to a .rules file
  • fapolicyd::get_trusted_file_info: A function that returns the trusted application's file information in the format <file absolute path> <file size> <file sha256 hash>

Data types

  • Fapolicyd::Object: A type for defining a fapolicyd rule object
  • Fapolicyd::Rule: A type for defining a fapolicyd rule
  • Fapolicyd::Subject: A type for defining a fapolicyd rule subject

Classes

fapolicyd

This class installs and configures fapolicyd

Examples

include fapolicyd

Parameters

The following parameters are available in the fapolicyd class:

package_ensure

Data type: Enum['present', 'installed', 'absent']

Set the state of the package

Default value: 'present'

service_ensure

Data type: Enum['running', 'stopped']

Set the state of the service

Default value: 'running'

service_enable

Data type: Boolean

Set whether the service is enabled/disabled

Default value: true

permissive

Data type: Integer[0,1]

Set to 0 to send policy decisions to the kernel for enforcement. Set to 1 to always allow access, even if a policy would block it.

Default value: 0

nice_val

Data type: Integer[0,20]

Set the niceness value (scheduler boost) for the fapolicyd process

Default value: 14

q_size

Data type: Integer[1]

Set the queue size for the internal queue that fapolicyd will use.

Default value: 800

uid

Data type: String[1]

Set the UID or name of the user account that fapolicyd should switch to during startup

Default value: 'fapolicyd'

gid

Data type: String[1]

Set the GID or name of the group that fapolicyd should switch to during startup

Default value: 'fapolicyd'

do_stat_report

Data type: Integer[0,1]

Set whether fapolicyd should (1) or should not (0) create a usage statistics report on shutdown

Default value: 1

detailed_report

Data type: Integer[0,1]

Set whether fapolicyd should (1) or should not (0) add subject and object information to the usage statistics report

Default value: 1

db_max_size

Data type: Integer[1]

Set how many megabytes to allow the trust database to grow to

Default value: 50

subj_cache_size

Data type: Integer[1]

Set how many entries the subject cache holds

Default value: 1549

obj_cache_size

Data type: Integer[1]

Set how many entries the object cache holds

Default value: 8191

watch_fs

Data type: Array[String[1]]

Set the list of file systems that should be watched for file access decisions

Default value: ['ext2','ext3','ext4','tmpfs','xfs','vfat','iso9660','btrfs']

trust

Data type: Array[Enum['rpmdb','file'],1,2]

Set the list of trust back-ends

Default value: ['rpmdb','file']

integrity

Data type: Enum['none','size','ima','sha256']

Set the integrity strategy that should be used

Default value: 'none'

syslog_format

Data type: String[1]

Set the format of the output from the access decision

Default value: 'rule,dec,perm,auid,pid,exe,:,path,ftype,trust'

rpm_sha256_only

Data type: Integer[0,1]

Set option (0 or 1) for whether the daemon should be forced to work only with SHA256 hashes

Default value: 0

allow_filesystem_mark

Data type: Integer[0,1]

Set option (0 or 1) for whether to allow fapolicyd to monitor file access events on the underlying file system when it is bind mounted or overlaid

Default value: 0

Defined types

fapolicyd::rule_file

A type for managing fapolicyd rule files under /etc/fapolicyd/rules.d/

Examples

fapolicyd::rule_file { 'myapps':
  priority => 80,
  comment  => 'Rules for myapps',
  rules    => [
    {
      decision => 'allow',
      perm     => 'execute',
      subjects => [
        {
          type    => 'exe',
          setting => '/usr/bin/bash',
        },
        {
          type    => 'trust',
          setting => '1',
        },
      ],
      objects  => [
        {
          type    => 'path',
          setting => '/tmp/ls',
        },
        {
          type    => 'ftype',
          setting => 'application/x-executable',
        },
        {
          type    => 'trust',
          setting => '0',
        },
      ],
    },
  ],
}

Parameters

The following parameters are available in the fapolicyd::rule_file defined type:

priority

Data type: Integer[0]

Priority of the rules in the rule file

Default value: 100

comment

Data type: String[1]

A comment to place into the rules file for describing the rules

Default value: "${priority}-${title}.rules"

rules

Data type: Array[Fapolicyd::Rule]

An array of rules to add to the rules file

Default value: []

fapolicyd::trust_file

A type for managing fapolicyd trust files under /etc/fapolicyd/trust.d/

Examples

fapolicyd::trust_file { 'myapp':
  trusted_apps => [
    '/tmp/ls',
  ],
}

Parameters

The following parameters are available in the fapolicyd::trust_file defined type:

trusted_apps

Data type: Array[Stdlib::Absolutepath]

An array of absolute paths of applications to trust

Default value: []
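As an added example (not the module's own fapolicyd::get_trusted_file_info, whose body is not shown on this page), the Ruby snippet below builds a trust.d entry in the "<file absolute path> <file size> <file sha256 hash>" format the page describes, and then re-checks an existing entry against the file on disk so that a trusted binary that has since been altered is reported. The temporary file and its contents are constructed for the demo; the assumption that a path may contain spaces while the last two fields never do is mine.

```ruby
require 'digest'
require 'tmpdir'

# Build one trust.d entry for an absolute path: "<path> <size> <sha256>".
def trusted_file_info(path)
  raise ArgumentError, "#{path} is not an absolute path" unless path.start_with?('/')
  "#{path} #{File.size(path)} #{Digest::SHA256.file(path).hexdigest}"
end

# Compare a stored entry with the current file. Returns :ok, :missing,
# :size_mismatch or :hash_mismatch. The size check is cheap and runs first;
# the hash check catches same-size modifications.
def verify_trust_entry(line)
  fields = line.strip.split(' ')
  sha256 = fields.pop
  size   = Integer(fields.pop)
  path   = fields.join(' ')            # assumption: path may contain spaces
  return :missing unless File.file?(path)
  return :size_mismatch unless File.size(path) == size
  Digest::SHA256.file(path).hexdigest == sha256 ? :ok : :hash_mismatch
end

# Constructed demo: a stand-in "application" in a temp dir, trusted once and
# then modified twice (different size, then same size with different bytes).
def demo
  Dir.mktmpdir do |dir|
    app = File.join(dir, 'ls')
    File.write(app, 'hello world')      # constructed content, 11 bytes
    entry = trusted_file_info(app)
    untouched = verify_trust_entry(entry)
    File.write(app, 'hello world!')     # 12 bytes: size differs
    grown = verify_trust_entry(entry)
    File.write(app, 'hello w0rld')      # 11 bytes: only the content differs
    patched = verify_trust_entry(entry)
    [entry, untouched, grown, patched]
  end
end

puts demo.inspect if __FILE__ == $PROGRAM_NAME
```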

Data types

Fapolicyd::Object

A type for defining a fapolicyd rule object

Alias of

Struct['type' => Enum['all','path','dir','device','ftype','trust','sha256hash'],
  'setting' => Optional[String[1]]]

Fapolicyd::Rule

A type for defining a fapolicyd rule

Alias of

Struct['decision' => Enum['allow', 'deny', 'allow_audit', 'deny_audit', 'allow_syslog', 'deny_syslog', 'allow_log', 'deny_log'],
  'perm' => Optional[Enum['open', 'execute', 'any']],
  'subjects' => Array[Fapolicyd::Subject,1],
  'objects' => Array[Fapolicyd::Object]]

Fapolicyd::Subject

A type for defining a fapolicyd rule subject

Alias of

Struct['type' => Enum['all','auid','uid','gid','sessionid','pid','ppid','trust','comm','exe','dir','ftype','device','pattern'],
  'setting' => Optional[Variant[String[1],Integer]]]
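As an added example (not the module's private fapolicyd::format_rule function, whose body is not shown on this page), the Ruby snippet below renders a hash shaped like Fapolicyd::Rule, using the 'myapps' rule from the fapolicyd::rule_file example above as constructed input, into fapolicyd's rule syntax "decision [perm=...] subjects : objects". Writing a type of all without a setting as the bare word, and writing an empty objects array as all, are my assumptions.

```ruby
# Render one side of a rule (subjects or objects). A part of type 'all'
# is written bare; every other part is written as type=setting.
def format_rule_part(parts)
  parts.map do |p|
    type    = p.fetch('type')
    setting = p['setting']
    (setting.nil? || type == 'all') ? type : "#{type}=#{setting}"
  end.join(' ')
end

# Render a Fapolicyd::Rule-shaped hash as a single fapolicyd rule line.
def format_rule(rule)
  tokens = [rule.fetch('decision')]
  tokens << "perm=#{rule['perm']}" if rule['perm']   # perm is optional
  tokens << format_rule_part(rule.fetch('subjects'))
  tokens << ':'
  objects = rule.fetch('objects', [])
  tokens << (objects.empty? ? 'all' : format_rule_part(objects)) # assumption
  tokens.join(' ')
end

# Render a whole rules.d file body: the comment header, then one rule per line.
def format_rule_file(comment, rules)
  (["# #{comment}"] + rules.map { |r| format_rule(r) }).join("\n") + "\n"
end

# Constructed input: the 'myapps' rule from this page's rule_file example.
MYAPPS_RULE = {
  'decision' => 'allow',
  'perm'     => 'execute',
  'subjects' => [
    { 'type' => 'exe',   'setting' => '/usr/bin/bash' },
    { 'type' => 'trust', 'setting' => '1' },
  ],
  'objects'  => [
    { 'type' => 'path',  'setting' => '/tmp/ls' },
    { 'type' => 'ftype', 'setting' => 'application/x-executable' },
    { 'type' => 'trust', 'setting' => '0' },
  ],
}.freeze

puts format_rule_file('Rules for myapps', [MYAPPS_RULE]) if __FILE__ == $PROGRAM_NAME
```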