fapolicyd
: A class for installing and configuring fapolicyd

fapolicyd::rule_file
: A type for managing fapolicyd rules files

fapolicyd::trust_file
: A type for managing fapolicyd trust files

fapolicyd::format_rule
: A function for formatting a rule to be added to a .rules file

fapolicyd::get_trusted_file_info
: A function that returns the trusted application's file information in the format <file absolute path> <file size> <file sha256 hash>

Fapolicyd::Object
: A type for defining a fapolicyd rule object

Fapolicyd::Rule
: A type for defining a fapolicyd rule

Fapolicyd::Subject
: A type for defining a fapolicyd rule subject
This class installs and configures fapolicyd
include fapolicyd
The following parameters are available in the fapolicyd class:
package_ensure
service_ensure
service_enable
permissive
nice_val
q_size
uid
gid
do_stat_report
detailed_report
db_max_size
subj_cache_size
obj_cache_size
watch_fs
trust
integrity
syslog_format
rpm_sha256_only
allow_filesystem_mark
package_ensure

Data type: Enum['present', 'installed', 'absent']
Set the state of the package
Default value: 'present'

service_ensure

Data type: Enum['running', 'stopped']
Set the state of the service
Default value: 'running'

service_enable

Data type: Boolean
Set whether the service is enabled or disabled at boot
Default value: true

permissive

Data type: Integer[0,1]
Set to 0 to send policy decisions to the kernel for enforcement. Set to 1 to always allow access even if a policy would block it (decisions are still logged).
Default value: 0

nice_val

Data type: Integer[0,20]
Set the niceness value (scheduler priority boost) for the fapolicyd process
Default value: 14

q_size

Data type: Integer[1]
Set the size of the internal queue that fapolicyd uses for access events
Default value: 800

uid

Data type: String[1]
Set the uid or name of the user account that fapolicyd should switch to during startup
Default value: 'fapolicyd'

gid

Data type: String[1]
Set the gid or name of the group that fapolicyd should switch to during startup
Default value: 'fapolicyd'

do_stat_report

Data type: Integer[0,1]
Set whether fapolicyd should (1) or should not (0) create a usage statistics report on shutdown
Default value: 1

detailed_report

Data type: Integer[0,1]
Set whether fapolicyd should (1) or should not (0) add subject and object information to the usage statistics report
Default value: 1

db_max_size

Data type: Integer[1]
Set how many megabytes the trust database is allowed to grow to
Default value: 50

subj_cache_size

Data type: Integer[1]
Set how many entries the subject cache holds
Default value: 1549

obj_cache_size

Data type: Integer[1]
Set how many entries the object cache holds
Default value: 8191

watch_fs

Data type: Array[String[1]]
Set the list of file systems that should be watched for access permission decisions
Default value: ['ext2','ext3','ext4','tmpfs','xfs','vfat','iso9660','btrfs']

trust

Data type: Array[Enum['rpmdb','file'],1,2]
Set the list of trust back-ends
Default value: ['rpmdb','file']

integrity

Data type: Enum['none','size','ima','sha256']
Set the integrity strategy that should be used when checking trusted files
Default value: 'none'

syslog_format

Data type: String[1]
Set the format of the output from the access decision
Default value: 'rule,dec,perm,auid,pid,exe,:,path,ftype,trust'

rpm_sha256_only

Data type: Integer[0,1]
Set option (0 or 1) for whether the daemon should be forced to work only with SHA256 hashes from the rpm database
Default value: 0

allow_filesystem_mark

Data type: Integer[0,1]
Set option (0 or 1) for whether to allow fapolicyd to monitor file access events on the underlying file system when it is bind mounted or overlayed
Default value: 0
A type for managing fapolicyd rules files under /etc/fapolicyd/rules.d/

fapolicyd::rule_file { 'myapps':
  priority => 80,
  comment  => 'Rules for myapps',
  rules    => [
    {
      decision => 'allow',
      perm     => 'execute',
      subjects => [
        {
          type    => 'exe',
          setting => '/usr/bin/bash',
        },
        {
          type    => 'trust',
          setting => '1',
        },
      ],
      objects  => [
        {
          type    => 'path',
          setting => '/tmp/ls',
        },
        {
          type    => 'ftype',
          setting => 'application/x-executable',
        },
        {
          type    => 'trust',
          setting => '0',
        },
      ],
    },
  ],
}
The following parameters are available in the fapolicyd::rule_file defined type:

priority

Data type: Integer[0]
Priority of the rules in the rule file; it becomes the numeric prefix of the file name, so lower values are evaluated first
Default value: 100

comment

Data type: String[1]
A comment to place into the rules file for describing the rules
Default value: "${priority}-${title}.rules"

rules

Data type: Array[Fapolicyd::Rule]
An array of rules to add to the rules file
Default value: []
A type for managing fapolicyd trust files under /etc/fapolicyd/trust.d/

fapolicyd::trust_file { 'myapp':
  trusted_apps => [
    '/tmp/ls',
  ],
}

The following parameters are available in the fapolicyd::trust_file defined type:

trusted_apps

Data type: Array[Stdlib::Absolutepath]
An array of the absolute paths of applications to trust
Default value: []
A type for defining a fapolicyd rule object

Alias of
Struct['type'    => Enum['all','path','dir','device','ftype','trust','sha256hash'],
       'setting' => Optional[String[1]]]

A type for defining a fapolicyd rule

Alias of
Struct['decision' => Enum['allow', 'deny', 'allow_audit', 'deny_audit', 'allow_syslog', 'deny_syslog', 'allow_log', 'deny_log'],
       'perm'     => Optional[Enum['open', 'execute', 'any']],
       'subjects' => Array[Fapolicyd::Subject,1],
       'objects'  => Array[Fapolicyd::Object]]

A type for defining a fapolicyd rule subject

Alias of
Struct['type'    => Enum['all','auid','uid','gid','sessionid','pid','ppid','trust','comm','exe','dir','ftype','device','pattern'],
       'setting' => Optional[Variant[String[1],Integer]]]