search

ctc-oss / fapolicy-analyzer

Tools to assist with the configuration and management of fapolicyd.
https://ctc-oss.github.io/fapolicy-analyzer
GNU General Public License v3.0
12 stars 5 forks source link
fapolicyd fedora pyo3 python rhel rust security whitelisting

readme

File Access Policy Analyzer

Tools to assist with the configuration and management of fapolicyd

Features

  1. Rule editor with syntax highlighting, syntax validation, and policy linting
  2. Trust database manager to synchronize what fapolicyd believes and what exists on disk
  3. Log analyzer provides insight to help understand and tune fapolicyd runtime behavior
  4. Disk access profiler to capture file access requests for an executing application
  5. Configuration file editor for fapolicyd, with syntax validation and linting
  6. DBUS based control of the fapolicyd daemon which is immune to bad policy lockout

See the User Guide for details.

Installation

You can install the Policy Analyzer in one of the following ways

From Fedora Packages This installation method is currently available for Fedora EPEL 8, EPEL 9, and Fedora 37 or later, including Rawhide. ```sh dnf install fapolicy-analyzer ```
From GitHub releases [![GitHub latest release](https://shields.io/github/v/release/ctc-oss/fapolicy-analyzer?color=3c6eb4&display_name=tag&sort=semver&label=Stable&logo=github)](https://github.com/ctc-oss/fapolicy-analyzer/releases/latest) [![GitHub Latest pre-release)](https://img.shields.io/github/v/release/ctc-oss/fapolicy-analyzer?color=3c6eb4&include_prereleases&label=Beta&logo=github)](https://github.com/ctc-oss/fapolicy-analyzer/releases) ![GitHub downloads](https://img.shields.io/github/downloads/ctc-oss/fapolicy-analyzer/total?color=3c6eb4&logo=github) You can install the Policy Analyzer through the installers available in the [latest release](https://github.com/ctc-oss/fapolicy-analyzer/releases).
Choose an RPM from the latest Fedora stable, Rawhide, and EPEL builds.
From Fedora Copr The Copr repository contains the latest development builds and release builds prior to publishing to the Fedora repositories. Follow this method to install a prerelease package. ### Add Copr repository Install the ctc-oss repo with ```sh dnf install dnf-plugins-core dnf copr enable ctc-oss/fapolicy-analyzer ``` ### Copr Release builds Releases packages of the Policy Analyzer are generally available from Copr a week before being available from Fedora. The Policy Analyzer can be installed from the ctc-oss repository with the normal process `dnf install fapolicy-analyzer` ### Copr pre-release builds Pre-release packages of the Policy Analyzer for all targets are created using the latest commit to master. Use the `dev` tag + the commit number from the `master` branch, for example `dnf install fapolicy-analyzer-1.0.0~dev308` will install the prerelease 1.0.0 version at the 308th commit on the master branch.
From a containerized build environment Follow this method only if you have cloned the GitHub repository and have Podman installed - `make fc-rpm` to build a Rawhide RPM - `make el-rpm` to build a RHEL 8 RPM After a successful build the container will copy the RPMs into the host `/tmp` directory.
From a local development environment Follow this method only if you have installed all required build tools `make run` This requires Pip + Pipenv + Python 3.9 or greater, and Rust 1.62.1 or greater. Python and Rust dependencies will be installed during the build process.

fapolicyd

Compatible with v1.0+

The fapolicyd-badge label tracks support for specific capability.

fapolicyd.conf

Analyzing from syslog requires the following syslog_format entry:

syslog_format = rule,dec,perm,uid,gid,pid,exe,:,path,ftype,trust

Getting Help

License

GPL v3