Tools to assist with the configuration and maintenance of fapolicyd.

Overview

File Access Policy Analyzer

Tools to assist with the configuration and maintenance of fapolicyd.

Python bindings

We write python bindings using PyO3 and setuptools_rust.

We use pipenv for creating a sand-boxed development environment. To install pipenv into your home directory:

pip3 install --user pipenv

To build and install the bindings run the following from the top level directory of this repository:

pipenv install --dev
pipenv shell
python3 setup.py [develop | install]

There may be some additional build-time requirements. See the development wiki page for more details.

File Access Policy Analyzer User Interface

Run the fapolicy-analyzer UI:

python3 -m fapolicy-analyzer.ui

Requirements

  • Python 3.9
  • Rust 1.52
  • fapolicyd 1.0

fapolicyd configuration

To generate rules that can be analyzed we require the following syslog_format configuration

syslog_format = rule,dec,perm,uid,gid,pid,exe,:,path,ftype,trust

Developers

See the Wiki for more resources.

Comments
  • UI unresponsive after deployment rollback

    UI unresponsive after deployment rollback

    To reproduce

    1. Add trust changes
    2. Deploy
    3. Select "No" when asked to keep changes

    Noteworthy

    • Usually on the first or second deployment the UI becomes unresponsive.
    • Same behavior whether the timer expires or you manually click No.
    • Did not encounter issues If the deployment is accepted.
    • The rollback of configuration is indeed written to disk (ie. the original is restored).
    • The daemon is in active state after the app locks, so it appears to be properly started
    • Consistently reproducible on fc34 using rule-text-write branch's RPM
    • Did not observe issue on RHEL 8 using the same branch
    bug ui 
    opened by jw3 23
  • Include User Guide under Help menu

    Include User Guide under Help menu

    Adds a user guide entry under the help menu.

    • Generates the user guide from the online wiki documentation
    • Integrates the user guide build process into CI and the RPM build
    • Installs the user guide to /usr/share/help via RPM
    • Internationalization support is included for the documentation
    • Adds target to root Makefile that pulls and builds help locally
      • make help-docs
      • Useful for contributing translations

    Closes #645

    documentation feedback0 
    opened by dorschs57 14
  • RPM Build

    RPM Build

    Summary

    Build an RPM that includes the Rust bindings and the Python dist. The standard tools for building Python RPMs or Rust RPMs didn't play well with our layout. So what we have is a two stage process of building a bdist wheel and then using that wheel to build the RPM. The source RPM includes the wheel as the source file.

    This PR includes GitHub actions workflow to build the RPM. When pushing a tag the RPM will be published as a release, otherwise RPM is built and discarded. A future PR will add some automated testing immediately after the build stage.

    Wiki pages related to this PR

    • https://github.com/ctc-oss/fapolicy-analyzer/wiki/RPM-Packaging
    • https://github.com/ctc-oss/fapolicy-analyzer/wiki/Publishing-Releases

    How the RPM is packaged

    1. build a wheel
    2. use the wheel as the rpm source
    3. install the wheel in the rpm build
    4. capture the python site-install files

    Build the builder image

    From the root of the project

    docker build -t rpmbuilder -f scripts/rpm/Dockerfile .

    Build the rpm in the builder container

    docker run --rm -it -v /tmp:/output rpmbuilder

    RPMs will end up in /tmp on the host machine.

    Test the rpm in a container

    todo #115

    Installing the RPM

    dnf install -y fapolicy-analyzer-0.0.4-1.x86_64.rpm

    closes #114

    opened by jw3 11
  • Rollback on unconfirmed deployment

    Rollback on unconfirmed deployment

    Implement rollback in the case of a non-confirmation after deployment, which results in the system rolling back to the previous state.

    This is somewhat handy when dealing only in trust, but it becomes very useful when we progress to altering rules.

    closes #13

    opened by jw3 10
  • Active checks with dbus

    Active checks with dbus

    Eliminate the calls to systemctl for service status checks, using dbus instead. This removes one potential pinch point where deployed rules can limit the call to systemctl. A side-effect of this is that the monitoring function now works even in the case of fully locked down system (ie. only the deny+any+all+all rule).

    This also aligns both stages of deployment, deployment and rollback. Those stages used to be handled differently, where initial deployment only was a pipe write to refresh trust, while rollback deployment was a full daemon reload. Then the pipe write went away to align rule and trust writing, but there were some straggling issues that were left behind. These changes align the backends for both modes and resolve issues where fixes were present in one mode but not the other.

    Closes #565

    deployment 
    opened by jw3 9
  • Application Profiler does not report missing fapolicyd service

    Application Profiler does not report missing fapolicyd service

    In the case where the fapolicyd service is not found the only indication of failure is a stack trace.

    The close button becomes unresponsive, the dialog must be closed out with the X

    ui Profiler resilience 
    opened by jw3 8
  • Policykit issue when launching fapolicy-analyzer a second time

    Policykit issue when launching fapolicy-analyzer a second time

    From fc34 vm

    1. Run fapolicy-analyzer
    2. Close and run again
    [[email protected] ~]$ fapolicy-analyzer 
    Error executing command as another user: No authentication agent found.
    Terminating pkttyagent.
    
    bug 
    opened by jw3 8
  • Fix profiler path validation

    Fix profiler path validation

    Support for validating relative executable paths by using the existing PATH from the users environment. This also supports evaluating a custom PATH provided through the profiler GUI.

    This fixes the issue from #655 where users are forced to use absolute paths to avoid a validation error reporting that the file cannot be found.

    Closes #655

    bug Profiler 
    opened by tparchambault 7
  • Update Event Analysis Tool partial access file color

    Update Event Analysis Tool partial access file color

    Update the Subject and Object list views of the Policy Event Analysis tool to use the color scheme shown in significance-of-color. Specifically the Subjects need update to show pink (or lighter red) if they have only Partial (P) access, and the Objects should be pink if they can only be accessed for a limited set of modes.

    ui 
    opened by dorschs57 7
  • Help manual needs to be included under Help menu

    Help manual needs to be included under Help menu

    We need an offline copy of the user manual.

    1. Maintain the docs as the GitHub Wiki
    2. During RPM CI builds we clone the Wiki and build the User Guide section Markdown into HTML
    3. Bundle the HTML as the doc
    4. Have a placeholder HTML for non-RPM (like dev env) that just has a link to the Wiki
    enhancement rules ui feedback0 
    opened by jw3 6
  • Fa632-validate_profiler_arguments

    Fa632-validate_profiler_arguments

    Added a static class function to check the validity of arguments. This function can be called in the UI layer prior to the creation of the Profiling Session object.

    opened by tparchambault 6
  • Clean up stdout from backend

    Clean up stdout from backend

    Several places with stdout

    On deployment

    waiting on daemon to be Inactive...
    daemon is now Inactive
    waiting on daemon to be Active...
    daemon is now Active
    
    backend 
    opened by jw3 0
  • Change gtk builder file extensions

    Change gtk builder file extensions

    UI files should be named X.ui rather than X.glade.

    The exception would be if we were using the glade format, but we are using the modern GtkBuilder format.

    ui 
    opened by jw3 0
  • Consider that this is not a Python module

    Consider that this is not a Python module

    We are an application, we are not a Python library.

    Things may be simplified if we were to RPM install under /usr/share/fapolicy-analyzer rather than under the Python site-lib.

    HT: While perusing some modern gnome apps, came across Wike, which does this.

    Python rpm 
    opened by jw3 0
  • Handle missing trust.d

    Handle missing trust.d

    Trust.d could be missing due to

    1. Older fapolicyd version
    2. Removed

    This does not need to be a failure case, it simply results in no trust being sourced from trust.d

    bug backend trust 
    opened by jw3 0
  • Address feedback from Fedora review

    Address feedback from Fedora review

    The bz issue is #2153687

    The initial review shows several [!] findings that need addressed. Going to track them all together here.

    • [x] [?]: Package contains desktop file if it is a GUI application.
      • #616
    • [x] [!]: Sources are verified with gpgverify first in %prep if upstream publishes signatures.
    • [x] [!]: Package meets the Packaging Guidelines::Python -- Please, use macros instead of python3 interpreter.
    • [x] Suggested: use "tar -xzf" instead of "tar xzf"
    • [x] Suggested: use "%autosetup -p0" instead of "%autosetup -p1"
    • [x] Rpmlint: E: explicit-lib-dependency dbus-libs
    • [x] Rpmlint: W: no-manual-page-for-binary fapolicy-analyzer
      • #200
    • [ ] Rpmlint: W: invalid-url Source1: vendor-rs.tar.gz
    • [ ] Rpmlint: W: invalid-url Source0: fapolicy-analyzer.tar.gz
    • [x] Rpmlint: W: incoherent-version-in-changelog 0.6.1-1 ['0.6.2-1.fc38', '0.6.2-1']
    • [ ] Rpmlint: W: files-duplicate /usr/lib64/python3.11/site-packages/fapolicy_analyzer/util/init.py /usr/lib64/python3.11/site-packages/fapolicy_analyzer/css/init.py:/usr/lib64/python3.11/site-packages/fapolicy_analyzer/glade/init.py:/usr/lib64/python3.11/site-packages/fapolicy_analyzer/resources/init.py
    • [ ] Rpmlint: W: files-duplicate /usr/lib64/python3.11/site-packages/fapolicy_analyzer/resources/sourceview/styles/init.py /usr/lib64/python3.11/site-packages/fapolicy_analyzer/resources/sourceview/language-specs/init.py
    • [ ] Rpmlint: W: file-not-in-%lang /usr/lib64/python3.11/site-packages/fapolicy_analyzer/locale/es/LC_MESSAGES/fapolicy_analyzer.mo
    rpm feedback1 build 
    opened by jw3 5
Releases(v0.6.3)
Owner
Concurrent Technologies Corporation (CTC)
Concurrent Technologies Corporation (CTC)
Strict separation of config from code.

Python Decouple: Strict separation of settings from code Decouple helps you to organize your settings so that you can change parameters without having

Henrique Bastos 2.3k Dec 30, 2022
Yamale (ya·ma·lē) - A schema and validator for YAML.

Yamale (ya·ma·lē) ⚠️ Ensure that your schema definitions come from internal or trusted sources. Yamale does not protect against intentionally maliciou

23andMe 534 Dec 21, 2022
Generate config files and qr codes for wireguard vpn

wireguard config generator for python Generate config files and qr codes for wireguard vpn You will need to install qrcode and pillow in python and yo

18 Dec 02, 2022
Scooch Configures Object Oriented Class Hierarchies for python

Scooch Scooch Configures Object Oriented Class Hierarchies for python. A good place to start with Scooch is at the documentation found here. Scooch is

Pandora Media, Inc. 6 Dec 20, 2022
ConfZ is a configuration management library for Python based on pydantic.

ConfZ – Pydantic Config Management ConfZ is a configuration management library for Python based on pydantic. It easily allows you to load your configu

Zühlke 164 Dec 27, 2022
Load Django Settings from Environmental Variables with One Magical Line of Code

DjEnv: Django + Environment Load Django Settings Directly from Environmental Variables features modify django configuration without modifying source c

Daniel J. Dufour 28 Oct 01, 2022
A lightweight Traits like module

Traitlets home https://github.com/ipython/traitlets pypi-repo https://pypi.org/project/traitlets/ docs https://traitlets.readthedocs.io/ license Modif

IPython 532 Dec 27, 2022
A set of Python scripts and notebooks to help administer and configure Workforce projects.

Workforce Scripts A set of Python scripts and notebooks to help administer and configure Workforce projects. Notebooks Several example Jupyter noteboo

Esri 75 Sep 09, 2022
A YAML validator for Programming Historian lessons.

phyaml A simple YAML validator for Programming Historian lessons. USAGE: python3 ph-lesson-yaml-validator.py lesson.md The script automatically detect

Riva Quiroga 1 Nov 07, 2021
KConfig Browser is a graphical application which allows you to modify KDE configuration files found in ~/.config

kconfig_browser KConfig Browser is a graphical application which allows you to modify KDE configuration files found in ~/.config Screenshot Why I crea

11 Sep 15, 2022
Config files for my GitHub profile.

Config files for my GitHub profile.

Lukas Sales 7 May 17, 2022
A Python library to parse PARI/GP configuration and header files

pari-utils A Python library to parse PARI/GP configuration and header files. This is mainly used in the code generation of https://github.com/sagemath

Sage Mathematical Software System 3 Sep 18, 2022
Config files for my GitHub profile.

Hacked This is a python base script from which you can hack or clone any person's facebook friendlist or followers accounts which have simple password

2 Dec 10, 2021
Event Coding for the HV Protocol MEG datasets

Scripts for QA and trigger preprocessing of NIMH HV Protocol Install pip install git+https://github.com/nih-megcore/hv_proc Usage hv_process.py will

2 Nov 14, 2022
A compact library for Python 3.10x that allows users to configure their SimPads real-time

SimpadLib v1.0.6 What is this? This is a python library programmed by Ashe Muller that allows users to interface directly with their SimPad devices, a

Ashe Muller 2 Jan 08, 2022
An application pulls configuration information from JSON files generated

AP Provisioning Automation An application pulls configuration information from JSON files generated by Ekahau and then uses Netmiko to configure the l

Cisco GVE DevNet Team 1 Dec 17, 2021
Kubernates Config Manager

Kubernates Config Manager Sometimes we need manage more than one kubernates cluster at the same time. Switch cluster configs is a dangerous and troubl

周文阳 3 Jan 10, 2022
Pyleri is an easy-to-use parser created for SiriDB

Python Left-Right Parser Pyleri is an easy-to-use parser created for SiriDB. We first used lrparsing and wrote jsleri for auto-completion and suggesti

Cesbit 106 Dec 06, 2022
A helper for organizing Django project settings by relying on well established programming patterns.

django-configurations django-configurations eases Django project configuration by relying on the composability of Python classes. It extends the notio

Jazzband 955 Jan 05, 2023
Napalm-vs-openconfig - Comparison of NAPALM and OpenConfig YANG with NETCONF transport

NAPALM vs NETCONF/OPENCONFIG Abstracts Multi vendor network management and autom

Anton Karneliuk 1 Jan 17, 2022