File Access Policy Analyzer

Tools to assist with the configuration and maintenance of fapolicyd.

Python bindings

We write Python bindings using PyO3 and setuptools_rust.

We use pipenv to create a sandboxed development environment. To install pipenv into your home directory:

pip3 install --user pipenv

To build and install the bindings run the following from the top level directory of this repository:

pipenv install --dev
pipenv shell
python3 setup.py [develop | install]

There may be some additional build-time requirements. See the development wiki page for more details.

File Access Policy Analyzer User Interface

Run the fapolicy-analyzer UI:

python3 -m fapolicy_analyzer.ui

Requirements

  • Python 3.9
  • Rust 1.52
  • fapolicyd 1.0

fapolicyd configuration

To generate rules that can be analyzed, we require the following syslog_format configuration:

syslog_format = rule,dec,perm,uid,gid,pid,exe,:,path,ftype,trust
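As an added example (not code from the repository), a small parser for event lines written with that syslog_format: subject fields come first, a literal `:` separates them from the object fields, and every field is a `key=value` token. The sample lines are constructed, the journal prefix is omitted, and values are assumed not to contain spaces.

```python
from collections import Counter

# Field order from the syslog_format line above: subject fields, ':', object fields.
SYSLOG_FORMAT = "rule,dec,perm,uid,gid,pid,exe,:,path,ftype,trust"

# Constructed sample events (not real captures) shaped as fapolicyd emits them
# with that syslog_format; the "fapolicyd[pid]:" journal prefix is left out.
SAMPLE_LINES = [
    "rule=9 dec=deny_audit perm=execute uid=1001 gid=1001 pid=4312 exe=/usr/bin/bash"
    " : path=/home/alice/run.sh ftype=text/x-shellscript trust=0",
    "rule=3 dec=allow perm=execute uid=0 gid=0 pid=977 exe=/usr/lib/systemd/systemd"
    " : path=/usr/sbin/sshd ftype=application/x-executable trust=1",
    "rule=9 dec=deny_audit perm=open uid=1001 gid=1001 pid=4315 exe=/usr/bin/python3"
    " : path=/tmp/plugin.so ftype=application/x-sharedlib trust=0",
]


def parse_event(line, fmt=SYSLOG_FORMAT):
    """Split one event into {'subject': {...}, 'object': {...}}.

    Returns None when the line lacks the ':' separator or any configured
    field, so a misconfigured syslog_format surfaces instead of yielding
    half-filled records.
    """
    fields = fmt.split(",")
    sep = fields.index(":")
    subject_keys, object_keys = fields[:sep], fields[sep + 1:]
    try:
        subj_text, obj_text = line.split(" : ", 1)
    except ValueError:
        return None

    def kv(text):  # 'key=value' tokens; values assumed to be space-free
        return dict(tok.split("=", 1) for tok in text.split() if "=" in tok)

    subj, obj = kv(subj_text), kv(obj_text)
    if set(subject_keys) - set(subj) or set(object_keys) - set(obj):
        return None
    return {"subject": subj, "object": obj}


def denied_by_exe(lines):
    """Count denied accesses per subject executable: a starting point for
    deciding which subjects or objects need a trust or rule change."""
    counts = Counter()
    for line in lines:
        ev = parse_event(line)
        if ev and ev["subject"]["dec"].startswith("deny"):
            counts[ev["subject"]["exe"]] += 1
    return counts
```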

Developers

See the Wiki for more resources.

Comments
  • UI unresponsive after deployment rollback

    UI unresponsive after deployment rollback

    To reproduce

    1. Add trust changes
    2. Deploy
    3. Select "No" when asked to keep changes

    Noteworthy

    • Usually on the first or second deployment the UI becomes unresponsive.
    • Same behavior whether the timer expires or you manually click No.
    • Did not encounter issues if the deployment is accepted.
    • The rollback of configuration is indeed written to disk (i.e. the original is restored).
    • The daemon is in active state after the app locks, so it appears to be properly started
    • Consistently reproducible on fc34 using rule-text-write branch's RPM
    • Did not observe issue on RHEL 8 using the same branch
    bug ui 
    opened by jw3 23
  • Include User Guide under Help menu

    Include User Guide under Help menu

    Adds a user guide entry under the help menu.

    • Generates the user guide from the online wiki documentation
    • Integrates the user guide build process into CI and the RPM build
    • Installs the user guide to /usr/share/help via RPM
    • Internationalization support is included for the documentation
    • Adds target to root Makefile that pulls and builds help locally
      • make help-docs
      • Useful for contributing translations

    Closes #645

    documentation feedback0 
    opened by dorschs57 14
  • RPM Build

    RPM Build

    Summary

    Build an RPM that includes the Rust bindings and the Python dist. The standard tools for building Python RPMs or Rust RPMs didn't play well with our layout. So what we have is a two stage process of building a bdist wheel and then using that wheel to build the RPM. The source RPM includes the wheel as the source file.

    This PR includes a GitHub Actions workflow to build the RPM. When pushing a tag the RPM will be published as a release; otherwise the RPM is built and discarded. A future PR will add some automated testing immediately after the build stage.

    Wiki pages related to this PR

    • https://github.com/ctc-oss/fapolicy-analyzer/wiki/RPM-Packaging
    • https://github.com/ctc-oss/fapolicy-analyzer/wiki/Publishing-Releases

    How the RPM is packaged

    1. build a wheel
    2. use the wheel as the rpm source
    3. install the wheel in the rpm build
    4. capture the python site-install files

    Build the builder image

    From the root of the project

    docker build -t rpmbuilder -f scripts/rpm/Dockerfile .

    Build the rpm in the builder container

    docker run --rm -it -v /tmp:/output rpmbuilder

    RPMs will end up in /tmp on the host machine.

    Test the rpm in a container

    todo #115

    Installing the RPM

    dnf install -y fapolicy-analyzer-0.0.4-1.x86_64.rpm

    closes #114

    opened by jw3 11
  • Rollback on unconfirmed deployment

    Rollback on unconfirmed deployment

    Implement rollback in the case of a non-confirmation after deployment, which results in the system rolling back to the previous state.

    This is somewhat handy when dealing only in trust, but it becomes very useful when we progress to altering rules.

    closes #13

    opened by jw3 10
  • Active checks with dbus

    Active checks with dbus

    Eliminate the calls to systemctl for service status checks, using dbus instead. This removes one potential pinch point where deployed rules can limit the call to systemctl. A side-effect of this is that the monitoring function now works even in the case of a fully locked-down system (i.e. only the deny+any+all+all rule).

    This also aligns both stages of deployment, deployment and rollback. Those stages used to be handled differently, where initial deployment only was a pipe write to refresh trust, while rollback deployment was a full daemon reload. Then the pipe write went away to align rule and trust writing, but there were some straggling issues that were left behind. These changes align the backends for both modes and resolve issues where fixes were present in one mode but not the other.

    Closes #565

    deployment 
    opened by jw3 9
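An added example (not the project's own code) of the check described in this PR, written with dbus-python: it reads the ActiveState of fapolicyd.service from systemd over the system bus, so no systemctl process has to be executed under the deployed policy, and it waits for the Inactive/Active transitions a deployment goes through. The live call assumes dbus-python and a systemd host; the polling logic takes an injectable poll function so it can be exercised without a bus.

```python
import time

SYSTEMD_BUS = "org.freedesktop.systemd1"
SYSTEMD_PATH = "/org/freedesktop/systemd1"


def unit_active_state(unit="fapolicyd.service"):
    """Return the unit's ActiveState ('active', 'inactive', 'activating',
    'deactivating', 'failed', 'reloading') via the systemd D-Bus API.
    Nothing is executed, so a deny-all rule set cannot block the check."""
    import dbus  # dbus-python; imported lazily so the rest runs without it
    bus = dbus.SystemBus()
    manager = dbus.Interface(bus.get_object(SYSTEMD_BUS, SYSTEMD_PATH),
                             SYSTEMD_BUS + ".Manager")
    # LoadUnit (unlike GetUnit) also answers for units not yet loaded.
    unit_path = manager.LoadUnit(unit)
    props = dbus.Interface(bus.get_object(SYSTEMD_BUS, unit_path),
                           "org.freedesktop.DBus.Properties")
    return str(props.Get(SYSTEMD_BUS + ".Unit", "ActiveState"))


def wait_for_state(wanted, poll=unit_active_state, timeout=15.0, interval=0.25):
    """Poll until the unit reports `wanted`; return the states observed.
    Raises RuntimeError on 'failed' and TimeoutError if the deadline passes,
    so a deployment that never comes back is reported instead of hanging."""
    seen = []
    deadline = time.monotonic() + timeout
    while time.monotonic() < deadline:
        state = poll()
        seen.append(state)
        if state == wanted:
            return seen
        if state == "failed":
            raise RuntimeError("unit entered failed state: %r" % seen)
        time.sleep(interval)
    raise TimeoutError("unit never reached %s: %r" % (wanted, seen))


def await_restart(poll=unit_active_state, timeout=15.0):
    """The deployment handshake: the daemon must first go inactive and then
    become active again before the new policy is considered live."""
    seen = wait_for_state("inactive", poll, timeout)
    return seen + wait_for_state("active", poll, timeout)
```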
  • Application Profiler does not report missing fapolicyd service

    Application Profiler does not report missing fapolicyd service

    In the case where the fapolicyd service is not found the only indication of failure is a stack trace.

    The close button becomes unresponsive; the dialog must be closed out with the X.

    ui Profiler resilience 
    opened by jw3 8
  • Policykit issue when launching fapolicy-analyzer a second time

    Policykit issue when launching fapolicy-analyzer a second time

    From fc34 vm

    1. Run fapolicy-analyzer
    2. Close and run again
    [vagrant@fedora ~]$ fapolicy-analyzer 
    Error executing command as another user: No authentication agent found.
    Terminating pkttyagent.
    
    bug 
    opened by jw3 8
  • Fix profiler path validation

    Fix profiler path validation

    Support for validating relative executable paths by using the existing PATH from the user's environment. This also supports evaluating a custom PATH provided through the profiler GUI.

    This fixes the issue from #655 where users are forced to use absolute paths to avoid a validation error reporting that the file cannot be found.

    Closes #655

    bug Profiler 
    opened by tparchambault 7
  • Update Event Analysis Tool partial access file color

    Update Event Analysis Tool partial access file color

    Update the Subject and Object list views of the Policy Event Analysis tool to use the color scheme shown in significance-of-color. Specifically the Subjects need update to show pink (or lighter red) if they have only Partial (P) access, and the Objects should be pink if they can only be accessed for a limited set of modes.

    ui 
    opened by dorschs57 7
  • Help manual needs to be included under Help menu

    Help manual needs to be included under Help menu

    We need an offline copy of the user manual.

    1. Maintain the docs as the GitHub Wiki
    2. During RPM CI builds we clone the Wiki and build the User Guide section Markdown into HTML
    3. Bundle the HTML as the doc
    4. Have a placeholder HTML for non-RPM (like dev env) that just has a link to the Wiki
    enhancement rules ui feedback0 
    opened by jw3 6
  • Fa632-validate_profiler_arguments

    Fa632-validate_profiler_arguments

    Added a static class function to check the validity of arguments. This function can be called in the UI layer prior to the creation of the Profiling Session object.

    opened by tparchambault 6
  • Clean up stdout from backend

    Clean up stdout from backend

    Several places with stdout

    On deployment

    waiting on daemon to be Inactive...
    daemon is now Inactive
    waiting on daemon to be Active...
    daemon is now Active
    
    backend 
    opened by jw3 0
  • Change gtk builder file extensions

    Change gtk builder file extensions

    UI files should be named X.ui rather than X.glade.

    The exception would be if we were using the glade format, but we are using the modern GtkBuilder format.

    ui 
    opened by jw3 0
  • Consider that this is not a Python module

    Consider that this is not a Python module

    We are an application, we are not a Python library.

    Things may be simplified if we were to RPM install under /usr/share/fapolicy-analyzer rather than under the Python site-lib.

    HT: While perusing some modern gnome apps, came across Wike, which does this.

    Python rpm 
    opened by jw3 0
  • Handle missing trust.d

    Handle missing trust.d

    Trust.d could be missing due to

    1. Older fapolicyd version
    2. Removed

    This does not need to be a failure case; it simply results in no trust being sourced from trust.d.

    bug backend trust 
    opened by jw3 0
  • Address feedback from Fedora review

    Address feedback from Fedora review

    The bz issue is #2153687

    The initial review shows several [!] findings that need to be addressed. Going to track them all together here.

    • [x] [?]: Package contains desktop file if it is a GUI application.
      • #616
    • [x] [!]: Sources are verified with gpgverify first in %prep if upstream publishes signatures.
    • [x] [!]: Package meets the Packaging Guidelines::Python -- Please, use macros instead of python3 interpreter.
    • [x] Suggested: use "tar -xzf" instead of "tar xzf"
    • [x] Suggested: use "%autosetup -p0" instead of "%autosetup -p1"
    • [x] Rpmlint: E: explicit-lib-dependency dbus-libs
    • [x] Rpmlint: W: no-manual-page-for-binary fapolicy-analyzer
      • #200
    • [ ] Rpmlint: W: invalid-url Source1: vendor-rs.tar.gz
    • [ ] Rpmlint: W: invalid-url Source0: fapolicy-analyzer.tar.gz
    • [x] Rpmlint: W: incoherent-version-in-changelog 0.6.1-1 ['0.6.2-1.fc38', '0.6.2-1']
    • [ ] Rpmlint: W: files-duplicate /usr/lib64/python3.11/site-packages/fapolicy_analyzer/util/init.py /usr/lib64/python3.11/site-packages/fapolicy_analyzer/css/init.py:/usr/lib64/python3.11/site-packages/fapolicy_analyzer/glade/init.py:/usr/lib64/python3.11/site-packages/fapolicy_analyzer/resources/init.py
    • [ ] Rpmlint: W: files-duplicate /usr/lib64/python3.11/site-packages/fapolicy_analyzer/resources/sourceview/styles/init.py /usr/lib64/python3.11/site-packages/fapolicy_analyzer/resources/sourceview/language-specs/init.py
    • [ ] Rpmlint: W: file-not-in-%lang /usr/lib64/python3.11/site-packages/fapolicy_analyzer/locale/es/LC_MESSAGES/fapolicy_analyzer.mo
    rpm feedback1 build 
    opened by jw3 5
Releases: v0.6.3
Owner: Concurrent Technologies Corporation (CTC)