https://github.com/ctc-oss/fapolicy-analyzer
Tools to assist with the configuration and management of fapolicyd.
- Host: GitHub
- URL: https://github.com/ctc-oss/fapolicy-analyzer
- Owner: ctc-oss
- License: gpl-3.0
- Created: 2021-01-19T11:54:14.000Z (over 4 years ago)
- Default Branch: master
- Last Pushed: 2024-11-12T18:48:50.000Z (6 months ago)
- Last Synced: 2024-11-12T19:35:42.905Z (6 months ago)
- Topics: fapolicyd, fedora, pyo3, python, rhel, rust, security, whitelisting
- Language: Python
- Homepage: https://ctc-oss.github.io/fapolicy-analyzer
- Size: 1.91 MB
- Stars: 13
- Watchers: 5
- Forks: 5
- Open Issues: 121
Metadata Files:
- Readme: README.md
- Changelog: CHANGELOG.md
- Contributing: CONTRIBUTING.md
- License: LICENSE
README
## Features
1. Rule editor with syntax highlighting, syntax validation, and policy linting
2. Trust database manager to synchronize what fapolicyd believes and what exists on disk
3. Log analyzer provides insight to help understand and tune fapolicyd runtime behavior
4. Disk access profiler to capture file access requests for an executing application
5. Configuration file editor for fapolicyd, with syntax validation and linting
6. DBUS based control of the fapolicyd daemon which is immune to bad policy lockout

See the [**User Guide**][1] for details.
## Installation
You can install the Policy Analyzer in one of the following ways:
From Fedora Packages
This installation method is currently available for Fedora EPEL 8, EPEL 9, and Fedora 37 or later, including Rawhide.
```sh
dnf install fapolicy-analyzer
```
From GitHub releases
You can install the Policy Analyzer through the installers available in
the [latest release](https://github.com/ctc-oss/fapolicy-analyzer/releases).
Choose an RPM from the latest Fedora stable, Rawhide, and EPEL builds.
From Fedora Copr
The Copr repository contains the latest development builds and release builds prior to publishing to the Fedora
repositories. Follow this method to install a prerelease package.
### Add Copr repository
Install the ctc-oss repo with
```sh
dnf install dnf-plugins-core
dnf copr enable ctc-oss/fapolicy-analyzer
```
### Copr Release builds
Release packages of the Policy Analyzer are generally available from Copr a week before being available from Fedora.
The Policy Analyzer can be installed from the ctc-oss repository with the normal process
`dnf install fapolicy-analyzer`
### Copr pre-release builds
Pre-release packages of the Policy Analyzer for all targets are created using the latest commit to master.
Use the `dev` tag + the commit number from the `master` branch, for example
`dnf install fapolicy-analyzer-1.0.0~dev308`
will install the prerelease 1.0.0 version at the 308th commit on the master branch.
From a containerized build environment
Follow this method only if you have cloned the GitHub repository and have Podman installed
- `make fc-rpm` to build a Rawhide RPM
- `make el-rpm` to build a RHEL 8 RPM

After a successful build the container will copy the RPMs into the host `/tmp` directory.
From a local development environment
Follow this method only if you have installed all required build tools
`make run`
This requires Pip + Pipenv + Python 3.9 or greater, and Rust 1.62.1 or greater.
Python and Rust dependencies will be installed during the build process.
## fapolicyd
Compatible with v1.0+
The [fapolicyd-feature][2] label tracks support for specific [capabilities][3].
### fapolicyd.conf
Analyzing from syslog requires the following `syslog_format` entry:
```
syslog_format = rule,dec,perm,uid,gid,pid,exe,:,path,ftype,trust
```
## Getting Help
- See the [Known Issues](https://github.com/ctc-oss/fapolicy-analyzer/wiki/Known-Issues)
- Start a [Discussion](https://github.com/ctc-oss/fapolicy-analyzer/discussions)
- Create a new [Issue](https://github.com/ctc-oss/fapolicy-analyzer/issues)
## License
GPL v3
[1]: https://github.com/ctc-oss/fapolicy-analyzer/wiki/User-Guide
[2]: https://github.com/ctc-oss/fapolicy-analyzer/labels/fapolicyd-feature
[3]: https://github.com/linux-application-whitelisting/fapolicyd/blob/main/ChangeLog