
sap_hana_install: Add support for fapolicyd #727

Merged: 28 commits from hana_install_fapolicyd into sap-linuxlab:dev, Jun 14, 2024

Conversation

@berndfinger (Member) commented Apr 26, 2024

This PR adds support for fapolicyd:

  • The presence of the package fapolicyd is ensured.
  • The integrity setting in /etc/fapolicyd/fapolicyd.conf will be sha256 instead of the default none.
  • The presence of a new fapolicyd rule file in /etc/fapolicyd/rules.d, for protecting shell scripts, is ensured.
  • The presence of all executables under /hana and /usr/sap in fapolicyd trust files in /etc/fapolicyd/trust.d is ensured.
  • The service fapolicyd is enabled and running.

I introduced a new role parameter, sap_hana_install_root_path which is needed for this functionality, and replaced /hana by this variable and /hana/shared by its corresponding variable.

I also modified yes/no to true/false in defaults/main.yml so we over time only use those for all roles.

Solves #728.

Also use role parameters for /hana and /hana/shared where possible.

Signed-off-by: Bernd Finger <[email protected]>
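The two pieces of the setup listed above that are easiest to get subtly wrong are the trust-file contents and the integrity setting: fapolicyd trust files (`/etc/fapolicyd/trust.d/*`) hold one `path size sha256` line per file, and only with `integrity = sha256` in `fapolicyd.conf` does the daemon actually compare the size and hash of the binary being executed against that line; with the shipped default `integrity = none` a file is trusted by path alone, so a binary swapped in place under `/hana` or `/usr/sap` would still run. The following is an added example, not code from the sap_hana_install role or the sap-linuxlab project: it generates trust entries for a directory tree and rewrites the integrity line. It assumes the role's default roots (`/hana`, `/usr/sap`) and approximates the role's mime-type `'/x-'` filter by magic bytes (ELF header or shebang) instead of calling `file`; the sample tree in `demo()` is constructed, not real HANA content.

```python
"""
Added example (not code from the sap_hana_install role): generate fapolicyd
trust-file entries for executables under a directory tree and raise the
'integrity' setting in fapolicyd.conf.
"""
import hashlib
import os
import tempfile
from pathlib import Path

# Assumption: the role's default roots as described in the PR
# (sap_hana_install_root_path -> /hana, plus /usr/sap).
TRUSTED_DIRS_DEFAULT = ["/hana", "/usr/sap"]

ELF_MAGIC = b"\x7fELF"
SHEBANG = b"#!"


def looks_executable(path):
    """Approximation (assumption) of the role's mime-type '/x-' filter:
    ELF objects (application/x-executable, x-sharedlib, x-pie-executable)
    and scripts with a shebang (text/x-shellscript etc.), picked by magic bytes."""
    try:
        with path.open("rb") as fh:
            head = fh.read(4)
    except OSError:
        return False
    return head.startswith(ELF_MAGIC) or head.startswith(SHEBANG)


def trust_entry(path):
    """One line in fapolicyd trust-file format: '<path> <size> <sha256>'.
    With integrity = sha256 the daemon compares size and hash of the file
    being executed against this entry, so a binary swapped in place under a
    trusted path is denied instead of being trusted by name."""
    data = path.read_bytes()
    return "{} {} {}".format(path, len(data), hashlib.sha256(data).hexdigest())


def trust_entries(root):
    """Walk root (symlinks skipped, so a link cannot smuggle in an untrusted
    target) and return sorted trust lines for everything that looks executable."""
    entries = []
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            p = Path(dirpath) / name
            if p.is_symlink() or not p.is_file():
                continue
            if looks_executable(p):
                entries.append(trust_entry(p))
    return sorted(entries)


def set_integrity(conf_text, level="sha256"):
    """Rewrite the 'integrity = ...' line of fapolicyd.conf (shipped as 'none'),
    appending it if absent. Commented-out lines are left alone. Idempotent."""
    out, found = [], False
    for line in conf_text.splitlines():
        key, sep, _value = line.partition("=")
        if sep and key.strip() == "integrity":
            line = "integrity = {}".format(level)
            found = True
        out.append(line)
    if not found:
        out.append("integrity = {}".format(level))
    return "\n".join(out) + "\n"


def demo():
    """Run against a constructed sample tree (not real HANA files): a fake ELF
    binary, a shell script, a plain text file and a symlink to the script."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp) / "hana" / "shared"
        (root / "exe").mkdir(parents=True)
        (root / "exe" / "hdbdaemon").write_bytes(ELF_MAGIC + b"\x02\x01\x01" + b"\0" * 61)
        (root / "HDB.sh").write_text("#!/bin/sh\necho hello\n")
        (root / "README.txt").write_text("not executable\n")
        (root / "link.sh").symlink_to(root / "HDB.sh")
        entries = trust_entries(root)
        conf = set_integrity("# fapolicyd.conf\nintegrity = none\nq_size = 800\n")
        return {
            "names": [Path(e.split(" ")[0]).name for e in entries],
            "sizes": [e.split(" ")[1] for e in entries],
            "hashes": [e.split(" ")[2] for e in entries],
            "conf": conf,
        }


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

Two operational points follow from this: a trust file written into `/etc/fapolicyd/trust.d/` is only picked up after `fapolicyd-cli --update` (or a service restart, which the PR's handler does after changing `fapolicyd.conf`), and because the entries pin size and hash, they must be regenerated after every HANA patch or upgrade, otherwise the updated binaries are denied rather than allowed.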
... for the name of the fapolicyd trusted files file.

Signed-off-by: Bernd Finger <[email protected]>
... if fapolicyd is to be used.
Also replace yes by true and no by false in defaults/main.yml.

Signed-off-by: Bernd Finger <[email protected]>
- Add all files with mime type pattern '/x-'
- Support more than one directory which contains executable files
- Use a separate fapolicyd trust file for each directory

Signed-off-by: Bernd Finger <[email protected]>
- add support for setting the fapolicyd integrity levels
  default: sha256
- use /hana/shared and /usr/sap for the directories to be scanned
- rename parameter sap_hana_install_directories_with_executables to
  sap_hana_install_fapolicyd_trusted_directories
- reduce line lengths in some cases

Signed-off-by: Bernd Finger <[email protected]>
... for the paths to be searched for executables, so the paths are
identical to those used to set the file contexts for SELinux

Signed-off-by: Bernd Finger <[email protected]>
...after modifying the fapolicyd config file

Signed-off-by: Bernd Finger <[email protected]>
... for multiple directories

Signed-off-by: Bernd Finger <[email protected]>
... and some further tweaking

Signed-off-by: Bernd Finger <[email protected]>
@rhmk (Member) left a comment

please correct the comments, they are misleading. The rest looks fine for me

@berndfinger (Member, Author) commented Jun 7, 2024

> please correct the comments, they are misleading. The rest looks fine for me

Thanks for your review! All good now (I hope).

- We use sap_hana_install_shared_path in favor of sap_hana_install_install_path
- If present (e.g. in playbooks or inventories), we use the first directory component
  of sap_hana_install_install_path for sap_hana_install_root_path and we assign
  sap_hana_install_install_path to sap_hana_install_shared_path.

Examples:
If sap_hana_install_install_path is defined as '/hana_01/shared', the following variables
will be set:

sap_hana_install_root_path: '/hana_01'
sap_hana_install_shared_path: '/hana_01/shared'

If sap_hana_install_install_path is not defined, the following variables will be set:

sap_hana_install_root_path: '/hana'
sap_hana_install_shared_path: '/hana/shared'

Signed-off-by: Bernd Finger <[email protected]>
@rhmk (Member) left a comment

LGTM

@sean-freeman (Member) left a comment

lgtm with backwards compatibility for the var names of directory paths (i.e. /hana)

@berndfinger berndfinger merged commit f5ffb3a into sap-linuxlab:dev Jun 14, 2024
3 of 4 checks passed
@berndfinger berndfinger deleted the hana_install_fapolicyd branch June 14, 2024 14:57