Include remediation for fapolicy_default_deny rule

linux_os/guide/services/fapolicyd/fapolicy_default_deny/ansible/shared.yml

@@ -0,0 +1,31 @@
+# platform = multi_platform_all
+# reboot = false
+# strategy = restrict
+# complexity = low
+# disruption = low
+
+- name: {{{ rule_title }}} - Ensure a Final Rule Denying Everything
+  ansible.builtin.copy:
+    content: |
+      # Red Hat KCS 7003854 (https://access.redhat.com/solutions/7003854)
+      deny perm=any all : all
+    dest: /etc/fapolicyd/rules.d/99-deny-everything.rules
+    owner: root
+    group: fapolicyd
+    mode: '0644'
+  register: result_fapolicyd_final_rule
+
+- name: {{{ rule_title }}} - Ensure fapolicyd is Not Permissive
+  ansible.builtin.lineinfile:
+    path: /etc/fapolicyd/fapolicyd.conf
+    regexp: '^(permissive\s*=).*$'
+    line: '\1 0'
+    backrefs: true
+  register: result_fapolicyd_enforced
+
+- name: "{{{ rule_title }}} - Restart fapolicyd If Permissive Mode or Final Rule is Changed"
+  ansible.builtin.service:
+    name: fapolicyd
+    state: restarted
+  when:
+    - result_fapolicyd_final_rule is changed or result_fapolicyd_enforced is changed

linux_os/guide/services/fapolicyd/fapolicy_default_deny/bash/shared.sh

@@ -0,0 +1,24 @@
+# platform = multi_platform_all
+# reboot = false
+# strategy = restrict
+# complexity = low
+# disruption = low
+
+cat > /etc/fapolicyd/rules.d/99-deny-everything.rules << EOF
+# Red Hat KCS 7003854 (https://access.redhat.com/solutions/7003854)
+deny perm=any all : all
+EOF
+
+chmod 644 /etc/fapolicyd/rules.d/99-deny-everything.rules
+chgrp fapolicyd /etc/fapolicyd/rules.d/99-deny-everything.rules
+
+{{{ set_config_file(path="/etc/fapolicyd/fapolicyd.conf",
+                    parameter="permissive",
+                    value="0",
+                    create=true,
+                    insensitive=true,
+                    separator=" = ",
+                    separator_regex="\s*=\s*",
+                    prefix_regex="^\s*") }}}
+
+systemctl restart fapolicyd

linux_os/guide/services/fapolicyd/fapolicy_default_deny/tests/allow_policy.fail.sh

@@ -1,8 +1,5 @@
 #!/bin/bash
 # packages = fapolicyd
-# remediation = none
-
-{{{ bash_shell_file_set("/etc/fapolicyd/fapolicyd.conf", "permissive", "1", "true") }}}
 
 if [ -f /etc/fapolicyd/compiled.rules ]; then
     active_rules_file="/etc/fapolicyd/compiled.rules"
@@ -11,8 +8,14 @@ else
 fi
 
 truncate -s 0 $active_rules_file
-
 echo "allow exe=/usr/bin/python3.7 : ftype=text/x-python" >> $active_rules_file
 echo "allow perm=any all : all" >> $active_rules_file
 
-{{{ bash_shell_file_set("/etc/fapolicyd/fapolicyd.conf", "permissive", "0", "true") }}}
+{{{ set_config_file(path="/etc/fapolicyd/fapolicyd.conf",
+                    parameter="permissive",
+                    value="0",
+                    create=true,
+                    insensitive=true,
+                    separator=" = ",
+                    separator_regex="\s*=\s*",
+                    prefix_regex="^\s*") }}}

linux_os/guide/services/fapolicyd/fapolicy_default_deny/tests/deny_policy.pass.sh

@@ -1,8 +1,5 @@
 #!/bin/bash
 # packages = fapolicyd
-# remediation = none
-
-{{{ bash_shell_file_set("/etc/fapolicyd/fapolicyd.conf", "permissive", "1", "true") }}}
 
 if [ -f /etc/fapolicyd/compiled.rules ]; then
     active_rules_file="/etc/fapolicyd/compiled.rules"
@@ -11,8 +8,14 @@ else
 fi
 
 truncate -s 0 $active_rules_file
-
 echo "allow exe=/usr/bin/python3.7 : ftype=text/x-python" >> $active_rules_file
 echo "deny perm=any all : all" >> $active_rules_file
 
-{{{ bash_shell_file_set("/etc/fapolicyd/fapolicyd.conf", "permissive", "0", "true") }}}
+{{{ set_config_file(path="/etc/fapolicyd/fapolicyd.conf",
+                    parameter="permissive",
+                    value="0",
+                    create=true,
+                    insensitive=true,
+                    separator=" = ",
+                    separator_regex="\s*=\s*",
+                    prefix_regex="^\s*") }}}

linux_os/guide/services/fapolicyd/fapolicy_default_deny/tests/deny_policy_but_permissive.fail.sh

@@ -1,8 +1,5 @@
 #!/bin/bash
 # packages = fapolicyd
-# remediation = none
-
-{{{ bash_shell_file_set("/etc/fapolicyd/fapolicyd.conf", "permissive", "1", "true") }}}
 
 if [ -f /etc/fapolicyd/compiled.rules ]; then
     active_rules_file="/etc/fapolicyd/compiled.rules"
@@ -11,6 +8,14 @@ else
 fi
 
 truncate -s 0 $active_rules_file
-
 echo "allow exe=/usr/bin/python3.7 : ftype=text/x-python" >> $active_rules_file
 echo "deny perm=any all : all" >> $active_rules_file
+
+{{{ set_config_file(path="/etc/fapolicyd/fapolicyd.conf",
+                    parameter="permissive",
+                    value="1",
+                    create=true,
+                    insensitive=true,
+                    separator=" = ",
+                    separator_regex="\s*=\s*",
+                    prefix_regex="^\s*") }}}

linux_os/guide/services/fapolicyd/fapolicy_default_deny/tests/deny_policy_commented.fail.sh

@@ -1,8 +1,5 @@
 #!/bin/bash
 # packages = fapolicyd
-# remediation = none
-
-{{{ bash_shell_file_set("/etc/fapolicyd/fapolicyd.conf", "permissive", "1", "true") }}}
 
 if [ -f /etc/fapolicyd/compiled.rules ]; then
     active_rules_file="/etc/fapolicyd/compiled.rules"
@@ -11,8 +8,14 @@ else
 fi
 
 truncate -s 0 $active_rules_file
-
 echo "allow exe=/usr/bin/python3.7 : ftype=text/x-python" >> $active_rules_file
 echo "# deny perm=any all : all" >> $active_rules_file
 
-{{{ bash_shell_file_set("/etc/fapolicyd/fapolicyd.conf", "permissive", "0", "true") }}}
+{{{ set_config_file(path="/etc/fapolicyd/fapolicyd.conf",
+                    parameter="permissive",
+                    value="0",
+                    create=true,
+                    insensitive=true,
+                    separator=" = ",
+                    separator_regex="\s*=\s*",
+                    prefix_regex="^\s*") }}}

linux_os/guide/services/fapolicyd/fapolicy_default_deny/tests/deny_policy_not_ensured.fail.sh

@@ -1,8 +1,5 @@
 #!/bin/bash
 # packages = fapolicyd
-# remediation = none
-
-{{{ bash_shell_file_set("/etc/fapolicyd/fapolicyd.conf", "permissive", "1", "true") }}}
 
 if [ -f /etc/fapolicyd/compiled.rules ]; then
     active_rules_file="/etc/fapolicyd/compiled.rules"
@@ -11,8 +8,14 @@ else
 fi
 
 truncate -s 0 $active_rules_file
-
 echo "deny perm=any all : all" >> $active_rules_file
 echo "allow exe=/usr/bin/python3.7 : ftype=text/x-python" >> $active_rules_file
 
-{{{ bash_shell_file_set("/etc/fapolicyd/fapolicyd.conf", "permissive", "0", "true") }}}
+{{{ set_config_file(path="/etc/fapolicyd/fapolicyd.conf",
+                    parameter="permissive",
+                    value="0",
+                    create=true,
+                    insensitive=true,
+                    separator=" = ",
+                    separator_regex="\s*=\s*",
+                    prefix_regex="^\s*") }}}