-rw-r--r-- | perl-install/security/main.pm | 60 | ||||
-rw-r--r-- | perl-install/security/msec.pm | 177 |
2 files changed, 99 insertions, 138 deletions
diff --git a/perl-install/security/main.pm b/perl-install/security/main.pm index e76779308..d7ae8e3f2 100644 --- a/perl-install/security/main.pm +++ b/perl-install/security/main.pm @@ -5,7 +5,7 @@ use MDK::Common; use my_gtk qw(:helpers :wrappers :ask); use log; -use security::libsafe; +#use security::libsafe; use security::msec; sub myexit { my_gtk::exit @_ } @@ -68,7 +68,7 @@ sub basic_seclevel_option { sub basic_secadmin_check { my ($secadmin_check, $msec) = @_; - $$secadmin_check->set_active(1) if ($msec->get_check_value('', "MAIL_WARN") eq "yes"); + $$secadmin_check->set_active(1) if ($msec->get_check_value("MAIL_WARN") eq "yes"); new Gtk::Label(_("Security Alerts:")), $$secadmin_check; } @@ -76,7 +76,7 @@ sub basic_secadmin_check { sub basic_secadmin_entry { my ($secadmin_entry, $msec) = @_; - $$secadmin_entry->set_text($msec->get_check_value('', "MAIL_USER")); + $$secadmin_entry->set_text($msec->get_check_value("MAIL_USER")); my $hbox = new Gtk::HBox(0, 0); new Gtk::Label(_("Security Administrator:")), $$secadmin_entry; @@ -84,7 +84,7 @@ sub basic_secadmin_entry { sub network_generate_page { my ($rsecurity_net_hash, $msec) = @_; - my @network_options = $msec->get_functions('', "network"); + my @network_options = $msec->get_functions("network"); my @yesno_choices = qw(yes no default ignore); my @alllocal_choices = qw(ALL LOCAL NONE default); 
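Review bot: The `#use security::libsafe;` line at the top of main.pm comments the dependency out instead of removing it, so a reader cannot tell whether libsafe support is gone or only parked. If nothing in main.pm still calls into security::libsafe, delete the line; if it is a temporary measure, keep it but say why, e.g. `# TODO: security::libsafe disabled — <reason>`. The remaining hunks on this line only drop the former prefix argument and raise nothing.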
@@ -93,22 +93,22 @@ sub network_generate_page { foreach my $tmp (@network_options) { # my $hbutton = gtksignal_connect(new Gtk::Button(_("Help")), # 'clicked' => sub { show_msec_help($tmp) } ); - my $default = $msec->get_function_default('', $tmp); + my $default = $msec->get_function_default($tmp); if (member($default, @yesno_choices) || member($default, @alllocal_choices)) { $$rsecurity_net_hash{$tmp} = new Gtk::Combo(); $$rsecurity_net_hash{$tmp}->entry->set_editable(0); } else { $$rsecurity_net_hash{$tmp} = new Gtk::Entry(); - $$rsecurity_net_hash{$tmp}->set_text($msec->get_check_value('', $tmp)); + $$rsecurity_net_hash{$tmp}->set_text($msec->get_check_value($tmp)); } if (member($default, @yesno_choices)) { $$rsecurity_net_hash{$tmp}->set_popdown_strings(@yesno_choices); - $$rsecurity_net_hash{$tmp}->entry->set_text($msec->get_check_value('', $tmp)); + $$rsecurity_net_hash{$tmp}->entry->set_text($msec->get_check_value($tmp)); } elsif (member($default, @alllocal_choices)) { $$rsecurity_net_hash{$tmp}->set_popdown_strings(@alllocal_choices); - $$rsecurity_net_hash{$tmp}->entry->set_text($msec->get_check_value('', $tmp)); + $$rsecurity_net_hash{$tmp}->entry->set_text($msec->get_check_value($tmp)); } push @items, [ new Gtk::Label($tmp._(" (default: %s)",$default)), $$rsecurity_net_hash{$tmp} ]; #, $hbutton]; } @@ -120,7 +120,7 @@ sub network_generate_page { sub system_generate_page { my ($rsecurity_system_hash, $msec) = @_; - my @system_options = $msec->get_functions('', "system"); + my @system_options = $msec->get_functions("system"); my @yesno_choices = qw(yes no default ignore); my @alllocal_choices = qw(ALL LOCAL NONE default); 
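Review bot: The loop in network_generate_page still seeds each widget with `$msec->get_check_value($tmp)`, and with this commit get_check_value reads `$::prefix/etc/security/msec/security.conf`, the periodic-checks file, so a value set for a level.local function is never displayed. The accessor for these options is `get_function_value`, which msec.pm documents as returning "default" when nothing is set; as written it does not discard the invocant, so that needs fixing before it is called as a method. The else branch of system_generate_page in the next hunk has the same lookup. The loop closes inside the hunk but network_generate_page continues past it.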
@@ -129,24 +129,29 @@ sub system_generate_page { foreach my $tmp (@system_options) { # my $hbutton = gtksignal_connect(new Gtk::Button(_("Help")), # 'clicked' => sub { show_msec_help($tmp) } ); - my $default = $msec->get_function_default('', $tmp); + my $default = $msec->get_function_default($tmp); + my $def = $default ? $default : "default"; my $item_hbox = new Gtk::HBox(0, 0); if (member($default, @yesno_choices) || member($default, @alllocal_choices)) { $$rsecurity_system_hash{$tmp} = new Gtk::Combo(); $$rsecurity_system_hash{$tmp}->entry->set_editable(0); } else { - $$rsecurity_system_hash{$tmp} = new Gtk::Entry(); - $$rsecurity_system_hash{$tmp}->set_text($msec->get_check_value('', $tmp)); + $$rsecurity_system_hash{$tmp} = new Gtk::Entry(); +# $$rsecurity_system_hash{$tmp}->set_text($def); + $$rsecurity_system_hash{$tmp}->set_text($msec->get_check_value($tmp)); + } if (member($default, @yesno_choices)) { $$rsecurity_system_hash{$tmp}->set_popdown_strings(@yesno_choices); - $$rsecurity_system_hash{$tmp}->entry->set_text($msec->get_check_value('', $tmp)); +# $$rsecurity_system_hash{$tmp}->entry->set_text($msec->get_check_value($tmp)); + $$rsecurity_system_hash{$tmp}->entry->set_text($def); } elsif (member($default, @alllocal_choices)) { $$rsecurity_system_hash{$tmp}->set_popdown_strings(@alllocal_choices); - $$rsecurity_system_hash{$tmp}->entry->set_text($msec->get_check_value('', $tmp)); +# $$rsecurity_system_hash{$tmp}->entry->set_text($msec->get_check_value($tmp)); + $$rsecurity_system_hash{$tmp}->entry->set_text($def); } - push @items, [ new Gtk::Label($tmp._(" (default: %s)",$default)), $$rsecurity_system_hash{$tmp} ]; #, $hbutton ]; + push @items, [ new Gtk::Label($tmp._(" (default: %s)",$def)), $$rsecurity_system_hash{$tmp} ]; #, $hbutton ]; } createScrolledWindow(gtkpack(new Gtk::VBox(0, 0), 
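Review bot: The Combo branches of system_generate_page now seed the entry with `$def`, the level default, rather than the value currently configured, so the dialog stops reflecting level.local; and because draksec_main then calls `config_function` for every key without comparing, pressing OK rewrites each system option to its level default. Show the configured value and fall back to the default only when none is set, e.g. `my $current = $msec->get_function_value($tmp);` and `$$rsecurity_system_hash{$tmp}->entry->set_text($current eq 'default' ? $def : $current);` (get_function_value documents the "default" return but currently lacks the `shift` a method call needs). The two commented-out `set_text` lines should go rather than stay as alternatives. `my $def = $default ? $default : "default";` also treats a default of "0" as unset; `length $default ? $default : "default"` does not.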
@@ -154,10 +159,9 @@ sub system_generate_page { create_packtable({ col_spacings => 10, row_spacings => 5 }, @items))); } -# TODO: Format label & entry in a table to make it nice to see sub checks_generate_page { my ($rsecurity_checks_hash, $msec) = @_; - my @security_checks = $msec->get_checks(''); + my @security_checks = $msec->get_checks; my @choices = qw(yes no default); my @ignore_list = qw(MAIL_WARN MAIL_USER); @@ -169,7 +173,7 @@ sub checks_generate_page { $$rsecurity_checks_hash{$tmp} = new Gtk::Combo(); $$rsecurity_checks_hash{$tmp}->entry->set_editable(0); $$rsecurity_checks_hash{$tmp}->set_popdown_strings(@choices); - $$rsecurity_checks_hash{$tmp}->entry->set_text($msec->get_check_value('', $tmp)); + $$rsecurity_checks_hash{$tmp}->entry->set_text($msec->get_check_value($tmp)); push @items, [ new Gtk::Label(_($tmp)), $$rsecurity_checks_hash{$tmp} ]; #, $hbutton ]; } } 
@@ -260,31 +264,31 @@ sub draksec_main { $w = wait_msg(_("Please wait, setting security options...")); standalone::explanations("Setting security administrator option"); - if($secadmin_check_value == 1) { $msec->config_check('', 'MAIL_WARN', 'yes') } - else { $msec->config_check('', 'MAIL_WARN', 'no') } + if($secadmin_check_value == 1) { $msec->config_check('MAIL_WARN', 'yes') } + else { $msec->config_check('MAIL_WARN', 'no') } standalone::explanations("Setting security administrator contact"); - if($secadmin_value ne $msec->get_check_value('', 'MAIL_USER') && $secadmin_check_value) { - $msec->config_check('', 'MAIL_USER', $secadmin_value); + if($secadmin_value ne $msec->get_check_value('MAIL_USER') && $secadmin_check_value) { + $msec->config_check('MAIL_USER', $secadmin_value); } standalone::explanations("Setting security periodic checks"); foreach my $key (keys %security_checks_value) { - if ($security_checks_value{$key}->entry->get_text() ne $msec->get_check_value('', $key)) { - $msec->config_check('', $key, $security_checks_value{$key}->entry->get_text()); + if ($security_checks_value{$key}->entry->get_text() ne $msec->get_check_value($key)) { + $msec->config_check($key, $security_checks_value{$key}->entry->get_text()); } } standalone::explanations("Setting msec functions related to networking"); foreach my $key (keys %network_options_value) { - if($network_options_value{$key} =~ /Combo/) { $msec->config_function('', $key, $network_options_value{$key}->entry->get_text()) } - else { $msec->config_function('', $key, $network_options_value{$key}->get_text()) } + if($network_options_value{$key} =~ /Combo/) { $msec->config_function($key, $network_options_value{$key}->entry->get_text()) } + else { $msec->config_function($key, $network_options_value{$key}->get_text()) } } standalone::explanations("Setting msec functions related to the system"); foreach my $key (keys %system_options_value) { - if($system_options_value{$key} =~ /Combo/) { $msec->config_function('', 
$key, $system_options_value{$key}->entry->get_text()) } - else { $msec->config_function('', $key, $system_options_value{$key}->get_text()) } + if($system_options_value{$key} =~ /Combo/) { $msec->config_function($key, $system_options_value{$key}->entry->get_text()) } + else { $msec->config_function($key, $system_options_value{$key}->get_text()) } } remove_wait_msg($w); diff --git a/perl-install/security/msec.pm b/perl-install/security/msec.pm index c8b206678..e15459126 100644 --- a/perl-install/security/msec.pm +++ b/perl-install/security/msec.pm @@ -2,6 +2,7 @@ package security::msec; use strict; use vars qw($VERSION); +use MDK::Common::File; $VERSION = "0.2"; @@ -15,17 +16,17 @@ msec - Perl functions to handle msec configuration files my $msec = new msec; - $secure_level = get_secure_level($prefix); + $secure_level = get_secure_level; - @functions = $msec->get_functions($prefix); - foreach @functions { %options{$_} = $msec->get_function_value($prefix, $_) } - foreach @functions { %defaults{$_} = $msec->get_function_default($prefix, $_) } - foreach @functions { $msec->config_function($prefix, $_, %options{$_}) } + @functions = $msec->get_functions; + foreach @functions { %options{$_} = $msec->get_function_value($_) } + foreach @functions { %defaults{$_} = $msec->get_function_default($_) } + foreach @functions { $msec->config_function($_, %options{$_}) } - @checks = $msec->get_checks($prefix); - foreach @checks { %options{$_} = $msec->get_check_value($prefix, $_) } - foreach @checks { %defaults{$_} = $msec->get_check_default($prefix, $_) } - foreach @checks { $msec->config_check($prefix, $_, %options{$_}) } + @checks = $msec->get_checks; + foreach @checks { %options{$_} = $msec->get_check_value($_) } + foreach @checks { %defaults{$_} = $msec->get_check_default($_) } + foreach @checks { $msec->config_check($_, %options{$_}) } =head1 DESCRIPTION 
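Review bot: The widget test `$network_options_value{$key} =~ /Combo/` in draksec_main (and its twin for %system_options_value) matches the class name against the stringified object reference; `$network_options_value{$key}->isa('Gtk::Combo')` states the intent and does not depend on how the reference stringifies. Unlike the periodic-checks loop just above, which compares the widget text with `get_check_value($key)` before writing, both function loops call `config_function` for every key, so each OK rewrites every level.local entry whether or not it changed. The hunk ends inside draksec_main.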
@@ -54,75 +55,33 @@ Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA. use MDK::Common; + +my $check_file = "$::prefix/etc/security/msec/security.conf"; # *********************************************** # PRIVATE FUNCTIONS # *********************************************** -sub config_option { - my ($prefix, $option, $value, $category) =@_; - my %options_hash = ( ); - my $key = ""; - my $options_file = ""; - - if($category eq "functions") { $options_file = "$prefix/etc/security/msec/level.local"; } - elsif($category eq "checks") { $options_file ="$prefix/etc/security/msec/security.conf"; } - - if(-e $options_file) { - open F, $options_file; - if($category eq "functions") { - while(<F>) { - if (!($_ =~ /^from mseclib/) && $_ ne "\n") { - my ($name, $value_set) = split (/\(/, $_); - chop $value_set; chop $value_set; - $options_hash{$name} = $value_set; - } - } - } - elsif($category eq "checks") { - %options_hash = getVarsFromSh($options_file); - } - close F; - } - - $options_hash{$option} = $value; - - open F, '>'.$options_file; - foreach $key (keys %options_hash) { - if ($options_hash{$key} ne "default") { - if($category eq "functions") { print F "$key"."($options_hash{$key})\n"; } - elsif($category eq "checks") { print F "$key=$options_hash{$key}\n"; } - } - } - close F; -} sub get_default { - my ($prefix, $option, $category) = @_; + my ($option, $category) = @_; my $default_file = ""; my $default_value = ""; my $num_level = 0; if ($category eq "functions") { - my $word_level = get_secure_level($prefix); + my $word_level = get_secure_level(); if ($word_level eq "Dangerous") { $num_level = 0 } elsif ($word_level eq "Poor") { $num_level = 1 } elsif ($word_level eq "Standard") { $num_level = 2 } elsif ($word_level eq "High") { $num_level = 3 } elsif ($word_level eq "Higher") { $num_level = 4 } elsif ($word_level eq "Paranoid") { $num_level = 5 } - $default_file = "$prefix/usr/share/msec/level.".$num_level; + $default_file = 
"$::prefix/usr/share/msec/level.".$num_level; } - elsif ($category eq "checks") { $default_file = "$prefix/var/lib/msec/security.conf"; } + elsif ($category eq "checks") { $default_file = "$::prefix/var/lib/msec/security.conf"; } open F, $default_file; - if($category eq "functions") { - while(<F>) { - if ($_ =~ /^$option/) { (undef, $default_value) = split(/ /, $_); } - } - } - elsif ($category eq "checks") { - while(<F>) { - if ($_ =~ /^$option/) { (undef, $default_value) = split(/=/, $_); } - } + while(<F>) { + if ($_ =~ /^$option/) { (undef, $default_value) = split(/$category eq "functions" ? ' ' : '=' /o, $_); } } close F; chop $default_value; @@ -135,27 +94,21 @@ sub get_default { # SPECIFIC OPTIONS # *********************************************** -# get_secure_level(prefix) - Get the secure level +# get_secure_level() - Get the secure level # duplicated with some drakx code sub get_secure_level { - shift @_; - my $prefix = $_; + shift; my $num_level = 2; - $num_level = cat_("$prefix/etc/profile") =~ /export SECURE_LEVEL=(\d+)/ && $1 || - cat_("$prefix/etc/profile.d/msec.sh") =~ /export SECURE_LEVEL=(\d+)/ && $1 || - ${{ getVarsFromSh("$prefix/etc/sysconfig/msec") }}{SECURE_LEVEL}; + $num_level = cat_("$::prefix/etc/profile") =~ /export SECURE_LEVEL=(\d+)/ && $1 || + cat_("$::prefix/etc/profile.d/msec.sh") =~ /export SECURE_LEVEL=(\d+)/ && $1 || + ${{ getVarsFromSh("$::prefix/etc/sysconfig/msec") }}{SECURE_LEVEL}; # || $ENV{SECURE_LEVEL}; - if ($num_level == 0) { return "Dangerous" } - elsif ($num_level == 1) { return "Poor" } - elsif ($num_level == 2) { return "Standard" } - elsif ($num_level == 3) { return "High" } - elsif ($num_level == 4) { return "Higher" } - elsif ($num_level == 5) { return "Paranoid" } -} + my @sec_levels = ("Dangerous", "Poor", "Standard", "High", "Higher", "Paranoid"); + return $sec_levels[$num_level];} sub get_seclevel_list { qw(Standard High Higher Paranoid); 
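Review bot: The merged read loop in get_default splits on `/$category eq "functions" ? ' ' : '=' /o`, but a regex literal interpolates only `$category`; everything after it is pattern text, so the separator is the category name followed by the literal ` eq "functions" ? ' ' : '=' `, it never matches a configuration line, `$default_value` stays undef, and every default comes back empty. Compute the separator first, `my $sep = $category eq "functions" ? ' ' : '=';` then `(undef, $default_value) = split /\Q$sep\E/, $_;`, and drop `/o`. Separately, the new file-scoped `my $check_file = "$::prefix/etc/security/msec/security.conf";` is evaluated once when the module is compiled, whereas every other path here interpolates `$::prefix` at call time; if the caller assigns `$::prefix` after `use security::msec` has run, config_check and get_check_value operate on the unprefixed host files. A one-line `sub check_file { "$::prefix/etc/security/msec/security.conf" }` used in both places avoids that. get_default's tail is outside the hunk.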
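Review bot: The closing brace of get_secure_level is fused onto the return, `return $sec_levels[$num_level];}`, which hides where the sub ends; put `}` on its own line. `my $num_level = 2;` is then overwritten unconditionally by the lookup chain, so it is not the fallback it looks like: when all three lookups fail `$num_level` is undef and `$sec_levels[undef]` is "Dangerous", as before this change. If Standard is the intended fallback, `return $sec_levels[defined $num_level ? $num_level : 2];` makes it real; otherwise drop the misleading initialiser.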
@@ -163,28 +116,22 @@ sub get_seclevel_list { sub set_secure_level { my $word_level = $_[1]; - my $num_level = 0; - if ($word_level eq "Dangerous") { $num_level = 0 } - elsif ($word_level eq "Poor") { $num_level = 1 } - elsif ($word_level eq "Standard") { $num_level = 2 } - elsif ($word_level eq "High") { $num_level = 3 } - elsif ($word_level eq "Higher") { $num_level = 4 } - elsif ($word_level eq "Paranoid") { $num_level = 5 } - - system "/usr/sbin/msec", $num_level; + my %sec_levels = ("Dangerous" => 0, "Poor" => 1, "Standard" => 2, "High" => 3, "Higher" => 4, "Paranoid" => 5); + my $num_level = $sec_levels{$word_level}; + system "/usr/sbin/msec", $num_level ? $run_level : 3; } # *********************************************** # FUNCTIONS (level.local) RELATED # *********************************************** -# get_functions(prefix) - +# get_functions() - # return a list of functions handled by level.local (see # man mseclib for more info). sub get_functions { shift; - my ($prefix, $category) = @_; + my ($category) = @_; my @functions = (); my (@tmp_network_list, @tmp_system_list); @@ -204,10 +151,10 @@ sub get_functions { enable_sulogin password_aging password_history password_length set_root_umask set_shell_history_size set_shell_timeout set_user_umask); - my $file = "$prefix/usr/share/msec/mseclib.py"; + my $file = "$::prefix/usr/share/msec/mseclib.py"; my $function = ''; - print "$prefix\n"; + print "$::prefix\n"; # read mseclib.py to get each function's name and if it's # not in the ignore list, add it to the returned list. open F, $file; 
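Review bot: set_secure_level now runs `system "/usr/sbin/msec", $num_level ? $run_level : 3;`, and `$run_level` is declared nowhere in the diff; under the file's `use strict` that fails to compile unless it exists outside the visible hunks, and `$num_level` is clearly what was meant. The truthiness test is also wrong at the low end: "Dangerous" maps to 0, which is false, so it would be applied as level 3 just like an unrecognised name; if 3 is the intended fallback for unknown names, use `system "/usr/sbin/msec", defined $num_level ? $num_level : 3;`. Keeping the list form of `system` is right, as it passes the level without a shell. get_functions begins in this hunk and continues in the next.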
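Review bot: `print "$::prefix\n";` in get_functions is debugging output that this change only renamed; it is emitted on STDOUT every time the function list is built and should be removed or routed through the project's logging instead. The neighbouring `open F, $file;` is unchanged context but is a two-argument, unchecked open on a bareword handle; `open my $fh, '<', $file or die "open $file: $!";` would surface a missing mseclib.py instead of silently returning an empty list. get_functions continues outside the hunk.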
@@ -226,13 +173,13 @@ sub get_functions { @functions; } -# get_function_value(prefix, function) - +# get_function_value(function) - # return the value of the function passed in argument. If no value is set, # return "default". sub get_function_value { - my ($prefix, $function) = @_; + my ($function) = @_; my $value = ''; - my $msec_options = "$prefix/etc/security/msec/level.local"; + my $msec_options = "$::prefix/etc/security/msec/level.local"; my $found = 0; if (-e $msec_options) { @@ -252,34 +199,40 @@ sub get_function_value { $value; } -# get_function_default(prefix, function) - +# get_function_default(function) - # return the default value of the function according to the security level sub get_function_default { shift; - my ($prefix, $function) = @_; - return get_default($prefix, $function, "functions"); + my ($function) = @_; + return get_default($function, "functions"); } -# config_function(prefix, function, value) - +# config_function(function, value) - # Apply the configuration to 'prefix'/etc/security/msec/level.local sub config_function { - shift @_; - my ($prefix, $function, $value) = @_; - config_option($prefix, $function, $value, "functions"); + shift; + my ($function, $value) = @_; + my $options_file = "$::prefix/etc/security/msec/level.local"; + + if ($value eq 'default') { + substInFile { s/^$function.*// } $options_file; + } else { + substInFile { s/^$function.*// } $options_file; + append_to_file($options_file, "$function $value") + } } # *********************************************** # PERIODIC CHECKS (security.conf) RELATED # *********************************************** -# get_checks(prefix) - +# get_checks() - # return a list of periodic checks handled by security.conf sub get_checks { - my $prefix = $_; my $check; my @checks = (); - my $check_file = "$prefix/var/lib/msec/security.conf"; + my $check_file = "$::prefix/var/lib/msec/security.conf"; my @ignore_list = qw(MAIL_USER); if (-e $check_file) { 
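Review bot: get_function_value still unpacks `my ($function) = @_;` with no leading `shift`, although get_function_default and config_function in the next hunk now discard the invocant and the synopsis calls it as `$msec->get_function_value($_)`; invoked that way `$function` receives the invocant and the lookup is for a name that cannot exist in level.local. Add `shift;` before the unpack, as in the sibling subs; get_check_default in the last hunk has the same omission. The sub continues outside the hunk.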
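Review bot: The entry format config_function now writes, `append_to_file($options_file, "$function $value")`, does not match what the config_option it replaces produced for level.local, `name(value)` lines following a `from mseclib` import that the old reader skipped, so unless the reader side changed in the same commit (get_function_value's parsing is outside the hunk) msec will not pick these entries up; append_to_file also does not appear to add a newline, so successive writes would run together — confirm against MDK::Common::File. The `substInFile { s/^$function.*// } $options_file;` statement is identical in both branches and belongs above the `if`; it also interpolates the name unquoted and matches any function whose name merely begins with `$function`, so `substInFile { s/^\Q$function\E\b.*// } $options_file;` is the safer form, and if substInFile hands over the line with its newline the substitution leaves a blank line where the entry was. config_check in the last hunk has the same `s/^$check.*//` pattern. get_checks begins in this hunk and continues in the next.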
@@ -294,12 +247,12 @@ sub get_checks { @checks; } -# get_check_value(prefix, check) +# get_check_value(check) # return the value of the check passed in argument sub get_check_value { - shift @_; - my ($prefix, $check) = @_; - my $check_file = "$prefix/etc/security/msec/security.conf"; + shift; + my ($check) = @_; + my $check_file = $check_file; my $value = ''; my $found = 0; @@ -320,19 +273,23 @@ sub get_check_value { $value; } -# get_check_default(prefix, check) +# get_check_default(check) # Get the default value according to the security level sub get_check_default { - my ($prefix, $check) = @_; - return get_default($prefix, $check, "checks"); + my ($check) = @_; + return get_default($check, "checks"); } -# config_check(prefix, check, value) -# Apply the configuration to "prefix"/etc/security/msec/security.conf +# config_check(check, value) +# Apply the configuration to "$::prefix"/etc/security/msec/security.conf sub config_check { - shift @_; - my ($prefix, $check, $value) = @_; - config_option($prefix, $check, $value, "checks"); + shift; + my ($check, $value) = @_; + if ($value eq 'default') { + substInFile { s/^$check.*// } $check_file; + } else { + setVarsInSh($check_file, { $check => $value }); + } } sub new { shift } |
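Review bot: `my $check_file = $check_file;` in get_check_value declares a lexical initialised from the file-scoped `$check_file` of the same name; it works only because the right-hand side is resolved before the new variable comes into scope, and it reads like a mistake. Delete the line and use the file-level variable directly, or give the local a distinct name. get_check_value's body continues outside the hunk.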