Diffstat (limited to 'perl-install/security/msec.pm')
-rw-r--r--perl-install/security/msec.pm407
1 files changed, 178 insertions, 229 deletions
diff --git a/perl-install/security/msec.pm b/perl-install/security/msec.pm
index 66800ef11..4258653ef 100644
--- a/perl-install/security/msec.pm
+++ b/perl-install/security/msec.pm
@@ -1,238 +1,187 @@
package security::msec;
-use common;
-use log;
-
-sub get_user_list {
- my @user_list = ();
-
- open(PASSWD, "/etc/passwd");
- while(<PASSWD>) {
- my ($login_name, undef, $uid) = split(/:/,$_);
- if($uid >= 500) { push(@user_list, $login_name); }
- }
- @user_list;
+use strict;
+use MDK::Common;
+
+
+#-------------------------------------------------------------
+# msec options managment methods
+
+
+#-------------------------------------------------------------
+# option defaults
+
+sub load_defaults {
+ my ($msec, $category) = @_;
+ my $separator = $msec->{$category}{def_separator};
+ map {
+ my ($opt, $val) = split(/$separator/, $_, 2);
+ chop $val;
+ if_($opt ne 'set_security_conf', $opt => $val);
+ } cat_($msec->{$category}{defaults_file}), if_($category eq "checks", 'MAIL_USER');
+}
+
+
+# get_XXX_default(function) -
+# return the default of the function|check passed in argument.
+
+sub get_check_default {
+ my ($msec, $check) = @_;
+ $msec->{checks}{default}{$check};
+}
+
+sub get_function_default {
+ my ($msec, $function) = @_;
+ $msec->{functions}{default}{$function};
+}
+
+
+
+#-------------------------------------------------------------
+# option values
+
+sub load_values {
+ my ($msec, $category) = @_;
+ my $separator = $msec->{$category}{val_separator};
+ map {
+ my ($opt, $val) = split /$separator/;
+ chop $val;
+ $val =~ s/[()]//g;
+ chop $opt if $separator eq '\('; # $opt =~ s/ //g if $separator eq '\(';
+ if_(defined($val), $opt => $val);
+ } cat_($msec->{$category}{values_file});
+}
+
+
+# get_XXX_value(check|function) -
+# return the value of the function|check passed in argument.
+# If no value is set, return "default".
+
+sub get_function_value {
+ my ($msec, $function) = @_;
+ exists $msec->{functions}{value}{$function} ? $msec->{functions}{value}{$function} : "default";
+}
+
+sub get_check_value {
+ my ($msec, $check) = @_;
+ $msec->{checks}{value}{$check} || "default";
+}
+
+
+
+#-------------------------------------------------------------
+# get list of check|functions
+
+# list_(functions|checks) -
+# return a list of functions|checks handled by level.local|security.conf
+
+sub raw_checks_list {
+ my ($msec) = @_;
+ keys %{$msec->{checks}{default}};
+}
+
+sub list_checks {
+ my ($msec) = @_;
+ difference2([ $msec->raw_checks_list ], [ qw(MAIL_WARN MAIL_USER) ]);
+}
+
+sub list_functions {
+ my ($msec, $category) = @_;
+
+ ## TODO handle 3 last functions here so they can be removed from this list
+ my @ignore_list = qw(indirect commit_changes closelog error initlog log set_secure_level
+ set_security_conf set_server_level print_changes get_translation create_server_link);
+
+ my %options = (
+ 'network' => [qw(accept_bogus_error_responses accept_broadcasted_icmp_echo accept_icmp_echo
+ enable_dns_spoofing_protection enable_ip_spoofing_protection
+ enable_log_strange_packets enable_promisc_check no_password_aging_for)],
+ 'system' => [qw(allow_autologin allow_issues allow_reboot allow_remote_root_login
+ allow_root_login allow_user_list allow_xauth_from_root allow_x_connections allow_xserver_to_listen
+ authorize_services enable_at_crontab enable_console_log
+ enable_msec_cron enable_pam_wheel_for_su enable_password enable_security_check
+ enable_sulogin password_aging password_history password_length set_root_umask
+ set_shell_history_size set_shell_timeout set_user_umask)]);
+
+ # get all function names; filter out those which are in the ignore
+ # list, return what lefts.
+ grep { !member($_, @ignore_list) && member($_, @{$options{$category}}) } keys %{$msec->{functions}{default}};
+}
+
+
+#-------------------------------------------------------------
+# set back checks|functions values
+
+sub set_function {
+ my ($msec, $function, $value) = @_;
+ $msec->{functions}{value}{$function} = $value;
+}
+
+sub set_check {
+ my ($msec, $check, $value) = @_;
+ $msec->{checks}{value}{$check} = $value;
+}
+
+
+#-------------------------------------------------------------
+# apply configuration
+
+# config_(check|function)(check|function, value) -
+# Apply the configuration to 'prefix'/etc/security/msec/security.conf||/etc/security/msec/level.local
+
+sub apply_functions {
+ my ($msec) = @_;
+ my @list = sort($msec->list_functions('system'), $msec->list_functions('network'));
+ touch($msec->{functions}{values_file}) if !-e $msec->{functions}{values_file};
+ substInFile {
+ foreach my $function (@list) { s/^$function.*\n// }
+ if (eof) {
+ $_ .= join("\n", if_(!$_, ''), (map {
+ my $value = $msec->get_function_value($_);
+ if_($value ne 'default', "$_ ($value)");
+ } @list), "");
+ }
+ } $msec->{functions}{values_file};
+}
+
+sub apply_checks {
+ my ($msec) = @_;
+ my @list = sort $msec->raw_checks_list;
+ setVarsInSh($msec->{checks}{values_file},
+ {
+ map {
+ my $value = $msec->get_check_value($_);
+ if_($value ne 'default', $_ => $value);
+ } @list
+ }
+ );
}
-sub add_config {
- my ($prefix, $config_option, @values) = @_;
- my $tmp_file = "$prefix/etc/security/msec/level.local.tmp";
- my $result = "";
-
- $result = $config_option.'(';
- foreach $value (@values) {
- $result .= $value.',';
- }
- chop $result;
- $result .= ')';
-
- open(TMP_CONFIG, '>>'.$tmp_file);
- print TMP_CONFIG "$result\n";
- close TMP_CONFIG;
+sub reload {
+ my ($msec) = @_;
+ require security::level;
+ my $num_level = security::level::get();
+ $msec->{functions}{defaults_file} = "$::prefix/usr/share/msec/level.$num_level";
+ $msec->{functions}{default} = { $msec->load_defaults('functions') };
}
-sub commit_changes {
- my ($prefix) = $_;
- my $tmp_file = "$prefix/etc/security/msec/level.local.tmp";
- my $config_file = "$prefix/etc/security/msec/level.local";
- my %config_data;
- my $config_option = "";
-
- open (TMP_CONFIG, $tmp_file);
-
- if (!(-x $config_file)) {
- open(CONFIG_FILE, '>'.$config_file);
- print CONFIG_FILE "from mseclib import *\n\n";
- while(<TMP_CONFIG>) { print CONFIG_FILE $_; }
- }
- else {
- open(CONFIG_FILE, $config_file);
- while(<CONFIG_FILE>) {
- if($_ =~ /\(/) {
- ($config_option, undef) = split(/\(/, $_);
- (undef, $config_data{$config_option}) = split(/\(/, $_);
- }
- }
- close CONFIG_FILE;
-
- while(<TMP_CONFIG>) {
- ($config_option, undef) = split(/\(/, $_);
- (undef, $config_data{$config_option}) = split(/\(/, $_);
- }
-
- open(CONFIG_FILE, '>'.$config_file);
- print CONFIG_FILE "from mseclib import *\n\n";
- foreach $config_option (keys %config_data) {
- print CONFIG_FILE $config_option.'('.$config_data{$config_option}.'\n';
- }
- }
-
- close CONFIG_FILE;
- close TMP_CONFIG;
-
- standalone::rm_rf($tmp_file);
-}
-
-sub get_config {
- my ($prefix, $security) = @_;
-
- my (%net_options_defaults) = (
- accept_bogus_error_responses => [ 0, 0, 0, 0, 1, 1 ],
- accept_icmp_echo => [ 1, 1, 1, 1, 0, 0 ],
- enable_ip_spoofing_protection => [ 0, 0, 0, 1, 1, 1 ],
- enable_log_strange_packets => [ 0, 0, 0, 0, 1, 1 ] );
-
- my (%user_options_defaults) = (
- allow_autologin => [ 1, 1, 1, 0, 0, 0 ],
- allow_issues => [ "ALL", "ALL", "ALL", "LOCAL", "LOCAL", "NONE" ],
- allow_reboot => [ 1, 1, 1, 1, 0, 0 ],
- allow_root_login => [ 1, 1, 1, 1, 0, 0 ],
- allow_user_list => [ 1, 1, 1, 1, 0, 0 ],
- enable_at_crontab => [ 1, 1, 1, 1, 0, 0 ],
- enable_pam_wheel_for_su => [ 0, 0, 0, 0, 0, 0 ],
- enable_password => [ 0, 1, 1, 1, 1, 1 ],
- enable_sulogin => [ 0, 0, 0, 0, 1, 1 ],
- password_aging => [ "99999,-1", "99999,-1", "99999,-1", "99999,-1", "60,-1", "30,-1" ],
- password_length => [ "0,0,0", "0,0,0", "0,0,0", "0,0,0", "0,0,0", "0,0,0" ],
- set_root_umask => [ "002", "002", "022", "022", "022", "077" ],
- set_user_umask => [ "002", "002", "022", "022", "077", "077" ],
- set_shell_history_size => [ "-1", "-1", "-1", "-1", "10", "10" ],
- set_shell_timeout => [ "0", "0", "0", "0", "3600", "900" ] );
-
- my (%server_options_defaults) = (
- allow_x_connections => [ "ALL", "LOCAL", "LOCAL", "LOCAL", "LOCAL", "NONE" ],
- authorize_services => [ "ALL", "ALL", "ALL", "ALL", "LOCAL", "NONE" ],
- enable_libsafe => [ 0, 0, 0, 0, 0, 0 ] );
-
- my (%net_options) = (
- accept_bogus_error_responses => $net_options_defaults{accept_bogus_error_responses}[$security],
- accept_icmp_echo => $net_options_defaults{accept_icmp_echo}[$security],
- enable_ip_spoofing_protection => $net_options_defaults{enable_ip_spoofing_protection}[$security],
- enable_log_strange_packets => $net_options_defaults{enable_log_strange_packets}[$security]
- );
-
- my (%net_options_matrix) = (
- accept_bogus_error_responses => { label => _("Accept/Refuse bogus IPV4 error messages"),
- val => \$net_options{accept_bogus_error_responses},
- type => "bool" },
- accept_icmp_echo => { label => _("Accept/Refuse ICMP echo"),
- val => \$net_options{accept_icmp_echo},
- type => "bool" },
- enable_ip_spoofing_protection => { label => _("Enable/Disable IP spoofing protection. If alert is true, also reports to syslog"),
- val => \$net_options{enable_ip_spoofing_protection},
- type=> "bool" },
- enable_log_strange_packets => { label => _("Enable/Disable the logging of IPv4 strange packets"),
- val => \$net_options{enable_log_strange_packets},
- type => "bool" }
- );
-
- my (%user_options) = (
- allow_autologin => $user_options_defaults{allow_autologin}[$security],
- allow_issues => $user_options_defaults{allow_issues}[$security],
- allow_reboot => $user_options_defaults{allow_reboot}[$security],
- allow_root_login => $user_options_defaults{allow_root_login}[$security],
- allow_user_list => $user_options_defaults{allow_user_list}[$security],
- enable_at_crontab => $user_options_defaults{enable_at_crontab}[$security],
- enable_pam_wheel_for_su => $user_options_defaults{enable_pam_wheel_for_su}[$security],
- enable_password => $user_options_defaults{enable_password}[$security],
- enable_sulogin => $user_options_defaults{enable_sulogin}[$security],
- password_aging => $user_options_defaults{password_aging}[$security],
- password_length => $user_options_defaults{password_length}[$security],
- set_root_umask => $user_options_defaults{set_root_umask}[$security],
- set_user_umask => $user_options_defaults{set_user_umask}[$security],
- set_shell_history_size => $user_options_defaults{set_shell_history_size}[$security],
- set_shell_timeout => $user_options_defaults{set_shell_timeout}[$security]
- );
-
- my (%user_options_matrix) = (
- allow_autologin => { label => _("Allow/Forbid autologin"),
- val => \$user_options{allow_autologin},
- type => "bool" },
- allow_issues => { label => _("Allow/Forbid pre-login message : If ALL, allow remote and local pre-login message (/etc/issue[.net]).\n If LOCAL, allow local pre-login message (/etc/issue). If NONE, disable pre-login message."),
- val => \$user_options{allow_issues},
- list => ["ALL", "LOCAL", "NONE"] },
- allow_reboot => { label => _("Allow/Forbid reboot by the console user"),
- val => \$user_options{allow_reboot},
- type => "bool" },
- allow_root_login => { label => _("Allow/Forbid direct root login"),
- val => \$user_options{allow_root_login},
- type => "bool" },
- allow_user_list => { label => _("Allow/Forbid the list of users on the system in the display managers (kdm and gdm)"),
- val => \$user_options{allow_user_list},
- type => "bool" },
- enable_at_crontab => { label => _("Enable/Disable crontab and at for users. Put allowed users in /etc/cron.allow\n and /etc/at.allow (see at(1) and crontab(1))"),
- val => \$user_options{enable_at_crontab},
- type => "bool" },
- enable_pam_wheel_for_su => { label => _("Enable su only for members of the wheel group or allow su from any user"),
- val => \$user_options{enable_pam_wheel_for_su},
- type => "bool" },
- enable_password => { label => _("Use password to authenticate users"),
- val => \$user_options{enable_password},
- type => "bool" },
- enable_sulogin => { label => _("Enable/Disable sulogin in single user level (see sulogin(8))"),
- val => \$user_options{enable_sulogin},
- type => "bool" },
- password_aging => { label => _("Set password aging to max days, Set delay before inactive\n (99999 to disable password aging, -1 to disable de-activation"),
- val => \$user_options{password_aging} },
- password_length => { label => _("Set the password minimum length, the minimum number of digits and the minimum number of capitalized letters"),
- val => \$user_options{password_length} },
- set_root_umask => { label => _("Set the root umask"),
- val => \$user_options{set_root_umask} },
- set_user_umask => { label => _("Set the user umask"),
- val => \$user_options{set_user_umask} },
- set_shell_history_size => { label => _("Set shell commands history size (-1 for unlimited)"),
- val => \$user_options{set_shell_history_size} },
- set_shell_timeout => { label => _("Set the shell timeout in seconds (0 for unlimited)"),
- val => \$user_options{set_shell_timeout} }
- );
-
- my (%server_options) = (
- allow_x_connections => $server_options_defaults{allow_x_connections}[$security],
- authorize_services => $server_options_defaults{authorize_services}[$security],
- enable_libsafe => $server_options_defaults{enable_libsafe}[$security]
- );
-
- my (%server_options_matrix) = (
- allow_x_connections => { label => ("Allow/Forbid X connections : If ALL, all connections allowed. If LOCAL, local connections allowed.\n If NONE, only console connections allowed"),
- val => \$server_options{allow_x_connections},
- list => [ "ALL", "LOCAL", "NONE" ] },
- authorize_services => { label => _("Allow/Forbid services : If ALL, authorize all services. If LOCAL, authorize only local services.\n If NONE, disable all services. (see hosts.deny(5)). To authorize a service, see hosts.allow(5)."),
- val => \$server_options{authorize_services},
- list => [ "ALL", "LOCAL", "NONE" ] },
- enable_libsafe => { label => _("Enable/Disable libsafe if it's installed on the system."),
- val => \$server_options{enable_libsafe},
- type => "bool" },
- );
-
- my $config_file = "$prefix/etc/security/msec/level.local";
- my $values = "";
- my $config_option = "";
-
- open CONFIGFILE, $config_file;
- while(<CONFIGFILE>) {
- if($_ =~ /\(/) {
- ($config_option, undef) = split(/\(/, $_);
- (undef, $values) = split(/\(/, $_);
- chop $values;
-
- if ($config_option ne "set_security_conf") {
- if ($net_options_matrix{$config_option}{description} eq "") {
- (undef, $net_options_matrix{$config_option}{value}) = $values;
- } elsif ($user_options_matrix{$config_option}{description} eq "") {
- (undef, $user_options_matrix{$config_option}{value}) = $values;
- } elsif ($server_options_matrix{$config_option}{description} eq "") {
- (undef, $server_options_matrix{$config_option}{value}) = $values;
- }
- }
- else {
- # TODO : Add code to handle set_security_conf
- }
- }
- }
-
- close CONFIGFILE;
-
- return (\%net_options_matrix, \%user_options_matrix, \%server_options_matrix);
+sub new {
+ my ($type) = @_;
+ my $msec = bless {}, $type;
+
+ $msec->{functions}{values_file} = "$::prefix/etc/security/msec/level.local";
+ $msec->{checks}{values_file} = "$::prefix/etc/security/msec/security.conf";
+ $msec->{checks}{defaults_file} = "$::prefix/var/lib/msec/security.conf";
+ $msec->{checks}{val_separator} = '=';
+ $msec->{functions}{val_separator} = '\(';
+ $msec->{checks}{def_separator} = '=';
+ $msec->{functions}{def_separator} = ' ';
+ $msec->reload;
+
+ $msec->{checks}{default} = { $msec->load_defaults('checks') };
+ $msec->{functions}{value} = { $msec->load_values('functions') };
+ $msec->{checks}{value} = { $msec->load_values('checks') };
+ $msec;
}
1;
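Review bot: In apply_functions, the `touch` on the line `touch($msec->{functions}{values_file}) if !-e ...` creates an empty level.local, while the removed commit_changes always wrote a `from mseclib import *` header ahead of the `function (value)` lines; if msec still executes level.local as Python, a file first created by this code will lack that import. Creating it with the header, e.g. `output($msec->{functions}{values_file}, "from mseclib import *\n\n") if !-e $msec->{functions}{values_file};` (output comes from MDK::Common, which the file already uses), would keep the old file format. Separately, get_check_value tests with `||`, so a check explicitly set to a false value such as `0` or an empty string reads as "default" and is then omitted by apply_checks, silently reverting it to the level default, whereas get_function_value tests `exists`. Using `exists $msec->{checks}{value}{$check} ? $msec->{checks}{value}{$check} : "default"` makes the two accessors consistent and preserves an explicit setting.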