Diffstat (limited to 'perl-install/security/msec.pm')
| -rw-r--r-- | perl-install/security/msec.pm | 258 |
1 files changed, 132 insertions, 126 deletions
diff --git a/perl-install/security/msec.pm b/perl-install/security/msec.pm
index 35d229a4d..4258653ef 100644
--- a/perl-install/security/msec.pm
+++ b/perl-install/security/msec.pm
@@ -1,88 +1,92 @@ package security::msec; use strict; -use vars qw($VERSION); -use MDK::Common::File; use MDK::Common; -$VERSION = "0.2"; +#------------------------------------------------------------- +# msec options managment methods -my $check_file = "$::prefix/etc/security/msec/security.conf"; +#------------------------------------------------------------- +# option defaults +sub load_defaults { + my ($msec, $category) = @_; + my $separator = $msec->{$category}{def_separator}; + map { + my ($opt, $val) = split(/$separator/, $_, 2); + chop $val; + if_($opt ne 'set_security_conf', $opt => $val); + } cat_($msec->{$category}{defaults_file}), if_($category eq "checks", 'MAIL_USER'); +} + + +# get_XXX_default(function) - +# return the default of the function|check passed in argument. + +sub get_check_default { + my ($msec, $check) = @_; + $msec->{checks}{default}{$check}; +} + +sub get_function_default { + my ($msec, $function) = @_; + $msec->{functions}{default}{$function}; +} -# *********************************************** -# PRIVATE FUNCTIONS -# *********************************************** -my $num_level; +#------------------------------------------------------------- +# option values + +sub load_values { + my ($msec, $category) = @_; + my $separator = $msec->{$category}{val_separator}; + map { + my ($opt, $val) = split /$separator/; + chop $val; + $val =~ s/[()]//g; + chop $opt if $separator eq '\('; # $opt =~ s/ //g if $separator eq '\('; + if_(defined($val), $opt => $val); + } cat_($msec->{$category}{values_file}); +} -sub get_default { - my ($option, $category) = @_; - my $default_file = ""; - my $default_value = ""; - my $num_level = 0; - if ($category eq "functions") { - require security::level; - $num_level ||= security::level::get(); - $default_file = "$::prefix/usr/share/msec/level.".$num_level; - } - elsif ($category eq "checks") { $default_file = "$::prefix/var/lib/msec/security.conf" } +# get_XXX_value(check|function) - +# return the value of the 
function|check passed in argument. +# If no value is set, return "default". - foreach (cat_($default_file)) { - if ($category eq 'functions') { - (undef, $default_value) = split / / if /^$option/; - } elsif ($category eq 'checks') { - (undef, $default_value) = split /=/ if /^$option/; - } - } - chop $default_value; - $default_value; +sub get_function_value { + my ($msec, $function) = @_; + exists $msec->{functions}{value}{$function} ? $msec->{functions}{value}{$function} : "default"; } -sub get_value { - my ($item, $category) = @_; - my $value = ''; - my $item_file = - $category eq 'functions' ? "$::prefix/etc/security/msec/level.local" : - $category eq 'checks' ? $check_file : ''; - - foreach (cat_($item_file)) { - /^$item/ or next; - - if ($category eq 'functions') { - my $i = $_; - (undef, $_) = split /\(/; - s/[()]//g; - $value = $_; - $_ = $i; - } elsif ($category eq 'checks') { - (undef, $value) = split(/=/, $_); - } - chop $value; - return $value; - } - "default"; +sub get_check_value { + my ($msec, $check) = @_; + $msec->{checks}{value}{$check} || "default"; } -# *********************************************** -# SPECIFIC OPTIONS -# *********************************************** -# *********************************************** -# FUNCTIONS (level.local) RELATED -# *********************************************** +#------------------------------------------------------------- +# get list of check|functions + +# list_(functions|checks) - +# return a list of functions|checks handled by level.local|security.conf -# get_functions() - -# return a list of functions handled by level.local (see -# man mseclib for more info). 
-sub get_functions { - my (undef, $category) = @_; - my @functions; +sub raw_checks_list { + my ($msec) = @_; + keys %{$msec->{checks}{default}}; +} + +sub list_checks { + my ($msec) = @_; + difference2([ $msec->raw_checks_list ], [ qw(MAIL_WARN MAIL_USER) ]); +} + +sub list_functions { + my ($msec, $category) = @_; ## TODO handle 3 last functions here so they can be removed from this list my @ignore_list = qw(indirect commit_changes closelog error initlog log set_secure_level 
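Review bot: `get_check_value` falls back with `||`, so a check explicitly set to `0` or an empty string is reported as `"default"`, while `get_function_value` just above uses `exists` for the same decision; make them agree, `exists $msec->{checks}{value}{$check} ? $msec->{checks}{value}{$check} : "default";`. In `load_defaults` and `load_values`, `chop $val` unconditionally drops the last character, which silently truncates the value on a final line that has no trailing newline — `chomp $val` only strips the line ending. `load_values` also calls `split /$separator/` without a limit, so a value that itself contains the separator loses everything after it; the two-element form already used in `load_defaults`, `split(/$separator/, $_, 2)`, avoids that. The bare `'MAIL_USER'` entry appended to the `cat_` list in `load_defaults` produces an undef default for that key, which looks intentional but deserves a one-line comment saying so. `list_functions` at the end of this hunk continues into the next hunk.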
@@ -93,89 +97,91 @@ sub get_functions { enable_dns_spoofing_protection enable_ip_spoofing_protection enable_log_strange_packets enable_promisc_check no_password_aging_for)], 'system' => [qw(allow_autologin allow_issues allow_reboot allow_remote_root_login - allow_root_login allow_user_list allow_x_connections allow_xserver_to_listen + allow_root_login allow_user_list allow_xauth_from_root allow_x_connections allow_xserver_to_listen authorize_services enable_at_crontab enable_console_log enable_msec_cron enable_pam_wheel_for_su enable_password enable_security_check enable_sulogin password_aging password_history password_length set_root_umask set_shell_history_size set_shell_timeout set_user_umask)]); - my $file = "$::prefix/usr/share/msec/mseclib.py"; - my $function; - - # read mseclib.py to get each function's name and if it's - # not in the ignore list, add it to the returned list. - foreach (cat_($file)) { - if (/^def/) { - (undef, $function) = split / /; - ($function, undef) = split(/\(/, $function); - if (!member($function, @ignore_list) && member($function, @{$options{$category}})) { - push(@functions, $function) - } - } - } - - @functions; + # get all function names; filter out those which are in the ignore + # list, return what lefts. + grep { !member($_, @ignore_list) && member($_, @{$options{$category}}) } keys %{$msec->{functions}{default}}; } -# get_function_value(function) - -# return the value of the function passed in argument. If no value is set, -# return "default". 
-sub get_function_value { - shift; - get_value(@_, 'functions'); + +#------------------------------------------------------------- +# set back checks|functions values + +sub set_function { + my ($msec, $function, $value) = @_; + $msec->{functions}{value}{$function} = $value; } -# get_function_default(function) - -# return the default value of the function according to the security level -sub get_function_default { - shift; - return get_default(@_, "functions"); +sub set_check { + my ($msec, $check, $value) = @_; + $msec->{checks}{value}{$check} = $value; } -# config_function(function, value) - -# Apply the configuration to 'prefix'/etc/security/msec/level.local -sub config_function { - my (undef, $function, $value) = @_; - my $options_file = "$::prefix/etc/security/msec/level.local"; - substInFile { s/^$function.*\n// } $options_file; - append_to_file($options_file, "$function ($value)") if $value ne 'default'; -} +#------------------------------------------------------------- +# apply configuration -# *********************************************** -# PERIODIC CHECKS (security.conf) RELATED -# *********************************************** +# config_(check|function)(check|function, value) - +# Apply the configuration to 'prefix'/etc/security/msec/security.conf||/etc/security/msec/level.local -# get_default_checks() - -# return a list of periodic checks handled by security.conf -sub get_default_checks { - map { if_(/(.*?)=/, $1) } cat_("$::prefix/var/lib/msec/security.conf"); +sub apply_functions { + my ($msec) = @_; + my @list = sort($msec->list_functions('system'), $msec->list_functions('network')); + touch($msec->{functions}{values_file}) if !-e $msec->{functions}{values_file}; + substInFile { + foreach my $function (@list) { s/^$function.*\n// } + if (eof) { + $_ .= join("\n", if_(!$_, ''), (map { + my $value = $msec->get_function_value($_); + if_($value ne 'default', "$_ ($value)"); + } @list), ""); + } + } $msec->{functions}{values_file}; } -# 
get_check_value(check) -# return the value of the check passed in argument -sub get_check_value { - shift; - get_value(@_, 'checks'); +sub apply_checks { + my ($msec) = @_; + my @list = sort $msec->raw_checks_list; + setVarsInSh($msec->{checks}{values_file}, + { + map { + my $value = $msec->get_check_value($_); + if_($value ne 'default', $_ => $value); + } @list + } + ); } -# get_check_default(check) -# Get the default value according to the security level -sub get_check_default { - my ($check) = @_; - return get_default($check, 'checks'); +sub reload { + my ($msec) = @_; + require security::level; + my $num_level = security::level::get(); + $msec->{functions}{defaults_file} = "$::prefix/usr/share/msec/level.$num_level"; + $msec->{functions}{default} = { $msec->load_defaults('functions') }; } -# config_check(check, value) -# Apply the configuration to "$::prefix"/etc/security/msec/security.conf -sub config_check { - my (undef, $check, $value) = @_; - if ($value eq 'default') { - substInFile { s/^$check.*\n// } $check_file; - } else { - setVarsInSh($check_file, { $check => $value }); - } +sub new { + my ($type) = @_; + my $msec = bless {}, $type; + + $msec->{functions}{values_file} = "$::prefix/etc/security/msec/level.local"; + $msec->{checks}{values_file} = "$::prefix/etc/security/msec/security.conf"; + $msec->{checks}{defaults_file} = "$::prefix/var/lib/msec/security.conf"; + $msec->{checks}{val_separator} = '='; + $msec->{functions}{val_separator} = '\('; + $msec->{checks}{def_separator} = '='; + $msec->{functions}{def_separator} = ' '; + $msec->reload; + + $msec->{checks}{default} = { $msec->load_defaults('checks') }; + $msec->{functions}{value} = { $msec->load_values('functions') }; + $msec->{checks}{value} = { $msec->load_values('checks') }; + $msec; } -sub new { shift } 1; |
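Review bot: `apply_checks` omits checks whose value is `default` from the hash handed to `setVarsInSh`, whereas the removed `config_check` explicitly deleted that check's line from security.conf; unless `setVarsInSh` (defined outside this file) removes variables absent from its hash, resetting a check to default leaves the previous explicit value in the file and the setting is never actually reverted. In `apply_functions`, `s/^$function.*\n//` is anchored only on the left, so a function name that is a prefix of another's (none in the current list, but nothing guards it) would strip both lines; `s/^\Q$function\E\b.*\n//` limits the match to the whole name. The new-file path also looks fragile: `touch` creates an empty level.local, and if `substInFile` runs the block once per existing line, an empty file never reaches the `eof` branch and nothing is written — worth confirming against MDK::Common::File. Function values are interpolated into level.local as `"$_ ($value)"` with no validation in `set_function`, so a value containing `)` or a newline corrupts the file; `set_function`/`set_check` are the cheapest place to reject such input. `list_functions` at the top of this hunk starts in the previous hunk.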
