Diffstat (limited to 'perl-install/security/msec.pm')
| -rw-r--r-- | perl-install/security/msec.pm | 341 |
1 files changed, 121 insertions, 220 deletions
diff --git a/perl-install/security/msec.pm b/perl-install/security/msec.pm
index c069fba35..4258653ef 100644
--- a/perl-install/security/msec.pm
+++ b/perl-install/security/msec.pm
@@ -1,172 +1,92 @@ package security::msec; use strict; -use vars qw($VERSION); -use MDK::Common::File; - -$VERSION = "0.2"; - -=head1 NAME - -msec - Perl functions to handle msec configuration files - -=head1 SYNOPSYS +use MDK::Common; - require security::msec; - my $msec = new msec; +#------------------------------------------------------------- +# msec options managment methods - $secure_level = get_secure_level; - @functions = $msec->get_functions; - foreach @functions { %options{$_} = $msec->get_function_value($_) } - foreach @functions { %defaults{$_} = $msec->get_function_default($_) } - foreach @functions { $msec->config_function($_, %options{$_}) } +#------------------------------------------------------------- +# option defaults - @checks = $msec->get_default_checks; - foreach @checks { %options{$_} = $msec->get_check_value($_) } - foreach @checks { %defaults{$_} = $msec->get_check_default($_) } - foreach @checks { $msec->config_check($_, %options{$_}) } +sub load_defaults { + my ($msec, $category) = @_; + my $separator = $msec->{$category}{def_separator}; + map { + my ($opt, $val) = split(/$separator/, $_, 2); + chop $val; + if_($opt ne 'set_security_conf', $opt => $val); + } cat_($msec->{$category}{defaults_file}), if_($category eq "checks", 'MAIL_USER'); +} -=head1 DESCRIPTION -C<msec> is a perl module used by draksec to customize the different options -that can be set in msec's configuration files. +# get_XXX_default(function) - +# return the default of the function|check passed in argument. 
-=head1 COPYRIGHT +sub get_check_default { + my ($msec, $check) = @_; + $msec->{checks}{default}{$check}; +} -Copyright (C) 2000,2001,2002 MandrakeSoft <cbelisle@mandrakesoft.com> +sub get_function_default { + my ($msec, $function) = @_; + $msec->{functions}{default}{$function}; +} -This program is free software; you can redistribute it and/or modify -it under the terms of the GNU General Public License as published by -the Free Software Foundation; either version 2, or (at your option) -any later version. -This program is distributed in the hope that it will be useful, -but WITHOUT ANY WARRANTY; without even the implied warranty of -MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the -GNU General Public License for more details. -You should have received a copy of the GNU General Public License -along with this program; if not, write to the Free Software -Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA. +#------------------------------------------------------------- +# option values -=cut +sub load_values { + my ($msec, $category) = @_; + my $separator = $msec->{$category}{val_separator}; + map { + my ($opt, $val) = split /$separator/; + chop $val; + $val =~ s/[()]//g; + chop $opt if $separator eq '\('; # $opt =~ s/ //g if $separator eq '\('; + if_(defined($val), $opt => $val); + } cat_($msec->{$category}{values_file}); +} -use MDK::Common; +# get_XXX_value(check|function) - +# return the value of the function|check passed in argument. +# If no value is set, return "default". 
-my $check_file = "$::prefix/etc/security/msec/security.conf"; - -my @sec_levels = ("Dangerous", "Poor", "Standard", "High", "Higher", "Paranoid"); -my %sec_levels = ("Dangerous" => 0, "Poor" => 1, "Standard" => 2, "High" => 3, "Higher" => 4, "Paranoid" => 5); - - -# *********************************************** -# PRIVATE FUNCTIONS -# *********************************************** - -sub get_default { - my ($option, $category) = @_; - my $default_file = ""; - my $default_value = ""; - my $num_level = 0; - - if ($category eq "functions") { - my $word_level = get_secure_level(); - $num_level = $sec_levels{$word_level}; - $default_file = "$::prefix/usr/share/msec/level.".$num_level; - } - elsif ($category eq "checks") { $default_file = "$::prefix/var/lib/msec/security.conf"; } - - open F, $default_file; - while(<F>) { - if ($category eq 'functions') { - if ($_ =~ /^$option/) { (undef, $default_value) = split(/ /, $_) } - } elsif ($category eq 'checks') { - if ($_ =~ /^$option/) { (undef, $default_value) = split(/=/, $_) } - } - } - close F; - chop $default_value; - $default_value; +sub get_function_value { + my ($msec, $function) = @_; + exists $msec->{functions}{value}{$function} ? 
$msec->{functions}{value}{$function} : "default"; } -sub get_value { - my ($item, $category) = @_; - my $value = ''; - my $found = 0; - my $item_file; - $item_file = "$::prefix/etc/security/msec/level.local" if $category eq 'functions'; - $item_file = $check_file if $category eq 'checks'; - - if (-e $item_file) { - open F, $item_file; - while(<F>) { - if($_ =~ /^$item/) { - if ($category eq 'functions') { - my $i = $_; - (undef, $_) = split /\(/; - tr /()//d; - $value = $_; - $_ = $i; - } elsif ($category eq 'checks') { - (undef, $value) = split(/=/, $_); - } - chop $value; - $found = 1; - close F; - } - } - close F; - $value = "default" if $found == 0; - } - else { $value = "default" } - $value; +sub get_check_value { + my ($msec, $check) = @_; + $msec->{checks}{value}{$check} || "default"; } -# *********************************************** -# SPECIFIC OPTIONS -# *********************************************** - -# get_secure_level() - Get the secure level -# duplicated with some drakx code -sub get_secure_level { - shift; - my $num_level = 2; +#------------------------------------------------------------- +# get list of check|functions - $num_level = cat_("$::prefix/etc/profile") =~ /export SECURE_LEVEL=(\d+)/ && $1 || - cat_("$::prefix/etc/profile.d/msec.sh") =~ /export SECURE_LEVEL=(\d+)/ && $1 || - ${{ getVarsFromSh("$::prefix/etc/sysconfig/msec") }}{SECURE_LEVEL}; - # || $ENV{SECURE_LEVEL}; +# list_(functions|checks) - +# return a list of functions|checks handled by level.local|security.conf - return $sec_levels[$num_level];} - -sub get_seclevel_list { - qw(Standard High Higher Paranoid); +sub raw_checks_list { + my ($msec) = @_; + keys %{$msec->{checks}{default}}; } -sub set_secure_level { - my $word_level = $_[1]; - - my $run_level = $sec_levels{$word_level}; - system "/usr/sbin/msec", $run_level ? 
$run_level : 3; +sub list_checks { + my ($msec) = @_; + difference2([ $msec->raw_checks_list ], [ qw(MAIL_WARN MAIL_USER) ]); } -# *********************************************** -# FUNCTIONS (level.local) RELATED -# *********************************************** - -# get_functions() - -# return a list of functions handled by level.local (see -# man mseclib for more info). -sub get_functions { - shift; - my ($category) = @_; - my @functions = (); - my (@tmp_network_list, @tmp_system_list); +sub list_functions { + my ($msec, $category) = @_; ## TODO handle 3 last functions here so they can be removed from this list my @ignore_list = qw(indirect commit_changes closelog error initlog log set_secure_level 
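Review bot: get_check_value falls back with `||`, so a check whose stored value is a false string such as "0" or "" is reported as "default", while get_function_value directly above tests presence with `exists`; the two accessors should agree. Because apply_checks later writes back only values that are not 'default', such an explicitly configured check would also be silently dropped from security.conf on the next apply. Whether security.conf ever carries such values cannot be confirmed from this hunk, but the accessor should not depend on it; mirroring the sibling accessor fixes it: `exists $msec->{checks}{value}{$check} ? $msec->{checks}{value}{$check} : "default";`.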
@@ -177,110 +97,91 @@ sub get_functions { enable_dns_spoofing_protection enable_ip_spoofing_protection enable_log_strange_packets enable_promisc_check no_password_aging_for)], 'system' => [qw(allow_autologin allow_issues allow_reboot allow_remote_root_login - allow_root_login allow_user_list allow_x_connections allow_xserver_to_listen + allow_root_login allow_user_list allow_xauth_from_root allow_x_connections allow_xserver_to_listen authorize_services enable_at_crontab enable_console_log enable_msec_cron enable_pam_wheel_for_su enable_password enable_security_check enable_sulogin password_aging password_history password_length set_root_umask set_shell_history_size set_shell_timeout set_user_umask)]); - my $file = "$::prefix/usr/share/msec/mseclib.py"; - my $function = ''; - - # read mseclib.py to get each function's name and if it's - # not in the ignore list, add it to the returned list. - open F, $file; - while (<F>) { - if ($_ =~ /^def/) { - (undef, $function) = split(/ /, $_); - ($function, undef) = split(/\(/, $function); - if (!(member($function, @ignore_list))) { - push(@functions, $function) if (member($function, @{$options{$category}})); - } - } - } - close F; - - @functions; + # get all function names; filter out those which are in the ignore + # list, return what lefts. + grep { !member($_, @ignore_list) && member($_, @{$options{$category}}) } keys %{$msec->{functions}{default}}; } -# get_function_value(function) - -# return the value of the function passed in argument. If no value is set, -# return "default". 
-sub get_function_value { - shift; - get_value(@_, 'functions'); -} -# get_function_default(function) - -# return the default value of the function according to the security level -sub get_function_default { - shift; - return get_default(@_, "functions"); +#------------------------------------------------------------- +# set back checks|functions values + +sub set_function { + my ($msec, $function, $value) = @_; + $msec->{functions}{value}{$function} = $value; } -# config_function(function, value) - -# Apply the configuration to 'prefix'/etc/security/msec/level.local -sub config_function { - shift; - my ($function, $value) = @_; - my $options_file = "$::prefix/etc/security/msec/level.local"; - - if ($value eq 'default') { - substInFile { s/^$function.*\n// } $options_file; - } else { - substInFile { s/^$function.*\n// } $options_file; - append_to_file($options_file, "$function ($value)") - } +sub set_check { + my ($msec, $check, $value) = @_; + $msec->{checks}{value}{$check} = $value; } -# *********************************************** -# PERIODIC CHECKS (security.conf) RELATED -# *********************************************** -# get_default_checks() - -# return a list of periodic checks handled by security.conf -sub get_default_checks { - my $check; - my @checks = (); +#------------------------------------------------------------- +# apply configuration - my $check_file = "$::prefix/var/lib/msec/security.conf"; +# config_(check|function)(check|function, value) - +# Apply the configuration to 'prefix'/etc/security/msec/security.conf||/etc/security/msec/level.local - if (-e $check_file) { - open F, $check_file; - while (<F>) { - ($check, undef) = split(/=/, $_); - push @checks, $check if (!(member($check, qw(MAIL_USER)))) +sub apply_functions { + my ($msec) = @_; + my @list = sort($msec->list_functions('system'), $msec->list_functions('network')); + touch($msec->{functions}{values_file}) if !-e $msec->{functions}{values_file}; + substInFile { + foreach my 
$function (@list) { s/^$function.*\n// } + if (eof) { + $_ .= join("\n", if_(!$_, ''), (map { + my $value = $msec->get_function_value($_); + if_($value ne 'default', "$_ ($value)"); + } @list), ""); } - close F; - } - @checks; + } $msec->{functions}{values_file}; } -# get_check_value(check) -# return the value of the check passed in argument -sub get_check_value { - shift; - get_value(@_, 'checks'); +sub apply_checks { + my ($msec) = @_; + my @list = sort $msec->raw_checks_list; + setVarsInSh($msec->{checks}{values_file}, + { + map { + my $value = $msec->get_check_value($_); + if_($value ne 'default', $_ => $value); + } @list + } + ); } -# get_check_default(check) -# Get the default value according to the security level -sub get_check_default { - my ($check) = @_; - return get_default($check, 'checks'); +sub reload { + my ($msec) = @_; + require security::level; + my $num_level = security::level::get(); + $msec->{functions}{defaults_file} = "$::prefix/usr/share/msec/level.$num_level"; + $msec->{functions}{default} = { $msec->load_defaults('functions') }; } -# config_check(check, value) -# Apply the configuration to "$::prefix"/etc/security/msec/security.conf -sub config_check { - shift; - my ($check, $value) = @_; - if ($value eq 'default') { - substInFile { s/^$check.*\n// } $check_file; - } else { - setVarsInSh($check_file, { $check => $value }); - } +sub new { + my ($type) = @_; + my $msec = bless {}, $type; + + $msec->{functions}{values_file} = "$::prefix/etc/security/msec/level.local"; + $msec->{checks}{values_file} = "$::prefix/etc/security/msec/security.conf"; + $msec->{checks}{defaults_file} = "$::prefix/var/lib/msec/security.conf"; + $msec->{checks}{val_separator} = '='; + $msec->{functions}{val_separator} = '\('; + $msec->{checks}{def_separator} = '='; + $msec->{functions}{def_separator} = ' '; + $msec->reload; + + $msec->{checks}{default} = { $msec->load_defaults('checks') }; + $msec->{functions}{value} = { $msec->load_values('functions') }; + 
$msec->{checks}{value} = { $msec->load_values('checks') }; + $msec; } -sub new { shift } 1; |
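Review bot: apply_checks hands setVarsInSh only the checks whose value is not 'default', but nothing in the hunk removes the line of a check the user switched back to default; the deleted config_check did that explicitly with `substInFile { s/^$check.*\n// } $check_file`. Unless setVarsInSh also deletes keys absent from its hash (not visible here), a reverted value stays in security.conf and keeps overriding the level default, so a periodic check once set to `no` silently remains disabled. apply_functions avoids this for level.local by stripping every listed function before appending the non-default ones; apply_checks should likewise strip the omitted keys first, e.g. `substInFile { foreach my $check (@defaults) { s/^$check=.*\n// } } $msec->{checks}{values_file}` before the setVarsInSh call. Separately, the `s/^$function.*\n//` in apply_functions is anchored only at the start of the name, so a function name that is a prefix of another line's name would delete that line too; `s/^$function\s*\(.*\n//` (or a `\b` after `$function`) makes the match exact.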
