summaryrefslogtreecommitdiffstats
path: root/perl-install/security
diff options
context:
space:
mode:
Diffstat (limited to 'perl-install/security')
-rw-r--r--perl-install/security/help.pm139
-rw-r--r--perl-install/security/l10n.pm66
-rw-r--r--perl-install/security/level.pm80
-rw-r--r--perl-install/security/msec.pm407
-rw-r--r--perl-install/security/various.pm19
5 files changed, 482 insertions, 229 deletions
diff --git a/perl-install/security/help.pm b/perl-install/security/help.pm
new file mode 100644
index 000000000..ec934e067
--- /dev/null
+++ b/perl-install/security/help.pm
@@ -0,0 +1,139 @@
+package security::help;
+# This help was forked from msec internal function descriptions
+# They were then reworked in order to be targeted for end users, not msec developpers
+
+
+use strict;
+use common;
+
+our %help = (
+
+'accept_bogus_error_responses' => N("Accept bogus IPv4 error messages."),
+
+'accept_broadcasted_icmp_echo' => N("Accept broadcasted icmp echo."),
+
+'accept_icmp_echo' => N("Accept icmp echo."),
+
+'allow_autologin' => N("Allow autologin."),
+
+'allow_issues' =>
+ #-PO: here "ALL" is a value in a pull-down menu; translate it the same as "ALL" is
+ N("If set to \"ALL\", /etc/issue and /etc/issue.net are allowed to exist.
+
+If set to \"None\", no issues are allowed.
+
+Else only /etc/issue is allowed."),
+
+'allow_reboot' => N("Allow reboot by the console user."),
+
+'allow_remote_root_login' => N("Allow remote root login."),
+
+'allow_root_login' => N("Allow direct root login."),
+
+'allow_user_list' => N("Allow the list of users on the system on display managers (kdm and gdm)."),
+
+'allow_xauth_from_root' => N("Allow to export display when
+passing from the root account to the other users.
+
+See pam_xauth(8) for more details.'"),
+
+'allow_x_connections' => N("Allow X connections:
+
+- \"All\" (all connections are allowed),
+
+- \"Local\" (only connection from local machine),
+
+- \"None\" (no connection)."),
+
+'allow_xserver_to_listen' => N("The argument specifies if clients are authorized to connect
+to the X server from the network on the tcp port 6000 or not."),
+
+'authorize_services' =>
+ #-PO: here "ALL", "Local" and "None" are values in a pull-down menu; translate them the same as they're
+ N("Authorize:
+
+- all services controlled by tcp_wrappers (see hosts.deny(5) man page) if set to \"ALL\",
+
+- only local ones if set to \"Local\"
+
+- none if set to \"None\".
+
+To authorize the services you need, use /etc/hosts.allow (see hosts.allow(5))."),
+
+'create_server_link' => N("If SERVER_LEVEL (or SECURE_LEVEL if absent)
+is greater than 3 in /etc/security/msec/security.conf, creates the
+symlink /etc/security/msec/server to point to
+/etc/security/msec/server.<SERVER_LEVEL>.
+
+The /etc/security/msec/server is used by chkconfig --add to decide to
+add a service if it is present in the file during the installation of
+packages."),
+
+'enable_at_crontab' => N("Enable crontab and at for users.
+
+Put allowed users in /etc/cron.allow and /etc/at.allow (see man at(1)
+and crontab(1))."),
+
+'enable_console_log' => N("Enable syslog reports to console 12"),
+
+'enable_dns_spoofing_protection' => N("Enable name resolution spoofing protection. If
+\"%s\" is true, also reports to syslog.", N("Security Alerts:")),
+
+'enable_ip_spoofing_protection' => N("Enable IP spoofing protection."),
+
+'enable_libsafe' => N("Enable libsafe if libsafe is found on the system."),
+
+'enable_log_strange_packets' => N("Enable the logging of IPv4 strange packets."),
+
+'enable_msec_cron' => N("Enable msec hourly security check."),
+
+'enable_pam_wheel_for_su' => N("Enable su only from members of the wheel group. If set to no, allows su from any user."),
+
+'enable_password' => N("Use password to authenticate users."),
+
+'enable_promisc_check' => N("Activate Ethernet cards promiscuity check."),
+
+'enable_security_check' => N("Activate daily security check."),
+
+'enable_sulogin' => N("Enable sulogin(8) in single user level."),
+
+'no_password_aging_for' => N("Add the name as an exception to the handling of password aging by msec."),
+
+'password_aging' => N("Set password aging to \"max\" days and delay to change to \"inactive\"."),
+
+'password_history' => N("Set the password history length to prevent password reuse."),
+
+'password_length' => N("Set the password minimum length and minimum number of digit and minimum number of capitalized letters."),
+
+'set_root_umask' => N("Set the root's file mode creation mask."),
+CHECK_OPEN_PORT => N("if set to yes, check open ports."),
+CHECK_PASSWD => N("if set to yes, check for:
+
+- empty passwords,
+
+- no password in /etc/shadow
+
+- for users with the 0 id other than root."),
+CHECK_PERMS => N("if set to yes, check permissions of files in the users' home."),
+CHECK_PROMISC => N("if set to yes, check if the network devices are in promiscuous mode."),
+CHECK_SECURITY => N("if set to yes, run the daily security checks."),
+CHECK_SGID => N("if set to yes, check additions/removals of sgid files."),
+CHECK_SHADOW => N("if set to yes, check empty password in /etc/shadow."),
+CHECK_SUID_MD5 => N("if set to yes, verify checksum of the suid/sgid files."),
+CHECK_SUID_ROOT => N("if set to yes, check additions/removals of suid root files."),
+CHECK_UNOWNED => N("if set to yes, report unowned files."),
+CHECK_WRITABLE => N("if set to yes, check files/directories writable by everybody."),
+CHKROOTKIT_CHECK => N("if set to yes, run chkrootkit checks."),
+MAIL_USER => N("if set, send the mail report to this email address else send it to root."),
+MAIL_WARN => N("if set to yes, report check result by mail."),
+MAIL_EMPTY_CONTENT => N("Do not send mails if there's nothing to warn about"),
+RPM_CHECK => N("if set to yes, run some checks against the rpm database."),
+SYSLOG_WARN => N("if set to yes, report check result to syslog."),
+TTY_WARN => N("if set to yes, reports check result to tty."),
+
+'set_shell_history_size' => N("Set shell commands history size. A value of -1 means unlimited."),
+
+'set_shell_timeout' => N("Set the shell timeout. A value of zero means no timeout.") . "\n\n" . N("Timeout unit is second"),
+
+'set_user_umask' => N("Set the user's file mode creation mask."),
+);
diff --git a/perl-install/security/l10n.pm b/perl-install/security/l10n.pm
new file mode 100644
index 000000000..355f1fff1
--- /dev/null
+++ b/perl-install/security/l10n.pm
@@ -0,0 +1,66 @@
+package security::l10n;
+# This help was build from stripped from python description of msec functions
+# soft/msec/share/libmsec.py
+#
+# It's used in draksec option labels
+
+use common;
+
+sub fields() {
+ return (
+ 'accept_bogus_error_responses' => N("Accept bogus IPv4 error messages"),
+ 'accept_broadcasted_icmp_echo' => N("Accept broadcasted icmp echo"),
+ 'accept_icmp_echo' => N("Accept icmp echo"),
+ 'allow_autologin' => N("Autologin"),
+ 'allow_issues' => N("/etc/issue* exist"),
+ 'allow_reboot' => N("Reboot by the console user"),
+ 'allow_remote_root_login' => N("Allow remote root login"),
+ 'allow_root_login' => N("Direct root login"),
+ 'allow_user_list' => N("List users on display managers (kdm and gdm)"),
+ 'allow_xauth_from_root' => N("Export display when passing from root to the other users"),
+ 'allow_x_connections' => N("Allow X Window connections"),
+ 'allow_xserver_to_listen' => N("Authorize TCP connections to X Window"),
+ 'authorize_services' => N("Authorize all services controlled by tcp_wrappers"),
+ 'create_server_link' => N("Chkconfig obey msec rules"),
+ 'enable_at_crontab' => N("Enable \"crontab\" and \"at\" for users"),
+ 'enable_console_log' => N("Syslog reports to console 12"),
+ 'enable_dns_spoofing_protection' => N("Name resolution spoofing protection"),
+ 'enable_ip_spoofing_protection' => N("Enable IP spoofing protection"),
+ 'enable_libsafe' => N("Enable libsafe if libsafe is found on the system"),
+ 'enable_log_strange_packets' => N("Enable the logging of IPv4 strange packets"),
+ 'enable_msec_cron' => N("Enable msec hourly security check"),
+ 'enable_pam_wheel_for_su' => N("Enable su only from the wheel group members"),
+ 'enable_password' => N("Use password to authenticate users"),
+ 'enable_promisc_check' => N("Ethernet cards promiscuity check"),
+ 'enable_security_check' => N("Daily security check"),
+ 'enable_sulogin' => N("Sulogin(8) in single user level"),
+ 'no_password_aging_for' => N("No password aging for"),
+ 'password_aging' => N("Set password expiration and account inactivation delays"),
+ 'password_history' => N("Password history length"),
+ 'password_length' => N("Password minimum length and number of digits and upcase letters"),
+ 'set_root_umask' => N("Root umask"),
+ 'set_shell_history_size' => N("Shell history size"),
+ 'set_shell_timeout' => N("Shell timeout"),
+ 'set_user_umask' => N("User umask"),
+ CHECK_OPEN_PORT => N("Check open ports"),
+ CHECK_PASSWD => N("Check for unsecured accounts"),
+ CHECK_PERMS => N("Check permissions of files in the users' home"),
+ CHECK_PROMISC => N("Check if the network devices are in promiscuous mode"),
+ CHECK_SECURITY => N("Run the daily security checks"),
+ CHECK_SGID => N("Check additions/removals of sgid files"),
+ CHECK_SHADOW => N("Check empty password in /etc/shadow"),
+ CHECK_SUID_MD5 => N("Verify checksum of the suid/sgid files"),
+ CHECK_SUID_ROOT => N("Check additions/removals of suid root files"),
+ CHECK_UNOWNED => N("Report unowned files"),
+ CHECK_WRITABLE => N("Check files/directories writable by everybody"),
+ CHKROOTKIT_CHECK => N("Run chkrootkit checks"),
+ MAIL_EMPTY_CONTENT => N("Do not send empty mail reports"),
+ MAIL_USER => N("If set, send the mail report to this email address else send it to root"),
+ MAIL_WARN => N("Report check result by mail"),
+ RPM_CHECK => N("Run some checks against the rpm database"),
+ SYSLOG_WARN => N("Report check result to syslog"),
+ TTY_WARN => N("Reports check result to tty"),
+ );
+}
+
+1;
diff --git a/perl-install/security/level.pm b/perl-install/security/level.pm
new file mode 100644
index 000000000..bb3d9ddf2
--- /dev/null
+++ b/perl-install/security/level.pm
@@ -0,0 +1,80 @@
+package security::level;
+
+use strict;
+use common;
+use run_program;
+# perl_checker: require interactive
+
+sub level_list() {
+ (
+ 0 => N("Disable msec"),
+ 1 => N("Standard"),
+ 2 => N("Secure"),
+ );
+}
+
+sub to_string { +{ level_list() }->{$_[0]} }
+sub from_string { +{ reverse level_list() }->{$_[0]} || 2 }
+
+sub rawlevel_list() {
+ (
+ 0 => 'none',
+ 1 => 'standard',
+ 2 => 'secure',
+ );
+}
+
+sub to_lowlevel_string { +{ rawlevel_list() }->{$_[0]} }
+sub from_lowlevel_string { +{ reverse rawlevel_list() }->{$_[0]} || 2 }
+
+sub get_string() { to_string(get() || 2) }
+sub get_common_list() { map { to_string($_) } (1, 2, 3, 4, 5) }
+
+sub get() {
+ my $level = ${{ getVarsFromSh("$::prefix/etc/security/msec/security.conf") }}{BASE_LEVEL} || #- 2009.1 msec
+ "standard";
+ from_lowlevel_string($level);
+}
+
+sub set {
+ my ($security) = @_;
+ my @levelnames = ('none', 'standard', 'secure');
+ # use Standard level if specified level is out of range
+ $security = 1 if $security > $#levelnames;
+ run_program::rooted($::prefix, 'msec', '-q', '-f', $levelnames[$security]);
+ run_program::rooted($::prefix, 'msecperms', '-q', '-e', $levelnames[$security]);
+}
+
+sub level_choose {
+ my ($in, $security, $email) = @_; # perl_checker: $in = interactive->new
+
+ my %help = (
+ 0 => N("This level is to be used with care, as it disables all additional security
+provided by msec. Use it only when you want to take care of all aspects of system security
+on your own."),
+ 1 => N("This is the standard security recommended for a computer that will be used to connect to the Internet as a client."),
+ 2 => N("With this security level, the use of this system as a server becomes possible.
+The security is now high enough to use the system as a server which can accept
+connections from many clients. Note: if your machine is only a client on the Internet, you should choose a lower level."),
+ );
+
+ my @l = 1 .. 2;
+
+ $in->ask_from_({ title => $::isInstall ? N("Security") : N("DrakSec Basic Options"),
+ interactive_help_id => 'securityLevel',
+ }, [
+ { label => N("Please choose the desired security level"), title => 1 },
+ { val => $security, list => \@l,
+ format => sub {
+ #-PO: this string is used to properly format "<security level>: <level description>"
+ N("%s: %s", to_string($_[0]), formatAlaTeX($help{$_[0]}));
+ },
+ type => 'list', gtk => { use_boxradio => 1 } },
+ { label => N("Security Administrator:"), title => 1 },
+ { label => N("Login or email:"), val => $email, },
+ ],
+ );
+}
+
+
+1;
diff --git a/perl-install/security/msec.pm b/perl-install/security/msec.pm
index 66800ef11..4258653ef 100644
--- a/perl-install/security/msec.pm
+++ b/perl-install/security/msec.pm
@@ -1,238 +1,187 @@
package security::msec;
-use common;
-use log;
-
-sub get_user_list {
- my @user_list = ();
-
- open(PASSWD, "/etc/passwd");
- while(<PASSWD>) {
- my ($login_name, undef, $uid) = split(/:/,$_);
- if($uid >= 500) { push(@user_list, $login_name); }
- }
- @user_list;
+use strict;
+use MDK::Common;
+
+
+#-------------------------------------------------------------
+# msec options managment methods
+
+
+#-------------------------------------------------------------
+# option defaults
+
+sub load_defaults {
+ my ($msec, $category) = @_;
+ my $separator = $msec->{$category}{def_separator};
+ map {
+ my ($opt, $val) = split(/$separator/, $_, 2);
+ chop $val;
+ if_($opt ne 'set_security_conf', $opt => $val);
+ } cat_($msec->{$category}{defaults_file}), if_($category eq "checks", 'MAIL_USER');
+}
+
+
+# get_XXX_default(function) -
+# return the default of the function|check passed in argument.
+
+sub get_check_default {
+ my ($msec, $check) = @_;
+ $msec->{checks}{default}{$check};
+}
+
+sub get_function_default {
+ my ($msec, $function) = @_;
+ $msec->{functions}{default}{$function};
+}
+
+
+
+#-------------------------------------------------------------
+# option values
+
+sub load_values {
+ my ($msec, $category) = @_;
+ my $separator = $msec->{$category}{val_separator};
+ map {
+ my ($opt, $val) = split /$separator/;
+ chop $val;
+ $val =~ s/[()]//g;
+ chop $opt if $separator eq '\('; # $opt =~ s/ //g if $separator eq '\(';
+ if_(defined($val), $opt => $val);
+ } cat_($msec->{$category}{values_file});
+}
+
+
+# get_XXX_value(check|function) -
+# return the value of the function|check passed in argument.
+# If no value is set, return "default".
+
+sub get_function_value {
+ my ($msec, $function) = @_;
+ exists $msec->{functions}{value}{$function} ? $msec->{functions}{value}{$function} : "default";
+}
+
+sub get_check_value {
+ my ($msec, $check) = @_;
+ $msec->{checks}{value}{$check} || "default";
+}
+
+
+
+#-------------------------------------------------------------
+# get list of check|functions
+
+# list_(functions|checks) -
+# return a list of functions|checks handled by level.local|security.conf
+
+sub raw_checks_list {
+ my ($msec) = @_;
+ keys %{$msec->{checks}{default}};
+}
+
+sub list_checks {
+ my ($msec) = @_;
+ difference2([ $msec->raw_checks_list ], [ qw(MAIL_WARN MAIL_USER) ]);
+}
+
+sub list_functions {
+ my ($msec, $category) = @_;
+
+ ## TODO handle 3 last functions here so they can be removed from this list
+ my @ignore_list = qw(indirect commit_changes closelog error initlog log set_secure_level
+ set_security_conf set_server_level print_changes get_translation create_server_link);
+
+ my %options = (
+ 'network' => [qw(accept_bogus_error_responses accept_broadcasted_icmp_echo accept_icmp_echo
+ enable_dns_spoofing_protection enable_ip_spoofing_protection
+ enable_log_strange_packets enable_promisc_check no_password_aging_for)],
+ 'system' => [qw(allow_autologin allow_issues allow_reboot allow_remote_root_login
+ allow_root_login allow_user_list allow_xauth_from_root allow_x_connections allow_xserver_to_listen
+ authorize_services enable_at_crontab enable_console_log
+ enable_msec_cron enable_pam_wheel_for_su enable_password enable_security_check
+ enable_sulogin password_aging password_history password_length set_root_umask
+ set_shell_history_size set_shell_timeout set_user_umask)]);
+
+ # get all function names; filter out those which are in the ignore
+ # list, return what lefts.
+ grep { !member($_, @ignore_list) && member($_, @{$options{$category}}) } keys %{$msec->{functions}{default}};
+}
+
+
+#-------------------------------------------------------------
+# set back checks|functions values
+
+sub set_function {
+ my ($msec, $function, $value) = @_;
+ $msec->{functions}{value}{$function} = $value;
+}
+
+sub set_check {
+ my ($msec, $check, $value) = @_;
+ $msec->{checks}{value}{$check} = $value;
+}
+
+
+#-------------------------------------------------------------
+# apply configuration
+
+# config_(check|function)(check|function, value) -
+# Apply the configuration to 'prefix'/etc/security/msec/security.conf||/etc/security/msec/level.local
+
+sub apply_functions {
+ my ($msec) = @_;
+ my @list = sort($msec->list_functions('system'), $msec->list_functions('network'));
+ touch($msec->{functions}{values_file}) if !-e $msec->{functions}{values_file};
+ substInFile {
+ foreach my $function (@list) { s/^$function.*\n// }
+ if (eof) {
+ $_ .= join("\n", if_(!$_, ''), (map {
+ my $value = $msec->get_function_value($_);
+ if_($value ne 'default', "$_ ($value)");
+ } @list), "");
+ }
+ } $msec->{functions}{values_file};
+}
+
+sub apply_checks {
+ my ($msec) = @_;
+ my @list = sort $msec->raw_checks_list;
+ setVarsInSh($msec->{checks}{values_file},
+ {
+ map {
+ my $value = $msec->get_check_value($_);
+ if_($value ne 'default', $_ => $value);
+ } @list
+ }
+ );
}
-sub add_config {
- my ($prefix, $config_option, @values) = @_;
- my $tmp_file = "$prefix/etc/security/msec/level.local.tmp";
- my $result = "";
-
- $result = $config_option.'(';
- foreach $value (@values) {
- $result .= $value.',';
- }
- chop $result;
- $result .= ')';
-
- open(TMP_CONFIG, '>>'.$tmp_file);
- print TMP_CONFIG "$result\n";
- close TMP_CONFIG;
+sub reload {
+ my ($msec) = @_;
+ require security::level;
+ my $num_level = security::level::get();
+ $msec->{functions}{defaults_file} = "$::prefix/usr/share/msec/level.$num_level";
+ $msec->{functions}{default} = { $msec->load_defaults('functions') };
}
-sub commit_changes {
- my ($prefix) = $_;
- my $tmp_file = "$prefix/etc/security/msec/level.local.tmp";
- my $config_file = "$prefix/etc/security/msec/level.local";
- my %config_data;
- my $config_option = "";
-
- open (TMP_CONFIG, $tmp_file);
-
- if (!(-x $config_file)) {
- open(CONFIG_FILE, '>'.$config_file);
- print CONFIG_FILE "from mseclib import *\n\n";
- while(<TMP_CONFIG>) { print CONFIG_FILE $_; }
- }
- else {
- open(CONFIG_FILE, $config_file);
- while(<CONFIG_FILE>) {
- if($_ =~ /\(/) {
- ($config_option, undef) = split(/\(/, $_);
- (undef, $config_data{$config_option}) = split(/\(/, $_);
- }
- }
- close CONFIG_FILE;
-
- while(<TMP_CONFIG>) {
- ($config_option, undef) = split(/\(/, $_);
- (undef, $config_data{$config_option}) = split(/\(/, $_);
- }
-
- open(CONFIG_FILE, '>'.$config_file);
- print CONFIG_FILE "from mseclib import *\n\n";
- foreach $config_option (keys %config_data) {
- print CONFIG_FILE $config_option.'('.$config_data{$config_option}.'\n';
- }
- }
-
- close CONFIG_FILE;
- close TMP_CONFIG;
-
- standalone::rm_rf($tmp_file);
-}
-
-sub get_config {
- my ($prefix, $security) = @_;
-
- my (%net_options_defaults) = (
- accept_bogus_error_responses => [ 0, 0, 0, 0, 1, 1 ],
- accept_icmp_echo => [ 1, 1, 1, 1, 0, 0 ],
- enable_ip_spoofing_protection => [ 0, 0, 0, 1, 1, 1 ],
- enable_log_strange_packets => [ 0, 0, 0, 0, 1, 1 ] );
-
- my (%user_options_defaults) = (
- allow_autologin => [ 1, 1, 1, 0, 0, 0 ],
- allow_issues => [ "ALL", "ALL", "ALL", "LOCAL", "LOCAL", "NONE" ],
- allow_reboot => [ 1, 1, 1, 1, 0, 0 ],
- allow_root_login => [ 1, 1, 1, 1, 0, 0 ],
- allow_user_list => [ 1, 1, 1, 1, 0, 0 ],
- enable_at_crontab => [ 1, 1, 1, 1, 0, 0 ],
- enable_pam_wheel_for_su => [ 0, 0, 0, 0, 0, 0 ],
- enable_password => [ 0, 1, 1, 1, 1, 1 ],
- enable_sulogin => [ 0, 0, 0, 0, 1, 1 ],
- password_aging => [ "99999,-1", "99999,-1", "99999,-1", "99999,-1", "60,-1", "30,-1" ],
- password_length => [ "0,0,0", "0,0,0", "0,0,0", "0,0,0", "0,0,0", "0,0,0" ],
- set_root_umask => [ "002", "002", "022", "022", "022", "077" ],
- set_user_umask => [ "002", "002", "022", "022", "077", "077" ],
- set_shell_history_size => [ "-1", "-1", "-1", "-1", "10", "10" ],
- set_shell_timeout => [ "0", "0", "0", "0", "3600", "900" ] );
-
- my (%server_options_defaults) = (
- allow_x_connections => [ "ALL", "LOCAL", "LOCAL", "LOCAL", "LOCAL", "NONE" ],
- authorize_services => [ "ALL", "ALL", "ALL", "ALL", "LOCAL", "NONE" ],
- enable_libsafe => [ 0, 0, 0, 0, 0, 0 ] );
-
- my (%net_options) = (
- accept_bogus_error_responses => $net_options_defaults{accept_bogus_error_responses}[$security],
- accept_icmp_echo => $net_options_defaults{accept_icmp_echo}[$security],
- enable_ip_spoofing_protection => $net_options_defaults{enable_ip_spoofing_protection}[$security],
- enable_log_strange_packets => $net_options_defaults{enable_log_strange_packets}[$security]
- );
-
- my (%net_options_matrix) = (
- accept_bogus_error_responses => { label => _("Accept/Refuse bogus IPV4 error messages"),
- val => \$net_options{accept_bogus_error_responses},
- type => "bool" },
- accept_icmp_echo => { label => _("Accept/Refuse ICMP echo"),
- val => \$net_options{accept_icmp_echo},
- type => "bool" },
- enable_ip_spoofing_protection => { label => _("Enable/Disable IP spoofing protection. If alert is true, also reports to syslog"),
- val => \$net_options{enable_ip_spoofing_protection},
- type=> "bool" },
- enable_log_strange_packets => { label => _("Enable/Disable the logging of IPv4 strange packets"),
- val => \$net_options{enable_log_strange_packets},
- type => "bool" }
- );
-
- my (%user_options) = (
- allow_autologin => $user_options_defaults{allow_autologin}[$security],
- allow_issues => $user_options_defaults{allow_issues}[$security],
- allow_reboot => $user_options_defaults{allow_reboot}[$security],
- allow_root_login => $user_options_defaults{allow_root_login}[$security],
- allow_user_list => $user_options_defaults{allow_user_list}[$security],
- enable_at_crontab => $user_options_defaults{enable_at_crontab}[$security],
- enable_pam_wheel_for_su => $user_options_defaults{enable_pam_wheel_for_su}[$security],
- enable_password => $user_options_defaults{enable_password}[$security],
- enable_sulogin => $user_options_defaults{enable_sulogin}[$security],
- password_aging => $user_options_defaults{password_aging}[$security],
- password_length => $user_options_defaults{password_length}[$security],
- set_root_umask => $user_options_defaults{set_root_umask}[$security],
- set_user_umask => $user_options_defaults{set_user_umask}[$security],
- set_shell_history_size => $user_options_defaults{set_shell_history_size}[$security],
- set_shell_timeout => $user_options_defaults{set_shell_timeout}[$security]
- );
-
- my (%user_options_matrix) = (
- allow_autologin => { label => _("Allow/Forbid autologin"),
- val => \$user_options{allow_autologin},
- type => "bool" },
- allow_issues => { label => _("Allow/Forbid pre-login message : If ALL, allow remote and local pre-login message (/etc/issue[.net]).\n If LOCAL, allow local pre-login message (/etc/issue). If NONE, disable pre-login message."),
- val => \$user_options{allow_issues},
- list => ["ALL", "LOCAL", "NONE"] },
- allow_reboot => { label => _("Allow/Forbid reboot by the console user"),
- val => \$user_options{allow_reboot},
- type => "bool" },
- allow_root_login => { label => _("Allow/Forbid direct root login"),
- val => \$user_options{allow_root_login},
- type => "bool" },
- allow_user_list => { label => _("Allow/Forbid the list of users on the system in the display managers (kdm and gdm)"),
- val => \$user_options{allow_user_list},
- type => "bool" },
- enable_at_crontab => { label => _("Enable/Disable crontab and at for users. Put allowed users in /etc/cron.allow\n and /etc/at.allow (see at(1) and crontab(1))"),
- val => \$user_options{enable_at_crontab},
- type => "bool" },
- enable_pam_wheel_for_su => { label => _("Enable su only for members of the wheel group or allow su from any user"),
- val => \$user_options{enable_pam_wheel_for_su},
- type => "bool" },
- enable_password => { label => _("Use password to authenticate users"),
- val => \$user_options{enable_password},
- type => "bool" },
- enable_sulogin => { label => _("Enable/Disable sulogin in single user level (see sulogin(8))"),
- val => \$user_options{enable_sulogin},
- type => "bool" },
- password_aging => { label => _("Set password aging to max days, Set delay before inactive\n (99999 to disable password aging, -1 to disable de-activation"),
- val => \$user_options{password_aging} },
- password_length => { label => _("Set the password minimum length, the minimum number of digits and the minimum number of capitalized letters"),
- val => \$user_options{password_length} },
- set_root_umask => { label => _("Set the root umask"),
- val => \$user_options{set_root_umask} },
- set_user_umask => { label => _("Set the user umask"),
- val => \$user_options{set_user_umask} },
- set_shell_history_size => { label => _("Set shell commands history size (-1 for unlimited)"),
- val => \$user_options{set_shell_history_size} },
- set_shell_timeout => { label => _("Set the shell timeout in seconds (0 for unlimited)"),
- val => \$user_options{set_shell_timeout} }
- );
-
- my (%server_options) = (
- allow_x_connections => $server_options_defaults{allow_x_connections}[$security],
- authorize_services => $server_options_defaults{authorize_services}[$security],
- enable_libsafe => $server_options_defaults{enable_libsafe}[$security]
- );
-
- my (%server_options_matrix) = (
- allow_x_connections => { label => ("Allow/Forbid X connections : If ALL, all connections allowed. If LOCAL, local connections allowed.\n If NONE, only console connections allowed"),
- val => \$server_options{allow_x_connections},
- list => [ "ALL", "LOCAL", "NONE" ] },
- authorize_services => { label => _("Allow/Forbid services : If ALL, authorize all services. If LOCAL, authorize only local services.\n If NONE, disable all services. (see hosts.deny(5)). To authorize a service, see hosts.allow(5)."),
- val => \$server_options{authorize_services},
- list => [ "ALL", "LOCAL", "NONE" ] },
- enable_libsafe => { label => _("Enable/Disable libsafe if it's installed on the system."),
- val => \$server_options{enable_libsafe},
- type => "bool" },
- );
-
- my $config_file = "$prefix/etc/security/msec/level.local";
- my $values = "";
- my $config_option = "";
-
- open CONFIGFILE, $config_file;
- while(<CONFIGFILE>) {
- if($_ =~ /\(/) {
- ($config_option, undef) = split(/\(/, $_);
- (undef, $values) = split(/\(/, $_);
- chop $values;
-
- if ($config_option ne "set_security_conf") {
- if ($net_options_matrix{$config_option}{description} eq "") {
- (undef, $net_options_matrix{$config_option}{value}) = $values;
- } elsif ($user_options_matrix{$config_option}{description} eq "") {
- (undef, $user_options_matrix{$config_option}{value}) = $values;
- } elsif ($server_options_matrix{$config_option}{description} eq "") {
- (undef, $server_options_matrix{$config_option}{value}) = $values;
- }
- }
- else {
- # TODO : Add code to handle set_security_conf
- }
- }
- }
-
- close CONFIGFILE;
-
- return (\%net_options_matrix, \%user_options_matrix, \%server_options_matrix);
+sub new {
+ my ($type) = @_;
+ my $msec = bless {}, $type;
+
+ $msec->{functions}{values_file} = "$::prefix/etc/security/msec/level.local";
+ $msec->{checks}{values_file} = "$::prefix/etc/security/msec/security.conf";
+ $msec->{checks}{defaults_file} = "$::prefix/var/lib/msec/security.conf";
+ $msec->{checks}{val_separator} = '=';
+ $msec->{functions}{val_separator} = '\(';
+ $msec->{checks}{def_separator} = '=';
+ $msec->{functions}{def_separator} = ' ';
+ $msec->reload;
+
+ $msec->{checks}{default} = { $msec->load_defaults('checks') };
+ $msec->{functions}{value} = { $msec->load_values('functions') };
+ $msec->{checks}{value} = { $msec->load_values('checks') };
+ $msec;
}
1;
diff --git a/perl-install/security/various.pm b/perl-install/security/various.pm
new file mode 100644
index 000000000..2e4abd397
--- /dev/null
+++ b/perl-install/security/various.pm
@@ -0,0 +1,19 @@
+package security::various;
+
+use diagnostics;
+use strict;
+
+use common;
+
+sub config_security_user {
+ my $setting = @_ > 1;
+ my ($prefix, $sec_user) = @_;
+ if ($setting) {
+ addVarsInSh("$prefix/etc/security/msec/security.conf", { MAIL_USER => $sec_user });
+ } else {
+ my %t = getVarsFromSh("$prefix/etc/security/msec/security.conf");
+ $t{MAIL_USER};
+ }
+}
+
+1;
generated by cgit v1.2.1 (git 2.21.0) at 2025-11-12 03:37:13 +0000