diff options
Diffstat (limited to 'perl-install/security')
| -rw-r--r-- | perl-install/security/help.pm | 73 | ||||
| -rw-r--r-- | perl-install/security/l10n.pm | 5 | ||||
| -rw-r--r-- | perl-install/security/level.pm | 74 | ||||
| -rw-r--r-- | perl-install/security/msec.pm | 34 | ||||
| -rw-r--r-- | perl-install/security/various.pm | 21 |
5 files changed, 107 insertions, 100 deletions
diff --git a/perl-install/security/help.pm b/perl-install/security/help.pm index 3176c5749..ec934e067 100644 --- a/perl-install/security/help.pm +++ b/perl-install/security/help.pm @@ -8,46 +8,55 @@ use common; our %help = ( -'accept_bogus_error_responses' => N("Accept/Refuse bogus IPv4 error messages."), +'accept_bogus_error_responses' => N("Accept bogus IPv4 error messages."), -'accept_broadcasted_icmp_echo' => N(" Accept/Refuse broadcasted icmp echo."), +'accept_broadcasted_icmp_echo' => N("Accept broadcasted icmp echo."), -'accept_icmp_echo' => N(" Accept/Refuse icmp echo."), +'accept_icmp_echo' => N("Accept icmp echo."), -'allow_autologin' => N("Allow/Forbid autologin."), +'allow_autologin' => N("Allow autologin."), -'allow_issues' => N("If set to \"ALL\", /etc/issue and /etc/issue.net are allowed to exist. +'allow_issues' => + #-PO: here "ALL" is a value in a pull-down menu; translate it the same as "ALL" is + N("If set to \"ALL\", /etc/issue and /etc/issue.net are allowed to exist. -If set to NONE, no issues are allowed. +If set to \"None\", no issues are allowed. Else only /etc/issue is allowed."), -'allow_reboot' => N("Allow/Forbid reboot by the console user."), +'allow_reboot' => N("Allow reboot by the console user."), -'allow_remote_root_login' => N("Allow/Forbid remote root login."), +'allow_remote_root_login' => N("Allow remote root login."), -'allow_root_login' => N("Allow/Forbid direct root login."), +'allow_root_login' => N("Allow direct root login."), -'allow_user_list' => N("Allow/Forbid the list of users on the system on display managers (kdm and gdm)."), +'allow_user_list' => N("Allow the list of users on the system on display managers (kdm and gdm)."), -'allow_x_connections' => N("Allow/Forbid X connections: +'allow_xauth_from_root' => N("Allow to export display when +passing from the root account to the other users. -- ALL (all connections are allowed), +See pam_xauth(8) for more details.'"), -- LOCAL (only connection from local machine), +'allow_x_connections' => N("Allow X connections: -- NONE (no connection)."), +- \"All\" (all connections are allowed), + +- \"Local\" (only connection from local machine), + +- \"None\" (no connection)."), 'allow_xserver_to_listen' => N("The argument specifies if clients are authorized to connect to the X server from the network on the tcp port 6000 or not."), -'authorize_services' => N("Authorize: +'authorize_services' => + #-PO: here "ALL", "Local" and "None" are values in a pull-down menu; translate them the same as they're + N("Authorize: - all services controlled by tcp_wrappers (see hosts.deny(5) man page) if set to \"ALL\", -- only local ones if set to \"LOCAL\" +- only local ones if set to \"Local\" -- none if set to \"NONE\". +- none if set to \"None\". To authorize the services you need, use /etc/hosts.allow (see hosts.allow(5))."), @@ -60,33 +69,33 @@ The /etc/security/msec/server is used by chkconfig --add to decide to add a service if it is present in the file during the installation of packages."), -'enable_at_crontab' => N("Enable/Disable crontab and at for users. +'enable_at_crontab' => N("Enable crontab and at for users. Put allowed users in /etc/cron.allow and /etc/at.allow (see man at(1) and crontab(1))."), -'enable_console_log' => N("Enable/Disable syslog reports to console 12"), +'enable_console_log' => N("Enable syslog reports to console 12"), -'enable_dns_spoofing_protection' => N("Enable/Disable name resolution spoofing protection. If -\"alert\" is true, also reports to syslog."), +'enable_dns_spoofing_protection' => N("Enable name resolution spoofing protection. If +\"%s\" is true, also reports to syslog.", N("Security Alerts:")), -'enable_ip_spoofing_protection' => N("Enable/Disable IP spoofing protection."), +'enable_ip_spoofing_protection' => N("Enable IP spoofing protection."), -'enable_libsafe' => N("Enable/Disable libsafe if libsafe is found on the system."), +'enable_libsafe' => N("Enable libsafe if libsafe is found on the system."), -'enable_log_strange_packets' => N("Enable/Disable the logging of IPv4 strange packets."), +'enable_log_strange_packets' => N("Enable the logging of IPv4 strange packets."), -'enable_msec_cron' => N("Enable/Disable msec hourly security check."), +'enable_msec_cron' => N("Enable msec hourly security check."), -'enable_pam_wheel_for_su' => N(" Enabling su only from members of the wheel group or allow su from any user."), +'enable_pam_wheel_for_su' => N("Enable su only from members of the wheel group. If set to no, allows su from any user."), 'enable_password' => N("Use password to authenticate users."), -'enable_promisc_check' => N("Activate/Disable ethernet cards promiscuity check."), +'enable_promisc_check' => N("Activate Ethernet cards promiscuity check."), -'enable_security_check' => N(" Activate/Disable daily security check."), +'enable_security_check' => N("Activate daily security check."), -'enable_sulogin' => N(" Enable/Disable sulogin(8) in single user level."), +'enable_sulogin' => N("Enable sulogin(8) in single user level."), 'no_password_aging_for' => N("Add the name as an exception to the handling of password aging by msec."), @@ -96,9 +105,9 @@ and crontab(1))."), 'password_length' => N("Set the password minimum length and minimum number of digit and minimum number of capitalized letters."), -'set_root_umask' => N("Set the root umask."), +'set_root_umask' => N("Set the root's file mode creation mask."), CHECK_OPEN_PORT => N("if set to yes, check open ports."), -CHECK_PASSWD => N("if set to yes, check for : +CHECK_PASSWD => N("if set to yes, check for: - empty passwords, @@ -126,5 +135,5 @@ TTY_WARN => N("if set to yes, reports check result to tty."), 'set_shell_timeout' => N("Set the shell timeout. A value of zero means no timeout.") . "\n\n" . N("Timeout unit is second"), -'set_user_umask' => N("Set the user umask."), +'set_user_umask' => N("Set the user's file mode creation mask."), ); diff --git a/perl-install/security/l10n.pm b/perl-install/security/l10n.pm index 17e9bb017..355f1fff1 100644 --- a/perl-install/security/l10n.pm +++ b/perl-install/security/l10n.pm @@ -17,6 +17,7 @@ sub fields() { 'allow_remote_root_login' => N("Allow remote root login"), 'allow_root_login' => N("Direct root login"), 'allow_user_list' => N("List users on display managers (kdm and gdm)"), + 'allow_xauth_from_root' => N("Export display when passing from root to the other users"), 'allow_x_connections' => N("Allow X Window connections"), 'allow_xserver_to_listen' => N("Authorize TCP connections to X Window"), 'authorize_services' => N("Authorize all services controlled by tcp_wrappers"), @@ -28,7 +29,7 @@ sub fields() { 'enable_libsafe' => N("Enable libsafe if libsafe is found on the system"), 'enable_log_strange_packets' => N("Enable the logging of IPv4 strange packets"), 'enable_msec_cron' => N("Enable msec hourly security check"), - 'enable_pam_wheel_for_su' => N("Enable su only from the wheel group members or for any user"), + 'enable_pam_wheel_for_su' => N("Enable su only from the wheel group members"), 'enable_password' => N("Use password to authenticate users"), 'enable_promisc_check' => N("Ethernet cards promiscuity check"), 'enable_security_check' => N("Daily security check"), @@ -53,7 +54,7 @@ sub fields() { CHECK_UNOWNED => N("Report unowned files"), CHECK_WRITABLE => N("Check files/directories writable by everybody"), CHKROOTKIT_CHECK => N("Run chkrootkit checks"), - MAIL_EMPTY_CONTENT => N("Do not send mails when unneeded"), + MAIL_EMPTY_CONTENT => N("Do not send empty mail reports"), MAIL_USER => N("If set, send the mail report to this email address else send it to root"), MAIL_WARN => N("Report check result by mail"), RPM_CHECK => N("Run some checks against the rpm database"), diff --git a/perl-install/security/level.pm b/perl-install/security/level.pm index 2c5d299f4..bb3d9ddf2 100644 --- a/perl-install/security/level.pm +++ b/perl-install/security/level.pm @@ -3,65 +3,75 @@ package security::level; use strict; use common; use run_program; - +# perl_checker: require interactive sub level_list() { ( - 0 => N("Welcome To Crackers"), - 1 => N("Poor"), - 2 => N("Standard"), - 3 => N("High"), - 4 => N("Higher"), - 5 => N("Paranoid"), + 0 => N("Disable msec"), + 1 => N("Standard"), + 2 => N("Secure"), ); } sub to_string { +{ level_list() }->{$_[0]} } sub from_string { +{ reverse level_list() }->{$_[0]} || 2 } +sub rawlevel_list() { + ( + 0 => 'none', + 1 => 'standard', + 2 => 'secure', + ); +} + +sub to_lowlevel_string { +{ rawlevel_list() }->{$_[0]} } +sub from_lowlevel_string { +{ reverse rawlevel_list() }->{$_[0]} || 2 } + sub get_string() { to_string(get() || 2) } sub get_common_list() { map { to_string($_) } (1, 2, 3, 4, 5) } sub get() { - cat_("$::prefix/etc/profile") =~ /export SECURE_LEVEL=(\d+)/ && $1 || #- 8.0 msec - cat_("$::prefix/etc/profile.d/msec.sh") =~ /export SECURE_LEVEL=(\d+)/ && $1 || #- 8.1 msec - ${{ getVarsFromSh("$::prefix/etc/sysconfig/msec") }}{SECURE_LEVEL} || #- 8.2 msec - $ENV{SECURE_LEVEL}; + my $level = ${{ getVarsFromSh("$::prefix/etc/security/msec/security.conf") }}{BASE_LEVEL} || #- 2009.1 msec + "standard"; + from_lowlevel_string($level); } sub set { my ($security) = @_; - run_program::rooted($::prefix, 'msec', '-o', 'run_commands=0', '-o', 'log=stderr', $security || 3); + my @levelnames = ('none', 'standard', 'secure'); + # use Standard level if specified level is out of range + $security = 1 if $security > $#levelnames; + run_program::rooted($::prefix, 'msec', '-q', '-f', $levelnames[$security]); + run_program::rooted($::prefix, 'msecperms', '-q', '-e', $levelnames[$security]); } sub level_choose { - my ($in, $security, $libsafe, $email) = @_; + my ($in, $security, $email) = @_; # perl_checker: $in = interactive->new my %help = ( - 0 => N("This level is to be used with care. It makes your system more easy to use, -but very sensitive. It must not be used for a machine connected to others -or to the Internet. There is no password access."), - 1 => N("Passwords are now enabled, but use as a networked computer is still not recommended."), - 2 => N("This is the standard security recommended for a computer that will be used to connect to the Internet as a client."), - 3 => N("There are already some restrictions, and more automatic checks are run every night."), - 4 => N("With this security level, the use of this system as a server becomes possible. + 0 => N("This level is to be used with care, as it disables all additional security +provided by msec. Use it only when you want to take care of all aspects of system security +on your own."), + 1 => N("This is the standard security recommended for a computer that will be used to connect to the Internet as a client."), + 2 => N("With this security level, the use of this system as a server becomes possible. The security is now high enough to use the system as a server which can accept connections from many clients. Note: if your machine is only a client on the Internet, you should choose a lower level."), - 5 => N("This is similar to the previous level, but the system is entirely closed and security features are at their maximum."), ); - my @l = 2 .. 5; + my @l = 1 .. 2; - $in->ask_from_({ title => N("DrakSec Basic Options"), - messages => N("Please choose the desired security level") . "\n\n" . - join('', map { to_string($_) . ": " . formatAlaTeX($help{$_}) . "\n\n" } @l), - interactive_help_id => 'miscellaneous', - }, [ - { label => N("Security level"), val => $security, list => \@l, format => \&to_string }, - if_($in->do_pkgs->is_installed('libsafe') && arch() =~ /^i.86/, - { label => N("Use libsafe for servers"), val => $libsafe, type => 'bool', text => - N("A library which defends against buffer overflow and format string attacks.") }), - { label => N("Security Administrator (login or email)"), val => $email, }, + $in->ask_from_({ title => $::isInstall ? N("Security") : N("DrakSec Basic Options"), + interactive_help_id => 'securityLevel', + }, [ + { label => N("Please choose the desired security level"), title => 1 }, + { val => $security, list => \@l, + format => sub { + #-PO: this string is used to properly format "<security level>: <level description>" + N("%s: %s", to_string($_[0]), formatAlaTeX($help{$_[0]})); + }, + type => 'list', gtk => { use_boxradio => 1 } }, + { label => N("Security Administrator:"), title => 1 }, + { label => N("Login or email:"), val => $email, }, ], ); } diff --git a/perl-install/security/msec.pm b/perl-install/security/msec.pm index 791ad8ef0..4258653ef 100644 --- a/perl-install/security/msec.pm +++ b/perl-install/security/msec.pm @@ -1,7 +1,6 @@ package security::msec; use strict; -use MDK::Common::File; use MDK::Common; @@ -49,7 +48,7 @@ sub load_values { chop $val; $val =~ s/[()]//g; chop $opt if $separator eq '\('; # $opt =~ s/ //g if $separator eq '\('; - if_($val, $opt => $val); + if_(defined($val), $opt => $val); } cat_($msec->{$category}{values_file}); } @@ -60,7 +59,7 @@ sub load_values { sub get_function_value { my ($msec, $function) = @_; - $msec->{functions}{value}{$function} || "default"; + exists $msec->{functions}{value}{$function} ? $msec->{functions}{value}{$function} : "default"; } sub get_check_value { @@ -83,7 +82,7 @@ sub raw_checks_list { sub list_checks { my ($msec) = @_; - grep { !member($_, qw(MAIL_WARN MAIL_USER)) } $msec->raw_checks_list; + difference2([ $msec->raw_checks_list ], [ qw(MAIL_WARN MAIL_USER) ]); } sub list_functions { @@ -98,7 +97,7 @@ sub list_functions { enable_dns_spoofing_protection enable_ip_spoofing_protection enable_log_strange_packets enable_promisc_check no_password_aging_for)], 'system' => [qw(allow_autologin allow_issues allow_reboot allow_remote_root_login - allow_root_login allow_user_list allow_x_connections allow_xserver_to_listen + allow_root_login allow_user_list allow_xauth_from_root allow_x_connections allow_xserver_to_listen authorize_services enable_at_crontab enable_console_log enable_msec_cron enable_pam_wheel_for_su enable_password enable_security_check enable_sulogin password_aging password_history password_length set_root_umask @@ -133,6 +132,7 @@ sub set_check { sub apply_functions { my ($msec) = @_; my @list = sort($msec->list_functions('system'), $msec->list_functions('network')); + touch($msec->{functions}{values_file}) if !-e $msec->{functions}{values_file}; substInFile { foreach my $function (@list) { s/^$function.*\n// } if (eof) { @@ -147,28 +147,26 @@ sub apply_functions { sub apply_checks { my ($msec) = @_; my @list = sort $msec->raw_checks_list; - substInFile { - foreach my $check (@list) { s/^$check.*\n// } - if (eof) { - print "\n", join("\n", map { - my $value = $msec->get_check_value($_); - if_($value ne 'default', $_ . '=' . $value); - } @list), "\n"; - } - } $msec->{checks}{values_file}; + setVarsInSh($msec->{checks}{values_file}, + { + map { + my $value = $msec->get_check_value($_); + if_($value ne 'default', $_ => $value); + } @list + } + ); } sub reload { my ($msec) = @_; - my $num_level = 0; require security::level; - $num_level ||= security::level::get(); - $msec->{functions}{defaults_file} = "$::prefix/usr/share/msec/level.".$num_level; + my $num_level = security::level::get(); + $msec->{functions}{defaults_file} = "$::prefix/usr/share/msec/level.$num_level"; $msec->{functions}{default} = { $msec->load_defaults('functions') }; } sub new { - my $type = shift; + my ($type) = @_; my $msec = bless {}, $type; $msec->{functions}{values_file} = "$::prefix/etc/security/msec/level.local"; diff --git a/perl-install/security/various.pm b/perl-install/security/various.pm index 23b9174ef..2e4abd397 100644 --- a/perl-install/security/various.pm +++ b/perl-install/security/various.pm @@ -1,30 +1,19 @@ -package security::various; # $Id$ +package security::various; use diagnostics; use strict; use common; -sub config_libsafe { - my $setting = @_ > 1; - my ($prefix, $libsafe) = @_; - my %t = getVarsFromSh("$prefix/etc/sysconfig/system"); - if ($setting) { - $t{LIBSAFE} = bool2yesno($libsafe); - setVarsInSh("$prefix/etc/sysconfig/system", \%t); - } - text2bool($t{LIBSAFE}); -} - sub config_security_user { my $setting = @_ > 1; my ($prefix, $sec_user) = @_; - my %t = getVarsFromSh("$prefix/etc/security/msec/security.conf"); if ($setting) { - $t{MAIL_USER} = $sec_user; - setVarsInSh("$prefix/etc/security/msec/security.conf", \%t); + addVarsInSh("$prefix/etc/security/msec/security.conf", { MAIL_USER => $sec_user }); + } else { + my %t = getVarsFromSh("$prefix/etc/security/msec/security.conf"); + $t{MAIL_USER}; } - $t{MAIL_USER}; } 1; |