summaryrefslogtreecommitdiffstats
path: root/perl-install/security
diff options
context:
space:
mode:
Diffstat (limited to 'perl-install/security')
-rw-r--r--perl-install/security/help.pm139
-rw-r--r--perl-install/security/l10n.pm66
-rw-r--r--perl-install/security/level.pm80
-rw-r--r--perl-install/security/libsafe.pm18
-rw-r--r--perl-install/security/main.pm298
-rw-r--r--perl-install/security/msec.pm431
-rw-r--r--perl-install/security/various.pm19
7 files changed, 435 insertions, 616 deletions
diff --git a/perl-install/security/help.pm b/perl-install/security/help.pm
new file mode 100644
index 000000000..ec934e067
--- /dev/null
+++ b/perl-install/security/help.pm
@@ -0,0 +1,139 @@
+package security::help;
+# This help was forked from msec internal function descriptions
+# They were then reworked in order to be targeted for end users, not msec developpers
+
+
+use strict;
+use common;
+
+our %help = (
+
+'accept_bogus_error_responses' => N("Accept bogus IPv4 error messages."),
+
+'accept_broadcasted_icmp_echo' => N("Accept broadcasted icmp echo."),
+
+'accept_icmp_echo' => N("Accept icmp echo."),
+
+'allow_autologin' => N("Allow autologin."),
+
+'allow_issues' =>
+ #-PO: here "ALL" is a value in a pull-down menu; translate it the same as "ALL" is
+ N("If set to \"ALL\", /etc/issue and /etc/issue.net are allowed to exist.
+
+If set to \"None\", no issues are allowed.
+
+Else only /etc/issue is allowed."),
+
+'allow_reboot' => N("Allow reboot by the console user."),
+
+'allow_remote_root_login' => N("Allow remote root login."),
+
+'allow_root_login' => N("Allow direct root login."),
+
+'allow_user_list' => N("Allow the list of users on the system on display managers (kdm and gdm)."),
+
+'allow_xauth_from_root' => N("Allow to export display when
+passing from the root account to the other users.
+
+See pam_xauth(8) for more details.'"),
+
+'allow_x_connections' => N("Allow X connections:
+
+- \"All\" (all connections are allowed),
+
+- \"Local\" (only connection from local machine),
+
+- \"None\" (no connection)."),
+
+'allow_xserver_to_listen' => N("The argument specifies if clients are authorized to connect
+to the X server from the network on the tcp port 6000 or not."),
+
+'authorize_services' =>
+ #-PO: here "ALL", "Local" and "None" are values in a pull-down menu; translate them the same as they're
+ N("Authorize:
+
+- all services controlled by tcp_wrappers (see hosts.deny(5) man page) if set to \"ALL\",
+
+- only local ones if set to \"Local\"
+
+- none if set to \"None\".
+
+To authorize the services you need, use /etc/hosts.allow (see hosts.allow(5))."),
+
+'create_server_link' => N("If SERVER_LEVEL (or SECURE_LEVEL if absent)
+is greater than 3 in /etc/security/msec/security.conf, creates the
+symlink /etc/security/msec/server to point to
+/etc/security/msec/server.<SERVER_LEVEL>.
+
+The /etc/security/msec/server is used by chkconfig --add to decide to
+add a service if it is present in the file during the installation of
+packages."),
+
+'enable_at_crontab' => N("Enable crontab and at for users.
+
+Put allowed users in /etc/cron.allow and /etc/at.allow (see man at(1)
+and crontab(1))."),
+
+'enable_console_log' => N("Enable syslog reports to console 12"),
+
+'enable_dns_spoofing_protection' => N("Enable name resolution spoofing protection. If
+\"%s\" is true, also reports to syslog.", N("Security Alerts:")),
+
+'enable_ip_spoofing_protection' => N("Enable IP spoofing protection."),
+
+'enable_libsafe' => N("Enable libsafe if libsafe is found on the system."),
+
+'enable_log_strange_packets' => N("Enable the logging of IPv4 strange packets."),
+
+'enable_msec_cron' => N("Enable msec hourly security check."),
+
+'enable_pam_wheel_for_su' => N("Enable su only from members of the wheel group. If set to no, allows su from any user."),
+
+'enable_password' => N("Use password to authenticate users."),
+
+'enable_promisc_check' => N("Activate Ethernet cards promiscuity check."),
+
+'enable_security_check' => N("Activate daily security check."),
+
+'enable_sulogin' => N("Enable sulogin(8) in single user level."),
+
+'no_password_aging_for' => N("Add the name as an exception to the handling of password aging by msec."),
+
+'password_aging' => N("Set password aging to \"max\" days and delay to change to \"inactive\"."),
+
+'password_history' => N("Set the password history length to prevent password reuse."),
+
+'password_length' => N("Set the password minimum length and minimum number of digit and minimum number of capitalized letters."),
+
+'set_root_umask' => N("Set the root's file mode creation mask."),
+CHECK_OPEN_PORT => N("if set to yes, check open ports."),
+CHECK_PASSWD => N("if set to yes, check for:
+
+- empty passwords,
+
+- no password in /etc/shadow
+
+- for users with the 0 id other than root."),
+CHECK_PERMS => N("if set to yes, check permissions of files in the users' home."),
+CHECK_PROMISC => N("if set to yes, check if the network devices are in promiscuous mode."),
+CHECK_SECURITY => N("if set to yes, run the daily security checks."),
+CHECK_SGID => N("if set to yes, check additions/removals of sgid files."),
+CHECK_SHADOW => N("if set to yes, check empty password in /etc/shadow."),
+CHECK_SUID_MD5 => N("if set to yes, verify checksum of the suid/sgid files."),
+CHECK_SUID_ROOT => N("if set to yes, check additions/removals of suid root files."),
+CHECK_UNOWNED => N("if set to yes, report unowned files."),
+CHECK_WRITABLE => N("if set to yes, check files/directories writable by everybody."),
+CHKROOTKIT_CHECK => N("if set to yes, run chkrootkit checks."),
+MAIL_USER => N("if set, send the mail report to this email address else send it to root."),
+MAIL_WARN => N("if set to yes, report check result by mail."),
+MAIL_EMPTY_CONTENT => N("Do not send mails if there's nothing to warn about"),
+RPM_CHECK => N("if set to yes, run some checks against the rpm database."),
+SYSLOG_WARN => N("if set to yes, report check result to syslog."),
+TTY_WARN => N("if set to yes, reports check result to tty."),
+
+'set_shell_history_size' => N("Set shell commands history size. A value of -1 means unlimited."),
+
+'set_shell_timeout' => N("Set the shell timeout. A value of zero means no timeout.") . "\n\n" . N("Timeout unit is second"),
+
+'set_user_umask' => N("Set the user's file mode creation mask."),
+);
diff --git a/perl-install/security/l10n.pm b/perl-install/security/l10n.pm
new file mode 100644
index 000000000..355f1fff1
--- /dev/null
+++ b/perl-install/security/l10n.pm
@@ -0,0 +1,66 @@
+package security::l10n;
+# This help was build from stripped from python description of msec functions
+# soft/msec/share/libmsec.py
+#
+# It's used in draksec option labels
+
+use common;
+
+sub fields() {
+ return (
+ 'accept_bogus_error_responses' => N("Accept bogus IPv4 error messages"),
+ 'accept_broadcasted_icmp_echo' => N("Accept broadcasted icmp echo"),
+ 'accept_icmp_echo' => N("Accept icmp echo"),
+ 'allow_autologin' => N("Autologin"),
+ 'allow_issues' => N("/etc/issue* exist"),
+ 'allow_reboot' => N("Reboot by the console user"),
+ 'allow_remote_root_login' => N("Allow remote root login"),
+ 'allow_root_login' => N("Direct root login"),
+ 'allow_user_list' => N("List users on display managers (kdm and gdm)"),
+ 'allow_xauth_from_root' => N("Export display when passing from root to the other users"),
+ 'allow_x_connections' => N("Allow X Window connections"),
+ 'allow_xserver_to_listen' => N("Authorize TCP connections to X Window"),
+ 'authorize_services' => N("Authorize all services controlled by tcp_wrappers"),
+ 'create_server_link' => N("Chkconfig obey msec rules"),
+ 'enable_at_crontab' => N("Enable \"crontab\" and \"at\" for users"),
+ 'enable_console_log' => N("Syslog reports to console 12"),
+ 'enable_dns_spoofing_protection' => N("Name resolution spoofing protection"),
+ 'enable_ip_spoofing_protection' => N("Enable IP spoofing protection"),
+ 'enable_libsafe' => N("Enable libsafe if libsafe is found on the system"),
+ 'enable_log_strange_packets' => N("Enable the logging of IPv4 strange packets"),
+ 'enable_msec_cron' => N("Enable msec hourly security check"),
+ 'enable_pam_wheel_for_su' => N("Enable su only from the wheel group members"),
+ 'enable_password' => N("Use password to authenticate users"),
+ 'enable_promisc_check' => N("Ethernet cards promiscuity check"),
+ 'enable_security_check' => N("Daily security check"),
+ 'enable_sulogin' => N("Sulogin(8) in single user level"),
+ 'no_password_aging_for' => N("No password aging for"),
+ 'password_aging' => N("Set password expiration and account inactivation delays"),
+ 'password_history' => N("Password history length"),
+ 'password_length' => N("Password minimum length and number of digits and upcase letters"),
+ 'set_root_umask' => N("Root umask"),
+ 'set_shell_history_size' => N("Shell history size"),
+ 'set_shell_timeout' => N("Shell timeout"),
+ 'set_user_umask' => N("User umask"),
+ CHECK_OPEN_PORT => N("Check open ports"),
+ CHECK_PASSWD => N("Check for unsecured accounts"),
+ CHECK_PERMS => N("Check permissions of files in the users' home"),
+ CHECK_PROMISC => N("Check if the network devices are in promiscuous mode"),
+ CHECK_SECURITY => N("Run the daily security checks"),
+ CHECK_SGID => N("Check additions/removals of sgid files"),
+ CHECK_SHADOW => N("Check empty password in /etc/shadow"),
+ CHECK_SUID_MD5 => N("Verify checksum of the suid/sgid files"),
+ CHECK_SUID_ROOT => N("Check additions/removals of suid root files"),
+ CHECK_UNOWNED => N("Report unowned files"),
+ CHECK_WRITABLE => N("Check files/directories writable by everybody"),
+ CHKROOTKIT_CHECK => N("Run chkrootkit checks"),
+ MAIL_EMPTY_CONTENT => N("Do not send empty mail reports"),
+ MAIL_USER => N("If set, send the mail report to this email address else send it to root"),
+ MAIL_WARN => N("Report check result by mail"),
+ RPM_CHECK => N("Run some checks against the rpm database"),
+ SYSLOG_WARN => N("Report check result to syslog"),
+ TTY_WARN => N("Reports check result to tty"),
+ );
+}
+
+1;
diff --git a/perl-install/security/level.pm b/perl-install/security/level.pm
new file mode 100644
index 000000000..bb3d9ddf2
--- /dev/null
+++ b/perl-install/security/level.pm
@@ -0,0 +1,80 @@
+package security::level;
+
+use strict;
+use common;
+use run_program;
+# perl_checker: require interactive
+
+sub level_list() {
+ (
+ 0 => N("Disable msec"),
+ 1 => N("Standard"),
+ 2 => N("Secure"),
+ );
+}
+
+sub to_string { +{ level_list() }->{$_[0]} }
+sub from_string { +{ reverse level_list() }->{$_[0]} || 2 }
+
+sub rawlevel_list() {
+ (
+ 0 => 'none',
+ 1 => 'standard',
+ 2 => 'secure',
+ );
+}
+
+sub to_lowlevel_string { +{ rawlevel_list() }->{$_[0]} }
+sub from_lowlevel_string { +{ reverse rawlevel_list() }->{$_[0]} || 2 }
+
+sub get_string() { to_string(get() || 2) }
+sub get_common_list() { map { to_string($_) } (1, 2, 3, 4, 5) }
+
+sub get() {
+ my $level = ${{ getVarsFromSh("$::prefix/etc/security/msec/security.conf") }}{BASE_LEVEL} || #- 2009.1 msec
+ "standard";
+ from_lowlevel_string($level);
+}
+
+sub set {
+ my ($security) = @_;
+ my @levelnames = ('none', 'standard', 'secure');
+ # use Standard level if specified level is out of range
+ $security = 1 if $security > $#levelnames;
+ run_program::rooted($::prefix, 'msec', '-q', '-f', $levelnames[$security]);
+ run_program::rooted($::prefix, 'msecperms', '-q', '-e', $levelnames[$security]);
+}
+
+sub level_choose {
+ my ($in, $security, $email) = @_; # perl_checker: $in = interactive->new
+
+ my %help = (
+ 0 => N("This level is to be used with care, as it disables all additional security
+provided by msec. Use it only when you want to take care of all aspects of system security
+on your own."),
+ 1 => N("This is the standard security recommended for a computer that will be used to connect to the Internet as a client."),
+ 2 => N("With this security level, the use of this system as a server becomes possible.
+The security is now high enough to use the system as a server which can accept
+connections from many clients. Note: if your machine is only a client on the Internet, you should choose a lower level."),
+ );
+
+ my @l = 1 .. 2;
+
+ $in->ask_from_({ title => $::isInstall ? N("Security") : N("DrakSec Basic Options"),
+ interactive_help_id => 'securityLevel',
+ }, [
+ { label => N("Please choose the desired security level"), title => 1 },
+ { val => $security, list => \@l,
+ format => sub {
+ #-PO: this string is used to properly format "<security level>: <level description>"
+ N("%s: %s", to_string($_[0]), formatAlaTeX($help{$_[0]}));
+ },
+ type => 'list', gtk => { use_boxradio => 1 } },
+ { label => N("Security Administrator:"), title => 1 },
+ { label => N("Login or email:"), val => $email, },
+ ],
+ );
+}
+
+
+1;
diff --git a/perl-install/security/libsafe.pm b/perl-install/security/libsafe.pm
deleted file mode 100644
index 1d6436b86..000000000
--- a/perl-install/security/libsafe.pm
+++ /dev/null
@@ -1,18 +0,0 @@
-package draksec::libsafe;
-
-use diagnostics;
-use strict;
-
-use common;
-
-sub config_libsafe {
- my ($prefix, $libsafe) = @_;
- my %t = getVarsFromSh("$prefix/etc/sysconfig/system");
- if (@_ > 1) {
- $t{LIBSAFE} = bool2yesno($libsafe);
- setVarsInSh("$prefix/etc/sysconfig/system", \%t);
- }
- text2bool($t{LIBSAFE});
-}
-
-1;
diff --git a/perl-install/security/main.pm b/perl-install/security/main.pm
deleted file mode 100644
index 3e23a8ce9..000000000
--- a/perl-install/security/main.pm
+++ /dev/null
@@ -1,298 +0,0 @@
-use strict;
-use standalone;
-
-use standalone;
-use MDK::Common;
-use my_gtk qw(:helpers :wrappers :ask);
-use log;
-
-use security::libsafe;
-use security::msec;
-
-sub myexit { my_gtk::exit @_ }
-
-sub wait_msg {
- my $mainw = my_gtk->new('wait');
- my $label = new Gtk::Label($_[0]);
- gtkadd($mainw->{window}, gtkpack(gtkadd(create_vbox(), $label)));
- $label->signal_connect(expose_event => sub { $mainw->{displayed} = 1 });
- $mainw->sync until $mainw->{displayed};
- gtkset_mousecursor_wait($mainw->{rwindow}->window);
- $mainw->flush;
- $mainw;
-}
-
-sub remove_wait_msg { $_[0]->destroy }
-
-sub show_msec_help {
- my $command = $_[0];
-}
-
-sub basic_seclevel_explanations {
- my $msec = $_[0];
- my $seclevel_explain = $msec->seclevel_explain();
-
- my $text = new Gtk::Text(undef, undef);
- $text->set_editable(0);
- $text->insert(undef, $text->style->black, undef, $seclevel_explain);
-
- gtkpack_(gtkshow(new Gtk::HBox(0, 0)), 1, $text);
-}
-
-sub basic_seclevel_option {
- my ($seclevel_entry, $msec) = @_;
- my @sec_levels = $msec->get_seclevel_list();
- my $current_level = $msec->get_secure_level();
-
- push(@sec_levels, $current_level) if ($current_level eq "Dangerous" || $current_level eq "Poor");
-
- $$seclevel_entry->entry->set_editable(0);
- $$seclevel_entry->set_popdown_strings(@sec_levels);
- $$seclevel_entry->entry->set_text($current_level);
-
- my $hbox = new Gtk::HBox(0, 0);
- new Gtk::Label(_("Security Level:")), $$seclevel_entry;
-}
-
-sub basic_secadmin_check {
- my ($secadmin_check, $msec) = @_;
-
- $$secadmin_check->set_active(1) if ($msec->get_check_value('', "MAIL_WARN") eq "yes");
-
- new Gtk::Label(_("Security Alerts:")), $$secadmin_check;
-}
-
-sub basic_secadmin_entry {
- my ($secadmin_entry, $msec) = @_;
-
- $$secadmin_entry->set_text($msec->get_check_value('', "MAIL_USER"));
-
- my $hbox = new Gtk::HBox(0, 0);
- new Gtk::Label(_("Security Administrator:")), $$secadmin_entry;
-}
-
-sub network_generate_page {
- my ($rsecurity_net_hash, $msec) = @_;
- my @network_options = $msec->get_functions('', "network");
- my @yesno_choices = qw(yes no default);
- my @alllocal_choices = qw(ALL LOCAL NONE default);
-
- my @items;
-
- foreach my $tmp (@network_options) {
-# my $hbutton = gtksignal_connect(new Gtk::Button(_('Help')),
-# 'clicked' => sub { show_msec_help($tmp) } );
- my $default = $msec->get_function_default('', $tmp);
- if (member($default, @yesno_choices) || member($default, @alllocal_choices)) {
- $$rsecurity_net_hash{$tmp} = new Gtk::Combo();
- $$rsecurity_net_hash{$tmp}->entry->set_editable(0);
- }
- else {
- $$rsecurity_net_hash{$tmp} = new Gtk::Entry();
- $$rsecurity_net_hash{$tmp}->set_text($msec->get_check_value('', $tmp));
- }
- if (member($default, @yesno_choices)) {
- $$rsecurity_net_hash{$tmp}->set_popdown_strings(@yesno_choices);
- $$rsecurity_net_hash{$tmp}->entry->set_text($msec->get_check_value('', $tmp));
- }
- elsif (member($default, @alllocal_choices)) {
- $$rsecurity_net_hash{$tmp}->set_popdown_strings(@alllocal_choices);
- $$rsecurity_net_hash{$tmp}->entry->set_text($msec->get_check_value('', $tmp));
- }
- push @items, [ new Gtk::Label(_($tmp." (default: ".$default.")")), $$rsecurity_net_hash{$tmp} ]; #, $hbutton];
- }
-
- gtkpack(new Gtk::VBox(0, 0),
- new Gtk::Label(_("The following options can be set to customize your\nsystem security. If you need explanations, click on Help.\n")),
- create_packtable({ col_spacings => 10, row_spacings => 5 }, @items));
-}
-
-sub system_generate_page {
- my ($rsecurity_system_hash, $msec) = @_;
- my @system_options = $msec->get_functions('', "system");
- my @yesno_choices = qw(yes no default);
- my @alllocal_choices = qw(ALL LOCAL NONE default);
-
- my @items;
-
- foreach my $tmp (@system_options) {
-# my $hbutton = gtksignal_connect(new Gtk::Button(_('Help')),
-# 'clicked' => sub { show_msec_help($tmp) } );
- my $default = $msec->get_function_default('', $tmp);
- my $item_hbox = new Gtk::HBox(0, 0);
- if (member($default, @yesno_choices) || member($default, @alllocal_choices)) {
- $$rsecurity_system_hash{$tmp} = new Gtk::Combo();
- $$rsecurity_system_hash{$tmp}->entry->set_editable(0);
- } else {
- $$rsecurity_system_hash{$tmp} = new Gtk::Entry();
- $$rsecurity_system_hash{$tmp}->set_text($msec->get_check_value('', $tmp));
- }
- if (member($default, @yesno_choices)) {
- $$rsecurity_system_hash{$tmp}->set_popdown_strings(@yesno_choices);
- $$rsecurity_system_hash{$tmp}->entry->set_text($msec->get_check_value('', $tmp));
- }
- elsif (member($default, @alllocal_choices)) {
- $$rsecurity_system_hash{$tmp}->set_popdown_strings(@alllocal_choices);
- $$rsecurity_system_hash{$tmp}->entry->set_text($msec->get_check_value('', $tmp));
- }
- push @items, [ new Gtk::Label(_($tmp." (default: ".$default.")")), $$rsecurity_system_hash{$tmp} ]; #, $hbutton ];
- }
-
- createScrolledWindow(gtkpack(new Gtk::VBox(0, 0),
- new Gtk::Label(_("The following options can be set to customize your\nsystem security. If you need explanations, click on Help.\n")),
- create_packtable({ col_spacings => 10, row_spacings => 5 }, @items)));
-}
-
-# TODO: Format label & entry in a table to make it nice to see
-sub checks_generate_page {
- my ($rsecurity_checks_hash, $msec) = @_;
- my @security_checks = $msec->get_checks('');
- my @choices = qw(yes no default);
- my @ignore_list = qw(MAIL_WARN MAIL_USER);
-
- my @items;
- foreach my $tmp (@security_checks) {
- if (!member(@ignore_list, $tmp)) {
-# my $hbutton = gtksignal_connect(new Gtk::Button(_('Help')),
-# 'clicked' => sub { show_msec_help($tmp) } );
- $$rsecurity_checks_hash{$tmp} = new Gtk::Combo();
- $$rsecurity_checks_hash{$tmp}->entry->set_editable(0);
- $$rsecurity_checks_hash{$tmp}->set_popdown_strings(@choices);
- $$rsecurity_checks_hash{$tmp}->entry->set_text($msec->get_check_value('', $tmp));
- push @items, [ new Gtk::Label(_($tmp)), $$rsecurity_checks_hash{$tmp} ]; #, $hbutton ];
- }
- }
-
- createScrolledWindow(gtkpack(new Gtk::VBox(0, 0),
- new Gtk::Label(_("The following options can be set to customize your\nsystem security. If you need explanations, click on Help.\n")),
- create_packtable({ col_spacings => 10, row_spacings => 5 }, @items)));
-}
-
-sub draksec_main {
- # Variable Declarations
- my $msec = new security::msec;
- my $w = my_gtk->new('draksec');
- my $window = $w->{window};
-
- ############################ MAIN WINDOW ###################################
- # Set different options to Gtk::Window
- unless ($::isEmbedded) {
- $w->{rwindow}->set_policy(1,1,1);
- $w->{rwindow}->set_position(1);
- $w->{rwindow}->set_title("DrakSec - Basic Options" );
- $window->set_usize( 598,490);
- }
-
- # Connect the signals
- $window->signal_connect("delete_event", sub { $window->destroy(); } );
- $window->signal_connect("destroy", sub { my_gtk->exit(); } );
- $window->realize();
-
- $window->add(my $vbox = gtkshow(new Gtk::VBox(0, 0)));
-
- # Create the notebook (for bookmarks at the top)
- my $notebook = create_notebook();
- $notebook->set_tab_pos('top');
-
- ######################## BASIC OPTIONS PAGE ################################
- my $seclevel_entry = new Gtk::Combo();
- my $secadmin_check = new Gtk::CheckButton();
- my $secadmin_entry = new Gtk::Entry();
-
- $notebook->append_page(gtkpack__(gtkshow(my $basic_page = new Gtk::VBox(0, 0)),
- basic_seclevel_explanations($msec),
- create_packtable ({ col_spacings => 10, row_spacings => 5 },
- [ basic_seclevel_option(\$seclevel_entry, $msec) ],
- [ basic_secadmin_check(\$secadmin_check, $msec) ],
- [ basic_secadmin_entry(\$secadmin_entry, $msec) ] )),
- gtkshow(new Gtk::Label("Basic")));
-
- ######################### NETWORK OPTIONS ##################################
- my %network_options_value;
- $notebook->append_page(gtkpack__(gtkshow(new Gtk::VBox(0, 0)),
- network_generate_page(\%network_options_value, $msec)),
- gtkshow(new Gtk::Label("Network Options")));
-
-
- ########################## SYSTEM OPTIONS ##################################
- my %system_options_value;
-
- $notebook->append_page(gtkpack_(
- gtkshow(new Gtk::VBox(0, 0)),
- 1, system_generate_page(\%system_options_value, $msec)),
- gtkshow(new Gtk::Label("System Options")));
-
- ######################## PERIODIC CHECKS ###################################
- my %security_checks_value;
-
- $notebook->append_page(gtkpack(gtkshow(new Gtk::VBox(0, 0)),
- checks_generate_page(\%security_checks_value, $msec)),
- gtkshow(new Gtk::Label("Periodic Checks")));
-
-
- ####################### OK CANCEL BUTTONS ##################################
- my $bok = gtksignal_connect(new Gtk::Button(_("Ok")),
- 'clicked' => sub {
- my $seclevel_value = $seclevel_entry->entry->get_text();
- my $secadmin_check_value = $secadmin_check->get_active();
- my $secadmin_value = $secadmin_entry->get_text();
- my $w;
-
- standalone::explanations("Configuring msec");
-
- if($seclevel_value ne $msec->get_secure_level()) {
- $w = wait_msg(_("Please wait, setting security level..."));
- standalone::explanations("Setting security level");
- $msec->set_secure_level($seclevel_value);
- remove_wait_msg($w);
- }
-
- $w = wait_msg(_("Please wait, setting security options..."));
- standalone::explanations("Setting security administrator option");
- if($secadmin_check_value == 1) { $msec->config_check('', 'MAIL_WARN', 'yes') }
- else { $msec->config_check('', 'MAIL_WARN', 'no') }
-
- standalone::explanations("Setting security administrator contact");
- if($secadmin_value ne $msec->get_check_value('', 'MAIL_USER') && $secadmin_check_value) {
- $msec->config_check('', 'MAIL_USER', $secadmin_value);
- }
-
- standalone::explanations("Setting security periodic checks");
- foreach my $key (keys %security_checks_value) {
- if ($security_checks_value{$key}->entry->get_text() ne $msec->get_check_value('', $key)) {
- $msec->config_check('', $key, $security_checks_value{$key}->entry->get_text());
- }
- }
-
- standalone::explanations("Setting msec functions related to networking");
- foreach my $key (keys %network_options_value) {
- if($network_options_value{$key} =~ /Combo/) { $msec->config_function('', $key, $network_options_value{$key}->entry->get_text()) }
- else { $msec->config_check('', $key, $network_options_value{$key}->get_text()) }
- }
-
- standalone::explanations("Setting msec functions related to the system");
- foreach my $key (keys %system_options_value) {
- if($system_options_value{$key} =~ /Combo/) { $msec->config_function('', $key, $system_options_value{$key}->entry->get_text()) }
- else { $msec->config_check('', $key, $system_options_value{$key}->get_text()) }
- }
- remove_wait_msg($w);
-
- my_gtk->exit(0);
- } );
-
- my $bcancel = gtksignal_connect(new Gtk::Button(_("Cancel")),
- 'clicked' => sub { my_gtk->exit(0) } );
- gtkpack_($vbox,
- 1, gtkshow($notebook),
- 0, gtkadd(gtkadd(gtkshow(new Gtk::HBox(0, 0)),
- gtkshow($bok)),
- gtkshow($bcancel)));
- $bcancel->can_default(1);
- $bcancel->grab_default();
-
- $w->main;
- my_gtk->exit(0);
-
-}
-
-1;
diff --git a/perl-install/security/msec.pm b/perl-install/security/msec.pm
index 4e105f264..4258653ef 100644
--- a/perl-install/security/msec.pm
+++ b/perl-install/security/msec.pm
@@ -1,356 +1,187 @@
package security::msec;
use strict;
-use vars qw($VERSION);
-
-$VERSION = "0.2";
-
-=head1 NAME
-
-msec - Perl functions to handle msec configuration files
-
-=head1 SYNOPSYS
-
- require security::msec;
+use MDK::Common;
- my $msec = new msec;
- $secure_level = get_secure_level($prefix);
+#-------------------------------------------------------------
+# msec options managment methods
- @functions = $msec->get_functions($prefix);
- foreach @functions { %options{$_} = $msec->get_function_value($prefix, $_) }
- foreach @functions { %defaults{$_} = $msec->get_function_default($prefix, $_) }
- foreach @functions { $msec->config_function($prefix, $_, %options{$_}) }
- @checks = $msec->get_checks($prefix);
- foreach @checks { %options{$_} = $msec->get_check_value($prefix, $_) }
- foreach @checks { %defaults{$_} = $msec->get_check_default($prefix, $_) }
- foreach @checks { $msec->config_check($prefix, $_, %options{$_}) }
+#-------------------------------------------------------------
+# option defaults
-=head1 DESCRIPTION
+sub load_defaults {
+ my ($msec, $category) = @_;
+ my $separator = $msec->{$category}{def_separator};
+ map {
+ my ($opt, $val) = split(/$separator/, $_, 2);
+ chop $val;
+ if_($opt ne 'set_security_conf', $opt => $val);
+ } cat_($msec->{$category}{defaults_file}), if_($category eq "checks", 'MAIL_USER');
+}
-C<msec> is a perl module used by draksec to customize the different options
-that can be set in msec's configuration files.
-=head1 COPYRIGHT
+# get_XXX_default(function) -
+# return the default of the function|check passed in argument.
-Copyright (C) 2000,2001,2002 MandrakeSoft <cbelisle@mandrakesoft.com>
+sub get_check_default {
+ my ($msec, $check) = @_;
+ $msec->{checks}{default}{$check};
+}
-This program is free software; you can redistribute it and/or modify
-it under the terms of the GNU General Public License as published by
-the Free Software Foundation; either version 2, or (at your option)
-any later version.
+sub get_function_default {
+ my ($msec, $function) = @_;
+ $msec->{functions}{default}{$function};
+}
-This program is distributed in the hope that it will be useful,
-but WITHOUT ANY WARRANTY; without even the implied warranty of
-MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
-GNU General Public License for more details.
-You should have received a copy of the GNU General Public License
-along with this program; if not, write to the Free Software
-Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA.
-=cut
+#-------------------------------------------------------------
+# option values
-use MDK::Common;
+sub load_values {
+ my ($msec, $category) = @_;
+ my $separator = $msec->{$category}{val_separator};
+ map {
+ my ($opt, $val) = split /$separator/;
+ chop $val;
+ $val =~ s/[()]//g;
+ chop $opt if $separator eq '\('; # $opt =~ s/ //g if $separator eq '\(';
+ if_(defined($val), $opt => $val);
+ } cat_($msec->{$category}{values_file});
+}
-# ***********************************************
-# PRIVATE FUNCTIONS
-# ***********************************************
-sub config_option {
- my ($prefix, $option, $value, $category) =@_;
- my %options_hash = ( );
- my $key = "";
- my $options_file = "";
-
- if($category eq "functions") { $options_file = "$prefix/etc/security/msec/level.local"; }
- elsif($category eq "checks") { $options_file ="$prefix/etc/security/msec/security.conf"; }
-
- if(-e $options_file) {
- open F, $options_file;
- if($category eq "functions") {
- while(<F>) {
- if (!($_ =~ /^from mseclib/) && $_ ne "\n") {
- my ($name, $value_set) = split (/\(/, $_);
- chop $value_set; chop $value_set;
- $options_hash{$name} = $value_set;
- }
- }
- }
- elsif($category eq "checks") {
- %options_hash = getVarsFromSh($options_file);
- }
- close F;
- }
- $options_hash{$option} = $value;
+# get_XXX_value(check|function) -
+# return the value of the function|check passed in argument.
+# If no value is set, return "default".
- open F, '>'.$options_file;
- if ($category eq "functions") { print F "from mseclib import *\n\n"; }
- foreach $key (keys %options_hash) {
- if ($options_hash{$key} ne "default") {
- if($category eq "functions") { print F "$key"."($options_hash{$key})\n"; }
- elsif($category eq "checks") { print F "$key=$options_hash{$key}\n"; }
- }
- }
- close F;
+sub get_function_value {
+ my ($msec, $function) = @_;
+ exists $msec->{functions}{value}{$function} ? $msec->{functions}{value}{$function} : "default";
}
-sub get_default {
- my ($prefix, $option, $category) = @_;
- my $default_file = "";
- my $default_value = "";
- my $num_level = 0;
-
- if ($category eq "functions") {
- my $word_level = get_secure_level($prefix);
- if ($word_level eq "Dangerous") { $num_level = 0 }
- elsif ($word_level eq "Poor") { $num_level = 1 }
- elsif ($word_level eq "Standard") { $num_level = 2 }
- elsif ($word_level eq "High") { $num_level = 3 }
- elsif ($word_level eq "Higher") { $num_level = 4 }
- elsif ($word_level eq "Paranoid") { $num_level = 5 }
- $default_file = "$prefix/usr/share/msec/level.".$num_level;
- }
- elsif ($category eq "checks") { $default_file = "$prefix/var/lib/msec/security.conf"; }
-
- open F, $default_file;
- if($category eq "functions") {
- while(<F>) {
- if ($_ =~ /^$option/) { (undef, $default_value) = split(/ /, $_); }
- }
- }
- elsif ($category eq "checks") {
- while(<F>) {
- if ($_ =~ /^$option/) { (undef, $default_value) = split(/=/, $_); }
- }
- }
- close F;
- chop $default_value;
-
- $default_value;
+sub get_check_value {
+ my ($msec, $check) = @_;
+ $msec->{checks}{value}{$check} || "default";
}
-# ***********************************************
-# EXPLANATIONS
-# ***********************************************
-sub seclevel_explain {
-"Standard: This is the standard security recommended for a computer that will be used to connect
- to the Internet as a client.
-
-High: There are already some restrictions, and more automatic checks are run every night.
-Higher: The security is now high enough to use the system as a server which can accept
- connections from many clients. If your machine is only a client on the Internet, you
- should choose a lower level.
-Paranoid: This is similar to the previous level, but the system is entirely closed and security
- features are at their maximum
+#-------------------------------------------------------------
+# get list of check|functions
-Security Administrator:
- If the 'Security Alerts' option is set, security alerts will be sent to this user (username or
- email)";
-}
-
-# ***********************************************
-# SPECIFIC OPTIONS
-# ***********************************************
-
-# get_secure_level(prefix) - Get the secure level
-sub get_secure_level {
- shift @_;
- my $prefix = $_;
- my $num_level = 2;
-
- $num_level = cat_("$prefix/etc/profile") =~ /export SECURE_LEVEL=(\d+)/ && $1 ||
- cat_("$prefix/etc/profile.d/msec.sh") =~ /export SECURE_LEVEL=(\d+)/ && $1 ||
- ${{ getVarsFromSh("$prefix/etc/sysconfig/msec") }}{SECURE_LEVEL};
- # || $ENV{SECURE_LEVEL};
-
- if ($num_level == 0) { return "Dangerous" }
- elsif ($num_level == 1) { return "Poor" }
- elsif ($num_level == 2) { return "Standard" }
- elsif ($num_level == 3) { return "High" }
- elsif ($num_level == 4) { return "Higher" }
- elsif ($num_level == 5) { return "Paranoid" }
-}
+# list_(functions|checks) -
+# return a list of functions|checks handled by level.local|security.conf
-sub get_seclevel_list {
- qw(Standard High Higher Paranoid);
+sub raw_checks_list {
+ my ($msec) = @_;
+ keys %{$msec->{checks}{default}};
}
-sub set_secure_level {
- my $word_level = $_[1];
- my $num_level = 0;
-
- if ($word_level eq "Dangerous") { $num_level = 0 }
- elsif ($word_level eq "Poor") { $num_level = 1 }
- elsif ($word_level eq "Standard") { $num_level = 2 }
- elsif ($word_level eq "High") { $num_level = 3 }
- elsif ($word_level eq "Higher") { $num_level = 4 }
- elsif ($word_level eq "Paranoid") { $num_level = 5 }
-
- system "/usr/sbin/msec", $num_level;
+sub list_checks {
+ my ($msec) = @_;
+ difference2([ $msec->raw_checks_list ], [ qw(MAIL_WARN MAIL_USER) ]);
}
-# ***********************************************
-# FUNCTIONS (level.local) RELATED
-# ***********************************************
-
-# get_functions(prefix) -
-# return a list of functions handled by level.local (see
-# man mseclib for more info).
-sub get_functions {
- shift;
- my ($prefix, $category) = @_;
- my @functions = ();
- my (@tmp_network_list, @tmp_system_list);
+sub list_functions {
+ my ($msec, $category) = @_;
## TODO handle 3 last functions here so they can be removed from this list
my @ignore_list = qw(indirect commit_changes closelog error initlog log set_secure_level
- set_security_conf set_server_level print_changes get_translation
- create_server_link);
-
- my @network_list = qw(accept_bogus_error_responses accept_broadcasted_icmp_echo accept_icmp_echo
- enable_dns_spoofing_protection enable_ip_spoofing_protection
- enable_log_strange_packets enable_promisc_check no_password_aging_for);
-
- my @system_list = qw(allow_autologin allow_issues allow_reboot allow_remote_root_login
- allow_root_login allow_user_list allow_x_connections allow_xserver_to_listen
- authorize_services enable_at_crontab enable_console_log enable_libsafe
+ set_security_conf set_server_level print_changes get_translation create_server_link);
+
+ my %options = (
+ 'network' => [qw(accept_bogus_error_responses accept_broadcasted_icmp_echo accept_icmp_echo
+ enable_dns_spoofing_protection enable_ip_spoofing_protection
+ enable_log_strange_packets enable_promisc_check no_password_aging_for)],
+ 'system' => [qw(allow_autologin allow_issues allow_reboot allow_remote_root_login
+ allow_root_login allow_user_list allow_xauth_from_root allow_x_connections allow_xserver_to_listen
+ authorize_services enable_at_crontab enable_console_log
enable_msec_cron enable_pam_wheel_for_su enable_password enable_security_check
enable_sulogin password_aging password_history password_length set_root_umask
- set_shell_history_size set_shell_timeout set_user_umask);
-
- my $file = "$prefix/usr/share/msec/mseclib.py";
- my $function = '';
-
- print "$prefix\n";
- # read mseclib.py to get each function's name and if it's
- # not in the ignore list, add it to the returned list.
- open F, $file;
- while (<F>) {
- if ($_ =~ /^def/) {
- (undef, $function) = split(/ /, $_);
- ($function, undef) = split(/\(/, $function);
- if (!(member($function, @ignore_list))) {
- if($category eq "network" && member($function, @network_list)) { push(@functions, $function) }
- elsif($category eq "system" && member($function, @system_list)) { push(@functions, $function) }
- }
- }
- }
- close F;
+ set_shell_history_size set_shell_timeout set_user_umask)]);
- @functions;
+ # get all function names; filter out those which are in the ignore
+ # list, return what lefts.
+ grep { !member($_, @ignore_list) && member($_, @{$options{$category}}) } keys %{$msec->{functions}{default}};
}
-# get_function_value(prefix, function) -
-# return the value of the function passed in argument. If no value is set,
-# return "default".
-sub get_function_value {
- my ($prefix, $function) = @_;
- my $value = '';
- my $msec_options = "$prefix/etc/security/msec/level.local";
- my $found = 0;
-
- if (-e $msec_options) {
- open F, $msec_options;
- while(<F>) {
- if($_ =~ /^$function/) {
- (undef, $value) = split(/\(/, $_);
- chop $value; chop $value;
- $found = 1;
- }
- }
- close F;
- if ($found == 0) { $value = "default" }
- }
- else { $value = "default" }
- $value;
-}
+#-------------------------------------------------------------
+# set back checks|functions values
-# get_function_default(prefix, function) -
-# return the default value of the function according to the security level
-sub get_function_default {
- shift;
- my ($prefix, $function) = @_;
- return get_default($prefix, $function, "functions");
+sub set_function {
+ my ($msec, $function, $value) = @_;
+ $msec->{functions}{value}{$function} = $value;
}
-# config_function(prefix, function, value) -
-# Apply the configuration to 'prefix'/etc/security/msec/level.local
-sub config_function {
- my ($prefix, $function, $value) = @_;
- config_option($prefix, $function, $value, "functions");
+sub set_check {
+ my ($msec, $check, $value) = @_;
+ $msec->{checks}{value}{$check} = $value;
}
-# ***********************************************
-# PERIODIC CHECKS (security.conf) RELATED
-# ***********************************************
-
-# get_checks(prefix) -
-# return a list of periodic checks handled by security.conf
-sub get_checks {
- my $prefix = $_;
- my $check;
- my @checks = ();
-
- my $check_file = "$prefix/var/lib/msec/security.conf";
- my @ignore_list = qw(MAIL_USER);
-
- if (-e $check_file) {
- open F, $check_file;
- while (<F>) {
- ($check, undef) = split(/=/, $_);
- if(!(member($check, @ignore_list))) { push(@checks, $check) }
- }
- close F;
- }
- @checks;
-}
+#-------------------------------------------------------------
+# apply configuration
-# get_check_value(prefix, check)
-# return the value of the check passed in argument
-sub get_check_value {
- shift @_;
- my ($prefix, $check) = @_;
- my $check_file = "$prefix/etc/security/msec/security.conf";
- my $value = '';
- my $found = 0;
-
- if (-e $check_file) {
- open F, $check_file;
- while(<F>) {
- if($_ =~ /^$check/) {
- (undef, $value) = split(/=/, $_);
- chop $value;
- $found = 1;
- }
+# config_(check|function)(check|function, value) -
+# Apply the configuration to 'prefix'/etc/security/msec/security.conf||/etc/security/msec/level.local
+
+sub apply_functions {
+ my ($msec) = @_;
+ my @list = sort($msec->list_functions('system'), $msec->list_functions('network'));
+ touch($msec->{functions}{values_file}) if !-e $msec->{functions}{values_file};
+ substInFile {
+ foreach my $function (@list) { s/^$function.*\n// }
+ if (eof) {
+ $_ .= join("\n", if_(!$_, ''), (map {
+ my $value = $msec->get_function_value($_);
+ if_($value ne 'default', "$_ ($value)");
+ } @list), "");
}
- close F;
- if ($found == 0) { $value = "default" }
- }
- else { $value = "default" }
+ } $msec->{functions}{values_file};
+}
- $value;
+sub apply_checks {
+ my ($msec) = @_;
+ my @list = sort $msec->raw_checks_list;
+ setVarsInSh($msec->{checks}{values_file},
+ {
+ map {
+ my $value = $msec->get_check_value($_);
+ if_($value ne 'default', $_ => $value);
+ } @list
+ }
+ );
}
-# get_check_default(prefix, check)
-# Get the default value according to the security level
-sub get_check_default {
- my ($prefix, $check) = @_;
- return get_default($prefix, $check, "checks");
+sub reload {
+ my ($msec) = @_;
+ require security::level;
+ my $num_level = security::level::get();
+ $msec->{functions}{defaults_file} = "$::prefix/usr/share/msec/level.$num_level";
+ $msec->{functions}{default} = { $msec->load_defaults('functions') };
}
-# config_check(prefix, check, value)
-# Apply the configuration to "prefix"/etc/security/msec/security.conf
-sub config_check {
- shift @_;
- my ($prefix, $check, $value) = @_;
- config_option($prefix, $check, $value, "checks");
+sub new {
+ my ($type) = @_;
+ my $msec = bless {}, $type;
+
+ $msec->{functions}{values_file} = "$::prefix/etc/security/msec/level.local";
+ $msec->{checks}{values_file} = "$::prefix/etc/security/msec/security.conf";
+ $msec->{checks}{defaults_file} = "$::prefix/var/lib/msec/security.conf";
+ $msec->{checks}{val_separator} = '=';
+ $msec->{functions}{val_separator} = '\(';
+ $msec->{checks}{def_separator} = '=';
+ $msec->{functions}{def_separator} = ' ';
+ $msec->reload;
+
+ $msec->{checks}{default} = { $msec->load_defaults('checks') };
+ $msec->{functions}{value} = { $msec->load_values('functions') };
+ $msec->{checks}{value} = { $msec->load_values('checks') };
+ $msec;
}
-sub new { shift }
1;
diff --git a/perl-install/security/various.pm b/perl-install/security/various.pm
new file mode 100644
index 000000000..2e4abd397
--- /dev/null
+++ b/perl-install/security/various.pm
@@ -0,0 +1,19 @@
+package security::various;
+
+use diagnostics;
+use strict;
+
+use common;
+
+sub config_security_user {
+ my $setting = @_ > 1;
+ my ($prefix, $sec_user) = @_;
+ if ($setting) {
+ addVarsInSh("$prefix/etc/security/msec/security.conf", { MAIL_USER => $sec_user });
+ } else {
+ my %t = getVarsFromSh("$prefix/etc/security/msec/security.conf");
+ $t{MAIL_USER};
+ }
+}
+
+1;
generated by cgit v1.2.1 (git 2.21.0) at 2025-10-26 04:37:59 +0000