diff options
Diffstat (limited to 'perl-install/security')
| -rw-r--r-- | perl-install/security/help.pm | 139 | ||||
| -rw-r--r-- | perl-install/security/l10n.pm | 66 | ||||
| -rw-r--r-- | perl-install/security/level.pm | 91 | ||||
| -rw-r--r-- | perl-install/security/libsafe.pm | 18 | ||||
| -rw-r--r-- | perl-install/security/main.pm | 243 | ||||
| -rw-r--r-- | perl-install/security/msec.pm | 258 | ||||
| -rw-r--r-- | perl-install/security/various.pm | 19 |
7 files changed, 418 insertions, 416 deletions
diff --git a/perl-install/security/help.pm b/perl-install/security/help.pm new file mode 100644 index 000000000..ec934e067 --- /dev/null +++ b/perl-install/security/help.pm @@ -0,0 +1,139 @@ +package security::help; +# This help was forked from msec internal function descriptions +# They were then reworked in order to be targeted for end users, not msec developpers + + +use strict; +use common; + +our %help = ( + +'accept_bogus_error_responses' => N("Accept bogus IPv4 error messages."), + +'accept_broadcasted_icmp_echo' => N("Accept broadcasted icmp echo."), + +'accept_icmp_echo' => N("Accept icmp echo."), + +'allow_autologin' => N("Allow autologin."), + +'allow_issues' => + #-PO: here "ALL" is a value in a pull-down menu; translate it the same as "ALL" is + N("If set to \"ALL\", /etc/issue and /etc/issue.net are allowed to exist. + +If set to \"None\", no issues are allowed. + +Else only /etc/issue is allowed."), + +'allow_reboot' => N("Allow reboot by the console user."), + +'allow_remote_root_login' => N("Allow remote root login."), + +'allow_root_login' => N("Allow direct root login."), + +'allow_user_list' => N("Allow the list of users on the system on display managers (kdm and gdm)."), + +'allow_xauth_from_root' => N("Allow to export display when +passing from the root account to the other users. + +See pam_xauth(8) for more details.'"), + +'allow_x_connections' => N("Allow X connections: + +- \"All\" (all connections are allowed), + +- \"Local\" (only connection from local machine), + +- \"None\" (no connection)."), + +'allow_xserver_to_listen' => N("The argument specifies if clients are authorized to connect +to the X server from the network on the tcp port 6000 or not."), + +'authorize_services' => + #-PO: here "ALL", "Local" and "None" are values in a pull-down menu; translate them the same as they're + N("Authorize: + +- all services controlled by tcp_wrappers (see hosts.deny(5) man page) if set to \"ALL\", + +- only local ones if set to \"Local\" + +- none if set to \"None\". + +To authorize the services you need, use /etc/hosts.allow (see hosts.allow(5))."), + +'create_server_link' => N("If SERVER_LEVEL (or SECURE_LEVEL if absent) +is greater than 3 in /etc/security/msec/security.conf, creates the +symlink /etc/security/msec/server to point to +/etc/security/msec/server.<SERVER_LEVEL>. + +The /etc/security/msec/server is used by chkconfig --add to decide to +add a service if it is present in the file during the installation of +packages."), + +'enable_at_crontab' => N("Enable crontab and at for users. + +Put allowed users in /etc/cron.allow and /etc/at.allow (see man at(1) +and crontab(1))."), + +'enable_console_log' => N("Enable syslog reports to console 12"), + +'enable_dns_spoofing_protection' => N("Enable name resolution spoofing protection. If +\"%s\" is true, also reports to syslog.", N("Security Alerts:")), + +'enable_ip_spoofing_protection' => N("Enable IP spoofing protection."), + +'enable_libsafe' => N("Enable libsafe if libsafe is found on the system."), + +'enable_log_strange_packets' => N("Enable the logging of IPv4 strange packets."), + +'enable_msec_cron' => N("Enable msec hourly security check."), + +'enable_pam_wheel_for_su' => N("Enable su only from members of the wheel group. If set to no, allows su from any user."), + +'enable_password' => N("Use password to authenticate users."), + +'enable_promisc_check' => N("Activate Ethernet cards promiscuity check."), + +'enable_security_check' => N("Activate daily security check."), + +'enable_sulogin' => N("Enable sulogin(8) in single user level."), + +'no_password_aging_for' => N("Add the name as an exception to the handling of password aging by msec."), + +'password_aging' => N("Set password aging to \"max\" days and delay to change to \"inactive\"."), + +'password_history' => N("Set the password history length to prevent password reuse."), + +'password_length' => N("Set the password minimum length and minimum number of digit and minimum number of capitalized letters."), + +'set_root_umask' => N("Set the root's file mode creation mask."), +CHECK_OPEN_PORT => N("if set to yes, check open ports."), +CHECK_PASSWD => N("if set to yes, check for: + +- empty passwords, + +- no password in /etc/shadow + +- for users with the 0 id other than root."), +CHECK_PERMS => N("if set to yes, check permissions of files in the users' home."), +CHECK_PROMISC => N("if set to yes, check if the network devices are in promiscuous mode."), +CHECK_SECURITY => N("if set to yes, run the daily security checks."), +CHECK_SGID => N("if set to yes, check additions/removals of sgid files."), +CHECK_SHADOW => N("if set to yes, check empty password in /etc/shadow."), +CHECK_SUID_MD5 => N("if set to yes, verify checksum of the suid/sgid files."), +CHECK_SUID_ROOT => N("if set to yes, check additions/removals of suid root files."), +CHECK_UNOWNED => N("if set to yes, report unowned files."), +CHECK_WRITABLE => N("if set to yes, check files/directories writable by everybody."), +CHKROOTKIT_CHECK => N("if set to yes, run chkrootkit checks."), +MAIL_USER => N("if set, send the mail report to this email address else send it to root."), +MAIL_WARN => N("if set to yes, report check result by mail."), +MAIL_EMPTY_CONTENT => N("Do not send mails if there's nothing to warn about"), +RPM_CHECK => N("if set to yes, run some checks against the rpm database."), +SYSLOG_WARN => N("if set to yes, report check result to syslog."), +TTY_WARN => N("if set to yes, reports check result to tty."), + +'set_shell_history_size' => N("Set shell commands history size. A value of -1 means unlimited."), + +'set_shell_timeout' => N("Set the shell timeout. A value of zero means no timeout.") . "\n\n" . N("Timeout unit is second"), + +'set_user_umask' => N("Set the user's file mode creation mask."), +); diff --git a/perl-install/security/l10n.pm b/perl-install/security/l10n.pm new file mode 100644 index 000000000..355f1fff1 --- /dev/null +++ b/perl-install/security/l10n.pm @@ -0,0 +1,66 @@ +package security::l10n; +# This help was build from stripped from python description of msec functions +# soft/msec/share/libmsec.py +# +# It's used in draksec option labels + +use common; + +sub fields() { + return ( + 'accept_bogus_error_responses' => N("Accept bogus IPv4 error messages"), + 'accept_broadcasted_icmp_echo' => N("Accept broadcasted icmp echo"), + 'accept_icmp_echo' => N("Accept icmp echo"), + 'allow_autologin' => N("Autologin"), + 'allow_issues' => N("/etc/issue* exist"), + 'allow_reboot' => N("Reboot by the console user"), + 'allow_remote_root_login' => N("Allow remote root login"), + 'allow_root_login' => N("Direct root login"), + 'allow_user_list' => N("List users on display managers (kdm and gdm)"), + 'allow_xauth_from_root' => N("Export display when passing from root to the other users"), + 'allow_x_connections' => N("Allow X Window connections"), + 'allow_xserver_to_listen' => N("Authorize TCP connections to X Window"), + 'authorize_services' => N("Authorize all services controlled by tcp_wrappers"), + 'create_server_link' => N("Chkconfig obey msec rules"), + 'enable_at_crontab' => N("Enable \"crontab\" and \"at\" for users"), + 'enable_console_log' => N("Syslog reports to console 12"), + 'enable_dns_spoofing_protection' => N("Name resolution spoofing protection"), + 'enable_ip_spoofing_protection' => N("Enable IP spoofing protection"), + 'enable_libsafe' => N("Enable libsafe if libsafe is found on the system"), + 'enable_log_strange_packets' => N("Enable the logging of IPv4 strange packets"), + 'enable_msec_cron' => N("Enable msec hourly security check"), + 'enable_pam_wheel_for_su' => N("Enable su only from the wheel group members"), + 'enable_password' => N("Use password to authenticate users"), + 'enable_promisc_check' => N("Ethernet cards promiscuity check"), + 'enable_security_check' => N("Daily security check"), + 'enable_sulogin' => N("Sulogin(8) in single user level"), + 'no_password_aging_for' => N("No password aging for"), + 'password_aging' => N("Set password expiration and account inactivation delays"), + 'password_history' => N("Password history length"), + 'password_length' => N("Password minimum length and number of digits and upcase letters"), + 'set_root_umask' => N("Root umask"), + 'set_shell_history_size' => N("Shell history size"), + 'set_shell_timeout' => N("Shell timeout"), + 'set_user_umask' => N("User umask"), + CHECK_OPEN_PORT => N("Check open ports"), + CHECK_PASSWD => N("Check for unsecured accounts"), + CHECK_PERMS => N("Check permissions of files in the users' home"), + CHECK_PROMISC => N("Check if the network devices are in promiscuous mode"), + CHECK_SECURITY => N("Run the daily security checks"), + CHECK_SGID => N("Check additions/removals of sgid files"), + CHECK_SHADOW => N("Check empty password in /etc/shadow"), + CHECK_SUID_MD5 => N("Verify checksum of the suid/sgid files"), + CHECK_SUID_ROOT => N("Check additions/removals of suid root files"), + CHECK_UNOWNED => N("Report unowned files"), + CHECK_WRITABLE => N("Check files/directories writable by everybody"), + CHKROOTKIT_CHECK => N("Run chkrootkit checks"), + MAIL_EMPTY_CONTENT => N("Do not send empty mail reports"), + MAIL_USER => N("If set, send the mail report to this email address else send it to root"), + MAIL_WARN => N("Report check result by mail"), + RPM_CHECK => N("Run some checks against the rpm database"), + SYSLOG_WARN => N("Report check result to syslog"), + TTY_WARN => N("Reports check result to tty"), + ); +} + +1; diff --git a/perl-install/security/level.pm b/perl-install/security/level.pm index 7ea08a52c..bb3d9ddf2 100644 --- a/perl-install/security/level.pm +++ b/perl-install/security/level.pm @@ -2,46 +2,79 @@ package security::level; use strict; use common; +use run_program; +# perl_checker: require interactive -my %level_list = ( - 0 => N("Welcome To Crackers"), - 1 => N("Poor"), - 2 => N("Standard"), - 3 => N("High"), - 4 => N("Higher"), - 5 => N("Paranoid"), - ); - -my @sec_levels = map { $level_list{$_} } (0..5); # enforce order +sub level_list() { + ( + 0 => N("Disable msec"), + 1 => N("Standard"), + 2 => N("Secure"), + ); +} +sub to_string { +{ level_list() }->{$_[0]} } +sub from_string { +{ reverse level_list() }->{$_[0]} || 2 } -sub get_common_list { - map { $level_list{$_} } (2, 3, 4); +sub rawlevel_list() { + ( + 0 => 'none', + 1 => 'standard', + 2 => 'secure', + ); } -sub get_full_list { - +sub to_lowlevel_string { +{ rawlevel_list() }->{$_[0]} } +sub from_lowlevel_string { +{ reverse rawlevel_list() }->{$_[0]} || 2 } + +sub get_string() { to_string(get() || 2) } +sub get_common_list() { map { to_string($_) } (1, 2, 3, 4, 5) } + +sub get() { + my $level = ${{ getVarsFromSh("$::prefix/etc/security/msec/security.conf") }}{BASE_LEVEL} || #- 2009.1 msec + "standard"; + from_lowlevel_string($level); } -sub get { - cat_("$::prefix/etc/profile") =~ /export SECURE_LEVEL=(\d+)/ && $1 || #- 8.0 msec - cat_("$::prefix/etc/profile.d/msec.sh") =~ /export SECURE_LEVEL=(\d+)/ && $1 || #- 8.1 msec - ${{ getVarsFromSh("$::prefix/etc/sysconfig/msec") }}{SECURE_LEVEL} || #- 8.2 msec - $ENV{SECURE_LEVEL}; +sub set { + my ($security) = @_; + my @levelnames = ('none', 'standard', 'secure'); + # use Standard level if specified level is out of range + $security = 1 if $security > $#levelnames; + run_program::rooted($::prefix, 'msec', '-q', '-f', $levelnames[$security]); + run_program::rooted($::prefix, 'msecperms', '-q', '-e', $levelnames[$security]); } +sub level_choose { + my ($in, $security, $email) = @_; # perl_checker: $in = interactive->new -sub get_string { - return $sec_levels[get()] || 2 -} + my %help = ( + 0 => N("This level is to be used with care, as it disables all additional security +provided by msec. Use it only when you want to take care of all aspects of system security +on your own."), + 1 => N("This is the standard security recommended for a computer that will be used to connect to the Internet as a client."), + 2 => N("With this security level, the use of this system as a server becomes possible. +The security is now high enough to use the system as a server which can accept +connections from many clients. Note: if your machine is only a client on the Internet, you should choose a lower level."), + ); -sub set { - my %sec_levels = reverse %level_list; - my $run_level = $sec_levels{$_[0]}; - print "set level: $_[0] -> $run_level\n"; - print $::prefix, "/usr/sbin/msec ", $run_level ? $run_level : 3, "\n"; - require run_program; - run_program::rooted($::prefix, "/usr/sbin/msec", $run_level ? $run_level : 3); + my @l = 1 .. 2; + + $in->ask_from_({ title => $::isInstall ? N("Security") : N("DrakSec Basic Options"), + interactive_help_id => 'securityLevel', + }, [ + { label => N("Please choose the desired security level"), title => 1 }, + { val => $security, list => \@l, + format => sub { + #-PO: this string is used to properly format "<security level>: <level description>" + N("%s: %s", to_string($_[0]), formatAlaTeX($help{$_[0]})); + }, + type => 'list', gtk => { use_boxradio => 1 } }, + { label => N("Security Administrator:"), title => 1 }, + { label => N("Login or email:"), val => $email, }, + ], + ); } + 1; diff --git a/perl-install/security/libsafe.pm b/perl-install/security/libsafe.pm deleted file mode 100644 index 1001ce4db..000000000 --- a/perl-install/security/libsafe.pm +++ /dev/null @@ -1,18 +0,0 @@ -package security::libsafe; - -use diagnostics; -use strict; - -use common; - -sub config_libsafe { - my ($prefix, $libsafe) = @_; - my %t = getVarsFromSh("$prefix/etc/sysconfig/system"); - if (@_ > 1) { - $t{LIBSAFE} = bool2yesno($libsafe); - setVarsInSh("$prefix/etc/sysconfig/system", \%t); - } - text2bool($t{LIBSAFE}); -} - -1; diff --git a/perl-install/security/main.pm b/perl-install/security/main.pm deleted file mode 100644 index 76cbdf83a..000000000 --- a/perl-install/security/main.pm +++ /dev/null @@ -1,243 +0,0 @@ -package security::main; - -use strict; - -use standalone; -use common; -use ugtk2 qw(:helpers :wrappers :ask :create); -use run_program; - -use security::level; -use security::msec; - -my $w; - -# factorize this with rpmdrake and harddrake2 -sub wait_msg { - my $mainw = ugtk2->new('wait', ( modal => 1, transient => $w->{rwindow})); - my $label = new Gtk2::Label($_[0]); - $mainw->{window}->add($label); - $mainw->{window}->show_all; - $mainw->{window}->realize; - $label->signal_connect(expose_event => sub { $mainw->{displayed} = 1 }); - $mainw->sync until $mainw->{displayed}; - $mainw->show; - gtkset_mousecursor_wait($mainw->{rwindow}->window); - $mainw->flush; - $mainw; -} - -sub remove_wait_msg { $_[0]->destroy } - -sub basic_seclevel_explanations { - my $text = new Gtk2::TextView; - $text->set_editable(0); - gtktext_insert($text, - formatAlaTeX(N("Standard: This is the standard security recommended for a computer that will be used to connect - to the Internet as a client. - -High: There are already some restrictions, and more automatic checks are run every night. - -Higher: The security is now high enough to use the system as a server which can accept - connections from many clients. If your machine is only a client on the Internet, you - should choose a lower level. - -Paranoid: This is similar to the previous level, but the system is entirely closed and security - features are at their maximum - -Security Administrator: - If the 'Security Alerts' option is set, security alerts will be sent to this user (username or - email)"))); - - gtkpack_(gtkshow(new Gtk2::HBox(0, 0)), 1, $text); -} - -sub basic_seclevel_option { - my ($seclevel_entry, $_msec) = @_; - my @sec_levels = security::level::get_common_list(); - my $current_level = security::level::get_string(); - - push(@sec_levels, $current_level) unless member($current_level, @sec_levels); - - $$seclevel_entry->entry->set_editable(0); - $$seclevel_entry->set_popdown_strings(@sec_levels); - $$seclevel_entry->entry->set_text($current_level); - - new Gtk2::Label(N("Security Level:")), $$seclevel_entry; -} - -sub new_editable_combo { - my $w = new Gtk2::Combo(); - $w->entry->set_editable(0); - $w; -} - -sub set_default_tip { - my ($entry, $default) = @_; - gtkset_tip(new Gtk2::Tooltips, $entry, N(" (default value: %s)", $default)); -} - -sub draksec_main { - my $msec = new security::msec; - $w = ugtk2->new('draksec'); - my $window = $w->{window}; - - ############################ MAIN WINDOW ################################### - # Set different options to Gtk2::Window - unless ($::isEmbedded) { -# $w->{rwindow}->set_policy(1, 1, 1); - $w->{rwindow}->set_position('center'); - $w->{rwindow}->set_title("DrakSec"); - $window->set_size_request(598, 590); - } - - # Connect the signals - $window->signal_connect('delete_event', sub { $window->destroy() }); - $window->signal_connect('destroy', sub { ugtk2->exit() }); - - $window->add(my $vbox = gtkshow(new Gtk2::VBox(0, 0))); - - # Create the notebook (for bookmarks at the top) - my $notebook = create_notebook(); - $notebook->set_tab_pos('top'); - - my $common_opts = { col_spacings => 10, row_spacings => 5 }; - - ######################## BASIC OPTIONS PAGE ################################ - my $seclevel_entry = new Gtk2::Combo(); - - $notebook->append_page(gtkpack(new Gtk2::VBox(0, 0), - basic_seclevel_explanations($msec), - create_packtable($common_opts, - [ basic_seclevel_option(\$seclevel_entry, $msec) ], - [ new Gtk2::Label(N("Security Alerts:")), - my $secadmin_check = new Gtk2::CheckButton ], - [ new Gtk2::Label(N("Security Administrator:")), - my $secadmin_entry = new Gtk2::Entry ])), - new Gtk2::Label(N("Basic"))); - - $secadmin_entry->set_text($msec->get_check_value("MAIL_USER")); - $secadmin_check->set_active(1) if $msec->get_check_value("MAIL_WARN") eq "yes"; - - ######################### NETWORK & SYSTEM OPTIONS ######################### - my @yesno_choices = qw(yes no default ignore); - my @alllocal_choices = qw(ALL LOCAL NONE default); - my @all_choices = (@yesno_choices, @alllocal_choices); - my %options_values; - - foreach ([ 'network', N("Network Options") ], [ 'system', N("System Options") ]) { - my ($domain, $label) = @$_; - my %values; - - $notebook->append_page(gtkshow(create_scrolled_window(gtkpack(new Gtk2::VBox(0, 0), - new Gtk2::Label(N("The following options can be set to customize your\nsystem security. If you need explanations, click on Help.\n")), - create_packtable($common_opts, - map { - my $i = $_; - - my $entry; - my $default = $msec->get_function_default($i); - if (member($default, @all_choices)) { - $values{$i} = new_editable_combo(); - $entry = $values{$i}->entry; - if (member($default, @yesno_choices)) { - $values{$i}->set_popdown_strings(@yesno_choices); - } elsif (member($default, @alllocal_choices)) { - $values{$i}->set_popdown_strings(@alllocal_choices); - } - } else { - $values{$i} = new Gtk2::Entry(); - $entry = $values{$i}; - } - $entry->set_text($msec->get_function_value($i)); - set_default_tip($entry, $default); - [ new Gtk2::Label($i), $values{$i} ]; - } $msec->get_functions($domain))))), - new Gtk2::Label($label)); - $options_values{$domain} = \%values; - } - - ######################## PERIODIC CHECKS ################################### - my %security_checks_value; - - $notebook->append_page(gtkshow(create_scrolled_window(gtkpack(new Gtk2::VBox(0, 0), - new Gtk2::Label(N("The following options can be set to customize your\nsystem security. If you need explanations, click on Help.\n")), - create_packtable($common_opts, - map { - unless (member(qw(MAIL_WARN MAIL_USER), $_)) { - my $i = $_; - $security_checks_value{$i} = new_editable_combo(); - my $entry = $security_checks_value{$i}->entry; - set_default_tip($entry, $msec->get_check_default); - $security_checks_value{$i}->set_popdown_strings(qw(yes no default)); - $entry->set_text($msec->get_check_value($i)); - [ gtkshow(new Gtk2::Label(translate($i))), $security_checks_value{$i} ]; - } else { undef } - } ($msec->get_default_checks))))), - new Gtk2::Label(N("Periodic Checks"))); - - - ####################### OK CANCEL BUTTONS ################################## - my $bok = gtksignal_connect(new Gtk2::Button(N("Ok")), - 'clicked' => sub { - my $seclevel_value = $seclevel_entry->entry->get_text(); - my $secadmin_check_value = $secadmin_check->get_active(); - my $secadmin_value = $secadmin_entry->get_text(); - my $w; - - standalone::explanations("Configuring msec"); - - if ($seclevel_value ne security::level::get_string()) { - $w = wait_msg(N("Please wait, setting security level...")); - standalone::explanations("Setting security level"); - security::level::set($seclevel_value); - remove_wait_msg($w); - } - - $w = wait_msg(N("Please wait, setting security options...")); - standalone::explanations("Setting security administrator option"); - $msec->config_check('MAIL_WARN', $secadmin_check_value == 1 ? 'yes' : 'no'); - - if ($secadmin_value ne $msec->get_check_value('MAIL_USER') && $secadmin_check_value) { - standalone::explanations("Setting security administrator contact"); - $msec->config_check('MAIL_USER', $secadmin_value); - } - - standalone::explanations("Setting security periodic checks"); - foreach my $key (keys %security_checks_value) { - if ($security_checks_value{$key}->entry->get_text() ne $msec->get_check_value($key)) { - $msec->config_check($key, $security_checks_value{$key}->entry->get_text()); - } - } - - foreach my $domain (keys %options_values) { - standalone::explanations("Setting msec functions related to $domain"); - foreach my $key (keys %{$options_values{$domain}}) { - my $opt = $options_values{$domain}{$key}; - $msec->config_function($key, $opt =~ /Combo/ ? $opt->entry->get_text() : $opt->get_text()); - } - } - standalone::explanations("Applying msec changes"); - run_program::rooted($::prefix, "/usr/sbin/msec"); - - remove_wait_msg($w); - - ugtk2->exit(0); - }); - - my $bcancel = gtksignal_connect(new Gtk2::Button(N("Cancel")), - 'clicked' => sub { ugtk2->exit(0) }); - gtkpack_($vbox, - 1, gtkshow($notebook), - 0, gtkadd(gtkadd(gtkshow(new Gtk2::HBox(0, 0)), - $bok), - $bcancel)); - $bcancel->can_default(1); - $bcancel->grab_default(); - - $w->main; - ugtk2->exit(0); - -} - -1; diff --git a/perl-install/security/msec.pm b/perl-install/security/msec.pm index 35d229a4d..4258653ef 100644 --- a/perl-install/security/msec.pm +++ b/perl-install/security/msec.pm @@ -1,88 +1,92 @@ package security::msec; use strict; -use vars qw($VERSION); -use MDK::Common::File; use MDK::Common; -$VERSION = "0.2"; +#------------------------------------------------------------- +# msec options managment methods -my $check_file = "$::prefix/etc/security/msec/security.conf"; +#------------------------------------------------------------- +# option defaults +sub load_defaults { + my ($msec, $category) = @_; + my $separator = $msec->{$category}{def_separator}; + map { + my ($opt, $val) = split(/$separator/, $_, 2); + chop $val; + if_($opt ne 'set_security_conf', $opt => $val); + } cat_($msec->{$category}{defaults_file}), if_($category eq "checks", 'MAIL_USER'); +} + + +# get_XXX_default(function) - +# return the default of the function|check passed in argument. + +sub get_check_default { + my ($msec, $check) = @_; + $msec->{checks}{default}{$check}; +} + +sub get_function_default { + my ($msec, $function) = @_; + $msec->{functions}{default}{$function}; +} -# *********************************************** -# PRIVATE FUNCTIONS -# *********************************************** -my $num_level; +#------------------------------------------------------------- +# option values + +sub load_values { + my ($msec, $category) = @_; + my $separator = $msec->{$category}{val_separator}; + map { + my ($opt, $val) = split /$separator/; + chop $val; + $val =~ s/[()]//g; + chop $opt if $separator eq '\('; # $opt =~ s/ //g if $separator eq '\('; + if_(defined($val), $opt => $val); + } cat_($msec->{$category}{values_file}); +} -sub get_default { - my ($option, $category) = @_; - my $default_file = ""; - my $default_value = ""; - my $num_level = 0; - if ($category eq "functions") { - require security::level; - $num_level ||= security::level::get(); - $default_file = "$::prefix/usr/share/msec/level.".$num_level; - } - elsif ($category eq "checks") { $default_file = "$::prefix/var/lib/msec/security.conf" } +# get_XXX_value(check|function) - +# return the value of the function|check passed in argument. +# If no value is set, return "default". - foreach (cat_($default_file)) { - if ($category eq 'functions') { - (undef, $default_value) = split / / if /^$option/; - } elsif ($category eq 'checks') { - (undef, $default_value) = split /=/ if /^$option/; - } - } - chop $default_value; - $default_value; +sub get_function_value { + my ($msec, $function) = @_; + exists $msec->{functions}{value}{$function} ? $msec->{functions}{value}{$function} : "default"; } -sub get_value { - my ($item, $category) = @_; - my $value = ''; - my $item_file = - $category eq 'functions' ? "$::prefix/etc/security/msec/level.local" : - $category eq 'checks' ? $check_file : ''; - - foreach (cat_($item_file)) { - /^$item/ or next; - - if ($category eq 'functions') { - my $i = $_; - (undef, $_) = split /\(/; - s/[()]//g; - $value = $_; - $_ = $i; - } elsif ($category eq 'checks') { - (undef, $value) = split(/=/, $_); - } - chop $value; - return $value; - } - "default"; +sub get_check_value { + my ($msec, $check) = @_; + $msec->{checks}{value}{$check} || "default"; } -# *********************************************** -# SPECIFIC OPTIONS -# *********************************************** -# *********************************************** -# FUNCTIONS (level.local) RELATED -# *********************************************** +#------------------------------------------------------------- +# get list of check|functions + +# list_(functions|checks) - +# return a list of functions|checks handled by level.local|security.conf -# get_functions() - -# return a list of functions handled by level.local (see -# man mseclib for more info). -sub get_functions { - my (undef, $category) = @_; - my @functions; +sub raw_checks_list { + my ($msec) = @_; + keys %{$msec->{checks}{default}}; +} + +sub list_checks { + my ($msec) = @_; + difference2([ $msec->raw_checks_list ], [ qw(MAIL_WARN MAIL_USER) ]); +} + +sub list_functions { + my ($msec, $category) = @_; ## TODO handle 3 last functions here so they can be removed from this list my @ignore_list = qw(indirect commit_changes closelog error initlog log set_secure_level @@ -93,89 +97,91 @@ sub get_functions { enable_dns_spoofing_protection enable_ip_spoofing_protection enable_log_strange_packets enable_promisc_check no_password_aging_for)], 'system' => [qw(allow_autologin allow_issues allow_reboot allow_remote_root_login - allow_root_login allow_user_list allow_x_connections allow_xserver_to_listen + allow_root_login allow_user_list allow_xauth_from_root allow_x_connections allow_xserver_to_listen authorize_services enable_at_crontab enable_console_log enable_msec_cron enable_pam_wheel_for_su enable_password enable_security_check enable_sulogin password_aging password_history password_length set_root_umask set_shell_history_size set_shell_timeout set_user_umask)]); - my $file = "$::prefix/usr/share/msec/mseclib.py"; - my $function; - - # read mseclib.py to get each function's name and if it's - # not in the ignore list, add it to the returned list. - foreach (cat_($file)) { - if (/^def/) { - (undef, $function) = split / /; - ($function, undef) = split(/\(/, $function); - if (!member($function, @ignore_list) && member($function, @{$options{$category}})) { - push(@functions, $function) - } - } - } - - @functions; + # get all function names; filter out those which are in the ignore + # list, return what lefts. + grep { !member($_, @ignore_list) && member($_, @{$options{$category}}) } keys %{$msec->{functions}{default}}; } -# get_function_value(function) - -# return the value of the function passed in argument. If no value is set, -# return "default". -sub get_function_value { - shift; - get_value(@_, 'functions'); + +#------------------------------------------------------------- +# set back checks|functions values + +sub set_function { + my ($msec, $function, $value) = @_; + $msec->{functions}{value}{$function} = $value; } -# get_function_default(function) - -# return the default value of the function according to the security level -sub get_function_default { - shift; - return get_default(@_, "functions"); +sub set_check { + my ($msec, $check, $value) = @_; + $msec->{checks}{value}{$check} = $value; } -# config_function(function, value) - -# Apply the configuration to 'prefix'/etc/security/msec/level.local -sub config_function { - my (undef, $function, $value) = @_; - my $options_file = "$::prefix/etc/security/msec/level.local"; - substInFile { s/^$function.*\n// } $options_file; - append_to_file($options_file, "$function ($value)") if $value ne 'default'; -} +#------------------------------------------------------------- +# apply configuration -# *********************************************** -# PERIODIC CHECKS (security.conf) RELATED -# *********************************************** +# config_(check|function)(check|function, value) - +# Apply the configuration to 'prefix'/etc/security/msec/security.conf||/etc/security/msec/level.local -# get_default_checks() - -# return a list of periodic checks handled by security.conf -sub get_default_checks { - map { if_(/(.*?)=/, $1) } cat_("$::prefix/var/lib/msec/security.conf"); +sub apply_functions { + my ($msec) = @_; + my @list = sort($msec->list_functions('system'), $msec->list_functions('network')); + touch($msec->{functions}{values_file}) if !-e $msec->{functions}{values_file}; + substInFile { + foreach my $function (@list) { s/^$function.*\n// } + if (eof) { + $_ .= join("\n", if_(!$_, ''), (map { + my $value = $msec->get_function_value($_); + if_($value ne 'default', "$_ ($value)"); + } @list), ""); + } + } $msec->{functions}{values_file}; } -# get_check_value(check) -# return the value of the check passed in argument -sub get_check_value { - shift; - get_value(@_, 'checks'); +sub apply_checks { + my ($msec) = @_; + my @list = sort $msec->raw_checks_list; + setVarsInSh($msec->{checks}{values_file}, + { + map { + my $value = $msec->get_check_value($_); + if_($value ne 'default', $_ => $value); + } @list + } + ); } -# get_check_default(check) -# Get the default value according to the security level -sub get_check_default { - my ($check) = @_; - return get_default($check, 'checks'); +sub reload { + my ($msec) = @_; + require security::level; + my $num_level = security::level::get(); + $msec->{functions}{defaults_file} = "$::prefix/usr/share/msec/level.$num_level"; + $msec->{functions}{default} = { $msec->load_defaults('functions') }; } -# config_check(check, value) -# Apply the configuration to "$::prefix"/etc/security/msec/security.conf -sub config_check { - my (undef, $check, $value) = @_; - if ($value eq 'default') { - substInFile { s/^$check.*\n// } $check_file; - } else { - setVarsInSh($check_file, { $check => $value }); - } +sub new { + my ($type) = @_; + my $msec = bless {}, $type; + + $msec->{functions}{values_file} = "$::prefix/etc/security/msec/level.local"; + $msec->{checks}{values_file} = "$::prefix/etc/security/msec/security.conf"; + $msec->{checks}{defaults_file} = "$::prefix/var/lib/msec/security.conf"; + $msec->{checks}{val_separator} = '='; + $msec->{functions}{val_separator} = '\('; + $msec->{checks}{def_separator} = '='; + $msec->{functions}{def_separator} = ' '; + $msec->reload; + + $msec->{checks}{default} = { $msec->load_defaults('checks') }; + $msec->{functions}{value} = { $msec->load_values('functions') }; + $msec->{checks}{value} = { $msec->load_values('checks') }; + $msec; } -sub new { shift } 1; diff --git a/perl-install/security/various.pm b/perl-install/security/various.pm new file mode 100644 index 000000000..2e4abd397 --- /dev/null +++ b/perl-install/security/various.pm @@ -0,0 +1,19 @@ +package security::various; + +use diagnostics; +use strict; + +use common; + +sub config_security_user { + my $setting = @_ > 1; + my ($prefix, $sec_user) = @_; + if ($setting) { + addVarsInSh("$prefix/etc/security/msec/security.conf", { MAIL_USER => $sec_user }); + } else { + my %t = getVarsFromSh("$prefix/etc/security/msec/security.conf"); + $t{MAIL_USER}; + } +} + +1; |