summaryrefslogtreecommitdiffstats
path: root/perl-install/security
diff options
context:
space:
mode:
Diffstat (limited to 'perl-install/security')
-rw-r--r--perl-install/security/libsafe.pm18
-rw-r--r--perl-install/security/main.pm66
-rw-r--r--perl-install/security/msec.pm283
3 files changed, 0 insertions, 367 deletions
diff --git a/perl-install/security/libsafe.pm b/perl-install/security/libsafe.pm
deleted file mode 100644
index 1001ce4db..000000000
--- a/perl-install/security/libsafe.pm
+++ /dev/null
@@ -1,18 +0,0 @@
-package security::libsafe;
-
-use diagnostics;
-use strict;
-
-use common;
-
-sub config_libsafe {
- my ($prefix, $libsafe) = @_;
- my %t = getVarsFromSh("$prefix/etc/sysconfig/system");
- if (@_ > 1) {
- $t{LIBSAFE} = bool2yesno($libsafe);
- setVarsInSh("$prefix/etc/sysconfig/system", \%t);
- }
- text2bool($t{LIBSAFE});
-}
-
-1;
diff --git a/perl-install/security/main.pm b/perl-install/security/main.pm
deleted file mode 100644
index 3702b9636..000000000
--- a/perl-install/security/main.pm
+++ /dev/null
@@ -1,66 +0,0 @@
-package security::main;
-
-use diagnostics;
-use strict;
-
-use common;
-use log;
-
-use security::msec;
-use security::libsafe;
-
-sub show_page {
- my ($prefix, $in, $page) = @_;
- my $signal = 9;
- my $security = security::msec::get_secure_level('');
- my $key = '';
- my %options = ();
- my ($sec_user, $libsafe) = '';
-
- if($page == 0) {
- $libsafe = security::libsafe::config_libsafe('');
- $sec_user = security::msec::config_security_user('');
- }
- elsif($page == 1) { %options = security::msec::get_options('', "functions"); }
- elsif($page == 2) { %options = security::msec::get_options('', "checks"); }
-
- if ($page == 2) {
- if(security::msec::choose_checks($in, \%options, \$signal, $security)) {
- foreach $key (keys %options) {
- security::msec::config_option('', $key, $options{$key}, "checks");
- } } }
- elsif ($page == 1) {
- if(security::msec::choose_functions($in, \%options, \$signal, $security)) {
- foreach $key (keys %options) {
- security::msec::config_option('', $key, $options{$key}, "functions");
- } } }
- elsif ($page == 0) {
- if(security::msec::choose_security_level($in, \$security, \$libsafe, \$sec_user, \$signal)) {
- security::libsafe::config_libsafe('', $libsafe);
- security::msec::config_security_user('', $sec_user);
- $ENV{LILO_PASSWORD} = ''; # make it non interactive
- log::l("[draksec] Setting security level to $security");
- system "/usr/sbin/msec", $security;
- } }
-
- $signal;
-}
-
-sub main {
- my ($prefix, $in) = @_;
- my $signal = 0;
-
- while ($signal != 9) {
- # signal 0 = basic page
- # signal 1 = first advanced page (functions)
- # signal 2 = checks page
- # signal 3 = permissions page
- # signal 4 = firewall page
- # signal 5 = users page
- # signal 9 = quit
-
- $signal = show_page($prefix, $in, $signal);
- }
-}
-
-1;
diff --git a/perl-install/security/msec.pm b/perl-install/security/msec.pm
deleted file mode 100644
index 1c7295a7f..000000000
--- a/perl-install/security/msec.pm
+++ /dev/null
@@ -1,283 +0,0 @@
-package security::msec;
-
-use diagnostics;
-use strict;
-
-use common;
-use log;
-
-sub get_secure_level {
- my ($prefix) = @_;
-
- cat_("$prefix/etc/profile") =~ /export SECURE_LEVEL=(\d+)/ && $1 || #- 8.0 msec
- cat_("$prefix/etc/profile.d/msec.sh") =~ /export SECURE_LEVEL=(\d+)/ && $1 || #- 8.1 msec
- ${{ getVarsFromSh("$prefix/etc/sysconfig/msec") }}{SECURE_LEVEL} || #- 8.2 msec
- $ENV{SECURE_LEVEL};
-}
-
-sub config_security_user {
- my ($prefix, $sec_user) = @_;
- my %t = getVarsFromSh("$prefix/etc/security/msec/security.conf");
- if (@_ > 1) {
- $t{MAIL_USER} = $sec_user;
- setVarsInSh("$prefix/etc/security/msec/security.conf", \%t);
- }
- $t{MAIL_USER};
-}
-
-sub get_functions {
- my $prefix = $_;
- my @functions = ();
- ## TODO handle 3 last functions here so they can be removed from this list
- my @ignore_list = qw(indirect commit_changes closelog error initlog log set_secure_level
- set_security_conf set_server_level print_changes get_translation
- enable_libsafe password_aging password_length create_server_link);
- my $file = "$prefix/usr/share/msec/mseclib.py";
- my $function = '';
-
- open F, $file;
- while (<F>) {
- if ($_ =~ /^def/) {
- (undef, $function) = split(/ /, $_);
- ($function, undef) = split(/\(/, $function);
- if (!(member($function, @ignore_list))) { push(@functions, $function); }
- }
- }
- close F;
-
- @functions;
-}
-
-sub get_value {
- my ($prefix, $function) = @_;
- my $value = '';
- my $msec_options = "$prefix/etc/security/msec/level.local";
- my $msec_defaults = "$prefix/etc/security/msec/msec.defaults";
- my $found = 0;
-
- if (-e $msec_options) {
- open F, $msec_options;
- while(<F>) {
- if($_ =~ /^$function/) {
- (undef, $value) = split(/\(/, $_);
- chop $value; chop $value;
- $found = 1;
- }
- if ($found == 0) { $value = "default"; }
- }
- close F;
- }
- else { $value = "default"; }
- $value;
-}
-
-sub get_checks {
- my ($prefix) = $_;
- my %checks = ();
- my $check_file = "$prefix/etc/security/msec/security.conf";
- my $def_check = "$prefix/var/lib/msec/security.conf";
- my @ignore_list = qw(MAIL_USER);
- my $key = '';
-
- open F, $def_check;
- while (<F>) {
- ($key, undef) = split(/=/, $_);
- if(!(member($key, @ignore_list))) { $checks{$key} = "default"; }
- }
- close F;
-
- if (-e $check_file) {
- open F, $check_file;
- while (<F>) {
- ($key, undef) = split(/=/, $_);
- if(!(member($key, @ignore_list))) {
- (undef, $checks{$key}) = split(/=/, $_);
- chop $checks{$key};
- }
- }
- close F;
- }
-
- %checks;
-}
-
-sub config_option {
- my ($prefix, $option, $value, $category) =@_;
- my %options_hash = ( );
- my $key = "";
- my $options_file = "";
-
- if($category eq "functions") { $options_file = "$prefix/etc/security/msec/level.local"; }
- elsif($category eq "checks") { $options_file ="$prefix/etc/security/msec/security.conf"; }
-
- if(-e $options_file) {
- open F, $options_file;
- if($category eq "functions") {
- while(<F>) {
- if (!($_ =~ /^from mseclib/) && $_ ne "\n") {
- my ($name, $value_set) = split (/\(/, $_);
- chop $value_set; chop $value_set;
- $options_hash{$name} = $value_set;
- }
- }
- }
- elsif($category eq "checks") {
- %options_hash = getVarsFromSh($options_file);
- }
- close F;
- }
-
- $options_hash{$option} = $value;
-
- open F, '>'.$options_file;
- if ($category eq "functions") { print F "from mseclib import *\n\n"; }
- foreach $key (keys %options_hash) {
- if ($options_hash{$key} ne "default") {
- if($category eq "functions") { print F "$key"."($options_hash{$key})\n"; }
- elsif($category eq "checks") { print F "$key=$options_hash{$key}\n"; }
- }
- }
- close F;
-}
-
-sub get_options {
- my ($prefix, $category) = @_;
- my %options = ();
- my @functions = ();
- my @checks = ();
- my $key = "";
-
- if ($category eq "functions") {
- @functions = get_functions($prefix);
- foreach $key (@functions) {
- $options{$key} = get_value($prefix, $key);
- }
- }
- elsif ($category eq "checks") {
- %options = get_checks($prefix);
- }
-
- %options;
-}
-
-sub get_default {
- my ($prefix, $function, $security) = @_;
- my $default_file = "$prefix/usr/share/msec/level.".$security;
- my $default_value = "";
-
- open F, $default_file;
- while(<F>) {
- if ($_ =~ /^$function/) { (undef, $default_value) = split(/ /, $_); }
- }
- close F;
- chop $default_value;
- $default_value;
-}
-
-sub choose_security_level {
- my ($in, $security, $libsafe, $email, $signal) = @_;
-
- my %l = (
- 0 => _("Welcome To Crackers"),
- 1 => _("Poor"),
- 2 => _("Standard"),
- 3 => _("High"),
- 4 => _("Higher"),
- 5 => _("Paranoid"),
- );
-
- my %help = (
- 0 => _("This level is to be used with care. It makes your system more easy to use,
- but very sensitive: it must not be used for a machine connected to others
- or to the Internet. There is no password access."),
- 1 => _("Password are now enabled, but use as a networked computer is still not recommended."),
- 2 => _("This is the standard security recommended for a computer that will be used to connect to the Internet as a client."),
- 3 => _("There are already some restrictions, and more automatic checks are run every night."),
- 4 => _("With this security level, the use of this system as a server becomes possible.
- The security is now high enough to use the system as a server which can accept
- connections from many clients. Note: if your machine is only a client on the Internet, you should choose a lower level."),
- 5 => _("This is similar to the previous level, but the system is entirely closed and security features are at their maximum."),
- );
-
- delete @l{0,1};
- delete $l{5} if !$::expert;
-
- $in->ask_from(
- ("DrakSec Basic Options"),
- ("Please choose the desired security level") . "\n\n" .
- join('', map { "$l{$_}: " . formatAlaTeX($help{$_}) . "\n\n" } keys %l),
- [
- { label => _("Security level"), val => $security, list => [ sort keys %l ], format => sub { $l{$_} } },
- if_($in->do_pkgs->is_installed('libsafe') && arch() =~ /^i.86/,
- { label => _("Use libsafe for servers"), val => $libsafe, type => 'bool', text =>
- _("A library which defends against buffer overflow and format string attacks.") } ),
- { label => _("Security Administrator (login or email)"), val => $email },
- { val => _("Advanced Options"), type => 'button', clicked_may_quit => sub { $$signal = 1; } }
- ],
- );
-}
-
-sub choose_functions {
- my ($in, $rfunctions, $signal, $security) = @_;
- my $i = 0;
- my @display = ();
- my $key = "";
- my $default = "";
-
- foreach $key (keys %$rfunctions) {
- $default = get_default('', $key, $security);
- if ($default eq "yes" || $default eq "no") {
- $display[$i] = { label => $key." (default=$default)", val =>\$$rfunctions{$key}, list => ["yes", "no", "default"] };
- }
- elsif ($default eq "ALL" || $default eq "NONE" || $default eq "LOCAL") {
- $display[$i] = { label => $key." (default=$default)", val =>\$$rfunctions{$key}, list => ["ALL", "NONE", "LOCAL", "default"] };
- }
- else {
- $display[$i] = { label => $key." (default=$default)", val => \$$rfunctions{$key} };
- }
- $i++;
- }
-
- # TODO find a way to add the button outside of the scrolling zone
- $in->ask_from(
- ("DrakSec - Advanced Options"),
- ("You can customize the following options. For more information, see the mseclib manual page."),
- [
- { val => _("Basic Options"), type => 'button', clicked_may_quit => sub { $$signal = 0; print ""; } },
- { val => _("Security Checks"), type => 'button', clicked_may_quit => sub {$$signal = 2; print ""; } },
- @display
- ],
- );
-}
-
-sub choose_checks {
- my ($in, $roptions, $signal, $security) = @_;
- my $i = 0;
- my @display = ();
- my $key = '';
- my $def_checks = "/var/lib/msec/security.conf";
-
- my %defaults = getVarsFromSh($def_checks);
-
- foreach $key (keys %$roptions) {
- if ($defaults{$key} eq "yes" || $defaults{$key} eq "no") {
- $display[$i] = { label => $key." (default=$defaults{$key})", val => \$$roptions{$key}, list => ["yes", "no", "default"] };
- }
- else { $display[$i] = { label => $key." (default=$defaults{$key})", val => \$$roptions{$key} };
- }
- $i++;
- }
-
- $in->ask_from(
- ("DrakSec - Security Checks"),
- ("You can customize the following security checks. For more information, see the mseclib manual page."),
- [
- { val => _("Basic Options"), type => 'button', clicked_may_quit => sub { $$signal = 0; print ""; } },
- { val => _("Advanced Options"), type => 'button', clicked_may_quit => sub { $$signal = 1; print ""; } },
-# { val => _("Firewall Configuration"), type => 'button', clicked_may_quit => sub { $$signal = 3; print ""; } },
- @display
- ],
- );
-}
-
-1;