diff options
Diffstat (limited to 'perl-install/security')
-rw-r--r-- | perl-install/security/libsafe.pm | 18 | ||||
-rw-r--r-- | perl-install/security/main.pm | 66 | ||||
-rw-r--r-- | perl-install/security/msec.pm | 283 |
3 files changed, 0 insertions, 367 deletions
diff --git a/perl-install/security/libsafe.pm b/perl-install/security/libsafe.pm deleted file mode 100644 index 1001ce4db..000000000 --- a/perl-install/security/libsafe.pm +++ /dev/null @@ -1,18 +0,0 @@ -package security::libsafe; - -use diagnostics; -use strict; - -use common; - -sub config_libsafe { - my ($prefix, $libsafe) = @_; - my %t = getVarsFromSh("$prefix/etc/sysconfig/system"); - if (@_ > 1) { - $t{LIBSAFE} = bool2yesno($libsafe); - setVarsInSh("$prefix/etc/sysconfig/system", \%t); - } - text2bool($t{LIBSAFE}); -} - -1; diff --git a/perl-install/security/main.pm b/perl-install/security/main.pm deleted file mode 100644 index 3702b9636..000000000 --- a/perl-install/security/main.pm +++ /dev/null @@ -1,66 +0,0 @@ -package security::main; - -use diagnostics; -use strict; - -use common; -use log; - -use security::msec; -use security::libsafe; - -sub show_page { - my ($prefix, $in, $page) = @_; - my $signal = 9; - my $security = security::msec::get_secure_level(''); - my $key = ''; - my %options = (); - my ($sec_user, $libsafe) = ''; - - if($page == 0) { - $libsafe = security::libsafe::config_libsafe(''); - $sec_user = security::msec::config_security_user(''); - } - elsif($page == 1) { %options = security::msec::get_options('', "functions"); } - elsif($page == 2) { %options = security::msec::get_options('', "checks"); } - - if ($page == 2) { - if(security::msec::choose_checks($in, \%options, \$signal, $security)) { - foreach $key (keys %options) { - security::msec::config_option('', $key, $options{$key}, "checks"); - } } } - elsif ($page == 1) { - if(security::msec::choose_functions($in, \%options, \$signal, $security)) { - foreach $key (keys %options) { - security::msec::config_option('', $key, $options{$key}, "functions"); - } } } - elsif ($page == 0) { - if(security::msec::choose_security_level($in, \$security, \$libsafe, \$sec_user, \$signal)) { - security::libsafe::config_libsafe('', $libsafe); - security::msec::config_security_user('', $sec_user); - $ENV{LILO_PASSWORD} = ''; # make it non interactive - log::l("[draksec] Setting security level to $security"); - system "/usr/sbin/msec", $security; - } } - - $signal; -} - -sub main { - my ($prefix, $in) = @_; - my $signal = 0; - - while ($signal != 9) { - # signal 0 = basic page - # signal 1 = first advanced page (functions) - # signal 2 = checks page - # signal 3 = permissions page - # signal 4 = firewall page - # signal 5 = users page - # signal 9 = quit - - $signal = show_page($prefix, $in, $signal); - } -} - -1; diff --git a/perl-install/security/msec.pm b/perl-install/security/msec.pm deleted file mode 100644 index 1c7295a7f..000000000 --- a/perl-install/security/msec.pm +++ /dev/null @@ -1,283 +0,0 @@ -package security::msec; - -use diagnostics; -use strict; - -use common; -use log; - -sub get_secure_level { - my ($prefix) = @_; - - cat_("$prefix/etc/profile") =~ /export SECURE_LEVEL=(\d+)/ && $1 || #- 8.0 msec - cat_("$prefix/etc/profile.d/msec.sh") =~ /export SECURE_LEVEL=(\d+)/ && $1 || #- 8.1 msec - ${{ getVarsFromSh("$prefix/etc/sysconfig/msec") }}{SECURE_LEVEL} || #- 8.2 msec - $ENV{SECURE_LEVEL}; -} - -sub config_security_user { - my ($prefix, $sec_user) = @_; - my %t = getVarsFromSh("$prefix/etc/security/msec/security.conf"); - if (@_ > 1) { - $t{MAIL_USER} = $sec_user; - setVarsInSh("$prefix/etc/security/msec/security.conf", \%t); - } - $t{MAIL_USER}; -} - -sub get_functions { - my $prefix = $_; - my @functions = (); - ## TODO handle 3 last functions here so they can be removed from this list - my @ignore_list = qw(indirect commit_changes closelog error initlog log set_secure_level - set_security_conf set_server_level print_changes get_translation - enable_libsafe password_aging password_length create_server_link); - my $file = "$prefix/usr/share/msec/mseclib.py"; - my $function = ''; - - open F, $file; - while (<F>) { - if ($_ =~ /^def/) { - (undef, $function) = split(/ /, $_); - ($function, undef) = split(/\(/, $function); - if (!(member($function, @ignore_list))) { push(@functions, $function); } - } - } - close F; - - @functions; -} - -sub get_value { - my ($prefix, $function) = @_; - my $value = ''; - my $msec_options = "$prefix/etc/security/msec/level.local"; - my $msec_defaults = "$prefix/etc/security/msec/msec.defaults"; - my $found = 0; - - if (-e $msec_options) { - open F, $msec_options; - while(<F>) { - if($_ =~ /^$function/) { - (undef, $value) = split(/\(/, $_); - chop $value; chop $value; - $found = 1; - } - if ($found == 0) { $value = "default"; } - } - close F; - } - else { $value = "default"; } - $value; -} - -sub get_checks { - my ($prefix) = $_; - my %checks = (); - my $check_file = "$prefix/etc/security/msec/security.conf"; - my $def_check = "$prefix/var/lib/msec/security.conf"; - my @ignore_list = qw(MAIL_USER); - my $key = ''; - - open F, $def_check; - while (<F>) { - ($key, undef) = split(/=/, $_); - if(!(member($key, @ignore_list))) { $checks{$key} = "default"; } - } - close F; - - if (-e $check_file) { - open F, $check_file; - while (<F>) { - ($key, undef) = split(/=/, $_); - if(!(member($key, @ignore_list))) { - (undef, $checks{$key}) = split(/=/, $_); - chop $checks{$key}; - } - } - close F; - } - - %checks; -} - -sub config_option { - my ($prefix, $option, $value, $category) =@_; - my %options_hash = ( ); - my $key = ""; - my $options_file = ""; - - if($category eq "functions") { $options_file = "$prefix/etc/security/msec/level.local"; } - elsif($category eq "checks") { $options_file ="$prefix/etc/security/msec/security.conf"; } - - if(-e $options_file) { - open F, $options_file; - if($category eq "functions") { - while(<F>) { - if (!($_ =~ /^from mseclib/) && $_ ne "\n") { - my ($name, $value_set) = split (/\(/, $_); - chop $value_set; chop $value_set; - $options_hash{$name} = $value_set; - } - } - } - elsif($category eq "checks") { - %options_hash = getVarsFromSh($options_file); - } - close F; - } - - $options_hash{$option} = $value; - - open F, '>'.$options_file; - if ($category eq "functions") { print F "from mseclib import *\n\n"; } - foreach $key (keys %options_hash) { - if ($options_hash{$key} ne "default") { - if($category eq "functions") { print F "$key"."($options_hash{$key})\n"; } - elsif($category eq "checks") { print F "$key=$options_hash{$key}\n"; } - } - } - close F; -} - -sub get_options { - my ($prefix, $category) = @_; - my %options = (); - my @functions = (); - my @checks = (); - my $key = ""; - - if ($category eq "functions") { - @functions = get_functions($prefix); - foreach $key (@functions) { - $options{$key} = get_value($prefix, $key); - } - } - elsif ($category eq "checks") { - %options = get_checks($prefix); - } - - %options; -} - -sub get_default { - my ($prefix, $function, $security) = @_; - my $default_file = "$prefix/usr/share/msec/level.".$security; - my $default_value = ""; - - open F, $default_file; - while(<F>) { - if ($_ =~ /^$function/) { (undef, $default_value) = split(/ /, $_); } - } - close F; - chop $default_value; - $default_value; -} - -sub choose_security_level { - my ($in, $security, $libsafe, $email, $signal) = @_; - - my %l = ( - 0 => _("Welcome To Crackers"), - 1 => _("Poor"), - 2 => _("Standard"), - 3 => _("High"), - 4 => _("Higher"), - 5 => _("Paranoid"), - ); - - my %help = ( - 0 => _("This level is to be used with care. It makes your system more easy to use, - but very sensitive: it must not be used for a machine connected to others - or to the Internet. There is no password access."), - 1 => _("Password are now enabled, but use as a networked computer is still not recommended."), - 2 => _("This is the standard security recommended for a computer that will be used to connect to the Internet as a client."), - 3 => _("There are already some restrictions, and more automatic checks are run every night."), - 4 => _("With this security level, the use of this system as a server becomes possible. - The security is now high enough to use the system as a server which can accept - connections from many clients. Note: if your machine is only a client on the Internet, you should choose a lower level."), - 5 => _("This is similar to the previous level, but the system is entirely closed and security features are at their maximum."), - ); - - delete @l{0,1}; - delete $l{5} if !$::expert; - - $in->ask_from( - ("DrakSec Basic Options"), - ("Please choose the desired security level") . "\n\n" . - join('', map { "$l{$_}: " . formatAlaTeX($help{$_}) . "\n\n" } keys %l), - [ - { label => _("Security level"), val => $security, list => [ sort keys %l ], format => sub { $l{$_} } }, - if_($in->do_pkgs->is_installed('libsafe') && arch() =~ /^i.86/, - { label => _("Use libsafe for servers"), val => $libsafe, type => 'bool', text => - _("A library which defends against buffer overflow and format string attacks.") } ), - { label => _("Security Administrator (login or email)"), val => $email }, - { val => _("Advanced Options"), type => 'button', clicked_may_quit => sub { $$signal = 1; } } - ], - ); -} - -sub choose_functions { - my ($in, $rfunctions, $signal, $security) = @_; - my $i = 0; - my @display = (); - my $key = ""; - my $default = ""; - - foreach $key (keys %$rfunctions) { - $default = get_default('', $key, $security); - if ($default eq "yes" || $default eq "no") { - $display[$i] = { label => $key." (default=$default)", val =>\$$rfunctions{$key}, list => ["yes", "no", "default"] }; - } - elsif ($default eq "ALL" || $default eq "NONE" || $default eq "LOCAL") { - $display[$i] = { label => $key." (default=$default)", val =>\$$rfunctions{$key}, list => ["ALL", "NONE", "LOCAL", "default"] }; - } - else { - $display[$i] = { label => $key." (default=$default)", val => \$$rfunctions{$key} }; - } - $i++; - } - - # TODO find a way to add the button outside of the scrolling zone - $in->ask_from( - ("DrakSec - Advanced Options"), - ("You can customize the following options. For more information, see the mseclib manual page."), - [ - { val => _("Basic Options"), type => 'button', clicked_may_quit => sub { $$signal = 0; print ""; } }, - { val => _("Security Checks"), type => 'button', clicked_may_quit => sub {$$signal = 2; print ""; } }, - @display - ], - ); -} - -sub choose_checks { - my ($in, $roptions, $signal, $security) = @_; - my $i = 0; - my @display = (); - my $key = ''; - my $def_checks = "/var/lib/msec/security.conf"; - - my %defaults = getVarsFromSh($def_checks); - - foreach $key (keys %$roptions) { - if ($defaults{$key} eq "yes" || $defaults{$key} eq "no") { - $display[$i] = { label => $key." (default=$defaults{$key})", val => \$$roptions{$key}, list => ["yes", "no", "default"] }; - } - else { $display[$i] = { label => $key." (default=$defaults{$key})", val => \$$roptions{$key} }; - } - $i++; - } - - $in->ask_from( - ("DrakSec - Security Checks"), - ("You can customize the following security checks. For more information, see the mseclib manual page."), - [ - { val => _("Basic Options"), type => 'button', clicked_may_quit => sub { $$signal = 0; print ""; } }, - { val => _("Advanced Options"), type => 'button', clicked_may_quit => sub { $$signal = 1; print ""; } }, -# { val => _("Firewall Configuration"), type => 'button', clicked_may_quit => sub { $$signal = 3; print ""; } }, - @display - ], - ); -} - -1; |