package security::msec; use diagnostics; use strict; use common; use log; sub get_secure_level { my ($prefix) = @_; cat_("$prefix/etc/profile") =~ /export SECURE_LEVEL=(\d+)/ && $1 || #- 8.0 msec cat_("$prefix/etc/profile.d/msec.sh") =~ /export SECURE_LEVEL=(\d+)/ && $1 || #- 8.1 msec ${{ getVarsFromSh("$prefix/etc/sysconfig/msec") }}{SECURE_LEVEL} || #- 8.2 msec $ENV{SECURE_LEVEL}; } sub config_security_user { my ($prefix, $sec_user) = @_; my %t = getVarsFromSh("$prefix/etc/security/msec/security.conf"); if (@_ > 1) { $t{MAIL_USER} = $sec_user; setVarsInSh("$prefix/etc/security/msec/security.conf", \%t); } $t{MAIL_USER}; } sub get_functions { my $prefix = $_; my @functions = (); ## TODO handle 3 last functions here so they can be removed from this list my @ignore_list = qw(indirect commit_changes closelog error initlog log set_secure_level set_security_conf set_server_level print_changes get_translation enable_libsafe password_aging password_length create_server_link); my $file = "$prefix/usr/share/msec/mseclib.py"; my $function = ''; open F, $file; while () { if ($_ =~ /^def/) { (undef, $function) = split(/ /, $_); ($function, undef) = split(/\(/, $function); if (!(member($function, @ignore_list))) { push(@functions, $function); } } } close F; @functions; } sub get_value { my ($prefix, $function) = @_; my $value = ''; my $msec_options = "$prefix/etc/security/msec/level.local"; my $msec_defaults = "$prefix/etc/security/msec/msec.defaults"; my $found = 0; if (-e $msec_options) { open F, $msec_options; while() { if($_ =~ /^$function/) { (undef, $value) = split(/\(/, $_); chop $value; chop $value; $found = 1; } if ($found == 0) { $value = "default"; } } close F; } else { $value = "default"; } $value; } sub get_checks { my ($prefix) = $_; my %checks = (); my $check_file = "$prefix/etc/security/msec/security.conf"; my $def_check = "$prefix/var/lib/msec/security.conf"; my @ignore_list = qw(MAIL_USER); my $key = ''; open F, $def_check; while () { ($key, undef) = split(/=/, $_); if(!(member($key, @ignore_list))) { $checks{$key} = "default"; } } close F; if (-e $check_file) { open F, $check_file; while () { ($key, undef) = split(/=/, $_); if(!(member($key, @ignore_list))) { (undef, $checks{$key}) = split(/=/, $_); chop $checks{$key}; } } close F; } %checks; } sub config_option { my ($prefix, $option, $value, $category) =@_; my %options_hash = ( ); my $key = ""; my $options_file = ""; if($category eq "functions") { $options_file = "$prefix/etc/security/msec/level.local"; } elsif($category eq "checks") { $options_file ="$prefix/etc/security/msec/security.conf"; } if(-e $options_file) { open F, $options_file; if($category eq "functions") { while() { if (!($_ =~ /^from mseclib/) && $_ ne "\n") { my ($name, $value_set) = split (/\(/, $_); chop $value_set; chop $value_set; $options_hash{$name} = $value_set; } } } elsif($category eq "checks") { %options_hash = getVarsFromSh($options_file); } close F; } $options_hash{$option} = $value; open F, '>'.$options_file; if ($category eq "functions") { print F "from mseclib import *\n\n"; } foreach $key (keys %options_hash) { if ($options_hash{$key} ne "default") { if($category eq "functions") { print F "$key"."($options_hash{$key})\n"; } elsif($category eq "checks") { print F "$key=$options_hash{$key}\n"; } } } close F; } sub get_options { my ($prefix, $category) = @_; my %options = (); my @functions = (); my @checks = (); my $key = ""; if ($category eq "functions") { @functions = get_functions($prefix); foreach $key (@functions) { $options{$key} = get_value($prefix, $key); } } elsif ($category eq "checks") { %options = get_checks($prefix); } %options; } sub get_default { my ($prefix, $function, $security) = @_; my $default_file = "$prefix/usr/share/msec/level.".$security; my $default_value = ""; open F, $default_file; while() { if ($_ =~ /^$function/) { (undef, $default_value) = split(/ /, $_); } } close F; chop $default_value; $default_value; } sub choose_security_level { my ($in, $security, $libsafe, $email, $signal) = @_; my %l = ( 0 => _("Welcome To Crackers"), 1 => _("Poor"), 2 => _("Standard"), 3 => _("High"), 4 => _("Higher"), 5 => _("Paranoid"), ); my %help = ( 0 => _("This level is to be used with care. It makes your system more easy to use, but very sensitive: it must not be used for a machine connected to others or to the Internet. There is no password access."), 1 => _("Password are now enabled, but use as a networked computer is still not recommended."), 2 => _("This is the standard security recommended for a computer that will be used to connect to the Internet as a client."), 3 => _("There are already some restrictions, and more automatic checks are run every night."), 4 => _("With this security level, the use of this system as a server becomes possible. The security is now high enough to use the system as a server which can accept connections from many clients. Note: if your machine is only a client on the Internet, you should choose a lower level."), 5 => _("This is similar to the previous level, but the system is entirely closed and security features are at their maximum."), ); delete @l{0,1}; delete $l{5} if !$::expert; $in->ask_from( ("DrakSec Basic Options"), ("Please choose the desired security level") . "\n\n" . join('', map { "$l{$_}: " . formatAlaTeX($help{$_}) . "\n\n" } keys %l), [ { label => _("Security level"), val => $security, list => [ sort keys %l ], format => sub { $l{$_} } }, if_($in->do_pkgs->is_installed('libsafe') && arch() =~ /^i.86/, { label => _("Use libsafe for servers"), val => $libsafe, type => 'bool', text => _("A library which defends against buffer overflow and format string attacks.") } ), { label => _("Security Administrator (login or email)"), val => $email }, { val => _("Advanced Options"), type => 'button', clicked_may_quit => sub { $$signal = 1; } } ], ); } sub choose_functions { my ($in, $rfunctions, $signal, $security) = @_; my $i = 0; my @display = (); my $key = ""; my $default = ""; foreach $key (keys %$rfunctions) { $default = get_default('', $key, $security); if ($default eq "yes" || $default eq "no") { $display[$i] = { label => $key." (default=$default)", val =>\$$rfunctions{$key}, list => ["yes", "no", "default"] }; } elsif ($default eq "ALL" || $default eq "NONE" || $default eq "LOCAL") { $display[$i] = { label => $key." (default=$default)", val =>\$$rfunctions{$key}, list => ["ALL", "NONE", "LOCAL", "default"] }; } else { $display[$i] = { label => $key." (default=$default)", val => \$$rfunctions{$key} }; } $i++; } # TODO find a way to add the button outside of the scrolling zone $in->ask_from( ("DrakSec - Advanced Options"), ("You can customize the following options. For more information, see the mseclib manual page."), [ { val => _("Basic Options"), type => 'button', clicked_may_quit => sub { $$signal = 0; print ""; } }, { val => _("Security Checks"), type => 'button', clicked_may_quit => sub {$$signal = 2; print ""; } }, @display ], ); } sub choose_checks { my ($in, $roptions, $signal, $security) = @_; my $i = 0; my @display = (); my $key = ''; my $def_checks = "/var/lib/msec/security.conf"; my %defaults = getVarsFromSh($def_checks); foreach $key (keys %$roptions) { if ($defaults{$key} eq "yes" || $defaults{$key} eq "no") { $display[$i] = { label => $key." (default=$defaults{$key})", val => \$$roptions{$key}, list => ["yes", "no", "default"] }; } else { $display[$i] = { label => $key." (default=$defaults{$key})", val => \$$roptions{$key} }; } $i++; } $in->ask_from( ("DrakSec - Security Checks"), ("You can customize the following security checks. For more information, see the mseclib manual page."), [ { val => _("Basic Options"), type => 'button', clicked_may_quit => sub { $$signal = 0; print ""; } }, { val => _("Advanced Options"), type => 'button', clicked_may_quit => sub { $$signal = 1; print ""; } }, # { val => _("Firewall Configuration"), type => 'button', clicked_may_quit => sub { $$signal = 3; print ""; } }, @display ], ); } 1;