diff options
| -rw-r--r-- | conf/level.default | 2 | ||||
| -rw-r--r-- | src/msec/config.py | 2 | ||||
| -rwxr-xr-x | src/msec/libmsec.py | 176 |
3 files changed, 6 insertions, 174 deletions
diff --git a/conf/level.default b/conf/level.default index 3c5d40e..20fa9fc 100644 --- a/conf/level.default +++ b/conf/level.default @@ -35,7 +35,7 @@ NOTIFY_WARN=yes WIN_PARTS_UMASK=no CHECK_OPEN_PORT=yes SHELL_TIMEOUT=0 -ALLOW_REMOTE_ROOT_LOGIN=without_password +ALLOW_REMOTE_ROOT_LOGIN=without-password ENABLE_LOG_STRANGE_PACKETS=yes USER_UMASK=022 CHECK_RPM=yes diff --git a/src/msec/config.py b/src/msec/config.py index a5baef1..e60c4fa 100644 --- a/src/msec/config.py +++ b/src/msec/config.py @@ -79,7 +79,7 @@ SETTINGS = {'BASE_LEVEL': ("base_level", 'ACCEPT_ICMP_ECHO': ("accept_icmp_echo", ['yes', 'no']), 'ALLOW_AUTOLOGIN': ("allow_autologin", ['yes', 'no']), 'ALLOW_REBOOT': ("allow_reboot", ['yes', 'no']), - 'ALLOW_REMOTE_ROOT_LOGIN': ("allow_remote_root_login", ['yes', 'no', 'without_password']), + 'ALLOW_REMOTE_ROOT_LOGIN': ("allow_remote_root_login", ['yes', 'no', 'without-password']), 'ALLOW_ROOT_LOGIN': ("allow_root_login", ['yes', 'no']), 'ALLOW_USER_LIST': ("allow_user_list", ['yes', 'no']), 'ALLOW_X_CONNECTIONS': ("allow_x_connections", ['yes', 'no', 'local']), diff --git a/src/msec/libmsec.py b/src/msec/libmsec.py index dbc1e81..b8ca925 100755 --- a/src/msec/libmsec.py +++ b/src/msec/libmsec.py @@ -1089,6 +1089,9 @@ class MSEC: ''' Allow/Forbid remote root login via sshd. You can specify yes, no and without-password. See sshd_config(5) man page for more information.''' sshd_config = self.configfiles.get_config_file(SSHDCONFIG) + if not sshd_config.exists(): + return + val = sshd_config.get_match(PERMIT_ROOT_LOGIN_REGEXP, '@1') if val != arg: @@ -1100,7 +1103,7 @@ class MSEC: self.log.info(_('Forbidding remote root login')) sshd_config.exists() and sshd_config.replace_line_matching(PERMIT_ROOT_LOGIN_REGEXP, 'PermitRootLogin no', 1) - elif arg == "without_password": + elif arg == "without-password": self.log.info(_('Allowing remote root login only by passphrase')) sshd_config.exists() and sshd_config.replace_line_matching(PERMIT_ROOT_LOGIN_REGEXP, 'PermitRootLogin without-password', 1) @@ -1573,177 +1576,6 @@ class MSEC: """ Enables checking for dangerous options in users' .rhosts/.shosts files.""" pass - def get_app_auth(self, app): - ''' Determine PAM authentication scheme for an application. Returns: - - None: if file is not found, or unknown authentication scheme - - without_password: if no password is required - - <user>: if user password is required - - root: if root password is required''' - authfile = self.configfiles.get_config_file("%s/%s" % (AUTH_PAM, app)) - - if not authfile.exists(): - # file not found - self.log.error(_("Unable to find PAM authentication for: %s") % app) - return None - - # what kind of link is if - link = authfile.is_link() - - if not link: - # It is not a symlink... - self.log.error(_("Unknown PAM authentication for: %s") % app) - return None - - # no password - if link.find(AUTH_LINK_CONSOLE) != -1: - return "without_password" - - if link.find(AUTH_LINK_SIMPLE) != -1: - authfile_console = self.configfiles.get_config_file("%s/%s" % (AUTH_CONSOLE, app)) - if not authfile_console.exists(): - self.log.error(_("Unable to find console authentication for: %s") % app) - return None - auth = authfile_console.get_shell_variable("USER") - if auth: - return auth - - # if we got here, no authentication was discovered - self.log.error(_("Unknown authentication for: %s") % app) - - def set_app_auth(self, app, auth): - ''' Configures PAM authentication scheme for an application. Valid schemes: - - without_password: if no password is required - - user: if user password is required - - root: if root password is required''' - authfile = self.configfiles.get_config_file("%s/%s" % (AUTH_PAM, app)) - - if not authfile.exists(): - # file not found - self.log.error(_("Unable to find PAM authentication for: %s") % app) - return None - - # what kind of link is if - link = authfile.is_link() - - if not link: - # It is not a symlink... - self.log.error(_("Unknown PAM authentication for: %s") % app) - return None - - # let's set auth - if auth == "without_password": - if link.find(AUTH_LINK_CONSOLE) != -1: - self.log.info(_("Configuring %s for password-less authentication") % app) - authfile.symlink("%s/%s" % (AUTH_PAM, AUTH_LINK_CONSOLE)) - elif auth == "user" or auth == "root": - if link.find(AUTH_LINK_SIMPLE) != -1: - authfile.symlink("%s/%s" % (AUTH_PAM, AUTH_LINK_SIMPLE)) - - authfile_console = self.configfiles.get_config_file("%s/%s" % (AUTH_CONSOLE, app)) - curauth = authfile.get_shell_variable("USER") - if not curauth: - # file not created? something wrong with the file - self.log.error(_("Unable to find console authentication for: %s") % app) - return None - if auth == "user": - newauth = "<user>" - else: - newauth = auth - if newauth != curauth: - self.log.info(_("Configuring %s for %s authentication") % (app, auth)) - authfile_console.set_shell_variable("USER", newauth) - else: - # if we got here, no authentication was discovered - self.log.error(_("Unknown authentication for: %s") % app) - - def auth_rpmdrake(self, param): - """Authentication for rpmdrake""" - pass - - def auth_mandrivaupdate(self, param): - """Authentication for MandrivaUpdate""" - pass - - def auth_drakrpm_edit_media(self, param): - """Authentication for drakrpm-edit-media""" - pass - - def auth_drak3d(self, param): - """Authentication for drak3d""" - pass - - def auth_xfdrake(self, param): - """Authentication for xfdrake""" - pass - - def auth_drakmouse(self, param): - """Authentication for drakmouse""" - pass - - def auth_drakkeyboard(self, param): - """Authentication for drakkeyboard""" - pass - - def auth_drakups(self, param): - """Authentication for drakups""" - pass - - def auth_drakconnect(self, param): - """Authentication for drakconnect""" - pass - - def auth_drakhosts(self, param): - """Authentication for drakhosts""" - pass - - def auth_draknetcenter(self, param): - """Authentication for draknetcenter""" - pass - - def auth_drakvpn(self, param): - """Authentication for drakvpn""" - pass - - def auth_drakproxy(self, param): - """Authentication for drakproxy""" - pass - - def auth_drakgw(self, param): - """Authentication for drakgw""" - pass - - def auth_drakauth(self, param): - """Authentication for drakauth""" - pass - - def auth_drakbackup(self, param): - """Authentication for drakbackup""" - pass - - def auth_drakfont(self, param): - """Authentication for drakfont""" - pass - - def auth_draklog(self, param): - """Authentication for draklog""" - pass - - def auth_drakxservices(self, param): - """Authentication for drakxservices""" - pass - - def auth_userdrake(self, param): - """Authentication for userdrake""" - pass - - def auth_drakclock(self, param): - """Authentication for drakclock""" - pass - - def auth_drakboot(self, param): - """Authentication for drakboot""" - pass - # TODO: unfinished def enable_apparmor(self, param): """Enables support for AppArmor security framework""" |