diff options
Diffstat (limited to 'share/msec.py')
-rwxr-xr-x | share/msec.py | 195 |
1 files changed, 195 insertions, 0 deletions
diff --git a/share/msec.py b/share/msec.py new file mode 100755 index 0000000..8ab0a3f --- /dev/null +++ b/share/msec.py @@ -0,0 +1,195 @@ +#!/usr/bin/python -O +#--------------------------------------------------------------- +# Project : Mandrake Linux +# Module : msec/share +# File : msec.py +# Version : $Id$ +# Author : Frederic Lepied +# Created On : Wed Dec 5 20:20:21 2001 +#--------------------------------------------------------------- + +from libmsec import * +from Log import * +from Log import _name +import Config +import sys +import os +import string +import getopt +import gettext + +try: + cat = gettext.Catalog('msec') + _ = cat.gettext +except IOError: + _ = str + +# program +_name = 'msec' + +sys.argv[0] = os.path.basename(sys.argv[0]) + +try: + (opt, args) = getopt.getopt(sys.argv[1:], 'o:', + ['option']) +except getopt.error: + error(_('Invalid option. Use %s (-o var=<val>...) ([0-5])') % sys.argv[0]) + sys.exit(1) + + +for o in opt: + if o[0] == '-o' or o[0] == '--option': + pair = string.split(o[1], '=') + if len(pair) != 2: + error(_('Invalid option format %s %s: use -o var=<val>') % (o[0], o[1])) + sys.exit(1) + else: + Config.set_config(pair[0], pair[1]) + +interactive = sys.stdin.isatty() +set_interactive(interactive) + +# initlog must be done after processing the option because we can change +# the way to report log with options... +if interactive: + import syslog + + initlog('msec', syslog.LOG_LOCAL1) +else: + initlog('msec') + +if len(args) == 0: + level = get_secure_level() + if level == None: + error(_('Secure level not set. Use %s <secure level> to set it.') % sys.argv[0]) + sys.exit(1) +else: + level = args[0] + +try: + level = int(level) +except ValueError: + error(_('Invalid secure level %s. Use %s [0-5] to set it.') % (level, sys.argv[0])) + sys.exit(1) + +if level < 0 or level > 5: + error(_('Invalid secure level %s. Use %s [0-5] to set it.') % (level, sys.argv[0])) + sys.exit(1) + +set_secure_level(level) + +server=(level in range(3, 6)) + +# for all levels: min length = 2 * (level - 1) and for level 4,5 makes mandatory +# to have at least one upper case character and one digit. +if level > 1: + password_length = (level - 1) * 2 +else: + password_length = 0 + +password_length(password_length, level / 4, level / 4) + +enable_ip_spoofing_protection(server) + +# differences between level 5 and others +if level == 5: + set_root_umask('077') + set_shell_timeout(900) + deny_all_services() + enable_pam_wheel_for_su() +else: + set_root_umask('022') + if level == 4: + set_shell_timeout(3600) + deny_non_local_services() + else: + set_shell_timeout(0) + authorize_all_services() + disable_pam_wheel_for_su() + +# differences between level 4,5 and others +if level >= 4: + set_user_umask('077') + set_shell_history_size(10) + forbid_root_login() + enable_sulogin() + forbid_user_list() + enable_promisc_check() + ignore_icmp_echo() + ignore_bogus_error_responses() + enable_libsafe() + forbid_reboot() + disable_at_crontab() + if level == 4: + password_aging(60) + else: + password_aging(30) +else: + set_user_umask('022') + set_shell_history_size(-1) + allow_root_login() + disable_sulogin() + allow_user_list() + disable_promisc_check() + accept_icmp_echo() + accept_bogus_error_responses() + disable_libsafe() + allow_reboot() + enable_at_crontab() + password_aging(99999) + +# differences between level 3,4,5 and others +if server: + forbid_autologin() + enable_console_log() + forbid_issues((level != 5)) + enable_log_strange_packets() +else: + allow_autologin() + disable_console_log() + allow_issues() + disable_log_strange_packets() + +# differences between level 0 and others +if level != 0: + enable_security_check() + if level < 3: + allow_local_x_connections() + else: + restrict_x_connections() +else: + disable_security_check() + allow_x_connections() + +# msec cron +enable_msec_cron() + +# 0 1 2 3 4 5 +FILE_CHECKS = {'CHECK_SECURITY' : ('no', 'yes', 'yes', 'yes', 'yes', 'yes', ), + 'CHECK_PERMS' : ('no', 'no', 'no', 'yes', 'yes', 'yes', ), + 'CHECK_SUID_ROOT' : ('no', 'no', 'yes', 'yes', 'yes', 'yes', ), + 'CHECK_SUID_MD5' : ('no', 'no', 'yes', 'yes', 'yes', 'yes', ), + 'CHECK_SUID_GROUP' : ('no', 'no', 'yes', 'yes', 'yes', 'yes', ), + 'CHECK_WRITEABLE' : ('no', 'no', 'yes', 'yes', 'yes', 'yes', ), + 'CHECK_UNOWNED' : ('no', 'no', 'no', 'no', 'yes', 'yes', ), + 'CHECK_PROMISC' : ('no', 'no', 'no', 'no', 'yes', 'yes', ), + 'CHECK_OPEN_PORT' : ('no', 'no', 'no', 'yes', 'yes', 'yes', ), + 'CHECK_PASSWD' : ('no', 'no', 'no', 'yes', 'yes', 'yes', ), + 'CHECK_SHADOW' : ('no', 'no', 'no', 'yes', 'yes', 'yes', ), + 'TTY_WARN' : ('no', 'no', 'no', 'no', 'yes', 'yes', ), + 'MAIL_WARN' : ('no', 'no', 'no', 'yes', 'yes', 'yes', ), + 'SYSLOG_WARN' : ('no', 'no', 'yes', 'yes', 'yes', 'yes', ), + 'RPM_CHECK' : ('no', 'no', 'no', 'yes', 'yes', 'yes', ), + } + +interactive and log(_('Configuring periodic files checks')) +securityconf = ConfigFile.get_config_file('/etc/security/msec/security.conf') +for k in FILE_CHECKS.keys(): + securityconf.set_shell_variable(k, FILE_CHECKS[k][level]) + +interactive and log(_('Writing config files and then taking needed actions')) +ConfigFile.write_files() + +closelog() + +# msec.py ends here |