diff options
Diffstat (limited to 'share')
-rw-r--r-- | share/libmsec.py | 479 |
1 files changed, 246 insertions, 233 deletions
diff --git a/share/libmsec.py b/share/libmsec.py index 330244a..e81d5b7 100644 --- a/share/libmsec.py +++ b/share/libmsec.py @@ -5,11 +5,13 @@ # Version : $Id$ # Author : Frederic Lepied # Created On : Mon Dec 10 22:52:17 2001 +# Purpose : all access points of the msec utility. #--------------------------------------------------------------- import ConfigFile import Config from Log import * + import os import grp import Perms @@ -57,6 +59,7 @@ PASSWD = '/etc/pam.d/passwd' POWEROFF = '/etc/security/console.apps/poweroff' REBOOT = '/etc/security/console.apps/reboot' SECURETTY = '/etc/securetty' +SECURITYCONF = '/etc/security/msec/security.conf' SHADOW = '/etc/shadow' SHUTDOWN = '/etc/security/console.apps/shutdown' SHUTDOWNALLOW = '/etc/shutdown.allow' @@ -66,6 +69,11 @@ SYSCTLCONF = '/etc/sysctl.conf' SYSLOGCONF = '/etc/syslog.conf' XDM = '/etc/pam.d/xdm' +# constants to keep in sync with shadow.py +NONE=0 +ALL=1 +LOCAL=2 + # config files => actions ConfigFile.add_config_assoc(INITTAB, '/sbin/telinit q') @@ -84,6 +92,7 @@ def set_secure_level(level): msec.set_shell_variable('SECURE_LEVEL', level) def get_secure_level(): + "D" msec = ConfigFile.get_config_file(MSEC) return msec.get_shell_variable('SECURE_LEVEL') @@ -97,169 +106,166 @@ def set_user_umask(umask): msec = ConfigFile.get_config_file(MSEC) msec.set_shell_variable('UMASK_USER', umask) -def allow_x_connections(): - _interactive and log(_('Allowing users to connect X server from everywhere')) - msec = ConfigFile.get_config_file(MSEC_XINIT) - msec.replace_line_matching('/usr/X11R6/bin/xhost', '/usr/X11R6/bin/xhost +', 1) - -def allow_local_x_connections(): - _interactive and log(_('Allowing users to connect X server from localhost')) - msec = ConfigFile.get_config_file(MSEC_XINIT) - msec.replace_line_matching('/usr/X11R6/bin/xhost', '/usr/X11R6/bin/xhost + localhost', 1) - -def restrict_x_connections(): - _interactive and log(_('Restricting X server connection to the console user')) +def allow_x_connections(arg): msec = ConfigFile.get_config_file(MSEC_XINIT) - msec.remove_line_matching('/usr/X11R6/bin/xhost', 1) + + if arg == ALL: + _interactive and log(_('Allowing users to connect X server from everywhere')) + msec.replace_line_matching('/usr/X11R6/bin/xhost', '/usr/X11R6/bin/xhost +', 1) + + elif arg == LOCAL: + _interactive and log(_('Allowing users to connect X server from localhost')) + msec.replace_line_matching('/usr/X11R6/bin/xhost', '/usr/X11R6/bin/xhost + localhost', 1) + elif arg == NONE: + _interactive and log(_('Restricting X server connection to the console user')) + msec.remove_line_matching('/usr/X11R6/bin/xhost', 1) + + else: + error(_('invalid allow_x_connections arg: %s') % arg) + def set_shell_timeout(val): _interactive and log(_('Setting shell timeout to %s') % val) msec = ConfigFile.get_config_file(MSEC) msec.set_shell_variable('TMOUT', val) def set_shell_history_size(size): + msec = ConfigFile.get_config_file(MSEC) + if size >= 0: _interactive and log(_('Setting shell history size to %s') % size) - msec = ConfigFile.get_config_file(MSEC) msec.set_shell_variable('HISTFILESIZE', size) else: _interactive and log(_('Removing limit on shell history size')) - msec = ConfigFile.get_config_file(MSEC) msec. remove_line_matching('^HISTFILESIZE=') -def allow_reboot(): - _interactive and log(_('Allowing reboot to the console user')) +def allow_reboot(arg): shutdownallow = ConfigFile.get_config_file(SHUTDOWNALLOW) - shutdownallow.exists() and shutdownallow.move(SUFFIX) - for f in [SHUTDOWN, POWEROFF, REBOOT, HALT]: - ConfigFile.get_config_file(f).touch() - sysctlconf = ConfigFile.get_config_file(SYSCTLCONF) - sysctlconf.set_shell_variable('kernel.sysrq', 1) - kdmrc = ConfigFile.get_config_file(KDMRC) - kdmrc.exists() and kdmrc.set_shell_variable('AllowShutdown', 'All', 'X-:\*-Greeter', '^\s*$') - gdmconf = ConfigFile.get_config_file(GDMCONF) - gdmconf.exists() and gdmconf.set_shell_variable('SystemMenu', 'true', '\[greeter\]', '^\s*$') - -def forbid_reboot(): - _interactive and log(_('Forbidding reboot to the console user')) - ConfigFile.get_config_file(SHUTDOWNALLOW, SUFFIX).touch() - for f in [SHUTDOWN, POWEROFF, REBOOT, HALT]: - ConfigFile.get_config_file(f).unlink() sysctlconf = ConfigFile.get_config_file(SYSCTLCONF) - sysctlconf.set_shell_variable('kernel.sysrq', 0) kdmrc = ConfigFile.get_config_file(KDMRC) - kdmrc.exists() and kdmrc.set_shell_variable('AllowShutdown', 'None', 'X-:\*-Greeter', '^\s*$') gdmconf = ConfigFile.get_config_file(GDMCONF) - gdmconf.exists() and gdmconf.set_shell_variable('SystemMenu', 'false', '\[greeter\]', '^\s*$') -def allow_user_list(): - _interactive and log(_('Allowing the listing of users in display managers')) - kdmrc = ConfigFile.get_config_file(KDMRC) - kdmrc.exists() and kdmrc.set_shell_variable('ShowUsers', 'All') - gdmconf = ConfigFile.get_config_file(GDMCONF) - gdmconf.exists() and gdmconf.set_shell_variable('Browser', '1') - -def forbid_user_list(): - _interactive and log(_('Disabling the listing of users in display managers')) + if arg: + _interactive and log(_('Allowing reboot to the console user')) + shutdownallow.exists() and shutdownallow.move(SUFFIX) + for f in [SHUTDOWN, POWEROFF, REBOOT, HALT]: + ConfigFile.get_config_file(f).touch() + sysctlconf.set_shell_variable('kernel.sysrq', 1) + kdmrc.exists() and kdmrc.set_shell_variable('AllowShutdown', 'All', 'X-:\*-Greeter', '^\s*$') + gdmconf.exists() and gdmconf.set_shell_variable('SystemMenu', 'true', '\[greeter\]', '^\s*$') + else: + _interactive and log(_('Forbidding reboot to the console user')) + ConfigFile.get_config_file(SHUTDOWNALLOW, SUFFIX).touch() + for f in [SHUTDOWN, POWEROFF, REBOOT, HALT]: + ConfigFile.get_config_file(f).unlink() + sysctlconf.set_shell_variable('kernel.sysrq', 0) + kdmrc.exists() and kdmrc.set_shell_variable('AllowShutdown', 'None', 'X-:\*-Greeter', '^\s*$') + gdmconf.exists() and gdmconf.set_shell_variable('SystemMenu', 'false', '\[greeter\]', '^\s*$') + +def allow_user_list(arg): kdmrc = ConfigFile.get_config_file(KDMRC) - kdmrc.exists() and kdmrc.set_shell_variable('ShowUsers', 'None') gdmconf = ConfigFile.get_config_file(GDMCONF) - gdmconf.exists() and gdmconf.set_shell_variable('Browser', '0') - -def allow_root_login(): - _interactive and log(_('Allowing root login')) - sshd_config = ConfigFile.get_config_file(SSHDCONFIG) - sshd_config.exists() and sshd_config.replace_line_matching('^\s*PermitRootLogin\s+no', - 'PermitRootLogin yes') - kde = ConfigFile.get_config_file(KDE) - gdm = ConfigFile.get_config_file(GDM) - xdm = ConfigFile.get_config_file(XDM) - - for cnf in (kde, gdm, xdm): - cnf.exists() and cnf.remove_line_matching('^auth\s*required\s*/lib/security/pam_listfile.so.*bastille-no-login', 1) + if arg: + _interactive and log(_('Allowing the listing of users in display managers')) + kdmrc.exists() and kdmrc.set_shell_variable('ShowUsers', 'All') + gdmconf.exists() and gdmconf.set_shell_variable('Browser', '1') + else: + _interactive and log(_('Disabling the listing of users in display managers')) + kdmrc.exists() and kdmrc.set_shell_variable('ShowUsers', 'None') + gdmconf.exists() and gdmconf.set_shell_variable('Browser', '0') - securetty = ConfigFile.get_config_file(SECURETTY) - for n in range(1, 7): - s = 'tty' + str(n) - securetty.replace_line_matching(s, s, 1) - s = 'vc/' + str(n) - securetty.replace_line_matching(s, s, 1) - -def forbid_root_login(): - _interactive and log(_('Forbidding root login')) +def allow_root_login(arg): sshd_config = ConfigFile.get_config_file(SSHDCONFIG) - sshd_config.exists() and sshd_config.replace_line_matching('^\s*PermitRootLogin\s+yes', - 'PermitRootLogin no') - - bastillenologin = ConfigFile.get_config_file(BASTILLENOLOGIN) - bastillenologin.replace_line_matching('^\s*root', 'root', 1) - - kde = ConfigFile.get_config_file(KDE) - gdm = ConfigFile.get_config_file(GDM) - xdm = ConfigFile.get_config_file(XDM) - - for cnf in (kde, gdm, xdm): - cnf.exists() and (cnf.replace_line_matching('^auth\s*required\s*/lib/security/pam_listfile.so.*bastille-no-login', 'auth required /lib/security/pam_listfile.so onerr=succeed item=user sense=deny file=/etc/bastille-no-login') or \ - cnf.insert_at(0, 'auth required /lib/security/pam_listfile.so onerr=succeed item=user sense=deny file=/etc/bastille-no-login')) - - # TODO xdm support securetty = ConfigFile.get_config_file(SECURETTY) - securetty.remove_line_matching('.+', 1) - -def enable_pam_wheel_for_su(): - _interactive and log(_('Allowing su only from wheel group members')) - try: - ent = grp.getgrnam('wheel') - except KeyError: - error(_('no wheel group')) - return - members = ent[3] - if members == [] or members == ['root']: - error(_('wheel group is empty')) - return - su = ConfigFile.get_config_file(SU) - su.exists() and (su.replace_line_matching('^auth\s+required\s+/lib/security/pam_wheel.so\s+use_uid\s*$', - 'auth required /lib/security/pam_wheel.so use_uid') or \ - su.insert_after('^auth\s+required', - 'auth required /lib/security/pam_wheel.so use_uid')) + + if arg: + _interactive and log(_('Allowing root login')) + sshd_config.exists() and sshd_config.replace_line_matching('^\s*PermitRootLogin\s+no', + 'PermitRootLogin yes') + + kde = ConfigFile.get_config_file(KDE) + gdm = ConfigFile.get_config_file(GDM) + xdm = ConfigFile.get_config_file(XDM) + + for cnf in (kde, gdm, xdm): + cnf.exists() and cnf.remove_line_matching('^auth\s*required\s*/lib/security/pam_listfile.so.*bastille-no-login', 1) + + for n in range(1, 7): + s = 'tty' + str(n) + securetty.replace_line_matching(s, s, 1) + s = 'vc/' + str(n) + securetty.replace_line_matching(s, s, 1) + else: + _interactive and log(_('Forbidding root login')) + sshd_config.exists() and sshd_config.replace_line_matching('^\s*PermitRootLogin\s+yes', + 'PermitRootLogin no') + + bastillenologin = ConfigFile.get_config_file(BASTILLENOLOGIN) + bastillenologin.replace_line_matching('^\s*root', 'root', 1) + + kde = ConfigFile.get_config_file(KDE) + gdm = ConfigFile.get_config_file(GDM) + xdm = ConfigFile.get_config_file(XDM) + + for cnf in (kde, gdm, xdm): + cnf.exists() and (cnf.replace_line_matching('^auth\s*required\s*/lib/security/pam_listfile.so.*bastille-no-login', 'auth required /lib/security/pam_listfile.so onerr=succeed item=user sense=deny file=/etc/bastille-no-login') or \ + cnf.insert_at(0, 'auth required /lib/security/pam_listfile.so onerr=succeed item=user sense=deny file=/etc/bastille-no-login')) + + securetty.remove_line_matching('.+', 1) -def disable_pam_wheel_for_su(): - _interactive and log(_('Allowing su for all')) +def enable_pam_wheel_for_su(arg): su = ConfigFile.get_config_file(SU) - su.exists() and su.remove_line_matching('^auth\s+required\s+/lib/security/pam_wheel.so\s+use_uid\s*$') -def forbid_issues(allow_local=0): - if not allow_local: - _interactive and log(_('Disabling pre-login message')) - issue = ConfigFile.get_config_file(ISSUE) - issue.exists() and issue.move(SUFFIX) and issue.modified() + if arg: + _interactive and log(_('Allowing su only from wheel group members')) + try: + ent = grp.getgrnam('wheel') + except KeyError: + error(_('no wheel group')) + return + members = ent[3] + if members == [] or members == ['root']: + error(_('wheel group is empty')) + return + su.exists() and (su.replace_line_matching('^auth\s+required\s+/lib/security/pam_wheel.so\s+use_uid\s*$', + 'auth required /lib/security/pam_wheel.so use_uid') or \ + su.insert_after('^auth\s+required', + 'auth required /lib/security/pam_wheel.so use_uid')) else: - _interactive and log(_('Allowing pre-login message')) - issue = ConfigFile.get_config_file(ISSUE, SUFFIX) - issue.exists() and issue.get_lines() - _interactive and log(_('Disabling network pre-login message')) - issuenet = ConfigFile.get_config_file(ISSUENET) - issuenet.exists() and issuenet.move(SUFFIX) - -def allow_issues(): - _interactive and log(_('Allowing RemoteRoot pre-login messages')) + _interactive and log(_('Allowing su for all')) + su.exists() and su.remove_line_matching('^auth\s+required\s+/lib/security/pam_wheel.so\s+use_uid\s*$') + +def allow_issues(arg): issue = ConfigFile.get_config_file(ISSUE, SUFFIX) - issue.exists() and issue.get_lines() issuenet = ConfigFile.get_config_file(ISSUENET, SUFFIX) - issuenet.exists() and issuenet.get_lines() - -def allow_autologin(): - _interactive and log(_('Allowing autologin')) - autologin = ConfigFile.get_config_file(AUTOLOGIN) - autologin.exists() and autologin.set_shell_variable('AUTOLOGIN', 'yes') -def forbid_autologin(): - _interactive and log(_('Forbidding autologin')) + if arg == ALL: + _interactive and log(_('Allowing RemoteRoot pre-login messages')) + issue.exists() and issue.get_lines() + issuenet.exists() and issuenet.get_lines() + else: + if arg == NONE: + _interactive and log(_('Disabling pre-login message')) + issue.exists() and issue.move(SUFFIX) and issue.modified() + else: + _interactive and log(_('Allowing pre-login message')) + issue.exists() and issue.get_lines() + _interactive and log(_('Disabling network pre-login message')) + issuenet.exists() and issuenet.move(SUFFIX) + +def allow_autologin(arg): autologin = ConfigFile.get_config_file(AUTOLOGIN) - autologin.exists() and autologin.set_shell_variable('AUTOLOGIN', 'no') + + if arg: + _interactive and log(_('Allowing autologin')) + autologin.exists() and autologin.set_shell_variable('AUTOLOGIN', 'yes') + else: + _interactive and log(_('Forbidding autologin')) + autologin.exists() and autologin.set_shell_variable('AUTOLOGIN', 'no') def password_loader(value): + "D" _interactive and log(_('Activating password in boot loader')) liloconf = ConfigFile.get_config_file(LILOCONF) liloconf.exists() and (liloconf.replace_line_matching('^password=', 'password="' + value + '"', 0, 1) or \ @@ -273,116 +279,117 @@ def password_loader(value): # TODO add yaboot support def nopassword_loader(): + "D" _interactive and log(_('Removing password in boot loader')) liloconf = ConfigFile.get_config_file(LILOCONF) liloconf.exists() and liloconf.remove_line_matching('^password=', 1) menulst = ConfigFile.get_config_file(MENULST) menulst.exists() and menulst.remove_line_matching('^password\s') -def enable_console_log(): - _interactive and log(_('Enabling log on console 12')) +def enable_console_log(arg): syslogconf = ConfigFile.get_config_file(SYSLOGCONF) - syslogconf.exists() and syslogconf.replace_line_matching('\s*[^#]+/dev/tty12', '*.* /dev/tty12', 1) -def disable_console_log(): - _interactive and log(_('Disabling log on console 12')) - syslogconf = ConfigFile.get_config_file(SYSLOGCONF) - syslogconf.exists() and syslogconf.remove_line_matching('\*\.\*\s*/dev/tty12') - -def enable_promisc_check(): - _interactive and log(_('Activating periodic promiscuity check')) - cron = ConfigFile.get_config_file(CRON) - cron.replace_line_matching('[^#]+/usr/share/msec/promisc_check.sh', '*/1 * * * * root /usr/share/msec/promisc_check.sh', 1) + if arg: + _interactive and log(_('Enabling log on console 12')) + syslogconf.exists() and syslogconf.replace_line_matching('\s*[^#]+/dev/tty12', '*.* /dev/tty12', 1) + else: + _interactive and log(_('Disabling log on console 12')) + syslogconf.exists() and syslogconf.remove_line_matching('\*\.\*\s*/dev/tty12') -def disable_promisc_check(): - _interactive and log(_('Disabling periodic promiscuity check')) +def enable_promisc_check(arg): cron = ConfigFile.get_config_file(CRON) - cron.remove_line_matching('[^#]+/usr/share/msec/promisc_check.sh') -def enable_security_check(): - _interactive and log(_('Activating daily security check')) - cron = ConfigFile.get_config_file(CRON) - cron.replace_line_matching('[^#]+/usr/share/msec/security.sh', '0 4 * * * root /usr/share/msec/security.sh', 1) + if arg: + _interactive and log(_('Activating periodic promiscuity check')) + cron.replace_line_matching('[^#]+/usr/share/msec/promisc_check.sh', '*/1 * * * * root /usr/share/msec/promisc_check.sh', 1) + else: + _interactive and log(_('Disabling periodic promiscuity check')) + cron.remove_line_matching('[^#]+/usr/share/msec/promisc_check.sh') -def disable_security_check(): - _interactive and log(_('Disabling daily security check')) +def enable_security_check(arg): cron = ConfigFile.get_config_file(CRON) - cron.remove_line_matching('[^#]+/usr/share/msec/security.sh') -def deny_all_services(): - _interactive and log(_('Disabling all services')) - hostsdeny = ConfigFile.get_config_file(HOSTSDENY) - hostsdeny.remove_line_matching('^ALL:ALL EXCEPT localhost:DENY', 1) - hostsdeny.replace_line_matching('^ALL:ALL:DENY$', 'ALL:ALL:DENY', 1) + if arg: + _interactive and log(_('Activating daily security check')) + cron.replace_line_matching('[^#]+/usr/share/msec/security.sh', '0 4 * * * root /usr/share/msec/security.sh', 1) + else: + _interactive and log(_('Disabling daily security check')) + cron.remove_line_matching('[^#]+/usr/share/msec/security.sh') -def deny_non_local_services(): - _interactive and log(_('Disabling non local services')) +def authorize_services(arg): hostsdeny = ConfigFile.get_config_file(HOSTSDENY) - hostsdeny.remove_line_matching('^ALL:ALL:DENY', 1) - hostsdeny.replace_line_matching('^ALL:ALL EXCEPT localhost:DENY$', 'ALL:ALL EXCEPT localhost:DENY', 1) -def authorize_all_services(): - _interactive and log(_('Authorizing all services')) - hostsdeny = ConfigFile.get_config_file(HOSTSDENY) - hostsdeny.remove_line_matching('^ALL:ALL:DENY', 1) - hostsdeny.remove_line_matching('^ALL:ALL EXCEPT localhost:DENY', 1) + if arg == ALL: + _interactive and log(_('Authorizing all services')) + hostsdeny.remove_line_matching('^ALL:ALL:DENY', 1) + hostsdeny.remove_line_matching('^ALL:ALL EXCEPT localhost:DENY', 1) + elif arg == NONE: + _interactive and log(_('Disabling all services')) + hostsdeny.remove_line_matching('^ALL:ALL EXCEPT localhost:DENY', 1) + hostsdeny.replace_line_matching('^ALL:ALL:DENY$', 'ALL:ALL:DENY', 1) + elif arg == LOCAL: + _interactive and log(_('Disabling non local services')) + hostsdeny.remove_line_matching('^ALL:ALL:DENY', 1) + hostsdeny.replace_line_matching('^ALL:ALL EXCEPT localhost:DENY$', 'ALL:ALL EXCEPT localhost:DENY', 1) + else: + error(_('authorize_services invalid argument: %s') % arg) -def enable_ip_spoofing_protection(alert): - _interactive and log(_('Enabling ip spoofing protection')) +def enable_ip_spoofing_protection(arg, alert=1): hostconf = ConfigFile.get_config_file(HOSTCONF) - hostconf.replace_line_matching('nospoof', 'nospoof on', 1) - hostconf.replace_line_matching('spoofalert', 'spoofalert on', (alert != 0)) - sysctlconf = ConfigFile.get_config_file(SYSCTLCONF) - sysctlconf.set_shell_variable('net.ipv4.conf.all.rp_filter', 1) -def disable_ip_spoofing_protection(): - _interactive and log(_('Disabling ip spoofing protection')) - hostconf = ConfigFile.get_config_file(HOSTCONF) - hostconf.remove_line_matching('nospoof') - hostconf.remove_line_matching('spoofalert') + if arg: + _interactive and log(_('Enabling ip spoofing protection')) + hostconf.replace_line_matching('nospoof', 'nospoof on', 1) + hostconf.replace_line_matching('spoofalert', 'spoofalert on', (alert != 0)) + sysctlconf = ConfigFile.get_config_file(SYSCTLCONF) + sysctlconf.set_shell_variable('net.ipv4.conf.all.rp_filter', 1) + else: + _interactive and log(_('Disabling ip spoofing protection')) + hostconf.remove_line_matching('nospoof') + hostconf.remove_line_matching('spoofalert') -def ignore_icmp_echo(): - _interactive and log(_('Ignoring icmp echo')) +def accept_icmp_echo(arg): sysctlconf = ConfigFile.get_config_file(SYSCTLCONF) - sysctlconf.set_shell_variable('net.ipv4.icmp_echo_ignore_all', 1) - sysctlconf.set_shell_variable('net.ipv4.icmp_echo_ignore_broadcasts', 1) - -def accept_icmp_echo(): - _interactive and log(_('Accepting icmp echo')) - sysctlconf = ConfigFile.get_config_file(SYSCTLCONF) - sysctlconf.set_shell_variable('net.ipv4.icmp_echo_ignore_all', 0) - sysctlconf.set_shell_variable('net.ipv4.icmp_echo_ignore_broadcasts', 0) -def ignore_bogus_error_responses(): - _interactive and log(_('Ignoring bogus icmp error responses')) - sysctlconf = ConfigFile.get_config_file(SYSCTLCONF) - sysctlconf.set_shell_variable('net.ipv4.icmp_ignore_bogus_error_responses', 1) - -def accept_bogus_error_responses(): - _interactive and log(_('Accepting bogus icmp error responses')) - sysctlconf = ConfigFile.get_config_file(SYSCTLCONF) - sysctlconf.set_shell_variable('net.ipv4.icmp_ignore_bogus_error_responses', 0) + if arg: + _interactive and log(_('Accepting icmp echo')) + sysctlconf.set_shell_variable('net.ipv4.icmp_echo_ignore_all', 0) + sysctlconf.set_shell_variable('net.ipv4.icmp_echo_ignore_broadcasts', 0) + else: + _interactive and log(_('Ignoring icmp echo')) + sysctlconf.set_shell_variable('net.ipv4.icmp_echo_ignore_all', 1) + sysctlconf.set_shell_variable('net.ipv4.icmp_echo_ignore_broadcasts', 1) -def enable_log_strange_packets(): - _interactive and log(_('Enabling logging of strange packets')) +def accept_bogus_error_responses(arg): sysctlconf = ConfigFile.get_config_file(SYSCTLCONF) - sysctlconf.set_shell_variable('net.ipv4.conf.all.log_martians', 1) -def disable_log_strange_packets(): - _interactive and log(_('Disabling logging of strange packets')) + if arg: + _interactive and log(_('Accepting bogus icmp error responses')) + sysctlconf.set_shell_variable('net.ipv4.icmp_ignore_bogus_error_responses', 0) + else: + _interactive and log(_('Ignoring bogus icmp error responses')) + sysctlconf.set_shell_variable('net.ipv4.icmp_ignore_bogus_error_responses', 1) + +def enable_log_strange_packets(arg): sysctlconf = ConfigFile.get_config_file(SYSCTLCONF) - sysctlconf.set_shell_variable('net.ipv4.conf.all.log_martians', 0) -def enable_libsafe(): - if os.path.exists(Config.get_config('root', '') + '/lib/libsafe.so.2'): - _interactive and log(_('Enabling libsafe')) + if arg: + _interactive and log(_('Enabling logging of strange packets')) + sysctlconf.set_shell_variable('net.ipv4.conf.all.log_martians', 1) + else: + _interactive and log(_('Disabling logging of strange packets')) + sysctlconf.set_shell_variable('net.ipv4.conf.all.log_martians', 0) + +def enable_libsafe(arg): + if arg: + if os.path.exists(Config.get_config('root', '') + '/lib/libsafe.so.2'): + _interactive and log(_('Enabling libsafe')) + ldsopreload = ConfigFile.get_config_file(LDSOPRELOAD) + ldsopreload.replace_line_matching('[^#]*libsafe', '/lib/libsafe.so.2', 1) + else: + _interactive and log(_('Disabling libsafe')) ldsopreload = ConfigFile.get_config_file(LDSOPRELOAD) - ldsopreload.replace_line_matching('[^#]*libsafe', '/lib/libsafe.so.2', 1) - -def disable_libsafe(): - _interactive and log(_('Disabling libsafe')) - ldsopreload = ConfigFile.get_config_file(LDSOPRELOAD) - ldsopreload.remove_line_matching('[^#]*libsafe') + ldsopreload.remove_line_matching('[^#]*libsafe') def password_length(length, ndigits=0, nupper=0): _interactive and log(_('Setting minimum password length %d') % length) @@ -402,39 +409,38 @@ def password_length(length, ndigits=0, nupper=0): passwd.replace_line_matching('^password\s+required\s+/lib/security/pam_cracklib.so.*', '@0 ucredit=%s ' % nupper)) -def enable_sulogin(): - _interactive and log(_('Enabling sulogin in single user runlevel')) - inittab = ConfigFile.get_config_file(INITTAB) - inittab.replace_line_matching('[^#]+:S:', '~~:S:wait:/sbin/sulogin', 1) - -def disable_sulogin(): - _interactive and log(_('Disabling sulogin in single user runlevel')) +def enable_sulogin(arg): inittab = ConfigFile.get_config_file(INITTAB) - inittab.remove_line_matching('~~:S:wait:/sbin/sulogin') -def enable_msec_cron(): - _interactive and log(_('Enabling msec periodic runs')) - mseccron = ConfigFile.get_config_file(MSECCRON) - mseccron.symlink(MSECBIN) + if arg: + _interactive and log(_('Enabling sulogin in single user runlevel')) + inittab.replace_line_matching('[^#]+:S:', '~~:S:wait:/sbin/sulogin', 1) + else: + _interactive and log(_('Disabling sulogin in single user runlevel')) + inittab.remove_line_matching('~~:S:wait:/sbin/sulogin') -def disable_msec_cron(): - _interactive and log(_('Disabling msec periodic runs')) +def enable_msec_cron(arg): mseccron = ConfigFile.get_config_file(MSECCRON) - mseccron.unlink() -def disable_at_crontab(): - _interactive and log(_('Disabling crontab and at')) - cronallow = ConfigFile.get_config_file(CRONALLOW, SUFFIX) - cronallow.replace_line_matching('root', 'root', 1) - atallow = ConfigFile.get_config_file(ATALLOW, SUFFIX) - atallow.replace_line_matching('root', 'root', 1) + if arg: + _interactive and log(_('Enabling msec periodic runs')) + mseccron.symlink(MSECBIN) + else: + _interactive and log(_('Disabling msec periodic runs')) + mseccron.unlink() -def enable_at_crontab(): - _interactive and log(_('Enabling crontab and at')) +def enable_at_crontab(arg): cronallow = ConfigFile.get_config_file(CRONALLOW) - cronallow.exists() and cronallow.move(SUFFIX) atallow = ConfigFile.get_config_file(ATALLOW) - atallow.exists() and atallow.move(SUFFIX) + + if arg: + _interactive and log(_('Enabling crontab and at')) + cronallow.exists() and cronallow.move(SUFFIX) + atallow.exists() and atallow.move(SUFFIX) + else: + _interactive and log(_('Disabling crontab and at')) + cronallow.replace_line_matching('root', 'root', 1) + atallow.replace_line_matching('root', 'root', 1) maximum_regex = re.compile('^Maximum:\s*([0-9]+)', re.MULTILINE) @@ -478,9 +484,16 @@ def password_aging(max): else: error(_('unable to run chage: %s') % ret[1]) +def set_security_conf(var, value): + "1" + securityconf = ConfigFile.get_config_file(SECURITYCONF) + securityconf.set_shell_variable(var, value) + # various def set_interactive(v): + "D" + global _interactive _interactive = v |