-rw-r--r--perl-install/security/msec.pm159
-rwxr-xr-xperl-install/standalone/draksec10
2 files changed, 138 insertions, 31 deletions
diff --git a/perl-install/security/msec.pm b/perl-install/security/msec.pm
index 39eddeb92..052dbe1b6 100644
--- a/perl-install/security/msec.pm
+++ b/perl-install/security/msec.pm
@@ -8,7 +8,7 @@ use log;
sub get_secure_level {
my ($prefix) = @_;
-
+
cat_("$prefix/etc/profile") =~ /export SECURE_LEVEL=(\d+)/ && $1 || #- 8.0 msec
cat_("$prefix/etc/profile.d/msec.sh") =~ /export SECURE_LEVEL=(\d+)/ && $1 || #- 8.1 msec
${{ getVarsFromSh("$prefix/etc/sysconfig/msec") }}{SECURE_LEVEL} || #- 8.2 msec
@@ -18,31 +18,127 @@ sub get_secure_level {
sub config_security_user {
my ($prefix, $sec_user) = @_;
my %t = getVarsFromSh("$prefix/etc/security/msec/security.conf");
- if (@_ > 1) {
+ if (@_ > 1) {
$t{MAIL_USER} = $sec_user;
setVarsInSh("$prefix/etc/security/msec/security.conf", \%t);
- }
+ }
$t{MAIL_USER};
-}
+}
+
+sub get_functions {
+ my $prefix = $_;
+ my @functions = ();
+ my @ignore_list = qw(indirect commit_changes closelog error initlog log set_secure_level
+ set_security_conf set_server_level print_changes get_translation
+ password_aging password_length enable_libsafe);
+ my $file = "$prefix/usr/share/msec/mseclib.py";
+ my $function = '';
+
+ open F, $file;
+ while (<F>) {
+ if ($_ =~ /^def/) {
+ (undef, $function) = split(/ /, $_);
+ ($function, undef) = split(/\(/, $function);
+ if (!(member($function, @ignore_list))) { push(@functions, $function); }
+ }
+ }
+ close F;
+
+ @functions;
+}
+
+sub get_value {
+ my ($prefix, $function) = @_;
+ my $value = '';
+ my $msec_options = "$prefix/etc/security/msec/level.local";
+ my $msec_defaults = "$prefix/etc/security/msec/msec.defaults";
+ my $found = 0;
+
+ if (-e $msec_options) {
+ open F, $msec_options;
+ while(<F>) {
+ if($_ =~ /^$function/) {
+ (undef, $value) = split(/\(/, $_);
+ chop $value; chop $value;
+ $found = 1;
+ }
+ if ($found == 0) { $value = "default"; }
+ }
+ close F;
+ }
+ else { $value = "default"; }
+ $value;
+}
+
+sub set_option {
+ my ($prefix, $option, $value) =@_;
+ my %functions_hash = ( );
+ my $key = "";
+
+ my $msec_options = "$prefix/etc/security/msec/level.local";
+
+ if(-e $msec_options) {
+ open F, $msec_options;
+ while(<F>) {
+ if (!($_ =~ /^from mseclib/) && $_ ne "\n") {
+ my ($name, $value_set) = split (/\(/, $_);
+ chop $value_set; chop $value_set;
+ $functions_hash{$name} = $value_set;
+ }
+ }
+ close F;
+ }
+
+ $functions_hash{$option} = $value;
+
+ open F, '>'.$msec_options;
+ print F "from mseclib import *\n\n";
+ foreach $key (keys %functions_hash) {
+ if ($functions_hash{$key} ne "default") {
+ print F "$key"."($functions_hash{$key})\n";
+ }
+ }
+ close F;
+}
sub get_options {
my ($prefix, $security) = @_;
my %options = ();
-
+ my @functions = get_functions($prefix);
+ my $key = "";
+
+ foreach $key (@functions) {
+ $options{$key} = get_value($prefix, $key);
+ }
+
%options;
}
+sub get_default {
+ my ($prefix, $function, $security) = @_;
+ my $default_file = "$prefix/usr/share/msec/level.".$security;
+ my $default_value = "";
+
+ open F, $default_file;
+ while(<F>) {
+ if ($_ =~ /^$function/) { (undef, $default_value) = split(/ /, $_); }
+ }
+ close F;
+ chop $default_value;
+ $default_value;
+}
+
sub choose_security_level {
- my ($in, $security, $libsafe, $email) = @_;
+ my ($in, $security, $libsafe, $email, $signal) = @_;
my %l = (
0 => _("Welcome To Crackers"),
1 => _("Poor"),
2 => _("Standard"),
- 3 => _("High"),
+ 3 => _("High"),
4 => _("Higher"),
5 => _("Paranoid"),
- );
+ );
my %help = (
0 => _("This level is to be used with care. It makes your system more easy to use,
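Review bot: `get_functions` takes its argument from `$_` instead of `@_` (`my $prefix = $_;`), so the `$prefix` handed over at `get_functions($prefix)` in `get_options` is ignored and the mseclib.py path is built from whatever `$_` currently holds; it should read `my ($prefix) = @_;`. The five `open F, ...` calls are two-argument opens on a bareword handle with no error check, which treat a leading `>` or `|` in the path as a mode and silently loop over nothing when the file cannot be opened; prefer `open my $fh, '<', $file or return;` for the reads and `open my $fh, '>', $msec_options or die "open $msec_options: $!";` for the write in `set_option`. The lookups `/^$function/` in `get_value` and `get_default` interpolate the name unescaped and match any line that merely starts with it, so a shorter function name can pick up a longer one's setting; `/^\Q$function\E\s*\(/` pins the match to the exact name. `set_option` writes each option value verbatim into level.local, which it emits as a Python module (`from mseclib import *`), so values coming from the free-text entries of the advanced dialog should be checked against the forms the option accepts (yes/no, ALL/NONE/LOCAL, integer) before being written rather than trusted as typed. The double `chop` in `get_value` and `set_option` assumes every line ends in `)\n` and strips a character of the value on a last line without a trailing newline; `s/\)\s*\z//` is the safer strip.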
@@ -55,11 +151,11 @@ sub choose_security_level {
The security is now high enough to use the system as a server which can accept
connections from many clients. Note: if your machine is only a client on the Internet, you should choose a lower level."),
5 => _("This is similar to the previous level, but the system is entirely closed and security features are at their maximum."),
- );
-
- delete @l{0,1};
+ );
+
+ delete @l{0,1};
delete $l{5} if !$::expert;
-
+
$in->ask_from(
("DrakSec Basic Options"),
("Please choose the desired security level") . "\n\n" .
@@ -70,21 +166,38 @@ sub choose_security_level {
{ label => _("Use libsafe for servers"), val => $libsafe, type => 'bool', text =>
_("A library which defends against buffer overflow and format string attacks.") } ),
{ label => _("Security Administrator (login or email)"), val => $email },
- { label => _("Advanced Options"), type => 'button', clicked => sub { sec_options($in, $security) } }
+ { val => _("Advanced Options"), type => 'button', clicked_may_quit => sub { $$signal = 1; } }
],
- );
+ );
}
-sub sec_options {
- my ($in, $security) = @_;
- my %options = get_options('', $security);
-
+sub choose_options {
+ my ($in, $rfunctions, $signal, $security) = @_;
+ my $i = 0;
+ my @display = ();
+ my $key = "";
+ my $default = "";
+
+ foreach $key (keys %$rfunctions) {
+ $default = get_default('', $key, $security);
+ if ($default eq "yes" || $default eq "no") {
+ $display[$i] = { label => $key." (default=$default)", val =>\$$rfunctions{$key}, list => ["yes", "no", "default"] };
+ }
+ elsif ($default eq "ALL" || $default eq "NONE" || $default eq "LOCAL") {
+ $display[$i] = { label => $key." (default=$default)", val =>\$$rfunctions{$key}, list => ["ALL", "NONE", "LOCAL", "default"] };
+ }
+ else {
+ $display[$i] = { label => $key." (default=$default)", val => \$$rfunctions{$key} };
+ }
+ $i++;
+ }
+
$in->ask_from(
- ("DrakSec Advanced Options"),
- ("For explanations on the following options, click on the Help button"),
- [
- %options
- ],
+ ("DrakSec - Advanced Options"),
+ ("You can customize the following options. For more information, see the mseclib manual page."),
+ [ @display,
+ { val =>_("Basic Options"), type => 'button', clicked_may_quit => sub { $$signal = 0; print "";} }
+ ],
);
}
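Review bot: `choose_options` calls `get_default('', $key, $security)` with a hard-coded empty prefix while `get_options` and `get_value` in the same file take `$prefix`, so under a non-root install prefix the defaults shown in the labels would come from the running system rather than the target; passing the prefix through (`my ($in, $rfunctions, $signal, $security, $prefix) = @_;` and `get_default($prefix, $key, $security)`) keeps the two lookups consistent, though if this dialog only ever runs on the live system the difference is cosmetic. The `print "";` in the Basic Options callback is a no-op and can be dropped, leaving `clicked_may_quit => sub { $$signal = 0 }`. Iterating `keys %$rfunctions` yields hash order, so the advanced dialog reshuffles its entries between runs; `foreach $key (sort keys %$rfunctions)` makes it stable. The `else` branch builds an unconstrained text entry, so options without a yes/no or ALL/NONE/LOCAL default are the ones that most need validation when the value is later saved.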
diff --git a/perl-install/standalone/draksec b/perl-install/standalone/draksec
index 6af60a0b1..fa1ff2961 100755
--- a/perl-install/standalone/draksec
+++ b/perl-install/standalone/draksec
@@ -7,11 +7,10 @@ use standalone; #- warning, standalone must be loaded very first, for 'expla
use common;
use interactive;
use log;
-use security::msec;
+use security::main;
local $_ = join '', @ARGV;
-
/-h/ and die "usage: draksec [--expert]\n";
$::expert = /-expert/ || cat_("/etc/sysconfig/system") =~ /^CLASS="?expert/m; #"
@@ -22,12 +21,7 @@ my $in = 'interactive'->vnew('su', 'security');
begin:
$::isEmbedded and kill USR2, $::CCPID;
-my $security = security::msec::get_secure_level('');
-my $libsafe = security::msec::config_libsafe('');
-my $sec_user = security::msec::config_security_user('');
-my $w;
-
-security::main($in, $security, $sec_user);
+security::main::main($prefix, $in);
!$::isEmbedded ? $in->exit(0) : kill(USR1, $::CCPID);
goto begin;
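Review bot: `security::main::main($prefix, $in);` uses `$prefix`, which is not declared anywhere in this hunk and replaces calls that previously passed the literal `''`; if it is not declared elsewhere in draksec the script fails under `use strict`, and if it is declared but never assigned it is undef, producing "uninitialized" warnings and paths that silently collapse to `/etc/...`. Either declare and initialise it explicitly (`my $prefix = '';`) near the top of the script or pass `''` as before. The `begin:` loop this call sits in continues outside the hunk.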