author | Mystery Man <unknown@mandriva.org> | 2004-06-15 16:50:22 +0000 |
---|---|---|
committer | Mystery Man <unknown@mandriva.org> | 2004-06-15 16:50:22 +0000 |
commit | 8ea9beca90c410e12593fedfb6e741dbdf8795d0 (patch) | |
tree | 544a377d0ea57462110009fbbbfd14473390e2a1 /perl-install/security | |
parent | b5dc638815c772056e07cd013f5b1674900456d5 (diff) | |
download | drakx-topic/mandrakesoft.tar drakx-topic/mandrakesoft.tar.gz drakx-topic/mandrakesoft.tar.bz2 drakx-topic/mandrakesoft.tar.xz drakx-topic/mandrakesoft.zip |
This commit was manufactured by cvs2svn to create branch 'mandrakesoft'.topic/mandrakesoft
Diffstat (limited to 'perl-install/security')
-rw-r--r-- | perl-install/security/help.pm | 130 | ||||
-rw-r--r-- | perl-install/security/l10n.pm | 65 | ||||
-rw-r--r-- | perl-install/security/level.pm | 70 | ||||
-rw-r--r-- | perl-install/security/msec.pm | 189 | ||||
-rw-r--r-- | perl-install/security/various.pm | 30 |
5 files changed, 0 insertions, 484 deletions
diff --git a/perl-install/security/help.pm b/perl-install/security/help.pm
deleted file mode 100644
index 3176c5749..000000000
--- a/perl-install/security/help.pm
+++ /dev/null
@@ -1,130 +0,0 @@ -package security::help; -# This help was forked from msec internal function descriptions -# They were then reworked in order to be targeted for end users, not msec developpers - - -use strict; -use common; - -our %help = ( - -'accept_bogus_error_responses' => N("Accept/Refuse bogus IPv4 error messages."), - -'accept_broadcasted_icmp_echo' => N(" Accept/Refuse broadcasted icmp echo."), - -'accept_icmp_echo' => N(" Accept/Refuse icmp echo."), - -'allow_autologin' => N("Allow/Forbid autologin."), - -'allow_issues' => N("If set to \"ALL\", /etc/issue and /etc/issue.net are allowed to exist. - -If set to NONE, no issues are allowed. - -Else only /etc/issue is allowed."), - -'allow_reboot' => N("Allow/Forbid reboot by the console user."), - -'allow_remote_root_login' => N("Allow/Forbid remote root login."), - -'allow_root_login' => N("Allow/Forbid direct root login."), - -'allow_user_list' => N("Allow/Forbid the list of users on the system on display managers (kdm and gdm)."), - -'allow_x_connections' => N("Allow/Forbid X connections: - -- ALL (all connections are allowed), - -- LOCAL (only connection from local machine), - -- NONE (no connection)."), - -'allow_xserver_to_listen' => N("The argument specifies if clients are authorized to connect -to the X server from the network on the tcp port 6000 or not."), - -'authorize_services' => N("Authorize: - -- all services controlled by tcp_wrappers (see hosts.deny(5) man page) if set to \"ALL\", - -- only local ones if set to \"LOCAL\" - -- none if set to \"NONE\". - -To authorize the services you need, use /etc/hosts.allow (see hosts.allow(5))."), - -'create_server_link' => N("If SERVER_LEVEL (or SECURE_LEVEL if absent) -is greater than 3 in /etc/security/msec/security.conf, creates the -symlink /etc/security/msec/server to point to -/etc/security/msec/server.<SERVER_LEVEL>. 
- -The /etc/security/msec/server is used by chkconfig --add to decide to -add a service if it is present in the file during the installation of -packages."), - -'enable_at_crontab' => N("Enable/Disable crontab and at for users. - -Put allowed users in /etc/cron.allow and /etc/at.allow (see man at(1) -and crontab(1))."), - -'enable_console_log' => N("Enable/Disable syslog reports to console 12"), - -'enable_dns_spoofing_protection' => N("Enable/Disable name resolution spoofing protection. If -\"alert\" is true, also reports to syslog."), - -'enable_ip_spoofing_protection' => N("Enable/Disable IP spoofing protection."), - -'enable_libsafe' => N("Enable/Disable libsafe if libsafe is found on the system."), - -'enable_log_strange_packets' => N("Enable/Disable the logging of IPv4 strange packets."), - -'enable_msec_cron' => N("Enable/Disable msec hourly security check."), - -'enable_pam_wheel_for_su' => N(" Enabling su only from members of the wheel group or allow su from any user."), - -'enable_password' => N("Use password to authenticate users."), - -'enable_promisc_check' => N("Activate/Disable ethernet cards promiscuity check."), - -'enable_security_check' => N(" Activate/Disable daily security check."), - -'enable_sulogin' => N(" Enable/Disable sulogin(8) in single user level."), - -'no_password_aging_for' => N("Add the name as an exception to the handling of password aging by msec."), - -'password_aging' => N("Set password aging to \"max\" days and delay to change to \"inactive\"."), - -'password_history' => N("Set the password history length to prevent password reuse."), - -'password_length' => N("Set the password minimum length and minimum number of digit and minimum number of capitalized letters."), - -'set_root_umask' => N("Set the root umask."), -CHECK_OPEN_PORT => N("if set to yes, check open ports."), -CHECK_PASSWD => N("if set to yes, check for : - -- empty passwords, - -- no password in /etc/shadow - -- for users with the 0 id other than root."), 
-CHECK_PERMS => N("if set to yes, check permissions of files in the users' home."), -CHECK_PROMISC => N("if set to yes, check if the network devices are in promiscuous mode."), -CHECK_SECURITY => N("if set to yes, run the daily security checks."), -CHECK_SGID => N("if set to yes, check additions/removals of sgid files."), -CHECK_SHADOW => N("if set to yes, check empty password in /etc/shadow."), -CHECK_SUID_MD5 => N("if set to yes, verify checksum of the suid/sgid files."), -CHECK_SUID_ROOT => N("if set to yes, check additions/removals of suid root files."), -CHECK_UNOWNED => N("if set to yes, report unowned files."), -CHECK_WRITABLE => N("if set to yes, check files/directories writable by everybody."), -CHKROOTKIT_CHECK => N("if set to yes, run chkrootkit checks."), -MAIL_USER => N("if set, send the mail report to this email address else send it to root."), -MAIL_WARN => N("if set to yes, report check result by mail."), -MAIL_EMPTY_CONTENT => N("Do not send mails if there's nothing to warn about"), -RPM_CHECK => N("if set to yes, run some checks against the rpm database."), -SYSLOG_WARN => N("if set to yes, report check result to syslog."), -TTY_WARN => N("if set to yes, reports check result to tty."), - -'set_shell_history_size' => N("Set shell commands history size. A value of -1 means unlimited."), - -'set_shell_timeout' => N("Set the shell timeout. A value of zero means no timeout.") . "\n\n" . N("Timeout unit is second"), - -'set_user_umask' => N("Set the user umask."), -); diff --git a/perl-install/security/l10n.pm b/perl-install/security/l10n.pm deleted file mode 100644 index 17e9bb017..000000000 --- a/perl-install/security/l10n.pm +++ /dev/null 
@@ -1,65 +0,0 @@ -package security::l10n; -# This help was build from stripped from python description of msec functions -# soft/msec/share/libmsec.py -# -# It's used in draksec option labels - -use common; - -sub fields() { - return ( - 'accept_bogus_error_responses' => N("Accept bogus IPv4 error messages"), - 'accept_broadcasted_icmp_echo' => N("Accept broadcasted icmp echo"), - 'accept_icmp_echo' => N("Accept icmp echo"), - 'allow_autologin' => N("Autologin"), - 'allow_issues' => N("/etc/issue* exist"), - 'allow_reboot' => N("Reboot by the console user"), - 'allow_remote_root_login' => N("Allow remote root login"), - 'allow_root_login' => N("Direct root login"), - 'allow_user_list' => N("List users on display managers (kdm and gdm)"), - 'allow_x_connections' => N("Allow X Window connections"), - 'allow_xserver_to_listen' => N("Authorize TCP connections to X Window"), - 'authorize_services' => N("Authorize all services controlled by tcp_wrappers"), - 'create_server_link' => N("Chkconfig obey msec rules"), - 'enable_at_crontab' => N("Enable \"crontab\" and \"at\" for users"), - 'enable_console_log' => N("Syslog reports to console 12"), - 'enable_dns_spoofing_protection' => N("Name resolution spoofing protection"), - 'enable_ip_spoofing_protection' => N("Enable IP spoofing protection"), - 'enable_libsafe' => N("Enable libsafe if libsafe is found on the system"), - 'enable_log_strange_packets' => N("Enable the logging of IPv4 strange packets"), - 'enable_msec_cron' => N("Enable msec hourly security check"), - 'enable_pam_wheel_for_su' => N("Enable su only from the wheel group members or for any user"), - 'enable_password' => N("Use password to authenticate users"), - 'enable_promisc_check' => N("Ethernet cards promiscuity check"), - 'enable_security_check' => N("Daily security check"), - 'enable_sulogin' => N("Sulogin(8) in single user level"), - 'no_password_aging_for' => N("No password aging for"), - 'password_aging' => N("Set password expiration and account 
inactivation delays"), - 'password_history' => N("Password history length"), - 'password_length' => N("Password minimum length and number of digits and upcase letters"), - 'set_root_umask' => N("Root umask"), - 'set_shell_history_size' => N("Shell history size"), - 'set_shell_timeout' => N("Shell timeout"), - 'set_user_umask' => N("User umask"), - CHECK_OPEN_PORT => N("Check open ports"), - CHECK_PASSWD => N("Check for unsecured accounts"), - CHECK_PERMS => N("Check permissions of files in the users' home"), - CHECK_PROMISC => N("Check if the network devices are in promiscuous mode"), - CHECK_SECURITY => N("Run the daily security checks"), - CHECK_SGID => N("Check additions/removals of sgid files"), - CHECK_SHADOW => N("Check empty password in /etc/shadow"), - CHECK_SUID_MD5 => N("Verify checksum of the suid/sgid files"), - CHECK_SUID_ROOT => N("Check additions/removals of suid root files"), - CHECK_UNOWNED => N("Report unowned files"), - CHECK_WRITABLE => N("Check files/directories writable by everybody"), - CHKROOTKIT_CHECK => N("Run chkrootkit checks"), - MAIL_EMPTY_CONTENT => N("Do not send mails when unneeded"), - MAIL_USER => N("If set, send the mail report to this email address else send it to root"), - MAIL_WARN => N("Report check result by mail"), - RPM_CHECK => N("Run some checks against the rpm database"), - SYSLOG_WARN => N("Report check result to syslog"), - TTY_WARN => N("Reports check result to tty"), - ); -} - -1; diff --git a/perl-install/security/level.pm b/perl-install/security/level.pm deleted file mode 100644 index c6a260c74..000000000 --- a/perl-install/security/level.pm +++ /dev/null 
@@ -1,70 +0,0 @@ -package security::level; - -use strict; -use common; -use run_program; - - -sub level_list() { - ( - 0 => N("Welcome To Crackers"), - 1 => N("Poor"), - 2 => N("Standard"), - 3 => N("High"), - 4 => N("Higher"), - 5 => N("Paranoid"), - ); -} - -sub to_string { +{ level_list() }->{$_[0]} } -sub from_string { +{ reverse level_list() }->{$_[0]} || 2 } - -sub get_string() { to_string(get() || 2) } -sub get_common_list() { map { to_string($_) } (1, 2, 3, 4, 5) } - -sub get() { - cat_("$::prefix/etc/profile") =~ /export SECURE_LEVEL=(\d+)/ && $1 || #- 8.0 msec - cat_("$::prefix/etc/profile.d/msec.sh") =~ /export SECURE_LEVEL=(\d+)/ && $1 || #- 8.1 msec - ${{ getVarsFromSh("$::prefix/etc/sysconfig/msec") }}{SECURE_LEVEL} || #- 8.2 msec - $ENV{SECURE_LEVEL} || 2; -} - -sub set { - my ($security) = @_; - run_program::rooted($::prefix, 'msec', '-o', 'run_commands=0', '-o', 'log=stderr', $security || 3); -} - -sub level_choose { - my ($in, $security, $libsafe, $email) = @_; - - my %help = ( - 0 => N("This level is to be used with care. It makes your system more easy to use, -but very sensitive. It must not be used for a machine connected to others -or to the Internet. There is no password access."), - 1 => N("Passwords are now enabled, but use as a networked computer is still not recommended."), - 2 => N("This is the standard security recommended for a computer that will be used to connect to the Internet as a client."), - 3 => N("There are already some restrictions, and more automatic checks are run every night."), - 4 => N("With this security level, the use of this system as a server becomes possible. -The security is now high enough to use the system as a server which can accept -connections from many clients. Note: if your machine is only a client on the Internet, you should choose a lower level."), - 5 => N("This is similar to the previous level, but the system is entirely closed and security features are at their maximum."), - ); - - my @l = 2 .. 
5; - - $in->ask_from_({ title => N("DrakSec Basic Options"), - messages => N("Please choose the desired security level") . "\n\n" . - join('', map { to_string($_) . ": " . formatAlaTeX($help{$_}) . "\n\n" } @l), - interactive_help_id => 'miscellaneous', - }, [ - { label => N("Security level"), val => $security, list => \@l, format => \&to_string }, - if_($in->do_pkgs->is_installed('libsafe') && arch() =~ /^i.86/, - { label => N("Use libsafe for servers"), val => $libsafe, type => 'bool', text => - N("A library which defends against buffer overflow and format string attacks.") }), - { label => N("Security Administrator (login or email)"), val => $email, }, - ], - ); -} - - -1; diff --git a/perl-install/security/msec.pm b/perl-install/security/msec.pm deleted file mode 100644 index b06078aed..000000000 --- a/perl-install/security/msec.pm +++ /dev/null 
@@ -1,189 +0,0 @@ -package security::msec; - -use strict; -use MDK::Common::File; -use MDK::Common; - - -#------------------------------------------------------------- -# msec options managment methods - - -#------------------------------------------------------------- -# option defaults - -sub load_defaults { - my ($msec, $category) = @_; - my $separator = $msec->{$category}{def_separator}; - map { - my ($opt, $val) = split(/$separator/, $_, 2); - chop $val; - if_($opt ne 'set_security_conf', $opt => $val); - } cat_($msec->{$category}{defaults_file}), if_($category eq "checks", 'MAIL_USER'); -} - - -# get_XXX_default(function) - -# return the default of the function|check passed in argument. - -sub get_check_default { - my ($msec, $check) = @_; - $msec->{checks}{default}{$check}; -} - -sub get_function_default { - my ($msec, $function) = @_; - $msec->{functions}{default}{$function}; -} - - - -#------------------------------------------------------------- -# option values - -sub load_values { - my ($msec, $category) = @_; - my $separator = $msec->{$category}{val_separator}; - map { - my ($opt, $val) = split /$separator/; - chop $val; - $val =~ s/[()]//g; - chop $opt if $separator eq '\('; # $opt =~ s/ //g if $separator eq '\('; - if_($val, $opt => $val); - } cat_($msec->{$category}{values_file}); -} - - -# get_XXX_value(check|function) - -# return the value of the function|check passed in argument. -# If no value is set, return "default". 
- -sub get_function_value { - my ($msec, $function) = @_; - $msec->{functions}{value}{$function} || "default"; -} - -sub get_check_value { - my ($msec, $check) = @_; - $msec->{checks}{value}{$check} || "default"; -} - - - -#------------------------------------------------------------- -# get list of check|functions - -# list_(functions|checks) - -# return a list of functions|checks handled by level.local|security.conf - -sub raw_checks_list { - my ($msec) = @_; - keys %{$msec->{checks}{default}}; -} - -sub list_checks { - my ($msec) = @_; - grep { !member($_, qw(MAIL_WARN MAIL_USER)) } $msec->raw_checks_list; -} - -sub list_functions { - my ($msec, $category) = @_; - - ## TODO handle 3 last functions here so they can be removed from this list - my @ignore_list = qw(indirect commit_changes closelog error initlog log set_secure_level - set_security_conf set_server_level print_changes get_translation create_server_link); - - my %options = ( - 'network' => [qw(accept_bogus_error_responses accept_broadcasted_icmp_echo accept_icmp_echo - enable_dns_spoofing_protection enable_ip_spoofing_protection - enable_log_strange_packets enable_promisc_check no_password_aging_for)], - 'system' => [qw(allow_autologin allow_issues allow_reboot allow_remote_root_login - allow_root_login allow_user_list allow_x_connections allow_xserver_to_listen - authorize_services enable_at_crontab enable_console_log - enable_msec_cron enable_pam_wheel_for_su enable_password enable_security_check - enable_sulogin password_aging password_history password_length set_root_umask - set_shell_history_size set_shell_timeout set_user_umask)]); - - # get all function names; filter out those which are in the ignore - # list, return what lefts. 
- grep { !member($_, @ignore_list) && member($_, @{$options{$category}}) } keys %{$msec->{functions}{default}}; -} - - -#------------------------------------------------------------- -# set back checks|functions values - -sub set_function { - my ($msec, $function, $value) = @_; - $msec->{functions}{value}{$function} = $value; -} - -sub set_check { - my ($msec, $check, $value) = @_; - $msec->{checks}{value}{$check} = $value; -} - - -#------------------------------------------------------------- -# apply configuration - -# config_(check|function)(check|function, value) - -# Apply the configuration to 'prefix'/etc/security/msec/security.conf||/etc/security/msec/level.local - -sub apply_functions { - my ($msec) = @_; - my @list = sort($msec->list_functions('system'), $msec->list_functions('network')); - touch($msec->{functions}{values_file}) if !-e $msec->{functions}{values_file}; - substInFile { - foreach my $function (@list) { s/^$function.*\n// } - if (eof) { - $_ .= join("\n", if_(!$_, ''), (map { - my $value = $msec->get_function_value($_); - if_($value ne 'default', "$_ ($value)"); - } @list), ""); - } - } $msec->{functions}{values_file}; -} - -sub apply_checks { - my ($msec) = @_; - my @list = sort $msec->raw_checks_list; - setVarsInSh($msec->{checks}{values_file}, - { - map { - my $value = $msec->get_check_value($_); - if_($value ne 'default', $_ => $value); - } @list - } - ); -} - -sub reload { - my ($msec) = @_; - my $num_level = 0; - require security::level; - $num_level ||= security::level::get(); - $msec->{functions}{defaults_file} = "$::prefix/usr/share/msec/level.".$num_level; - $msec->{functions}{default} = { $msec->load_defaults('functions') }; -} - -sub new { - my $type = shift; - my $msec = bless {}, $type; - - $msec->{functions}{values_file} = "$::prefix/etc/security/msec/level.local"; - $msec->{checks}{values_file} = "$::prefix/etc/security/msec/security.conf"; - $msec->{checks}{defaults_file} = "$::prefix/var/lib/msec/security.conf"; - 
$msec->{checks}{val_separator} = '='; - $msec->{functions}{val_separator} = '\('; - $msec->{checks}{def_separator} = '='; - $msec->{functions}{def_separator} = ' '; - $msec->reload; - - $msec->{checks}{default} = { $msec->load_defaults('checks') }; - $msec->{functions}{value} = { $msec->load_values('functions') }; - $msec->{checks}{value} = { $msec->load_values('checks') }; - $msec; -} - -1; diff --git a/perl-install/security/various.pm b/perl-install/security/various.pm deleted file mode 100644 index 23b9174ef..000000000 --- a/perl-install/security/various.pm +++ /dev/null @@ -1,30 +0,0 @@ -package security::various; # $Id$ - -use diagnostics; -use strict; - -use common; - -sub config_libsafe { - my $setting = @_ > 1; - my ($prefix, $libsafe) = @_; - my %t = getVarsFromSh("$prefix/etc/sysconfig/system"); - if ($setting) { - $t{LIBSAFE} = bool2yesno($libsafe); - setVarsInSh("$prefix/etc/sysconfig/system", \%t); - } - text2bool($t{LIBSAFE}); -} - -sub config_security_user { - my $setting = @_ > 1; - my ($prefix, $sec_user) = @_; - my %t = getVarsFromSh("$prefix/etc/security/msec/security.conf"); - if ($setting) { - $t{MAIL_USER} = $sec_user; - setVarsInSh("$prefix/etc/security/msec/security.conf", \%t); - } - $t{MAIL_USER}; -} - -1; |