diff options
Diffstat (limited to 'perl-install/security/msec.pm')
-rw-r--r-- | perl-install/security/msec.pm | 297 |
1 files changed, 72 insertions, 225 deletions
diff --git a/perl-install/security/msec.pm b/perl-install/security/msec.pm index 66800ef11..20b3558e5 100644 --- a/perl-install/security/msec.pm +++ b/perl-install/security/msec.pm @@ -1,238 +1,85 @@ package security::msec; +use diagnostics; +use strict; + use common; use log; -sub get_user_list { - my @user_list = (); - - open(PASSWD, "/etc/passwd"); - while(<PASSWD>) { - my ($login_name, undef, $uid) = split(/:/,$_); - if($uid >= 500) { push(@user_list, $login_name); } - } - @user_list; +sub get_secure_level { + my ($prefix) = @_; + + cat_("/etc/profile") =~ /export SECURE_LEVEL=(\d+)/ && $1 || #- 8.0 msec + cat_("/etc/profile.d/msec.sh") =~ /export SECURE_LEVEL=(\d+)/ && $1 || #- 8.1 msec + ${{ getVarsFromSh("$prefix/etc/sysconfig/msec") }}{SECURE_LEVEL} || #- 8.2 msec + $ENV{SECURE_LEVEL}; } -sub add_config { - my ($prefix, $config_option, @values) = @_; - my $tmp_file = "$prefix/etc/security/msec/level.local.tmp"; - my $result = ""; - - $result = $config_option.'('; - foreach $value (@values) { - $result .= $value.','; - } - chop $result; - $result .= ')'; - - open(TMP_CONFIG, '>>'.$tmp_file); - print TMP_CONFIG "$result\n"; - close TMP_CONFIG; +sub config_security_user { + my ($prefix, $sec_user) = @_; + my %t = getVarsFromSh("$prefix/etc/security/msec/security.conf"); + if (@_ > 1) { + $t{MAIL_USER} = $sec_user; + setVarsInSh("$prefix/etc/security/msec/security.conf", \%t); + } + $t{MAIL_USER}; +} + +sub choose_security_level { + my ($in, $security, $libsafe, $email) = @_; + my $expert_file = "/etc/security/msec/expert_mode"; + + my %l = ( + 0 => _("Welcome To Crackers"), + 1 => _("Poor"), + 2 => _("Standard"), + 3 => _("High"), + 4 => _("Higher"), + 5 => _("Paranoid"), + ); + + my %help = ( + 0 => _("This level is to be used with care. It makes your system more easy to use, + but very sensitive: it must not be used for a machine connected to others + or to the Internet. There is no password access."), + 1 => _("Password are now enabled, but use as a networked computer is still not recommended."), + 2 => _("This is the standard security recommended for a computer that will be used to connect to the Internet as a client."), + 3 => _("There are already some restrictions, and more automatic checks are run every night."), + 4 => _("With this security level, the use of this system as a server becomes possible. + The security is now high enough to use the system as a server which can accept + connections from many clients. Note: if your machine is only a client on the Internet, you should choose a lower level."), + 5 => _("This is similar to the previous level, but the system is entirely closed and security features are at their maximum."), + ); + + delete @l{0,1}; + delete $l{5} if !$::expert; + + $in->ask_from( + ("DrakSec Basic Options"), + ("Please choose the desired security level") . "\n\n" . + join('', map { "$l{$_}: " . formatAlaTeX($help{$_}) . "\n\n" } keys %l), + [ + { label => _("Security level"), val => $security, list => [ sort keys %l ], format => sub { $l{$_} } }, + if_($in->do_pkgs->is_installed('libsafe') && arch() =~ /^i.86/, + { label => _("Use libsafe for servers"), val => $libsafe, type => 'bool', text => + _("A library which defends against buffer overflow and format string attacks.") } ), + { label => _("Security Administrator (login or email)"), val => $email }, + { label => _("Advanced Options"), type => 'button', clicked => sub { sec_options($in, $security) } } + ], + ); } -sub commit_changes { - my ($prefix) = $_; - my $tmp_file = "$prefix/etc/security/msec/level.local.tmp"; - my $config_file = "$prefix/etc/security/msec/level.local"; - my %config_data; - my $config_option = ""; - - open (TMP_CONFIG, $tmp_file); - - if (!(-x $config_file)) { - open(CONFIG_FILE, '>'.$config_file); - print CONFIG_FILE "from mseclib import *\n\n"; - while(<TMP_CONFIG>) { print CONFIG_FILE $_; } - } - else { - open(CONFIG_FILE, $config_file); - while(<CONFIG_FILE>) { - if($_ =~ /\(/) { - ($config_option, undef) = split(/\(/, $_); - (undef, $config_data{$config_option}) = split(/\(/, $_); - } - } - close CONFIG_FILE; - - while(<TMP_CONFIG>) { - ($config_option, undef) = split(/\(/, $_); - (undef, $config_data{$config_option}) = split(/\(/, $_); - } - - open(CONFIG_FILE, '>'.$config_file); - print CONFIG_FILE "from mseclib import *\n\n"; - foreach $config_option (keys %config_data) { - print CONFIG_FILE $config_option.'('.$config_data{$config_option}.'\n'; - } - } - - close CONFIG_FILE; - close TMP_CONFIG; - - standalone::rm_rf($tmp_file); -} - -sub get_config { - my ($prefix, $security) = @_; - - my (%net_options_defaults) = ( - accept_bogus_error_responses => [ 0, 0, 0, 0, 1, 1 ], - accept_icmp_echo => [ 1, 1, 1, 1, 0, 0 ], - enable_ip_spoofing_protection => [ 0, 0, 0, 1, 1, 1 ], - enable_log_strange_packets => [ 0, 0, 0, 0, 1, 1 ] ); - - my (%user_options_defaults) = ( - allow_autologin => [ 1, 1, 1, 0, 0, 0 ], - allow_issues => [ "ALL", "ALL", "ALL", "LOCAL", "LOCAL", "NONE" ], - allow_reboot => [ 1, 1, 1, 1, 0, 0 ], - allow_root_login => [ 1, 1, 1, 1, 0, 0 ], - allow_user_list => [ 1, 1, 1, 1, 0, 0 ], - enable_at_crontab => [ 1, 1, 1, 1, 0, 0 ], - enable_pam_wheel_for_su => [ 0, 0, 0, 0, 0, 0 ], - enable_password => [ 0, 1, 1, 1, 1, 1 ], - enable_sulogin => [ 0, 0, 0, 0, 1, 1 ], - password_aging => [ "99999,-1", "99999,-1", "99999,-1", "99999,-1", "60,-1", "30,-1" ], - password_length => [ "0,0,0", "0,0,0", "0,0,0", "0,0,0", "0,0,0", "0,0,0" ], - set_root_umask => [ "002", "002", "022", "022", "022", "077" ], - set_user_umask => [ "002", "002", "022", "022", "077", "077" ], - set_shell_history_size => [ "-1", "-1", "-1", "-1", "10", "10" ], - set_shell_timeout => [ "0", "0", "0", "0", "3600", "900" ] ); - - my (%server_options_defaults) = ( - allow_x_connections => [ "ALL", "LOCAL", "LOCAL", "LOCAL", "LOCAL", "NONE" ], - authorize_services => [ "ALL", "ALL", "ALL", "ALL", "LOCAL", "NONE" ], - enable_libsafe => [ 0, 0, 0, 0, 0, 0 ] ); - - my (%net_options) = ( - accept_bogus_error_responses => $net_options_defaults{accept_bogus_error_responses}[$security], - accept_icmp_echo => $net_options_defaults{accept_icmp_echo}[$security], - enable_ip_spoofing_protection => $net_options_defaults{enable_ip_spoofing_protection}[$security], - enable_log_strange_packets => $net_options_defaults{enable_log_strange_packets}[$security] +sub sec_options { + my ($in, $security) = @_; + my %options = + + $in->ask_from( + ("DrakSec Advanced Options"), + ("For explanations on the following options, click on the Help button"), + [ + %options; + ], ); - - my (%net_options_matrix) = ( - accept_bogus_error_responses => { label => _("Accept/Refuse bogus IPV4 error messages"), - val => \$net_options{accept_bogus_error_responses}, - type => "bool" }, - accept_icmp_echo => { label => _("Accept/Refuse ICMP echo"), - val => \$net_options{accept_icmp_echo}, - type => "bool" }, - enable_ip_spoofing_protection => { label => _("Enable/Disable IP spoofing protection. If alert is true, also reports to syslog"), - val => \$net_options{enable_ip_spoofing_protection}, - type=> "bool" }, - enable_log_strange_packets => { label => _("Enable/Disable the logging of IPv4 strange packets"), - val => \$net_options{enable_log_strange_packets}, - type => "bool" } - ); - - my (%user_options) = ( - allow_autologin => $user_options_defaults{allow_autologin}[$security], - allow_issues => $user_options_defaults{allow_issues}[$security], - allow_reboot => $user_options_defaults{allow_reboot}[$security], - allow_root_login => $user_options_defaults{allow_root_login}[$security], - allow_user_list => $user_options_defaults{allow_user_list}[$security], - enable_at_crontab => $user_options_defaults{enable_at_crontab}[$security], - enable_pam_wheel_for_su => $user_options_defaults{enable_pam_wheel_for_su}[$security], - enable_password => $user_options_defaults{enable_password}[$security], - enable_sulogin => $user_options_defaults{enable_sulogin}[$security], - password_aging => $user_options_defaults{password_aging}[$security], - password_length => $user_options_defaults{password_length}[$security], - set_root_umask => $user_options_defaults{set_root_umask}[$security], - set_user_umask => $user_options_defaults{set_user_umask}[$security], - set_shell_history_size => $user_options_defaults{set_shell_history_size}[$security], - set_shell_timeout => $user_options_defaults{set_shell_timeout}[$security] - ); - - my (%user_options_matrix) = ( - allow_autologin => { label => _("Allow/Forbid autologin"), - val => \$user_options{allow_autologin}, - type => "bool" }, - allow_issues => { label => _("Allow/Forbid pre-login message : If ALL, allow remote and local pre-login message (/etc/issue[.net]).\n If LOCAL, allow local pre-login message (/etc/issue). If NONE, disable pre-login message."), - val => \$user_options{allow_issues}, - list => ["ALL", "LOCAL", "NONE"] }, - allow_reboot => { label => _("Allow/Forbid reboot by the console user"), - val => \$user_options{allow_reboot}, - type => "bool" }, - allow_root_login => { label => _("Allow/Forbid direct root login"), - val => \$user_options{allow_root_login}, - type => "bool" }, - allow_user_list => { label => _("Allow/Forbid the list of users on the system in the display managers (kdm and gdm)"), - val => \$user_options{allow_user_list}, - type => "bool" }, - enable_at_crontab => { label => _("Enable/Disable crontab and at for users. Put allowed users in /etc/cron.allow\n and /etc/at.allow (see at(1) and crontab(1))"), - val => \$user_options{enable_at_crontab}, - type => "bool" }, - enable_pam_wheel_for_su => { label => _("Enable su only for members of the wheel group or allow su from any user"), - val => \$user_options{enable_pam_wheel_for_su}, - type => "bool" }, - enable_password => { label => _("Use password to authenticate users"), - val => \$user_options{enable_password}, - type => "bool" }, - enable_sulogin => { label => _("Enable/Disable sulogin in single user level (see sulogin(8))"), - val => \$user_options{enable_sulogin}, - type => "bool" }, - password_aging => { label => _("Set password aging to max days, Set delay before inactive\n (99999 to disable password aging, -1 to disable de-activation"), - val => \$user_options{password_aging} }, - password_length => { label => _("Set the password minimum length, the minimum number of digits and the minimum number of capitalized letters"), - val => \$user_options{password_length} }, - set_root_umask => { label => _("Set the root umask"), - val => \$user_options{set_root_umask} }, - set_user_umask => { label => _("Set the user umask"), - val => \$user_options{set_user_umask} }, - set_shell_history_size => { label => _("Set shell commands history size (-1 for unlimited)"), - val => \$user_options{set_shell_history_size} }, - set_shell_timeout => { label => _("Set the shell timeout in seconds (0 for unlimited)"), - val => \$user_options{set_shell_timeout} } - ); - - my (%server_options) = ( - allow_x_connections => $server_options_defaults{allow_x_connections}[$security], - authorize_services => $server_options_defaults{authorize_services}[$security], - enable_libsafe => $server_options_defaults{enable_libsafe}[$security] - ); - - my (%server_options_matrix) = ( - allow_x_connections => { label => ("Allow/Forbid X connections : If ALL, all connections allowed. If LOCAL, local connections allowed.\n If NONE, only console connections allowed"), - val => \$server_options{allow_x_connections}, - list => [ "ALL", "LOCAL", "NONE" ] }, - authorize_services => { label => _("Allow/Forbid services : If ALL, authorize all services. If LOCAL, authorize only local services.\n If NONE, disable all services. (see hosts.deny(5)). To authorize a service, see hosts.allow(5)."), - val => \$server_options{authorize_services}, - list => [ "ALL", "LOCAL", "NONE" ] }, - enable_libsafe => { label => _("Enable/Disable libsafe if it's installed on the system."), - val => \$server_options{enable_libsafe}, - type => "bool" }, - ); - - my $config_file = "$prefix/etc/security/msec/level.local"; - my $values = ""; - my $config_option = ""; - - open CONFIGFILE, $config_file; - while(<CONFIGFILE>) { - if($_ =~ /\(/) { - ($config_option, undef) = split(/\(/, $_); - (undef, $values) = split(/\(/, $_); - chop $values; - - if ($config_option ne "set_security_conf") { - if ($net_options_matrix{$config_option}{description} eq "") { - (undef, $net_options_matrix{$config_option}{value}) = $values; - } elsif ($user_options_matrix{$config_option}{description} eq "") { - (undef, $user_options_matrix{$config_option}{value}) = $values; - } elsif ($server_options_matrix{$config_option}{description} eq "") { - (undef, $server_options_matrix{$config_option}{value}) = $values; - } - } - else { - # TODO : Add code to handle set_security_conf - } - } - } - - close CONFIGFILE; - - return (\%net_options_matrix, \%user_options_matrix, \%server_options_matrix); } 1; |