summaryrefslogtreecommitdiffstats
path: root/perl-install/security
diff options
context:
space:
mode:
Diffstat (limited to 'perl-install/security')
-rw-r--r--perl-install/security/msec.pm297
1 files changed, 72 insertions, 225 deletions
diff --git a/perl-install/security/msec.pm b/perl-install/security/msec.pm
index 66800ef11..20b3558e5 100644
--- a/perl-install/security/msec.pm
+++ b/perl-install/security/msec.pm
@@ -1,238 +1,85 @@
package security::msec;
+use diagnostics;
+use strict;
+
use common;
use log;
-sub get_user_list {
- my @user_list = ();
-
- open(PASSWD, "/etc/passwd");
- while(<PASSWD>) {
- my ($login_name, undef, $uid) = split(/:/,$_);
- if($uid >= 500) { push(@user_list, $login_name); }
- }
- @user_list;
+sub get_secure_level {
+ my ($prefix) = @_;
+
+ cat_("/etc/profile") =~ /export SECURE_LEVEL=(\d+)/ && $1 || #- 8.0 msec
+ cat_("/etc/profile.d/msec.sh") =~ /export SECURE_LEVEL=(\d+)/ && $1 || #- 8.1 msec
+ ${{ getVarsFromSh("$prefix/etc/sysconfig/msec") }}{SECURE_LEVEL} || #- 8.2 msec
+ $ENV{SECURE_LEVEL};
}
-sub add_config {
- my ($prefix, $config_option, @values) = @_;
- my $tmp_file = "$prefix/etc/security/msec/level.local.tmp";
- my $result = "";
-
- $result = $config_option.'(';
- foreach $value (@values) {
- $result .= $value.',';
- }
- chop $result;
- $result .= ')';
-
- open(TMP_CONFIG, '>>'.$tmp_file);
- print TMP_CONFIG "$result\n";
- close TMP_CONFIG;
+sub config_security_user {
+ my ($prefix, $sec_user) = @_;
+ my %t = getVarsFromSh("$prefix/etc/security/msec/security.conf");
+ if (@_ > 1) {
+ $t{MAIL_USER} = $sec_user;
+ setVarsInSh("$prefix/etc/security/msec/security.conf", \%t);
+ }
+ $t{MAIL_USER};
+}
+
+sub choose_security_level {
+ my ($in, $security, $libsafe, $email) = @_;
+ my $expert_file = "/etc/security/msec/expert_mode";
+
+ my %l = (
+ 0 => _("Welcome To Crackers"),
+ 1 => _("Poor"),
+ 2 => _("Standard"),
+ 3 => _("High"),
+ 4 => _("Higher"),
+ 5 => _("Paranoid"),
+ );
+
+ my %help = (
+ 0 => _("This level is to be used with care. It makes your system more easy to use,
+ but very sensitive: it must not be used for a machine connected to others
+ or to the Internet. There is no password access."),
+ 1 => _("Password are now enabled, but use as a networked computer is still not recommended."),
+ 2 => _("This is the standard security recommended for a computer that will be used to connect to the Internet as a client."),
+ 3 => _("There are already some restrictions, and more automatic checks are run every night."),
+ 4 => _("With this security level, the use of this system as a server becomes possible.
+ The security is now high enough to use the system as a server which can accept
+ connections from many clients. Note: if your machine is only a client on the Internet, you should choose a lower level."),
+ 5 => _("This is similar to the previous level, but the system is entirely closed and security features are at their maximum."),
+ );
+
+ delete @l{0,1};
+ delete $l{5} if !$::expert;
+
+ $in->ask_from(
+ ("DrakSec Basic Options"),
+ ("Please choose the desired security level") . "\n\n" .
+ join('', map { "$l{$_}: " . formatAlaTeX($help{$_}) . "\n\n" } keys %l),
+ [
+ { label => _("Security level"), val => $security, list => [ sort keys %l ], format => sub { $l{$_} } },
+ if_($in->do_pkgs->is_installed('libsafe') && arch() =~ /^i.86/,
+ { label => _("Use libsafe for servers"), val => $libsafe, type => 'bool', text =>
+ _("A library which defends against buffer overflow and format string attacks.") } ),
+ { label => _("Security Administrator (login or email)"), val => $email },
+ { label => _("Advanced Options"), type => 'button', clicked => sub { sec_options($in, $security) } }
+ ],
+ );
}
-sub commit_changes {
- my ($prefix) = $_;
- my $tmp_file = "$prefix/etc/security/msec/level.local.tmp";
- my $config_file = "$prefix/etc/security/msec/level.local";
- my %config_data;
- my $config_option = "";
-
- open (TMP_CONFIG, $tmp_file);
-
- if (!(-x $config_file)) {
- open(CONFIG_FILE, '>'.$config_file);
- print CONFIG_FILE "from mseclib import *\n\n";
- while(<TMP_CONFIG>) { print CONFIG_FILE $_; }
- }
- else {
- open(CONFIG_FILE, $config_file);
- while(<CONFIG_FILE>) {
- if($_ =~ /\(/) {
- ($config_option, undef) = split(/\(/, $_);
- (undef, $config_data{$config_option}) = split(/\(/, $_);
- }
- }
- close CONFIG_FILE;
-
- while(<TMP_CONFIG>) {
- ($config_option, undef) = split(/\(/, $_);
- (undef, $config_data{$config_option}) = split(/\(/, $_);
- }
-
- open(CONFIG_FILE, '>'.$config_file);
- print CONFIG_FILE "from mseclib import *\n\n";
- foreach $config_option (keys %config_data) {
- print CONFIG_FILE $config_option.'('.$config_data{$config_option}.'\n';
- }
- }
-
- close CONFIG_FILE;
- close TMP_CONFIG;
-
- standalone::rm_rf($tmp_file);
-}
-
-sub get_config {
- my ($prefix, $security) = @_;
-
- my (%net_options_defaults) = (
- accept_bogus_error_responses => [ 0, 0, 0, 0, 1, 1 ],
- accept_icmp_echo => [ 1, 1, 1, 1, 0, 0 ],
- enable_ip_spoofing_protection => [ 0, 0, 0, 1, 1, 1 ],
- enable_log_strange_packets => [ 0, 0, 0, 0, 1, 1 ] );
-
- my (%user_options_defaults) = (
- allow_autologin => [ 1, 1, 1, 0, 0, 0 ],
- allow_issues => [ "ALL", "ALL", "ALL", "LOCAL", "LOCAL", "NONE" ],
- allow_reboot => [ 1, 1, 1, 1, 0, 0 ],
- allow_root_login => [ 1, 1, 1, 1, 0, 0 ],
- allow_user_list => [ 1, 1, 1, 1, 0, 0 ],
- enable_at_crontab => [ 1, 1, 1, 1, 0, 0 ],
- enable_pam_wheel_for_su => [ 0, 0, 0, 0, 0, 0 ],
- enable_password => [ 0, 1, 1, 1, 1, 1 ],
- enable_sulogin => [ 0, 0, 0, 0, 1, 1 ],
- password_aging => [ "99999,-1", "99999,-1", "99999,-1", "99999,-1", "60,-1", "30,-1" ],
- password_length => [ "0,0,0", "0,0,0", "0,0,0", "0,0,0", "0,0,0", "0,0,0" ],
- set_root_umask => [ "002", "002", "022", "022", "022", "077" ],
- set_user_umask => [ "002", "002", "022", "022", "077", "077" ],
- set_shell_history_size => [ "-1", "-1", "-1", "-1", "10", "10" ],
- set_shell_timeout => [ "0", "0", "0", "0", "3600", "900" ] );
-
- my (%server_options_defaults) = (
- allow_x_connections => [ "ALL", "LOCAL", "LOCAL", "LOCAL", "LOCAL", "NONE" ],
- authorize_services => [ "ALL", "ALL", "ALL", "ALL", "LOCAL", "NONE" ],
- enable_libsafe => [ 0, 0, 0, 0, 0, 0 ] );
-
- my (%net_options) = (
- accept_bogus_error_responses => $net_options_defaults{accept_bogus_error_responses}[$security],
- accept_icmp_echo => $net_options_defaults{accept_icmp_echo}[$security],
- enable_ip_spoofing_protection => $net_options_defaults{enable_ip_spoofing_protection}[$security],
- enable_log_strange_packets => $net_options_defaults{enable_log_strange_packets}[$security]
+sub sec_options {
+ my ($in, $security) = @_;
+ my %options =
+
+ $in->ask_from(
+ ("DrakSec Advanced Options"),
+ ("For explanations on the following options, click on the Help button"),
+ [
+ %options;
+ ],
);
-
- my (%net_options_matrix) = (
- accept_bogus_error_responses => { label => _("Accept/Refuse bogus IPV4 error messages"),
- val => \$net_options{accept_bogus_error_responses},
- type => "bool" },
- accept_icmp_echo => { label => _("Accept/Refuse ICMP echo"),
- val => \$net_options{accept_icmp_echo},
- type => "bool" },
- enable_ip_spoofing_protection => { label => _("Enable/Disable IP spoofing protection. If alert is true, also reports to syslog"),
- val => \$net_options{enable_ip_spoofing_protection},
- type=> "bool" },
- enable_log_strange_packets => { label => _("Enable/Disable the logging of IPv4 strange packets"),
- val => \$net_options{enable_log_strange_packets},
- type => "bool" }
- );
-
- my (%user_options) = (
- allow_autologin => $user_options_defaults{allow_autologin}[$security],
- allow_issues => $user_options_defaults{allow_issues}[$security],
- allow_reboot => $user_options_defaults{allow_reboot}[$security],
- allow_root_login => $user_options_defaults{allow_root_login}[$security],
- allow_user_list => $user_options_defaults{allow_user_list}[$security],
- enable_at_crontab => $user_options_defaults{enable_at_crontab}[$security],
- enable_pam_wheel_for_su => $user_options_defaults{enable_pam_wheel_for_su}[$security],
- enable_password => $user_options_defaults{enable_password}[$security],
- enable_sulogin => $user_options_defaults{enable_sulogin}[$security],
- password_aging => $user_options_defaults{password_aging}[$security],
- password_length => $user_options_defaults{password_length}[$security],
- set_root_umask => $user_options_defaults{set_root_umask}[$security],
- set_user_umask => $user_options_defaults{set_user_umask}[$security],
- set_shell_history_size => $user_options_defaults{set_shell_history_size}[$security],
- set_shell_timeout => $user_options_defaults{set_shell_timeout}[$security]
- );
-
- my (%user_options_matrix) = (
- allow_autologin => { label => _("Allow/Forbid autologin"),
- val => \$user_options{allow_autologin},
- type => "bool" },
- allow_issues => { label => _("Allow/Forbid pre-login message : If ALL, allow remote and local pre-login message (/etc/issue[.net]).\n If LOCAL, allow local pre-login message (/etc/issue). If NONE, disable pre-login message."),
- val => \$user_options{allow_issues},
- list => ["ALL", "LOCAL", "NONE"] },
- allow_reboot => { label => _("Allow/Forbid reboot by the console user"),
- val => \$user_options{allow_reboot},
- type => "bool" },
- allow_root_login => { label => _("Allow/Forbid direct root login"),
- val => \$user_options{allow_root_login},
- type => "bool" },
- allow_user_list => { label => _("Allow/Forbid the list of users on the system in the display managers (kdm and gdm)"),
- val => \$user_options{allow_user_list},
- type => "bool" },
- enable_at_crontab => { label => _("Enable/Disable crontab and at for users. Put allowed users in /etc/cron.allow\n and /etc/at.allow (see at(1) and crontab(1))"),
- val => \$user_options{enable_at_crontab},
- type => "bool" },
- enable_pam_wheel_for_su => { label => _("Enable su only for members of the wheel group or allow su from any user"),
- val => \$user_options{enable_pam_wheel_for_su},
- type => "bool" },
- enable_password => { label => _("Use password to authenticate users"),
- val => \$user_options{enable_password},
- type => "bool" },
- enable_sulogin => { label => _("Enable/Disable sulogin in single user level (see sulogin(8))"),
- val => \$user_options{enable_sulogin},
- type => "bool" },
- password_aging => { label => _("Set password aging to max days, Set delay before inactive\n (99999 to disable password aging, -1 to disable de-activation"),
- val => \$user_options{password_aging} },
- password_length => { label => _("Set the password minimum length, the minimum number of digits and the minimum number of capitalized letters"),
- val => \$user_options{password_length} },
- set_root_umask => { label => _("Set the root umask"),
- val => \$user_options{set_root_umask} },
- set_user_umask => { label => _("Set the user umask"),
- val => \$user_options{set_user_umask} },
- set_shell_history_size => { label => _("Set shell commands history size (-1 for unlimited)"),
- val => \$user_options{set_shell_history_size} },
- set_shell_timeout => { label => _("Set the shell timeout in seconds (0 for unlimited)"),
- val => \$user_options{set_shell_timeout} }
- );
-
- my (%server_options) = (
- allow_x_connections => $server_options_defaults{allow_x_connections}[$security],
- authorize_services => $server_options_defaults{authorize_services}[$security],
- enable_libsafe => $server_options_defaults{enable_libsafe}[$security]
- );
-
- my (%server_options_matrix) = (
- allow_x_connections => { label => ("Allow/Forbid X connections : If ALL, all connections allowed. If LOCAL, local connections allowed.\n If NONE, only console connections allowed"),
- val => \$server_options{allow_x_connections},
- list => [ "ALL", "LOCAL", "NONE" ] },
- authorize_services => { label => _("Allow/Forbid services : If ALL, authorize all services. If LOCAL, authorize only local services.\n If NONE, disable all services. (see hosts.deny(5)). To authorize a service, see hosts.allow(5)."),
- val => \$server_options{authorize_services},
- list => [ "ALL", "LOCAL", "NONE" ] },
- enable_libsafe => { label => _("Enable/Disable libsafe if it's installed on the system."),
- val => \$server_options{enable_libsafe},
- type => "bool" },
- );
-
- my $config_file = "$prefix/etc/security/msec/level.local";
- my $values = "";
- my $config_option = "";
-
- open CONFIGFILE, $config_file;
- while(<CONFIGFILE>) {
- if($_ =~ /\(/) {
- ($config_option, undef) = split(/\(/, $_);
- (undef, $values) = split(/\(/, $_);
- chop $values;
-
- if ($config_option ne "set_security_conf") {
- if ($net_options_matrix{$config_option}{description} eq "") {
- (undef, $net_options_matrix{$config_option}{value}) = $values;
- } elsif ($user_options_matrix{$config_option}{description} eq "") {
- (undef, $user_options_matrix{$config_option}{value}) = $values;
- } elsif ($server_options_matrix{$config_option}{description} eq "") {
- (undef, $server_options_matrix{$config_option}{value}) = $values;
- }
- }
- else {
- # TODO : Add code to handle set_security_conf
- }
- }
- }
-
- close CONFIGFILE;
-
- return (\%net_options_matrix, \%user_options_matrix, \%server_options_matrix);
}
1;