From 576618525818737b129c285fbe562937dbcfe45d Mon Sep 17 00:00:00 2001 From: Christian Belisle Date: Tue, 30 Jul 2002 21:08:36 +0000 Subject: - complete re-write --- perl-install/security/msec.pm | 159 ++++++++++++++++++++++++++++++++++------ perl-install/standalone/draksec | 10 +-- 2 files changed, 138 insertions(+), 31 deletions(-) (limited to 'perl-install') diff --git a/perl-install/security/msec.pm b/perl-install/security/msec.pm index 39eddeb92..052dbe1b6 100644 --- a/perl-install/security/msec.pm +++ b/perl-install/security/msec.pm @@ -8,7 +8,7 @@ use log; sub get_secure_level { my ($prefix) = @_; - + cat_("$prefix/etc/profile") =~ /export SECURE_LEVEL=(\d+)/ && $1 || #- 8.0 msec cat_("$prefix/etc/profile.d/msec.sh") =~ /export SECURE_LEVEL=(\d+)/ && $1 || #- 8.1 msec ${{ getVarsFromSh("$prefix/etc/sysconfig/msec") }}{SECURE_LEVEL} || #- 8.2 msec @@ -18,31 +18,127 @@ sub get_secure_level { sub config_security_user { my ($prefix, $sec_user) = @_; my %t = getVarsFromSh("$prefix/etc/security/msec/security.conf"); - if (@_ > 1) { + if (@_ > 1) { $t{MAIL_USER} = $sec_user; setVarsInSh("$prefix/etc/security/msec/security.conf", \%t); - } + } $t{MAIL_USER}; -} +} + +sub get_functions { + my $prefix = $_; + my @functions = (); + my @ignore_list = qw(indirect commit_changes closelog error initlog log set_secure_level + set_security_conf set_server_level print_changes get_translation + password_aging password_length enable_libsafe); + my $file = "$prefix/usr/share/msec/mseclib.py"; + my $function = ''; + + open F, $file; + while () { + if ($_ =~ /^def/) { + (undef, $function) = split(/ /, $_); + ($function, undef) = split(/\(/, $function); + if (!(member($function, @ignore_list))) { push(@functions, $function); } + } + } + close F; + + @functions; +} + +sub get_value { + my ($prefix, $function) = @_; + my $value = ''; + my $msec_options = "$prefix/etc/security/msec/level.local"; + my $msec_defaults = "$prefix/etc/security/msec/msec.defaults"; + my $found = 0; + + if (-e $msec_options) { + open F, $msec_options; + while() { + if($_ =~ /^$function/) { + (undef, $value) = split(/\(/, $_); + chop $value; chop $value; + $found = 1; + } + if ($found == 0) { $value = "default"; } + } + close F; + } + else { $value = "default"; } + $value; +} + +sub set_option { + my ($prefix, $option, $value) =@_; + my %functions_hash = ( ); + my $key = ""; + + my $msec_options = "$prefix/etc/security/msec/level.local"; + + if(-e $msec_options) { + open F, $msec_options; + while() { + if (!($_ =~ /^from mseclib/) && $_ ne "\n") { + my ($name, $value_set) = split (/\(/, $_); + chop $value_set; chop $value_set; + $functions_hash{$name} = $value_set; + } + } + close F; + } + + $functions_hash{$option} = $value; + + open F, '>'.$msec_options; + print F "from mseclib import *\n\n"; + foreach $key (keys %functions_hash) { + if ($functions_hash{$key} ne "default") { + print F "$key"."($functions_hash{$key})\n"; + } + } + close F; +} sub get_options { my ($prefix, $security) = @_; my %options = (); - + my @functions = get_functions($prefix); + my $key = ""; + + foreach $key (@functions) { + $options{$key} = get_value($prefix, $key); + } + %options; } +sub get_default { + my ($prefix, $function, $security) = @_; + my $default_file = "$prefix/usr/share/msec/level.".$security; + my $default_value = ""; + + open F, $default_file; + while() { + if ($_ =~ /^$function/) { (undef, $default_value) = split(/ /, $_); } + } + close F; + chop $default_value; + $default_value; +} + sub choose_security_level { - my ($in, $security, $libsafe, $email) = @_; + my ($in, $security, $libsafe, $email, $signal) = @_; my %l = ( 0 => _("Welcome To Crackers"), 1 => _("Poor"), 2 => _("Standard"), - 3 => _("High"), + 3 => _("High"), 4 => _("Higher"), 5 => _("Paranoid"), - ); + ); my %help = ( 0 => _("This level is to be used with care. It makes your system more easy to use, @@ -55,11 +151,11 @@ sub choose_security_level { The security is now high enough to use the system as a server which can accept connections from many clients. Note: if your machine is only a client on the Internet, you should choose a lower level."), 5 => _("This is similar to the previous level, but the system is entirely closed and security features are at their maximum."), - ); - - delete @l{0,1}; + ); + + delete @l{0,1}; delete $l{5} if !$::expert; - + $in->ask_from( ("DrakSec Basic Options"), ("Please choose the desired security level") . "\n\n" . @@ -70,21 +166,38 @@ sub choose_security_level { { label => _("Use libsafe for servers"), val => $libsafe, type => 'bool', text => _("A library which defends against buffer overflow and format string attacks.") } ), { label => _("Security Administrator (login or email)"), val => $email }, - { label => _("Advanced Options"), type => 'button', clicked => sub { sec_options($in, $security) } } + { val => _("Advanced Options"), type => 'button', clicked_may_quit => sub { $$signal = 1; } } ], - ); + ); } -sub sec_options { - my ($in, $security) = @_; - my %options = get_options('', $security); - +sub choose_options { + my ($in, $rfunctions, $signal, $security) = @_; + my $i = 0; + my @display = (); + my $key = ""; + my $default = ""; + + foreach $key (keys %$rfunctions) { + $default = get_default('', $key, $security); + if ($default eq "yes" || $default eq "no") { + $display[$i] = { label => $key." (default=$default)", val =>\$$rfunctions{$key}, list => ["yes", "no", "default"] }; + } + elsif ($default eq "ALL" || $default eq "NONE" || $default eq "LOCAL") { + $display[$i] = { label => $key." (default=$default)", val =>\$$rfunctions{$key}, list => ["ALL", "NONE", "LOCAL", "default"] }; + } + else { + $display[$i] = { label => $key." (default=$default)", val => \$$rfunctions{$key} }; + } + $i++; + } + $in->ask_from( - ("DrakSec Advanced Options"), - ("For explanations on the following options, click on the Help button"), - [ - %options - ], + ("DrakSec - Advanced Options"), + ("You can customize the following options. For more information, see the mseclib manual page."), + [ @display, + { val =>_("Basic Options"), type => 'button', clicked_may_quit => sub { $$signal = 0; print "";} } + ], ); } diff --git a/perl-install/standalone/draksec b/perl-install/standalone/draksec index 6af60a0b1..fa1ff2961 100755 --- a/perl-install/standalone/draksec +++ b/perl-install/standalone/draksec @@ -7,11 +7,10 @@ use standalone; #- warning, standalone must be loaded very first, for 'expla use common; use interactive; use log; -use security::msec; +use security::main; local $_ = join '', @ARGV; - /-h/ and die "usage: draksec [--expert]\n"; $::expert = /-expert/ || cat_("/etc/sysconfig/system") =~ /^CLASS="?expert/m; #" @@ -22,12 +21,7 @@ my $in = 'interactive'->vnew('su', 'security'); begin: $::isEmbedded and kill USR2, $::CCPID; -my $security = security::msec::get_secure_level(''); -my $libsafe = security::msec::config_libsafe(''); -my $sec_user = security::msec::config_security_user(''); -my $w; - -security::main($in, $security, $sec_user); +security::main::main($prefix, $in); !$::isEmbedded ? $in->exit(0) : kill(USR1, $::CCPID); goto begin; -- cgit v1.2.1