-rw-r--r--conf/level.default2
-rw-r--r--src/msec/config.py2
-rwxr-xr-xsrc/msec/libmsec.py176
3 files changed, 6 insertions, 174 deletions
diff --git a/conf/level.default b/conf/level.default
index 3c5d40e..20fa9fc 100644
--- a/conf/level.default
+++ b/conf/level.default
@@ -35,7 +35,7 @@ NOTIFY_WARN=yes
WIN_PARTS_UMASK=no
CHECK_OPEN_PORT=yes
SHELL_TIMEOUT=0
-ALLOW_REMOTE_ROOT_LOGIN=without_password
+ALLOW_REMOTE_ROOT_LOGIN=without-password
ENABLE_LOG_STRANGE_PACKETS=yes
USER_UMASK=022
CHECK_RPM=yes
diff --git a/src/msec/config.py b/src/msec/config.py
index a5baef1..e60c4fa 100644
--- a/src/msec/config.py
+++ b/src/msec/config.py
@@ -79,7 +79,7 @@ SETTINGS = {'BASE_LEVEL': ("base_level",
'ACCEPT_ICMP_ECHO': ("accept_icmp_echo", ['yes', 'no']),
'ALLOW_AUTOLOGIN': ("allow_autologin", ['yes', 'no']),
'ALLOW_REBOOT': ("allow_reboot", ['yes', 'no']),
- 'ALLOW_REMOTE_ROOT_LOGIN': ("allow_remote_root_login", ['yes', 'no', 'without_password']),
+ 'ALLOW_REMOTE_ROOT_LOGIN': ("allow_remote_root_login", ['yes', 'no', 'without-password']),
'ALLOW_ROOT_LOGIN': ("allow_root_login", ['yes', 'no']),
'ALLOW_USER_LIST': ("allow_user_list", ['yes', 'no']),
'ALLOW_X_CONNECTIONS': ("allow_x_connections", ['yes', 'no', 'local']),
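Review bot: The allowed-value list on the changed line drops the old spelling `without_password` without any transition handling, so a level file or user config saved by an earlier release that still holds that value will no longer validate (or, depending on code outside this hunk, may be silently treated as unknown); the same applies to the `elif arg == "without-password":` branch in the src/msec/libmsec.py hunk. If older configs are expected to keep working, either accept both spellings for a release, `['yes', 'no', 'without-password', 'without_password']`, and normalise on read, or document the rename as a breaking change in the level files. The dictionary literal this line belongs to starts before the hunk.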
diff --git a/src/msec/libmsec.py b/src/msec/libmsec.py
index dbc1e81..b8ca925 100755
--- a/src/msec/libmsec.py
+++ b/src/msec/libmsec.py
@@ -1089,6 +1089,9 @@ class MSEC:
''' Allow/Forbid remote root login via sshd. You can specify yes, no and without-password. See sshd_config(5) man page for more information.'''
sshd_config = self.configfiles.get_config_file(SSHDCONFIG)
+ if not sshd_config.exists():
+ return
+
val = sshd_config.get_match(PERMIT_ROOT_LOGIN_REGEXP, '@1')
if val != arg:
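Review bot: The added `if not sshd_config.exists(): return` turns a missing sshd_config into a silent no-op, so a level that asks to forbid remote root login leaves no trace in the log when the file is absent, which makes the resulting state hard to audit; a log line before the return would preserve that, e.g. `self.log.info(_('sshd configuration file not found, skipping remote root login setting'))` in the style already used at `self.log.info(_('Forbidding remote root login'))` in the next hunk. With the early return in place, the `sshd_config.exists() and sshd_config.replace_line_matching(...)` guards in the following hunk can no longer be false and are now dead code that presumably should be dropped to keep one style. The enclosing method begins before this hunk and continues past it.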
@@ -1100,7 +1103,7 @@ class MSEC:
self.log.info(_('Forbidding remote root login'))
sshd_config.exists() and sshd_config.replace_line_matching(PERMIT_ROOT_LOGIN_REGEXP,
'PermitRootLogin no', 1)
- elif arg == "without_password":
+ elif arg == "without-password":
self.log.info(_('Allowing remote root login only by passphrase'))
sshd_config.exists() and sshd_config.replace_line_matching(PERMIT_ROOT_LOGIN_REGEXP,
'PermitRootLogin without-password', 1)
@@ -1573,177 +1576,6 @@ class MSEC:
""" Enables checking for dangerous options in users' .rhosts/.shosts files."""
pass
- def get_app_auth(self, app):
- ''' Determine PAM authentication scheme for an application. Returns:
- - None: if file is not found, or unknown authentication scheme
- - without_password: if no password is required
- - <user>: if user password is required
- - root: if root password is required'''
- authfile = self.configfiles.get_config_file("%s/%s" % (AUTH_PAM, app))
-
- if not authfile.exists():
- # file not found
- self.log.error(_("Unable to find PAM authentication for: %s") % app)
- return None
-
- # what kind of link is if
- link = authfile.is_link()
-
- if not link:
- # It is not a symlink...
- self.log.error(_("Unknown PAM authentication for: %s") % app)
- return None
-
- # no password
- if link.find(AUTH_LINK_CONSOLE) != -1:
- return "without_password"
-
- if link.find(AUTH_LINK_SIMPLE) != -1:
- authfile_console = self.configfiles.get_config_file("%s/%s" % (AUTH_CONSOLE, app))
- if not authfile_console.exists():
- self.log.error(_("Unable to find console authentication for: %s") % app)
- return None
- auth = authfile_console.get_shell_variable("USER")
- if auth:
- return auth
-
- # if we got here, no authentication was discovered
- self.log.error(_("Unknown authentication for: %s") % app)
-
- def set_app_auth(self, app, auth):
- ''' Configures PAM authentication scheme for an application. Valid schemes:
- - without_password: if no password is required
- - user: if user password is required
- - root: if root password is required'''
- authfile = self.configfiles.get_config_file("%s/%s" % (AUTH_PAM, app))
-
- if not authfile.exists():
- # file not found
- self.log.error(_("Unable to find PAM authentication for: %s") % app)
- return None
-
- # what kind of link is if
- link = authfile.is_link()
-
- if not link:
- # It is not a symlink...
- self.log.error(_("Unknown PAM authentication for: %s") % app)
- return None
-
- # let's set auth
- if auth == "without_password":
- if link.find(AUTH_LINK_CONSOLE) != -1:
- self.log.info(_("Configuring %s for password-less authentication") % app)
- authfile.symlink("%s/%s" % (AUTH_PAM, AUTH_LINK_CONSOLE))
- elif auth == "user" or auth == "root":
- if link.find(AUTH_LINK_SIMPLE) != -1:
- authfile.symlink("%s/%s" % (AUTH_PAM, AUTH_LINK_SIMPLE))
-
- authfile_console = self.configfiles.get_config_file("%s/%s" % (AUTH_CONSOLE, app))
- curauth = authfile.get_shell_variable("USER")
- if not curauth:
- # file not created? something wrong with the file
- self.log.error(_("Unable to find console authentication for: %s") % app)
- return None
- if auth == "user":
- newauth = "<user>"
- else:
- newauth = auth
- if newauth != curauth:
- self.log.info(_("Configuring %s for %s authentication") % (app, auth))
- authfile_console.set_shell_variable("USER", newauth)
- else:
- # if we got here, no authentication was discovered
- self.log.error(_("Unknown authentication for: %s") % app)
-
- def auth_rpmdrake(self, param):
- """Authentication for rpmdrake"""
- pass
-
- def auth_mandrivaupdate(self, param):
- """Authentication for MandrivaUpdate"""
- pass
-
- def auth_drakrpm_edit_media(self, param):
- """Authentication for drakrpm-edit-media"""
- pass
-
- def auth_drak3d(self, param):
- """Authentication for drak3d"""
- pass
-
- def auth_xfdrake(self, param):
- """Authentication for xfdrake"""
- pass
-
- def auth_drakmouse(self, param):
- """Authentication for drakmouse"""
- pass
-
- def auth_drakkeyboard(self, param):
- """Authentication for drakkeyboard"""
- pass
-
- def auth_drakups(self, param):
- """Authentication for drakups"""
- pass
-
- def auth_drakconnect(self, param):
- """Authentication for drakconnect"""
- pass
-
- def auth_drakhosts(self, param):
- """Authentication for drakhosts"""
- pass
-
- def auth_draknetcenter(self, param):
- """Authentication for draknetcenter"""
- pass
-
- def auth_drakvpn(self, param):
- """Authentication for drakvpn"""
- pass
-
- def auth_drakproxy(self, param):
- """Authentication for drakproxy"""
- pass
-
- def auth_drakgw(self, param):
- """Authentication for drakgw"""
- pass
-
- def auth_drakauth(self, param):
- """Authentication for drakauth"""
- pass
-
- def auth_drakbackup(self, param):
- """Authentication for drakbackup"""
- pass
-
- def auth_drakfont(self, param):
- """Authentication for drakfont"""
- pass
-
- def auth_draklog(self, param):
- """Authentication for draklog"""
- pass
-
- def auth_drakxservices(self, param):
- """Authentication for drakxservices"""
- pass
-
- def auth_userdrake(self, param):
- """Authentication for userdrake"""
- pass
-
- def auth_drakclock(self, param):
- """Authentication for drakclock"""
- pass
-
- def auth_drakboot(self, param):
- """Authentication for drakboot"""
- pass
-
# TODO: unfinished
def enable_apparmor(self, param):
"""Enables support for AppArmor security framework"""