-rw-r--r-- | share/libmsec.py | 67 |
1 files changed, 61 insertions, 6 deletions
diff --git a/share/libmsec.py b/share/libmsec.py index f95e1c7..d964e74 100644 --- a/share/libmsec.py +++ b/share/libmsec.py @@ -81,6 +81,9 @@ NONE=0 ALL=1 LOCAL=2 +ALL_LOCAL_NONE_TRANS = {ALL : 'ALL', NONE: 'NONE', LOCAL : 'LOCAL'} +YES_NO_TRANS = {1 : 'yes', 0 : 'no'} + # config files => actions ConfigFile.add_config_assoc(INITTAB, '/sbin/telinit q') @@ -91,7 +94,7 @@ ConfigFile.add_config_assoc(LILOCONF, '[ `/usr/sbin/detectloader` = LILO ] && /s ConfigFile.add_config_assoc(SYSLOGCONF, '[ -f /var/lock/subsys/syslog ] && service syslog reload') ConfigFile.add_config_assoc('^/etc/issue$', '/usr/bin/killall mingetty') -# +# rules def changing_level(): 'D' @@ -142,6 +145,8 @@ during the installation of packages.''' _interactive and log(_('Restricting chkconfig --add from rpm')) server.symlink(SERVER + '.' + str(level)) +create_server_link.arg_trans = YES_NO_TRANS + # helper function for set_root_umask and set_user_umask def set_umask(variable, umask, msg): 'D' @@ -214,6 +219,9 @@ local connection) and NONE (no connection).''' error(_('invalid allow_x_connections arg: %s') % arg) return +allow_x_connections.arg_trans=ALL_LOCAL_NONE_TRANS +allow_x_connections.one_arg = 1 + STARTX_REGEXP = '(\s*clientargs=".*) -nolisten tcp(.*")' XSERVERS_REGEXP = '(\s*[^#]+/usr/X11R6/bin/X .*) -nolisten tcp(.*)' GDMCONF_REGEXP = '(\s*command=.*/X.*?) -nolisten tcp(.*)$' @@ -250,6 +258,8 @@ to the X server on the tcp port 6000 or not.''' xservers.exists() and xservers.replace_line_matching('(\s*[^#]+/usr/X11R6/bin/X .*?)( -nolisten tcp)?$', '@1 -nolisten tcp', 0, 1) gdmconf.exists() and gdmconf. replace_line_matching('(\s*command=.*/X.*?)( -nolisten tcp)?$', '@1 -nolisten tcp', 0, 1) +allow_xserver_to_listen.arg_trans = YES_NO_TRANS + def set_shell_timeout(val): ''' Set the shell timeout. A value of zero means no timeout.''' 
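Review bot: The new `ALL_LOCAL_NONE_TRANS` and `YES_NO_TRANS` tables in the first hunk, and the `arg_trans`/`one_arg` function attributes the rest of this commit attaches to rules, are introduced without a comment saying what reads them or what happens when an argument is not a key. The consumer is not part of this diff, so the protocol is invisible to anyone who adds the next rule and has to choose between the two tables. A short comment above the two dict lines naming the reader of these attributes and the expected behaviour for a missing key would make the convention discoverable; the `{ALL : 'ALL', NONE: 'NONE', LOCAL : 'LOCAL'}` literal would also read better with uniform `key: value` spacing.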
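Review bot: `allow_x_connections.arg_trans=ALL_LOCAL_NONE_TRANS` in the `@@ -214,6 +219,9 @@` hunk is the only added attribute assignment written without spaces around `=`; every sibling in this commit uses the `name.arg_trans = TABLE` form. The line directly below it, `allow_x_connections.one_arg = 1`, already follows the convention, so the mismatch sits within two lines. It should read `allow_x_connections.arg_trans = ALL_LOCAL_NONE_TRANS`.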
@@ -341,7 +351,9 @@ def allow_reboot(arg): sysctlconf.set_shell_variable('kernel.sysrq', 0) kdmrc.exists() and kdmrc.set_shell_variable('AllowShutdown', 'None', 'X-:\*-Greeter', '^\s*$') gdmconf.exists() and gdmconf.set_shell_variable('SystemMenu', 'false', '\[greeter\]', '^\s*$') - + +allow_reboot.arg_trans = YES_NO_TRANS + def allow_user_list(arg): ''' Allow/Forbid the list of users on the system on display managers (kdm and gdm).''' kdmrc = ConfigFile.get_config_file(KDMRC) @@ -373,6 +385,8 @@ def allow_user_list(arg): oldval_kdmrc != val_gdmconf and kdmrc.exists() and kdmrc.set_shell_variable('ShowUsers', val_kdmrc) oldval_gdmconf != val_gdmconf and gdmconf.exists() and gdmconf.set_shell_variable('Browser', val_gdmconf) +allow_user_list.arg_trans = YES_NO_TRANS + def allow_root_login(arg): ''' Allow/Forbid direct root login.''' securetty = ConfigFile.get_config_file(SECURETTY) @@ -432,6 +446,8 @@ def allow_root_login(arg): securetty.remove_line_matching('.+', 1) +allow_root_login.arg_trans = YES_NO_TRANS + def allow_remote_root_login(arg): ''' Allow/Forbid remote root login.''' sshd_config = ConfigFile.get_config_file(SSHDCONFIG) @@ -459,6 +475,8 @@ def allow_remote_root_login(arg): sshd_config.exists() and sshd_config.replace_line_matching('^\s*PermitRootLogin\s+(no|yes)', 'PermitRootLogin no', 1) +allow_remote_root_login.arg_trans = YES_NO_TRANS + def enable_pam_wheel_for_su(arg): ''' Enabling su only from members of the wheel group or allow su from any user.''' su = ConfigFile.get_config_file(SU) @@ -490,7 +508,9 @@ def enable_pam_wheel_for_su(arg): if val: _interactive and log(_('Allowing su for all')) su.exists() and su.remove_line_matching('^auth\s+required\s+/lib/security/pam_wheel.so\s+use_uid\s*$') - + +enable_pam_wheel_for_su.arg_trans = YES_NO_TRANS + def allow_issues(arg): ''' If \\fIarg\\fP = ALL allow /etc/issue and /etc/issue.net to exist. If \\fIarg\\fP = NONE no issues are allowed else only /etc/issue is allowed.''' 
@@ -525,6 +545,8 @@ allowed else only /etc/issue is allowed.''' _interactive and log(_('Disabling network pre-login message')) issuenet.exists(1) and issuenet.move(SUFFIX) +allow_issues.arg_trans = YES_NO_TRANS + def allow_autologin(arg): ''' Allow/Forbid autologin.''' autologin = ConfigFile.get_config_file(AUTOLOGIN) @@ -548,6 +570,8 @@ def allow_autologin(arg): _interactive and log(_('Forbidding autologin')) autologin.exists() and autologin.set_shell_variable('AUTOLOGIN', 'no') +allow_autologin.arg_trans = YES_NO_TRANS + def password_loader(value): 'D' _interactive and log(_('Activating password in boot loader')) @@ -596,6 +620,8 @@ dev the device to report the log.''' _interactive and log(_('Disabling log on console')) syslogconf.exists() and syslogconf.remove_line_matching('\s*[^#]+/dev/') +enable_console_log.arg_trans = YES_NO_TRANS + CRON_ENTRY = '*/1 * * * * root /usr/share/msec/promisc_check.sh' CRON_REGEX = '[^#]+/usr/share/msec/promisc_check.sh' @@ -619,6 +645,8 @@ def enable_promisc_check(arg): _interactive and log(_('Disabling periodic promiscuity check')) cron.remove_line_matching('[^#]+/usr/share/msec/promisc_check.sh') +enable_promisc_check.arg_trans = YES_NO_TRANS + def enable_security_check(arg): ''' Activate/Disable daily security check.''' cron = ConfigFile.get_config_file(CRON) @@ -642,6 +670,8 @@ def enable_security_check(arg): _interactive and log(_('Disabling daily security check')) securitycron.unlink() +enable_security_check.arg_trans = YES_NO_TRANS + ALL_REGEXP = '^ALL:ALL:DENY' ALL_LOCAL_REGEXP = '^ALL:ALL EXCEPT 127\.0\.0\.1:DENY' def authorize_services(arg): 
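Review bot: `allow_issues.arg_trans = YES_NO_TRANS` in the `@@ -525,6 +545,8 @@` hunk appears to use the wrong table: the function's docstring, visible at the end of the preceding hunk, describes an `ALL` / `NONE` / otherwise argument, which is the shape `ALL_LOCAL_NONE_TRANS` encodes and which `allow_x_connections` and `authorize_services` receive elsewhere in this commit. With `ALL=1`, `LOCAL=2` and `NONE=0` from the first hunk, a consumer indexing `YES_NO_TRANS` with the rule's argument would render `ALL` as `yes` and have no entry at all for `LOCAL`. Unless the caller has already collapsed the value to 0/1, this should read `allow_issues.arg_trans = ALL_LOCAL_NONE_TRANS`. The body of allow_issues starts outside this hunk.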
@@ -683,6 +713,8 @@ if \\fIarg\\fP = LOCAL and none if \\fIarg\\fP = NONE. To authorize the services else: error(_('authorize_services invalid argument: %s') % arg) +authorize_services.arg_trans = ALL_LOCAL_NONE_TRANS + # helper function for enable_ip_spoofing_protection, accept_icmp_echo, accept_broadcasted_icmp_echo, # accept_bogus_error_responses and enable_log_strange_packets. def set_zero_one_variable(file, variable, value, secure_value, one_msg, zero_msg): @@ -715,6 +747,9 @@ def enable_ip_spoofing_protection(arg, alert=1): ''' Enable/Disable IP spoofing protection.''' set_zero_one_variable(SYSCTLCONF, 'net.ipv4.conf.all.rp_filter', arg, 1, 'Enabling ip spoofing protection', 'Disabling ip spoofing protection') +enable_ip_spoofing_protection.arg_trans = YES_NO_TRANS +enable_ip_spoofing_protection.one_arg = 1 + def enable_dns_spoofing_protection(arg, alert=1): ''' Enable/Disable name resolution spoofing protection. If \\fIalert\\fP is true, also reports to syslog.''' 
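Review bot: `enable_ip_spoofing_protection.one_arg = 1` in the `@@ -715,6 +747,9 @@` hunk is attached to a function whose signature is `(arg, alert=1)`, yet `enable_dns_spoofing_protection(arg, alert=1)` in the following hunk, with the identical signature, receives only `arg_trans`. If `one_arg` tells the consumer that the rule takes a single argument, the two siblings should presumably agree; if it instead marks functions whose `alert` parameter is not meaningful, the asymmetry is intentional and a one-line comment next to this `one_arg` assignment saying so would stop the next reader from "fixing" it. Both function bodies extend beyond their hunks, so the difference in how `alert` is used cannot be confirmed from this diff alone.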
@@ -738,22 +773,32 @@ def enable_dns_spoofing_protection(arg, alert=1): hostconf.remove_line_matching('nospoof') hostconf.remove_line_matching('spoofalert') +enable_dns_spoofing_protection.arg_trans = YES_NO_TRANS + def accept_icmp_echo(arg): ''' Accept/Refuse icmp echo.''' set_zero_one_variable(SYSCTLCONF, 'net.ipv4.icmp_echo_ignore_all', not arg, 1, 'Accepting icmp echo', 'Ignoring icmp echo') - + +accept_icmp_echo.arg_trans = YES_NO_TRANS + def accept_broadcasted_icmp_echo(arg): ''' Accept/Refuse broadcasted icmp echo.''' set_zero_one_variable(SYSCTLCONF, 'net.ipv4.icmp_echo_ignore_broadcasts', not arg, 1, 'Accepting broadcasted icmp echo', 'Ignoring broadcasted icmp echo') - + +accept_broadcasted_icmp_echo.arg_trans = YES_NO_TRANS + def accept_bogus_error_responses(arg): ''' Accept/Refuse bogus IPv4 error messages.''' set_zero_one_variable(SYSCTLCONF, 'net.ipv4.icmp_ignore_bogus_error_responses', not arg, 1, 'Accepting bogus icmp error responses', 'Ignoring bogus icmp error responses') - + +accept_bogus_error_responses.arg_trans = YES_NO_TRANS + def enable_log_strange_packets(arg): ''' Enable/Disable the logging of IPv4 strange packets.''' set_zero_one_variable(SYSCTLCONF, 'net.ipv4.conf.all.log_martians', arg, 1, 'Enabling logging of strange packets', 'Disabling logging of strange packets') +enable_log_strange_packets.arg_trans = YES_NO_TRANS + def enable_libsafe(arg): ''' Enable/Disable libsafe if libsafe is found on the system.''' @@ -776,6 +821,8 @@ def enable_libsafe(arg): _interactive and log(_('Disabling libsafe')) ldsopreload.remove_line_matching('[^#]*libsafe') +enable_libsafe.arg_trans = YES_NO_TRANS + LENGTH_REGEXP = '^(password\s+required\s+/lib/security/pam_cracklib.so.*?)\sminlen=([0-9]+)\s(.*)' NDIGITS_REGEXP = '^(password\s+required\s+/lib/security/pam_cracklib.so.*?)\sdcredit=([0-9]+)\s(.*)' UCREDIT_REGEXP = '^(password\s+required\s+/lib/security/pam_cracklib.so.*?)\sucredit=([0-9]+)\s(.*)' 
@@ -851,6 +898,8 @@ def enable_password(arg): system_auth.replace_line_matching(PASSWORD_REGEXP, 'auth sufficient /lib/security/pam_permit.so') or \ system_auth.insert_before('auth\s+sufficient', 'auth sufficient /lib/security/pam_permit.so') +enable_password.arg_trans = YES_NO_TRANS + SULOGIN_REGEXP = '~~:S:wait:/sbin/sulogin' def enable_sulogin(arg): ''' Enable/Disable sulogin(8) in single user level.''' @@ -872,6 +921,8 @@ def enable_sulogin(arg): _interactive and log(_('Disabling sulogin in single user runlevel')) inittab.remove_line_matching('~~:S:wait:/sbin/sulogin') +enable_sulogin.arg_trans = YES_NO_TRANS + def enable_msec_cron(arg): ''' Enable/Disable msec hourly security check.''' mseccron = ConfigFile.get_config_file(MSECCRON) @@ -892,6 +943,8 @@ def enable_msec_cron(arg): _interactive and log(_('Disabling msec periodic runs')) mseccron.unlink() +enable_msec_cron.arg_trans = YES_NO_TRANS + def enable_at_crontab(arg): ''' Enable/Disable crontab and at for users. Put allowed users in /etc/cron.allow and /etc/at.allow (see man at(1) and crontab(1)).''' @@ -919,6 +972,8 @@ def enable_at_crontab(arg): cronallow.replace_line_matching('root', 'root', 1) atallow.replace_line_matching('root', 'root', 1) +enable_at_crontab.arg_trans = YES_NO_TRANS + maximum_regex = re.compile('^Maximum:\s*([0-9]+|-1)', re.MULTILINE) inactive_regex = re.compile('^Inactive:\s*(-?[0-9]+)', re.MULTILINE) no_aging_list = [] |