Diffstat (limited to 'share/libmsec.py')
-rw-r--r-- | share/libmsec.py | 1391 |
1 files changed, 0 insertions, 1391 deletions
diff --git a/share/libmsec.py b/share/libmsec.py
deleted file mode 100644
index 2ef2e3c..0000000
--- a/share/libmsec.py
+++ /dev/null
@@ -1,1391 +0,0 @@ -#--------------------------------------------------------------- -# Project : Mandriva Linux -# Module : msec -# File : libmsec.py -# Version : $Id$ -# Author : Frederic Lepied -# Created On : Mon Dec 10 22:52:17 2001 -# Purpose : all access points of the msec utility. -#--------------------------------------------------------------- - -import ConfigFile -import Config -from Log import * - -import os -import grp -import Perms -import gettext -import pwd -import re -import string -import commands -import time -import traceback - -try: - cat = gettext.Catalog('msec') - _ = cat.gettext -except IOError: - _ = str - -SUFFIX='.msec' -_interactive=0 -_same_level=1 -FORCED = {} - -# list of config files - -ATALLOW = '/etc/at.allow' -AUTOLOGIN = '/etc/sysconfig/autologin' -BASTILLENOLOGIN = '/etc/bastille-no-login' -CRON = '/etc/cron.d/msec' -CRONALLOW = '/etc/cron.allow' -FSTAB = '/etc/fstab' -GDM = '/etc/pam.d/gdm' -GDMCONF = '/etc/X11/gdm/custom.conf' -HALT = '/usr/bin/halt' -HOSTCONF = '/etc/host.conf' -HOSTSDENY = '/etc/hosts.deny' -INITTAB = '/etc/inittab' -ISSUE = '/etc/issue' -ISSUENET = '/etc/issue.net' -KDE = '/etc/pam.d/kde' -KDMRC = '/usr/share/config/kdm/kdmrc' -LDSOPRELOAD = '/etc/ld.so.preload' -LILOCONF = '/etc/lilo.conf' -LOGINDEFS = '/etc/login.defs' -MENULST = '/boot/grub/menu.lst' -MSEC = '/etc/sysconfig/msec' -MSECBIN = '/usr/sbin/msec' -MSECCRON = '/etc/cron.hourly/msec' -MSEC_XINIT = '/etc/X11/xinit.d/msec' -OPASSWD = '/etc/security/opasswd' -PASSWD = '/etc/pam.d/passwd' -POWEROFF = '/usr/bin/poweroff' -REBOOT = '/usr/bin/reboot' -SECURETTY = '/etc/securetty' -SECURITYCONF = '/var/lib/msec/security.conf' -SECURITYCONF2 = '/etc/security/msec/security.conf' -SECURITYCRON = '/etc/cron.daily/msec' -SECURITYSH = '/usr/share/msec/security.sh' -SERVER = '/etc/security/msec/server' -SHADOW = '/etc/shadow' -SHUTDOWN = '/usr/bin/shutdown' -SHUTDOWNALLOW = '/etc/shutdown.allow' -SIMPLE_ROOT_AUTHEN = '/etc/pam.d/simple_root_authen' -SSHDCONFIG 
= '/etc/ssh/sshd_config' -STARTX = '/usr/bin/startx' -SU = '/etc/pam.d/su' -SYSCTLCONF = '/etc/sysctl.conf' -SYSLOGCONF = '/etc/syslog.conf' -SYSTEM_AUTH = '/etc/pam.d/system-auth' -XDM = '/etc/pam.d/xdm' -XSERVERS = '/etc/X11/xdm/Xservers' -EXPORT = '/root/.xauth/export' - -# constants to keep in sync with shadow.py -NONE=0 -ALL=1 -LOCAL=2 - -no=0 -yes=1 -without_password=2 - -ALL_LOCAL_NONE_TRANS = {ALL : 'ALL', NONE: 'NONE', LOCAL : 'LOCAL'} -YES_NO_TRANS = {yes : 'yes', no : 'no'} -ALLOW_ROOT_LOGIN_TRANS = {no : 'no', yes : 'yes', without_password : 'without_password'} - -# config files => actions - -ConfigFile.add_config_assoc(INITTAB, '/sbin/telinit q') -ConfigFile.add_config_assoc('/etc(?:/rc.d)?/init.d/(.+)', '[ -f /var/lock/subsys/@1 ] && @0 reload') -ConfigFile.add_config_assoc(SYSCTLCONF, '/sbin/sysctl -e -p /etc/sysctl.conf') -ConfigFile.add_config_assoc(SSHDCONFIG, '[ -f /var/lock/subsys/sshd ] && /etc/rc.d/init.d/sshd restart') -ConfigFile.add_config_assoc(LILOCONF, '[ `/usr/sbin/detectloader` = LILO ] && /sbin/lilo') -ConfigFile.add_config_assoc(SYSLOGCONF, '[ -f /var/lock/subsys/syslog ] && service syslog reload') -ConfigFile.add_config_assoc('^/etc/issue$', '/usr/bin/killall mingetty') - -# functions - -################################################################################ - -# The same_level function inspects the call stack in the 2 previous -# levels to see if a function is used that has been registered by -# force_val and if this is the case we act as if we were changing the -# security level to force the value to be used. 
-def same_level(): - 'D' - tb = traceback.extract_stack() - if FORCED.has_key(tb[-2][2]) or FORCED.has_key(tb[-3][2]): - return 0 - else: - return _same_level - -def changing_level(): - 'D' - global _same_level - _same_level=0 - -def force_val(name): - 'D' - global FORCED - FORCED[name] = 1 - -# configuration rules - -################################################################################ - -def set_secure_level(level): - msec = ConfigFile.get_config_file(MSEC) - - val = msec.get_shell_variable('SECURE_LEVEL') - - if not val or int(val) != level: - _interactive and log(_('Setting secure level to %s') % level) - msec.set_shell_variable('SECURE_LEVEL', level) - -################################################################################ - -def get_secure_level(): - 'D' - msec = ConfigFile.get_config_file(MSEC) - return msec.get_shell_variable('SECURE_LEVEL') - -################################################################################ - -def set_server_level(level): - _interactive and log(_('Setting server level to %s') % level) - securityconf = ConfigFile.get_config_file(SECURITYCONF2) - securityconf.set_shell_variable('SERVER_LEVEL', level) - -################################################################################ - -def get_server_level(): - 'D' - securityconf = ConfigFile.get_config_file(SECURITYCONF2) - level = securityconf.get_shell_variable('SERVER_LEVEL') - if level: return level - msec = ConfigFile.get_config_file(MSEC) - return msec.get_shell_variable('SECURE_LEVEL') - -################################################################################ - -def create_server_link(): - ''' If SERVER_LEVEL (or SECURE_LEVEL if absent) is greater than 3 -in /etc/security/msec/security.conf, creates the symlink /etc/security/msec/server -to point to /etc/security/msec/server.<SERVER_LEVEL>. 
The /etc/security/msec/server -is used by chkconfig --add to decide to add a service if it is present in the file -during the installation of packages.''' - level = get_server_level() - server = ConfigFile.get_config_file(SERVER) - if level in ('0', '1', '2', '3'): - _interactive and log(_('Allowing chkconfig --add from rpm')) - server.exists() and server.unlink() - else: - _interactive and log(_('Restricting chkconfig --add from rpm')) - server.symlink(SERVER + '.' + str(level)) - -create_server_link.arg_trans = YES_NO_TRANS - -################################################################################ - -STRING_TYPE = type('') - -# helper function for set_root_umask and set_user_umask -def set_umask(variable, umask, msg): - 'D' - msec = ConfigFile.get_config_file(MSEC) - - if type(umask) == STRING_TYPE: - umask = int(umask, 8) - - if msec.exists(): - val = msec.get_shell_variable(variable) - else: - val = None - - # don't lower security when not changing security level - if same_level(): - if val: - octal = umask | int(val, 8) - umask = '0%o' % octal - - if type(umask) != STRING_TYPE: - umask = '0%o' % umask - - if val != umask: - _interactive and log(_('Setting %s umask to %s') % (msg, umask)) - msec.set_shell_variable(variable, umask) - -def set_root_umask(umask): - ''' Set the root umask.''' - set_umask('UMASK_ROOT', umask, 'root') - -def set_user_umask(umask): - ''' Set the user umask.''' - set_umask('UMASK_USER', umask, 'users') - -################################################################################ - -# the listen_tcp argument is kept for backward compatibility -def allow_x_connections(arg, listen_tcp=None): - ''' Allow/Forbid X connections. 
First arg specifies what is done -on the client side: ALL (all connections are allowed), LOCAL (only -local connection) and NONE (no connection).''' - - msec = ConfigFile.get_config_file(MSEC_XINIT) - - val = msec.exists() and msec.get_match('/usr/bin/xhost\s*\+\s*([^#]*)') - - if val: - if val == '': - val = ALL - elif val == 'localhost': - val = LOCAL - else: - val = NONE - else: - val = NONE - - # don't lower security when not changing security level - if same_level(): - if val == NONE or (val == LOCAL and arg == ALL): - return - - if arg == ALL: - if val != arg: - _interactive and log(_('Allowing users to connect X server from everywhere')) - msec.exists() and msec.replace_line_matching('/usr/bin/xhost', '/usr/bin/xhost +', 1) - - elif arg == LOCAL: - if val != arg: - _interactive and log(_('Allowing users to connect X server from localhost')) - msec.exists() and msec.replace_line_matching('/usr/bin/xhost', '/usr/bin/xhost + localhost', 1) - - elif arg == NONE: - if val != arg: - _interactive and log(_('Restricting X server connection to the console user')) - msec.exists() and msec.remove_line_matching('/usr/bin/xhost', 1) - - else: - error(_('invalid allow_x_connections arg: %s') % arg) - return - -allow_x_connections.arg_trans=ALL_LOCAL_NONE_TRANS -allow_x_connections.one_arg = 1 - -################################################################################ - -STARTX_REGEXP = '(\s*serverargs=".*) -nolisten tcp(.*")' -XSERVERS_REGEXP = '(\s*[^#]+/usr/bin/X .*) -nolisten tcp(.*)' -GDMCONF_REGEXP = '(\s*command=.*/X.*?) 
-nolisten tcp(.*)$' -KDMRC_REGEXP = re.compile('(.*?)-nolisten tcp(.*)$') - -def allow_xserver_to_listen(arg): - ''' The argument specifies if clients are authorized to connect -to the X server on the tcp port 6000 or not.''' - - startx = ConfigFile.get_config_file(STARTX) - xservers = ConfigFile.get_config_file(XSERVERS) - gdmconf = ConfigFile.get_config_file(GDMCONF) - kdmrc = ConfigFile.get_config_file(KDMRC) - - val_startx = startx.exists() and startx.get_match(STARTX_REGEXP) - val_xservers = xservers.exists() and xservers.get_match(XSERVERS_REGEXP) - val_gdmconf = gdmconf.exists() and gdmconf.get_match(GDMCONF_REGEXP) - str = kdmrc.exists() and kdmrc.get_shell_variable('ServerArgsLocal', 'X-\*-Core', '^\s*$') - - if str: - val_kdmrc = KDMRC_REGEXP.search(str) - else: - val_kdmrc = None - - # don't lower security when not changing security level - if same_level(): - if val_startx and val_xservers and val_gdmconf and val_kdmrc: - return - - if arg: - if val_startx or val_xservers or val_gdmconf or val_kdmrc: - _interactive and log(_('Allowing the X server to listen to tcp connections')) - if not (same_level() and val_startx): - startx.exists() and startx.replace_line_matching(STARTX_REGEXP, '@1@2') - if not (same_level() and val_xservers): - xservers.exists() and xservers.replace_line_matching(XSERVERS_REGEXP, '@1@2', 0, 1) - if not (same_level() and val_gdmconf): - gdmconf.exists() and gdmconf.replace_line_matching(GDMCONF_REGEXP, '@1@2', 0, 1) - if not (same_level() and val_kdmrc): - kdmrc.exists() and kdmrc.replace_line_matching('^(ServerArgsLocal=.*?)-nolisten tcp(.*)$', '@1@2', 0, 0, 'X-\*-Core', '^\s*$') - else: - if not val_startx or not val_xservers or not val_gdmconf or not val_kdmrc: - _interactive and log(_('Forbidding the X server to listen to tcp connection')) - startx.exists() and not val_startx and startx.replace_line_matching('serverargs="(.*?)( -nolisten tcp)?"', 'serverargs="@1 -nolisten tcp"') - xservers.exists() and not val_xservers and 
xservers.replace_line_matching('(\s*[^#]+/usr/bin/X .*?)( -nolisten tcp)?$', '@1 -nolisten tcp', 0, 1) - gdmconf.exists() and not val_gdmconf and gdmconf.replace_line_matching('(\s*command=.*/X.*?)( -nolisten tcp)?$', '@1 -nolisten tcp', 0, 1) - kdmrc.exists() and not val_kdmrc and kdmrc.replace_line_matching('^(ServerArgsLocal=.*)( -nolisten tcp)?$', '@1 -nolisten tcp', 'ServerArgsLocal=-nolisten tcp', 0, 'X-\*-Core', '^\s*$') - -allow_xserver_to_listen.arg_trans = YES_NO_TRANS - -################################################################################ - -def set_shell_timeout(val): - ''' Set the shell timeout. A value of zero means no timeout.''' - - msec = ConfigFile.get_config_file(MSEC) - - if msec.exists(): - old = msec.get_shell_variable('TMOUT') - if old != None: - old = int(old) - else: - old = None - - # don't lower security when not changing security level - if same_level(): - if old != None and old > val: - return - - if old != val: - _interactive and log(_('Setting shell timeout to %s') % val) - msec.set_shell_variable('TMOUT', val) - -################################################################################ - -def set_shell_history_size(size): - ''' Set shell commands history size. 
A value of -1 means unlimited.''' - msec = ConfigFile.get_config_file(MSEC) - - if msec.exists(): - val = msec.get_shell_variable('HISTFILESIZE') - else: - val = None - - # don't lower security when not changing security level - if same_level(): - if val != None: - val = int(val) - if size == -1 or val < size: - return - - if size >= 0: - if val != size: - _interactive and log(_('Setting shell history size to %s') % size) - msec.set_shell_variable('HISTFILESIZE', size) - else: - if val != None: - _interactive and log(_('Removing limit on shell history size')) - msec.remove_line_matching('^HISTFILESIZE=') - -################################################################################ - -def set_win_parts_umask(umask): - ''' Set umask option for mounting vfat and ntfs partitions. A value of None means default umask.''' - fstab = ConfigFile.get_config_file(FSTAB) - - # don't lower security when not changing security level - if same_level(): - if umask != None: - return - - if umask == None: - fstab.replace_line_matching("(.*\s(vfat|ntfs)\s+)umask=\d+(\s.*)", "@1defaults@3", 0, 1) - fstab.replace_line_matching("(.*\s(vfat|ntfs)\s+)umask=\d+,(.*)", "@1@3", 0, 1) - fstab.replace_line_matching("(.*\s(vfat|ntfs)\s+\S+),umask=\d+(.*)", "@1@3", 0, 1) - else: - fstab.replace_line_matching("(.*\s(vfat|ntfs)\s+\S*)umask=\d+(.*)", "@1umask=0@3", 0, 1) - fstab.replace_line_matching("(.*\s(vfat|ntfs)\s+)(?!.*umask=)(\S+)(.*)", "@1@3,umask=0@4", 0, 1) - -################################################################################ - -def get_index(val, array): - for loop in range(0, len(array)): - if val == array[loop]: - return loop - return -1 - -################################################################################ -ALLOW_SHUTDOWN_VALUES = ('All', 'Root', 'None') -CTRALTDEL_REGEXP = '^ca::ctrlaltdel:/sbin/shutdown.*' -CONSOLE_HELPER = 'consolehelper' - -def allow_reboot(arg): - ''' Allow/Forbid reboot by the console user.''' - shutdownallow = 
ConfigFile.get_config_file(SHUTDOWNALLOW) - sysctlconf = ConfigFile.get_config_file(SYSCTLCONF) - kdmrc = ConfigFile.get_config_file(KDMRC) - gdmconf = ConfigFile.get_config_file(GDMCONF) - inittab = ConfigFile.get_config_file(INITTAB) - - val_shutdownallow = shutdownallow.exists() - val_sysctlconf = sysctlconf.exists() and sysctlconf.get_shell_variable('kernel.sysrq') - val_inittab = inittab.exists() and inittab.get_match(CTRALTDEL_REGEXP) - num = 0 - val = {} - for f in [SHUTDOWN, POWEROFF, REBOOT, HALT]: - val[f] = ConfigFile.get_config_file(f).exists() - if val[f]: - num = num + 1 - val_gdmconf = gdmconf.exists() and gdmconf.get_shell_variable('SystemMenu') - oldval_kdmrc = kdmrc.exists() and kdmrc.get_shell_variable('AllowShutdown', 'X-:\*-Core', '^\s*$') - if oldval_kdmrc: - oldval_kdmrc = get_index(oldval_kdmrc, ALLOW_SHUTDOWN_VALUES) - if arg: - val_kdmrc = 0 - else: - val_kdmrc = 2 - - # don't lower security when not changing security level - if same_level(): - if val_shutdownallow and val_sysctlconf == '0' and num == 0 and oldval_kdmrc >= val_kdmrc and val_gdmconf == 'false' and not val_inittab: - return - if oldval_kdmrc > val_kdmrc: - val_kdmrc = oldval_kdmrc - - if arg: - _interactive and log(_('Allowing reboot to the console user')) - if not (same_level() and val_shutdownallow): - shutdownallow.exists() and shutdownallow.move(SUFFIX) - for f in [SHUTDOWN, POWEROFF, REBOOT, HALT]: - cfg = ConfigFile.get_config_file(f) - if not (same_level() and not val[f]): - cfg.exists() or cfg.symlink(CONSOLE_HELPER) - if not (same_level() and val_sysctlconf == '0'): - sysctlconf.set_shell_variable('kernel.sysrq', 1) - if not same_level() and val_gdmconf == 'false': - gdmconf.exists() and gdmconf.set_shell_variable('SystemMenu', 'true', '\[greeter\]', '^\s*$') - if not (same_level() and not val_inittab): - inittab.replace_line_matching(CTRALTDEL_REGEXP, 'ca::ctrlaltdel:/sbin/shutdown -t3 -r now', 1) - else: - _interactive and log(_('Forbidding reboot to the console 
user')) - ConfigFile.get_config_file(SHUTDOWNALLOW, SUFFIX).touch() - for f in [SHUTDOWN, POWEROFF, REBOOT, HALT]: - ConfigFile.get_config_file(f).unlink() - sysctlconf.set_shell_variable('kernel.sysrq', 0) - gdmconf.exists() and gdmconf.set_shell_variable('SystemMenu', 'false', '\[greeter\]', '^\s*$') - inittab.remove_line_matching(CTRALTDEL_REGEXP) - - kdmrc.exists() and kdmrc.set_shell_variable('AllowShutdown', ALLOW_SHUTDOWN_VALUES[val_kdmrc], 'X-:\*-Core', '^\s*$') - -allow_reboot.arg_trans = YES_NO_TRANS - -################################################################################ -SHOW_USERS_VALUES = ('NotHidden', 'Selected') - -def allow_user_list(arg): - ''' Allow/Forbid the list of users on the system on display managers (kdm and gdm).''' - kdmrc = ConfigFile.get_config_file(KDMRC) - gdmconf = ConfigFile.get_config_file(GDMCONF) - - oldval_gdmconf = gdmconf.exists() and gdmconf.get_shell_variable('Browser') - oldval_kdmrc = kdmrc.exists() and kdmrc.get_shell_variable('ShowUsers', 'X-\*-Greeter', '^\s*$') - if oldval_kdmrc: - oldval_kdmrc = get_index(oldval_kdmrc, SHOW_USERS_VALUES) - - if arg: - msg = 'Allowing the listing of users in display managers' - val_kdmrc = 0 - val_gdmconf = 'true' - else: - msg = 'Disabling the listing of users in display managers' - val_kdmrc = 1 - val_gdmconf = 'false' - - # don't lower security when not changing security level - if same_level(): - if oldval_kdmrc >= val_kdmrc and oldval_gdmconf == 'false': - return - if oldval_kdmrc > val_kdmrc: - val_kdmrc = oldval_kdmrc - if oldval_gdmconf == 'false': - val_gdmconf = 'false' - - if (gdmconf.exists() and oldval_gdmconf != val_gdmconf) or (kdmrc.exists() and oldval_kdmrc != val_kdmrc): - _interactive and log(_(msg)) - oldval_kdmrc != val_gdmconf and kdmrc.exists() and kdmrc.set_shell_variable('ShowUsers', SHOW_USERS_VALUES[val_kdmrc], 'X-\*-Greeter', '^\s*$') - oldval_gdmconf != val_gdmconf and gdmconf.exists() and gdmconf.set_shell_variable('Browser', val_gdmconf) - 
-allow_user_list.arg_trans = YES_NO_TRANS - -################################################################################ - -def allow_root_login(arg): - ''' Allow/Forbid direct root login.''' - securetty = ConfigFile.get_config_file(SECURETTY) - kde = ConfigFile.get_config_file(KDE) - gdm = ConfigFile.get_config_file(GDM) - gdmconf = ConfigFile.get_config_file(GDMCONF) - xdm = ConfigFile.get_config_file(XDM) - - val = {} - val[kde] = kde.exists() and kde.get_match('auth required (?:/lib/security/)?pam_listfile.so onerr=succeed item=user sense=deny file=/etc/bastille-no-login') - val[gdm] = gdm.exists() and gdm.get_match('auth required (?:/lib/security/)?pam_listfile.so onerr=succeed item=user sense=deny file=/etc/bastille-no-login') - val[xdm] = xdm.exists() and xdm.get_match('auth required (?:/lib/security/)?pam_listfile.so onerr=succeed item=user sense=deny file=/etc/bastille-no-login') - num = 0 - for n in range(1, 7): - s = 'tty' + str(n) - if securetty.get_match(s): - num = num + 1 - val[s] = 1 - else: - val[s] = 0 - s = 'vc/' + str(n) - if securetty.get_match(s): - num = num + 1 - val[s] = 1 - else: - val[s] = 0 - - # don't lower security when not changing security level - if same_level(): - if (not kde.exists() or val[kde]) and (not gdm.exists() or val[gdm]) and (not xdm.exists() or val[xdm]) and num == 12: - return - - if arg: - if val[kde] or val[gdm] or val[xdm] or num != 12: - _interactive and log(_('Allowing direct root login')) - gdmconf.exists() and gdmconf.set_shell_variable('ConfigAvailable', 'true', '\[greeter\]', '^\s*') - - - for cnf in (kde, gdm, xdm): - if not (same_level() and val[cnf]): - cnf.exists() and cnf.remove_line_matching('^auth\s*required\s*(?:/lib/security/)?pam_listfile.so.*bastille-no-login', 1) - - for n in range(1, 7): - s = 'tty' + str(n) - if not (same_level() and not val[s]): - securetty.replace_line_matching(s, s, 1) - s = 'vc/' + str(n) - if not (same_level() and not val[s]): - securetty.replace_line_matching(s, s, 1) 
- else: - gdmconf.exists() and gdmconf.set_shell_variable('ConfigAvailable', 'false', '\[greeter\]', '^\s*') - if (kde.exists() and not val[kde]) or (gdm.exists() and not val[gdm]) or (xdm.exists() and not val[xdm]) or num > 0: - _interactive and log(_('Forbidding direct root login')) - - bastillenologin = ConfigFile.get_config_file(BASTILLENOLOGIN) - bastillenologin.replace_line_matching('^\s*root', 'root', 1) - - for cnf in (kde, gdm, xdm): - cnf.exists() and (cnf.replace_line_matching('^auth\s*required\s*(?:/lib/security/)?pam_listfile.so.*bastille-no-login', 'auth required pam_listfile.so onerr=succeed item=user sense=deny file=/etc/bastille-no-login') or \ - cnf.insert_at(0, 'auth required pam_listfile.so onerr=succeed item=user sense=deny file=/etc/bastille-no-login')) - securetty.remove_line_matching('.+', 1) - -allow_root_login.arg_trans = YES_NO_TRANS - -PERMIT_ROOT_LOGIN_REGEXP = '^\s*PermitRootLogin\s+(no|yes|without-password|forced-commands-only)' - -################################################################################ - -def allow_remote_root_login(arg): - ''' Allow/Forbid remote root login via sshd. You can specify -yes, no and without-password. 
See sshd_config(5) man page for more -information.''' - sshd_config = ConfigFile.get_config_file(SSHDCONFIG) - - if sshd_config.exists(): - val = sshd_config.get_match(PERMIT_ROOT_LOGIN_REGEXP, '@1') - else: - val = None - - # don't lower security when not changing security level - if same_level(): - if val == 'no': - return - if val == 'forced-commands-only': - return - - if val == 'yes': - val = yes - elif val == 'no': - val = no - elif val == 'without-password': - val = without_password - else: - val = yes - - if val != arg: - if arg == yes: - _interactive and log(_('Allowing remote root login')) - sshd_config.exists() and sshd_config.replace_line_matching(PERMIT_ROOT_LOGIN_REGEXP, - 'PermitRootLogin yes', 1) - elif arg == no: - _interactive and log(_('Forbidding remote root login')) - sshd_config.exists() and sshd_config.replace_line_matching(PERMIT_ROOT_LOGIN_REGEXP, - 'PermitRootLogin no', 1) - elif arg == without_password: - _interactive and log(_('Allowing remote root login only by passphrase')) - sshd_config.exists() and sshd_config.replace_line_matching(PERMIT_ROOT_LOGIN_REGEXP, - 'PermitRootLogin without-password', 1) - -allow_remote_root_login.arg_trans = ALLOW_ROOT_LOGIN_TRANS - -################################################################################ - -def enable_pam_wheel_for_su(arg): - ''' Enabling su only from members of the wheel group or allow su from any user.''' - su = ConfigFile.get_config_file(SU) - - val = su.exists() and su.get_match('^auth\s+required\s+(?:/lib/security/)?pam_wheel.so\s+use_uid\s*$') - - # don't lower security when not changing security level - if same_level(): - if val: - return - - if arg: - if not val: - _interactive and log(_('Allowing su only from wheel group members')) - try: - ent = grp.getgrnam('wheel') - except KeyError: - error(_('no wheel group')) - return - members = ent[3] - if members == [] or members == ['root']: - _interactive and error(_('wheel group is empty')) - return - su.exists() and 
(su.replace_line_matching('^auth\s+required\s+(?:/lib/security/)?pam_wheel.so\s+use_uid\s*$', - 'auth required pam_wheel.so use_uid') or \ - su.insert_after('^auth\s+required', - 'auth required pam_wheel.so use_uid')) - else: - if val: - _interactive and log(_('Allowing su for all')) - su.exists() and su.remove_line_matching('^auth\s+required\s+(?:/lib/security/)?pam_wheel.so\s+use_uid\s*$') - -enable_pam_wheel_for_su.arg_trans = YES_NO_TRANS - -################################################################################ - -SUCCEED_MATCH = '^auth\s+sufficient\s+pam_succeed_if.so\s+use_uid\s+user\s+ingroup\s+wheel\s*$' -SUCCEED_LINE = 'auth sufficient pam_succeed_if.so use_uid user ingroup wheel' - -def enable_pam_root_from_wheel(arg): - ''' Allow root access without password for the members of the wheel group.''' - su = ConfigFile.get_config_file(SU) - simple = ConfigFile.get_config_file(SIMPLE_ROOT_AUTHEN) - - if not su.exists(): - return - - val = su.get_match(SUCCEED_MATCH) - - if simple.exists(): - val_simple = simple.get_match(SUCCEED_MATCH) - else: - val_simple = False - - # don't lower security when not changing security level - if same_level(): - if not val and not val_simple: - return - - if arg: - if not val or (simple.exists() and not val_simple): - _interactive and log(_('Allowing transparent root access for wheel group members')) - if not val: - su.insert_before('^auth\s+required', SUCCEED_LINE) - if simple.exists() and not val_simple: - simple.insert_before('^auth\s+required', SUCCEED_LINE) - else: - if val or (simple.exists() and val_simple): - _interactive and log(_('Disabling transparent root access for wheel group members')) - if val: - su.remove_line_matching(SUCCEED_MATCH) - if simple.exists() and val_simple: - simple.remove_line_matching(SUCCEED_MATCH) - -enable_pam_root_from_wheel.arg_trans = YES_NO_TRANS - -################################################################################ - -def allow_issues(arg): - ''' If \\fIarg\\fP = ALL 
allow /etc/issue and /etc/issue.net to exist. If \\fIarg\\fP = NONE no issues are -allowed else only /etc/issue is allowed.''' - issue = ConfigFile.get_config_file(ISSUE, SUFFIX) - issuenet = ConfigFile.get_config_file(ISSUENET, SUFFIX) - - val = issue.exists(1) - valnet = issuenet.exists(1) - - # don't lower security when not changing security level - if same_level(): - if not val and not valnet: - return - if arg == ALL and not valnet: - return - - if arg == ALL: - if not (val and valnet): - _interactive and log(_('Allowing network pre-login messages')) - issue.exists() and issue.get_lines() - issuenet.exists() and issuenet.get_lines() - else: - if arg == NONE: - if val: - _interactive and log(_('Disabling pre-login message')) - issue.exists(1) and issue.move(SUFFIX) and issue.modified() - else: - if not val: - _interactive and log(_('Allowing pre-login message')) - issue.exists() and issue.get_lines() - if valnet: - _interactive and log(_('Disabling network pre-login message')) - issuenet.exists(1) and issuenet.move(SUFFIX) - -allow_issues.arg_trans = ALL_LOCAL_NONE_TRANS - -################################################################################ - -def allow_autologin(arg): - ''' Allow/Forbid autologin.''' - autologin = ConfigFile.get_config_file(AUTOLOGIN) - - if autologin.exists(): - val = autologin.get_shell_variable('AUTOLOGIN') - else: - val = None - - # don't lower security when not changing security level - if same_level(): - if val == 'no': - return - - if arg: - if val != 'yes': - _interactive and log(_('Allowing autologin')) - autologin.exists() and autologin.set_shell_variable('AUTOLOGIN', 'yes') - else: - if val != 'no': - _interactive and log(_('Forbidding autologin')) - autologin.exists() and autologin.set_shell_variable('AUTOLOGIN', 'no') - -allow_autologin.arg_trans = YES_NO_TRANS - -################################################################################ - -def password_loader(value): - 'D' - _interactive and log(_('Activating 
password in boot loader')) - liloconf = ConfigFile.get_config_file(LILOCONF) - liloconf.exists() and (liloconf.replace_line_matching('^password=', 'password="' + value + '"', 0, 1) or \ - liloconf.insert_after('^boot=', 'password="' + value + '"')) and \ - Perms.chmod(liloconf.path, 0600) - # TODO encrypt password in grub - menulst = ConfigFile.get_config_file(MENULST) - menulst.exists() and (menulst.replace_line_matching('^password\s', 'password "' + value + '"') or \ - menulst.insert_at(0, 'password "' + value + '"')) and \ - Perms.chmod(menulst.path, 0600) - # TODO add yaboot support - -################################################################################ - -def nopassword_loader(): - 'D' - _interactive and log(_('Removing password in boot loader')) - liloconf = ConfigFile.get_config_file(LILOCONF) - liloconf.exists() and liloconf.remove_line_matching('^password=', 1) - menulst = ConfigFile.get_config_file(MENULST) - menulst.exists() and menulst.remove_line_matching('^password\s') - -################################################################################ - -def enable_console_log(arg, expr='*.*', dev='tty12'): - ''' Enable/Disable syslog reports to console 12. 
\\fIexpr\\fP is the -expression describing what to log (see syslog.conf(5) for more details) and -dev the device to report the log.''' - - syslogconf = ConfigFile.get_config_file(SYSLOGCONF) - - if syslogconf.exists(): - val = syslogconf.get_match('\s*[^#]+/dev/([^ ]+)', '@1') - else: - val = None - - # don't lower security when not changing security level - if same_level(): - if val: - return - - if arg: - if dev != val: - _interactive and log(_('Enabling log on console')) - syslogconf.exists() and syslogconf.replace_line_matching('\s*[^#]+/dev/', expr + ' /dev/' + dev, 1) - else: - if val != None: - _interactive and log(_('Disabling log on console')) - syslogconf.exists() and syslogconf.remove_line_matching('\s*[^#]+/dev/') - -enable_console_log.arg_trans = YES_NO_TRANS - -CRON_ENTRY = '*/1 * * * * root /usr/share/msec/promisc_check.sh' -CRON_REGEX = '[^#]+/usr/share/msec/promisc_check.sh' - -################################################################################ - -def enable_promisc_check(arg): - ''' Activate/Disable ethernet cards promiscuity check.''' - cron = ConfigFile.get_config_file(CRON) - - val = cron.exists() and cron.get_match(CRON_REGEX) - - # don't lower security when not changing security level - if same_level(): - if val == CRON_ENTRY: - return - - if arg: - if val != CRON_ENTRY: - _interactive and log(_('Activating periodic promiscuity check')) - cron.replace_line_matching(CRON_REGEX, CRON_ENTRY, 1) - else: - if val: - _interactive and log(_('Disabling periodic promiscuity check')) - cron.remove_line_matching('[^#]+/usr/share/msec/promisc_check.sh') - -enable_promisc_check.arg_trans = YES_NO_TRANS - -################################################################################ - -def enable_security_check(arg): - ''' Activate/Disable daily security check.''' - cron = ConfigFile.get_config_file(CRON) - cron.remove_line_matching('[^#]+/usr/share/msec/security.sh') - - securitycron = ConfigFile.get_config_file(SECURITYCRON) - - val = 
securitycron.exists()
-
- # don't lower security when not changing security level
- if same_level():
- if val:
- return
-
- if arg:
- if not val:
- _interactive and log(_('Activating daily security check'))
- securitycron.symlink(SECURITYSH)
- else:
- if val:
- _interactive and log(_('Disabling daily security check'))
- securitycron.unlink()
-
-enable_security_check.arg_trans = YES_NO_TRANS
-
-################################################################################
-
-ALL_REGEXP = '^ALL:ALL:DENY'
-ALL_LOCAL_REGEXP = '^ALL:ALL EXCEPT 127\.0\.0\.1:DENY'
-def authorize_services(arg):
- ''' Authorize all services controlled by tcp_wrappers (see hosts.deny(5)) if \\fIarg\\fP = ALL. Only local ones
-if \\fIarg\\fP = LOCAL and none if \\fIarg\\fP = NONE. To authorize the services you need, use /etc/hosts.allow
-(see hosts.allow(5)).'''
- hostsdeny = ConfigFile.get_config_file(HOSTSDENY)
-
- if hostsdeny.exists():
- if hostsdeny.get_match(ALL_REGEXP):
- val = NONE
- elif hostsdeny.get_match(ALL_LOCAL_REGEXP):
- val = LOCAL
- else:
- val = ALL
- else:
- val = ALL
-
- # don't lower security when not changing security level
- if same_level():
- if val == NONE or (val == LOCAL and arg == ALL):
- return
-
- if arg == ALL:
- if arg != val:
- _interactive and log(_('Authorizing all services'))
- hostsdeny.remove_line_matching(ALL_REGEXP, 1)
- hostsdeny.remove_line_matching(ALL_LOCAL_REGEXP, 1)
- elif arg == NONE:
- if arg != val:
- _interactive and log(_('Disabling all services'))
- hostsdeny.remove_line_matching('^ALL:ALL EXCEPT 127\.0\.0\.1:DENY', 1)
- hostsdeny.replace_line_matching('^ALL:ALL:DENY', 'ALL:ALL:DENY', 1)
- elif arg == LOCAL:
- if arg != val:
- _interactive and log(_('Disabling non local services'))
- hostsdeny.remove_line_matching(ALL_REGEXP, 1)
- hostsdeny.replace_line_matching(ALL_LOCAL_REGEXP, 'ALL:ALL EXCEPT 127.0.0.1:DENY', 1)
- else:
- error(_('authorize_services invalid argument: %s') % arg)
-
-authorize_services.arg_trans = ALL_LOCAL_NONE_TRANS
-
-################################################################################
-
-def boolean2bit(bool):
- if bool:
- return 1
- else:
- return 0
-
-# helper function for enable_ip_spoofing_protection, accept_icmp_echo, accept_broadcasted_icmp_echo,
-# accept_bogus_error_responses and enable_log_strange_packets.
-def set_zero_one_variable(file, variable, value, secure_value, one_msg, zero_msg):
- 'D'
- f = ConfigFile.get_config_file(file)
-
- if f.exists():
- val = f.get_shell_variable(variable)
- if val:
- val = int(val)
- else:
- val = None
-
- # don't lower security when not changing security level
- if same_level():
- if val == secure_value:
- return
-
- if value != val:
- if value:
- msg = _(one_msg)
- else:
- msg = _(zero_msg)
-
- _interactive and log(msg)
- f.set_shell_variable(variable, boolean2bit(value))
-
-################################################################################
-
-# the alert argument is kept for backward compatibility
-def enable_ip_spoofing_protection(arg, alert=1):
- ''' Enable/Disable IP spoofing protection.'''
- set_zero_one_variable(SYSCTLCONF, 'net.ipv4.conf.all.rp_filter', arg, 1, 'Enabling ip spoofing protection', 'Disabling ip spoofing protection')
-
-enable_ip_spoofing_protection.arg_trans = YES_NO_TRANS
-enable_ip_spoofing_protection.one_arg = 1
-
-################################################################################
-
-def enable_dns_spoofing_protection(arg, alert=1):
- ''' Enable/Disable name resolution spoofing protection. If
-\\fIalert\\fP is true, also reports to syslog.'''
- hostconf = ConfigFile.get_config_file(HOSTCONF)
-
- val = hostconf.exists() and hostconf.get_match('nospoof\s+on')
-
- # don't lower security when not changing security level
- if same_level():
- if val:
- return
-
- if arg:
- if not val:
- _interactive and log(_('Enabling name resolution spoofing protection'))
- hostconf.replace_line_matching('nospoof', 'nospoof on', 1)
- hostconf.replace_line_matching('spoofalert', 'spoofalert on', (alert != 0))
- else:
- if val:
- _interactive and log(_('Disabling name resolution spoofing protection'))
- hostconf.remove_line_matching('nospoof')
- hostconf.remove_line_matching('spoofalert')
-
-enable_dns_spoofing_protection.arg_trans = YES_NO_TRANS
-
-################################################################################
-
-def accept_icmp_echo(arg):
- ''' Accept/Refuse icmp echo.'''
- set_zero_one_variable(SYSCTLCONF, 'net.ipv4.icmp_echo_ignore_all', not arg, 1, 'Ignoring icmp echo', 'Accepting icmp echo')
-
-accept_icmp_echo.arg_trans = YES_NO_TRANS
-
-################################################################################
-
-def accept_broadcasted_icmp_echo(arg):
- ''' Accept/Refuse broadcasted icmp echo.'''
- set_zero_one_variable(SYSCTLCONF, 'net.ipv4.icmp_echo_ignore_broadcasts', not arg, 1, 'Ignoring broadcasted icmp echo', 'Accepting broadcasted icmp echo')
-
-accept_broadcasted_icmp_echo.arg_trans = YES_NO_TRANS
-
-################################################################################
-
-def accept_bogus_error_responses(arg):
- ''' Accept/Refuse bogus IPv4 error messages.'''
- set_zero_one_variable(SYSCTLCONF, 'net.ipv4.icmp_ignore_bogus_error_responses', not arg, 1, 'Ignoring bogus icmp error responses', 'Accepting bogus icmp error responses')
-
-accept_bogus_error_responses.arg_trans = YES_NO_TRANS
-
-################################################################################
-
-def enable_log_strange_packets(arg):
- ''' Enable/Disable the logging of IPv4 strange packets.'''
- set_zero_one_variable(SYSCTLCONF, 'net.ipv4.conf.all.log_martians', arg, 1, 'Enabling logging of strange packets', 'Disabling logging of strange packets')
-
-enable_log_strange_packets.arg_trans = YES_NO_TRANS
-
-################################################################################
-
-def enable_libsafe(arg):
- ''' Enable/Disable libsafe if libsafe is found on the system.'''
-
- ldsopreload = ConfigFile.get_config_file(LDSOPRELOAD)
-
- val = ldsopreload.exists() and ldsopreload.get_match('/lib/libsafe.so.2')
-
- # don't lower security when not changing security level
- if same_level():
- if val:
- return
-
- if arg:
- if not val:
- if os.path.exists(Config.get_config('root', '') + '/lib/libsafe.so.2'):
- _interactive and log(_('Enabling libsafe'))
- ldsopreload.replace_line_matching('[^#]*libsafe', '/lib/libsafe.so.2', 1)
- else:
- if val:
- _interactive and log(_('Disabling libsafe'))
- ldsopreload.remove_line_matching('[^#]*libsafe')
-
-enable_libsafe.arg_trans = YES_NO_TRANS
-
-################################################################################
-
-LENGTH_REGEXP = re.compile('^(password\s+required\s+(?:/lib/security/)?pam_cracklib.so.*?)\sminlen=([0-9]+)\s(.*)')
-NDIGITS_REGEXP = re.compile('^(password\s+required\s+(?:/lib/security/)?pam_cracklib.so.*?)\sdcredit=([0-9]+)\s(.*)')
-UCREDIT_REGEXP = re.compile('^(password\s+required\s+(?:/lib/security/)?pam_cracklib.so.*?)\sucredit=([0-9]+)\s(.*)')
-
-def password_length(length, ndigits=0, nupper=0):
- ''' Set the password minimum length and minimum number of digit and minimum number of capitalized letters.'''
-
- passwd = ConfigFile.get_config_file(SYSTEM_AUTH)
-
- val_length = val_ndigits = val_ucredit = 999999
-
- if passwd.exists():
- val_length = passwd.get_match(LENGTH_REGEXP, '@2')
- if val_length:
- val_length = int(val_length)
-
- val_ndigits = passwd.get_match(NDIGITS_REGEXP, '@2')
- if val_ndigits:
- val_ndigits = int(val_ndigits)
-
- val_ucredit = passwd.get_match(UCREDIT_REGEXP, '@2')
- if val_ucredit:
- val_ucredit = int(val_ucredit)
-
- # don't lower security when not changing security level
- if same_level():
- if val_length > length and val_ndigits > ndigits and val_ucredit > nupper:
- return
-
- if val_length > length:
- length = val_length
-
- if val_ndigits > ndigits:
- ndigits = val_ndigits
-
- if val_ucredit > nupper:
- nupper = val_ucredit
-
- if passwd.exists() and (val_length != length or val_ndigits != ndigits or val_ucredit != nupper):
- _interactive and log(_('Setting minimum password length %d') % length)
- (passwd.replace_line_matching(LENGTH_REGEXP,
- '@1 minlen=%s @3' % length) or \
- passwd.replace_line_matching('^password\s+required\s+(?:/lib/security/)?pam_cracklib.so.*',
- '@0 minlen=%s ' % length))
-
- (passwd.replace_line_matching(NDIGITS_REGEXP,
- '@1 dcredit=%s @3' % ndigits) or \
- passwd.replace_line_matching('^password\s+required\s+(?:/lib/security/)?pam_cracklib.so.*',
- '@0 dcredit=%s ' % ndigits))
-
- (passwd.replace_line_matching(UCREDIT_REGEXP,
- '@1 ucredit=%s @3' % nupper) or \
- passwd.replace_line_matching('^password\s+required\s+(?:/lib/security/)?pam_cracklib.so.*',
- '@0 ucredit=%s ' % nupper))
-
-################################################################################
-
-PASSWORD_REGEXP = '^\s*auth\s+sufficient\s+(?:/lib/security/)?pam_permit.so'
-def enable_password(arg):
- ''' Use password to authenticate users.'''
- system_auth = ConfigFile.get_config_file(SYSTEM_AUTH)
-
- val = system_auth.exists() and system_auth.get_match(PASSWORD_REGEXP)
-
- # don't lower security when not changing security level
- if same_level():
- if not val:
- return
-
- if arg:
- if val:
- _interactive and log(_('Using password to authenticate users'))
- system_auth.remove_line_matching(PASSWORD_REGEXP)
- else:
- if not val:
- _interactive and log(_('Don\'t use password to authenticate users'))
- system_auth.replace_line_matching(PASSWORD_REGEXP, 'auth sufficient pam_permit.so') or \
- system_auth.insert_before('auth\s+sufficient', 'auth sufficient pam_permit.so')
-
-enable_password.arg_trans = YES_NO_TRANS
-
-################################################################################
-
-UNIX_REGEXP = re.compile('(^\s*password\s+sufficient\s+(?:/lib/security/)?pam_unix.so.*)\sremember=([0-9]+)(.*)')
-
-def password_history(arg):
- ''' Set the password history length to prevent password reuse.'''
- system_auth = ConfigFile.get_config_file(SYSTEM_AUTH)
-
- if system_auth.exists():
- val = system_auth.get_match(UNIX_REGEXP, '@2')
-
- if val and val != '':
- val = int(val)
- else:
- val = 0
- else:
- val = 0
-
- # don't lower security when not changing security level
- if same_level():
- if val >= arg:
- return
-
- if arg != val:
- if arg > 0:
- _interactive and log(_('Setting password history to %d.') % arg)
- system_auth.replace_line_matching(UNIX_REGEXP, '@1 remember=%d@3' % arg) or \
- system_auth.replace_line_matching('(^\s*password\s+sufficient\s+(?:/lib/security/)?pam_unix.so.*)', '@1 remember=%d' % arg)
- opasswd = ConfigFile.get_config_file(OPASSWD)
- opasswd.exists() or opasswd.touch()
- else:
- _interactive and log(_('Disabling password history'))
- system_auth.replace_line_matching(UNIX_REGEXP, '@1@3')
-
-################################################################################
-
-SULOGIN_REGEXP = '~~:S:wait:/sbin/sulogin'
-def enable_sulogin(arg):
- ''' Enable/Disable sulogin(8) in single user level.'''
- inittab = ConfigFile.get_config_file(INITTAB)
-
- val = inittab.exists() and inittab.get_match(SULOGIN_REGEXP)
-
- # don't lower security when not changing security level
- if same_level():
- if val:
- return
-
- if arg:
- if not val:
- _interactive and log(_('Enabling sulogin in single user runlevel'))
- inittab.replace_line_matching('[^#]+:S:', '~~:S:wait:/sbin/sulogin', 1)
- else:
- if val:
- _interactive and log(_('Disabling sulogin in single user runlevel'))
- inittab.remove_line_matching('~~:S:wait:/sbin/sulogin')
-
-enable_sulogin.arg_trans = YES_NO_TRANS
-
-################################################################################
-
-def enable_msec_cron(arg):
- ''' Enable/Disable msec hourly security check.'''
- mseccron = ConfigFile.get_config_file(MSECCRON)
-
- val = mseccron.exists()
-
- # don't lower security when not changing security level
- if same_level():
- if val:
- return
-
- if arg:
- if arg != val:
- _interactive and log(_('Enabling msec periodic runs'))
- mseccron.symlink(MSECBIN)
- else:
- if arg != val:
- _interactive and log(_('Disabling msec periodic runs'))
- mseccron.unlink()
-
-enable_msec_cron.arg_trans = YES_NO_TRANS
-
-################################################################################
-
-def enable_at_crontab(arg):
- ''' Enable/Disable crontab and at for users. Put allowed users in /etc/cron.allow and /etc/at.allow
-(see man at(1) and crontab(1)).'''
- cronallow = ConfigFile.get_config_file(CRONALLOW)
- atallow = ConfigFile.get_config_file(ATALLOW)
-
- val_cronallow = cronallow.exists() and cronallow.get_match('root')
- val_atallow = atallow.exists() and atallow.get_match('root')
-
- # don't lower security when not changing security level
- if same_level():
- if val_cronallow and val_atallow:
- return
-
- if arg:
- if val_cronallow or val_atallow:
- _interactive and log(_('Enabling crontab and at'))
- if not (same_level() and val_cronallow):
- cronallow.exists() and cronallow.move(SUFFIX)
- if not (same_level() and val_atallow):
- atallow.exists() and atallow.move(SUFFIX)
- else:
- if not val_cronallow or not val_atallow:
- _interactive and log(_('Disabling crontab and at'))
- cronallow.replace_line_matching('root', 'root', 1)
- atallow.replace_line_matching('root', 'root', 1)
-
-enable_at_crontab.arg_trans = YES_NO_TRANS
-
-################################################################################
-
-maximum_regex = re.compile('^Maximum.*:\s*([0-9]+|-1)', re.MULTILINE)
-inactive_regex = re.compile('^(Inactive|Password inactive\s*):\s*(-?[0-9]+|never)', re.MULTILINE)
-no_aging_list = []
-
-def no_password_aging_for(name):
- '''D Add the name as an exception to the handling of password aging by msec.
-Name must be put between '. Msec will then no more manage password aging for
-name so you have to use chage(1) to manage it by hand.'''
- no_aging_list.append(name)
-
-def password_aging(max, inactive=-1):
- ''' Set password aging to \\fImax\\fP days and delay to change to \\fIinactive\\fP.'''
- uid_min = 500
- _interactive and log(_('Setting password maximum aging for new user to %d') % max)
- logindefs = ConfigFile.get_config_file(LOGINDEFS)
- if logindefs.exists():
- logindefs.replace_line_matching('^\s*PASS_MAX_DAYS', 'PASS_MAX_DAYS ' + str(max), 1)
- uid_min = logindefs.get_match('^\s*UID_MIN\s+([0-9]+)', '@1')
- if uid_min:
- uid_min = int(uid_min)
- shadow = ConfigFile.get_config_file(SHADOW)
- if shadow.exists():
- _interactive and log(_('Setting password maximum aging for root and users with id greater than %d to %d and delay to %d days') % (uid_min, max, inactive))
- for line in shadow.get_lines():
- field = string.split(line, ':')
- if len(field) < 2:
- continue
- name = field[0]
- password = field[1]
- if name in no_aging_list:
- _interactive and log(_('User %s in password aging exception list') % (name,))
- continue
- try:
- entry = pwd.getpwnam(name)
- except KeyError:
- error(_('User %s in shadow but not in passwd file') % name)
- continue
- if (len(password) > 0 and password[0] != '!') and password != '*' and password != 'x' and (entry[2] >= uid_min or entry[2] == 0):
- if field[4] == '':
- current_max = 99999
- else:
- current_max = int(field[4])
- if field[6] == '':
- current_inactive = -1
- else:
- current_inactive = int(field[6])
- new_max = max
- new_inactive = inactive
- # don't lower security when not changing security level
- if same_level():
- if current_max < max and current_inactive < inactive:
- continue
- if current_max < max:
- new_max = current_max
- if current_inactive < inactive:
- new_inactive = current_inactive
- if new_max != current_max or current_inactive != new_inactive:
- cmd = 'LC_ALL=C /usr/bin/chage -M %d -I %d -d %s \'%s\'' % (new_max, new_inactive, time.strftime('%Y-%m-%d'), entry[0])
- ret = commands.getstatusoutput(cmd)
- log(_('changed maximum password aging for user \'%s\' with command %s') % (entry[0], cmd))
-
-################################################################################
-
-def allow_xauth_from_root(arg):
- ''' Allow/forbid to export display when passing from the root account
-to the other users. See pam_xauth(8) for more details.'''
- export = ConfigFile.get_config_file(EXPORT)
-
- allow = export.exists() and export.get_match('^\*$')
-
- # don't lower security when not changing security level
- if same_level():
- if not allow:
- return
-
- if arg:
- if not allow:
- _interactive and log(_('Allowing export display from root'))
- export.insert_at(0, '*')
- else:
- if allow:
- _interactive and log(_('Forbidding export display from root'))
- export.remove_line_matching('^\*$')
-
-################################################################################
-
-def set_security_conf(var, value):
- '''1 Set the variable \\fIvar\\fP to the value \\fIvalue\\fP in /var/lib/msec/security.conf.
-The best way to override the default setting is to create /etc/security/msec/security.conf
-with the value you want. These settings are used to configure the daily check run each night.
-
-The following variables are currentrly recognized by msec:
-
-CHECK_UNOWNED if set to yes, report unowned files.
-
-CHECK_SHADOW if set to yes, check empty password in /etc/shadow.
-
-CHECK_SUID_MD5 if set to yes, verify checksum of the suid/sgid files.
-
-CHECK_SECURITY if set to yes, run the daily security checks.
-
-CHECK_PASSWD if set to yes, check for empty passwords, for no password in /etc/shadow and for users with the 0 id other than root.
-
-SYSLOG_WARN if set to yes, report check result to syslog.
-
-CHECK_SUID_ROOT if set to yes, check additions/removals of suid root files.
-
-CHECK_PERMS if set to yes, check permissions of files in the users' home.
-
-CHKROOTKIT_CHECK if set to yes, run chkrootkit checks.
-
-CHECK_PROMISC if set to yes, check if the network devices are in promiscuous mode.
-
-RPM_CHECK if set to yes, run some checks against the rpm database.
-
-TTY_WARN if set to yes, reports check result to tty.
-
-CHECK_WRITABLE if set to yes, check files/directories writable by everybody.
-
-MAIL_WARN if set to yes, report check result by mail.
-
-MAIL_USER if set, send the mail report to this email address else send it to root.
-
-CHECK_OPEN_PORT if set to yes, check open ports.
-
-CHECK_SGID if set to yes, check additions/removals of sgid files.
-'''
- securityconf = ConfigFile.get_config_file(SECURITYCONF)
- securityconf.set_shell_variable(var, value)
-
-# various
-
-def set_interactive(v):
- "D"
-
- global _interactive
-
- _interactive = v
-
-# libmsec.py ends here
-
|