Diffstat (limited to 'share/msec.py')
-rwxr-xr-xshare/msec.py195
1 files changed, 195 insertions, 0 deletions
diff --git a/share/msec.py b/share/msec.py
new file mode 100755
index 0000000..8ab0a3f
--- /dev/null
+++ b/share/msec.py
@@ -0,0 +1,195 @@
+#!/usr/bin/python -O
+#---------------------------------------------------------------
+# Project : Mandrake Linux
+# Module : msec/share
+# File : msec.py
+# Version : $Id$
+# Author : Frederic Lepied
+# Created On : Wed Dec 5 20:20:21 2001
+#---------------------------------------------------------------
+
+from libmsec import *
+from Log import *
+from Log import _name
+import Config
+import sys
+import os
+import string
+import getopt
+import gettext
+
+try:
+ cat = gettext.Catalog('msec')
+ _ = cat.gettext
+except IOError:
+ _ = str
+
+# program
+_name = 'msec'
+
+sys.argv[0] = os.path.basename(sys.argv[0])
+
+try:
+ (opt, args) = getopt.getopt(sys.argv[1:], 'o:',
+ ['option'])
+except getopt.error:
+ error(_('Invalid option. Use %s (-o var=<val>...) ([0-5])') % sys.argv[0])
+ sys.exit(1)
+
+
+for o in opt:
+ if o[0] == '-o' or o[0] == '--option':
+ pair = string.split(o[1], '=')
+ if len(pair) != 2:
+ error(_('Invalid option format %s %s: use -o var=<val>') % (o[0], o[1]))
+ sys.exit(1)
+ else:
+ Config.set_config(pair[0], pair[1])
+
+interactive = sys.stdin.isatty()
+set_interactive(interactive)
+
+# initlog must be done after processing the option because we can change
+# the way to report log with options...
+if interactive:
+ import syslog
+
+ initlog('msec', syslog.LOG_LOCAL1)
+else:
+ initlog('msec')
+
+if len(args) == 0:
+ level = get_secure_level()
+ if level == None:
+ error(_('Secure level not set. Use %s <secure level> to set it.') % sys.argv[0])
+ sys.exit(1)
+else:
+ level = args[0]
+
+try:
+ level = int(level)
+except ValueError:
+ error(_('Invalid secure level %s. Use %s [0-5] to set it.') % (level, sys.argv[0]))
+ sys.exit(1)
+
+if level < 0 or level > 5:
+ error(_('Invalid secure level %s. Use %s [0-5] to set it.') % (level, sys.argv[0]))
+ sys.exit(1)
+
+set_secure_level(level)
+
+server=(level in range(3, 6))
+
+# for all levels: min length = 2 * (level - 1) and for level 4,5 makes mandatory
+# to have at least one upper case character and one digit.
+if level > 1:
+ password_length = (level - 1) * 2
+else:
+ password_length = 0
+
+password_length(password_length, level / 4, level / 4)
+
+enable_ip_spoofing_protection(server)
+
+# differences between level 5 and others
+if level == 5:
+ set_root_umask('077')
+ set_shell_timeout(900)
+ deny_all_services()
+ enable_pam_wheel_for_su()
+else:
+ set_root_umask('022')
+ if level == 4:
+ set_shell_timeout(3600)
+ deny_non_local_services()
+ else:
+ set_shell_timeout(0)
+ authorize_all_services()
+ disable_pam_wheel_for_su()
+
+# differences between level 4,5 and others
+if level >= 4:
+ set_user_umask('077')
+ set_shell_history_size(10)
+ forbid_root_login()
+ enable_sulogin()
+ forbid_user_list()
+ enable_promisc_check()
+ ignore_icmp_echo()
+ ignore_bogus_error_responses()
+ enable_libsafe()
+ forbid_reboot()
+ disable_at_crontab()
+ if level == 4:
+ password_aging(60)
+ else:
+ password_aging(30)
+else:
+ set_user_umask('022')
+ set_shell_history_size(-1)
+ allow_root_login()
+ disable_sulogin()
+ allow_user_list()
+ disable_promisc_check()
+ accept_icmp_echo()
+ accept_bogus_error_responses()
+ disable_libsafe()
+ allow_reboot()
+ enable_at_crontab()
+ password_aging(99999)
+
+# differences between level 3,4,5 and others
+if server:
+ forbid_autologin()
+ enable_console_log()
+ forbid_issues((level != 5))
+ enable_log_strange_packets()
+else:
+ allow_autologin()
+ disable_console_log()
+ allow_issues()
+ disable_log_strange_packets()
+
+# differences between level 0 and others
+if level != 0:
+ enable_security_check()
+ if level < 3:
+ allow_local_x_connections()
+ else:
+ restrict_x_connections()
+else:
+ disable_security_check()
+ allow_x_connections()
+
+# msec cron
+enable_msec_cron()
+
+# 0 1 2 3 4 5
+FILE_CHECKS = {'CHECK_SECURITY' : ('no', 'yes', 'yes', 'yes', 'yes', 'yes', ),
+ 'CHECK_PERMS' : ('no', 'no', 'no', 'yes', 'yes', 'yes', ),
+ 'CHECK_SUID_ROOT' : ('no', 'no', 'yes', 'yes', 'yes', 'yes', ),
+ 'CHECK_SUID_MD5' : ('no', 'no', 'yes', 'yes', 'yes', 'yes', ),
+ 'CHECK_SUID_GROUP' : ('no', 'no', 'yes', 'yes', 'yes', 'yes', ),
+ 'CHECK_WRITEABLE' : ('no', 'no', 'yes', 'yes', 'yes', 'yes', ),
+ 'CHECK_UNOWNED' : ('no', 'no', 'no', 'no', 'yes', 'yes', ),
+ 'CHECK_PROMISC' : ('no', 'no', 'no', 'no', 'yes', 'yes', ),
+ 'CHECK_OPEN_PORT' : ('no', 'no', 'no', 'yes', 'yes', 'yes', ),
+ 'CHECK_PASSWD' : ('no', 'no', 'no', 'yes', 'yes', 'yes', ),
+ 'CHECK_SHADOW' : ('no', 'no', 'no', 'yes', 'yes', 'yes', ),
+ 'TTY_WARN' : ('no', 'no', 'no', 'no', 'yes', 'yes', ),
+ 'MAIL_WARN' : ('no', 'no', 'no', 'yes', 'yes', 'yes', ),
+ 'SYSLOG_WARN' : ('no', 'no', 'yes', 'yes', 'yes', 'yes', ),
+ 'RPM_CHECK' : ('no', 'no', 'no', 'yes', 'yes', 'yes', ),
+ }
+
+interactive and log(_('Configuring periodic files checks'))
+securityconf = ConfigFile.get_config_file('/etc/security/msec/security.conf')
+for k in FILE_CHECKS.keys():
+ securityconf.set_shell_variable(k, FILE_CHECKS[k][level])
+
+interactive and log(_('Writing config files and then taking needed actions'))
+ConfigFile.write_files()
+
+closelog()
+
+# msec.py ends here
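Review bot: The password-policy call at `password_length(password_length, level / 4, level / 4)` can never succeed, because the two assignments just above it (`password_length = (level - 1) * 2` and `password_length = 0`) rebind the name `password_length` to an int, so by the time the call runs the name is no longer the callable (presumably the one pulled in by `from libmsec import *`) and Python raises `TypeError: 'int' object is not callable`; the net effect is that every level aborts after `set_secure_level(level)` and before any of the hardening below is applied. Rename the local: `min_length = (level - 1) * 2`, `min_length = 0`, and `password_length(min_length, level / 4, level / 4)`. Separately, `string.split(o[1], '=')` followed by `len(pair) != 2` rejects any `-o var=<val>` whose value itself contains `=`; `string.split(o[1], '=', 1)` would split only on the first `=` and keep the rest of the value intact. Also `level == None` should be `level is None`.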