path: root/src/msec/config.py
blob: ff08b88c9b1eac1230e8eaaaff155da90591368f (plain)
#!/usr/bin/python3 -O
"""This is the configuration file for msec.
The following variables are defined here:
    SECURITY_LEVELS: list of supported security levels
    SECURITYCONF: location of msec configuration file
    SECURITYLOG: log file for msec messages
    SETTINGS: all security settings, with the corresponding options for each
              level, callback functions, and regexp of valid parameters.

A helper function load_defaults parses the SETTINGS variable.

The MsecConfig class processes the main msec configuration file.
"""

import gettext
import sys
import traceback
import re
import os
import glob

# security levels
NONE_LEVEL = "none"
STANDARD_LEVEL = "standard"
SECURE_LEVEL = "secure"
# per-level definition file; formatted with (root prefix, level name)
SECURITY_LEVEL = "%s/etc/security/msec/level.%s"

# msec configuration file and the optional exceptions list
SECURITYCONF = '/etc/security/msec/security.conf'
EXCEPTIONSCONF = '/etc/security/msec/exceptions'

# permissions: active policy, and the per-level template (root prefix, level name)
PERMCONF = '/etc/security/msec/perms.conf'
PERMISSIONS_LEVEL = '%s/etc/security/msec/perm.%s'

# logging
SECURITYLOG = '/var/log/msec.log'

# localization
# localization: gettext.install() publishes _() as a builtin; if the catalog
# cannot be read, fall back to an identity "translation" (IOError is an alias
# of OSError on Python 3)
try:
    gettext.install('msec')
except OSError:
    _ = str

# shared strings
MODIFICATIONS_FOUND = _('Modified system files')
MODIFICATIONS_NOT_FOUND = _('No changes in system files')

# plugins: base directory, the core library and where plugins are looked up
MSEC_DIR = "/usr/share/msec"
MAIN_LIB = "libmsec"
PLUGINS_DIR = "/usr/share/msec/plugins"

# msec callbacks and valid values
# OPTION -> (callback name, list of accepted values)
# NOTE(review): '*' is presumably the "anything goes" marker — confirm in the validator
SETTINGS = {
    'BASE_LEVEL': ("libmsec.base_level", ['*']),
}
# label used in place of a value for options that are disabled
OPTION_DISABLED = _("Disabled")

# accepted values for periodic checks
VALUES_PERIODIC = ['manual', 'daily', 'weekly', 'monthly', 'no']
# accepted values for yes-no checks
VALUES_YESNO = ['yes', 'no']

# some checks require installation of additional packages if a specific
# option was activated; format:
#   'OPTION_NAME': (['option values which require package installation'], ['packages'])
# e.g. 'CHECK_CHKROOTKIT': (['yes'], ['chkrootkit'])
REQUIRE_PACKAGES = {}

# settings organized by category (filled in by the plugins)
SETTINGS_SYSTEM = []    # system security settings - 'msec' plugin
SETTINGS_NETWORK = []   # network security settings - 'msec' plugin
SETTINGS_PERIODIC = []  # periodic checks - 'audit' plugin

# checks that support exceptions - 'audit' plugin
CHECKS_WITH_EXCEPTIONS = []

# system encoding
SYS_ENC = sys.getfilesystemencoding()

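# localized help: the help module is optional, so failing to import it just
# leaves HELP empty.  Narrowed from a bare `except:`, which would also have
# swallowed SystemExit and KeyboardInterrupt.
try:
    from help import HELP
except Exception:
    HELP = {}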

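# helper function to find documentation for an option
def find_doc(msec, option, cached=None):
    """Return the documentation text for a security *option*.

    Lookup order: the *cached* dict (when one is given), the localized HELP
    table, then the docstring of the option's callback as resolved by
    ``msec.get_action(callback)``; the callback name itself is the last resort.

    Args:
        msec: object exposing ``get_action(callback)``.
        option: key of SETTINGS; an unknown option yields None.
        cached: optional dict used as a memo; it is consulted first and
            updated with the result.

    Returns:
        The documentation string, or None for an unknown option.
    """
    if option not in SETTINGS:
        # invalid option ?
        return None
    callback = SETTINGS[option][0]
    # `option in cached` raised TypeError for the default cached=None, and an
    # empty dict was never populated because the update was guarded by
    # truthiness instead of an identity test
    if cached is not None and option in cached:
        return cached[option]
    if option in HELP:
        doc = HELP[option]
    else:
        # option not found in HELP: use the callback's docstring
        func = msec.get_action(callback)
        func_doc = getattr(func, "__doc__", None)
        # well, no luck. Just use the callback then
        doc = func_doc.strip() if func_doc else callback
    if cached is not None:
        cached[option] = doc
    return doc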

def find_callback(param):
    '''Finds a callback for security option (None when *param* is unknown)'''
    entry = SETTINGS.get(param)
    if entry is None:
        return None
    callback_name = entry[0]
    return callback_name

def find_valid_params(param):
    '''Finds valid parameters for security option (None when *param* is unknown)'''
    entry = SETTINGS.get(param)
    if entry is None:
        return None
    accepted_values = entry[1]
    return accepted_values

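# helper functions
def list_available_levels(log, root=''):
    """Lists available msec levels.

    Globs the SECURITY_LEVEL pattern under *root* and returns the level
    names (the text after ``level.``), skipping rpm backup copies.

    Args:
        log: unused; kept for signature compatibility.
        root: optional prefix prepended to the system path.

    Returns:
        list of level names, in glob order.
    """
    path = SECURITY_LEVEL % (root, "*")
    # compiled once instead of on every iteration; the dot before the level
    # name is escaped so only a literal '.' matches
    levels_re = re.compile(r".*/level\.(.*)")
    levels = []
    for z in glob.glob(path):
        # skip rpm junk
        if ".rpmsave" in z or ".rpmnew" in z:
            continue
        levelname = levels_re.findall(z)
        if levelname:
            levels.append(levelname[0])
    return levels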

def load_defaults(log, level, root=''):
    """Loads default configuration for given security level, returning a
        MsecConfig instance (the level file is loaded before returning).
        """
    level_file = SECURITY_LEVEL % (root, level)
    level_conf = MsecConfig(log, config=level_file)
    level_conf.load()
    return level_conf

def load_default_perms(log, level, root=''):
    """Loads default permissions for given security level, returning a
        PermConfig instance (the level file is loaded before returning).
        """
    perm_file = PERMISSIONS_LEVEL % (root, level)
    perm_conf = PermConfig(log, config=perm_file)
    perm_conf.load()
    return perm_conf

def merge_with_baselevel(log, config, base_level, load_func, root=''):
    """Merges a config with its base level.

    *load_func* (e.g. load_defaults or load_default_perms) is called as
    ``load_func(log, base_level, root=root)`` and the resulting config is
    merged into *config* with ``config.merge()`` (non-overwriting).
    """
    base_conf = load_func(log, base_level, root=root)
    config.merge(base_conf)


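def to_utf8(s):
    """Return *s* as a text string, decoding UTF-8 bytes if needed.

    The original Python 2 logic (``s.decode()`` on a str) raised
    AttributeError for every str under Python 3; under this interpreter the
    function is only meaningful as bytes -> str.

    Args:
        s: bytes (decoded as UTF-8), str (returned unchanged) or any other
            object (converted with str()).

    Raises:
        UnicodeDecodeError: if *s* is bytes that are not valid UTF-8.
    """
    if isinstance(s, bytes):
        return s.decode("utf-8")
    if isinstance(s, str):
        return s
    return str(s)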

# {{{ MsecConfig
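class MsecConfig:
    """Msec configuration parser.

    Handles a flat ``OPTION=value`` file.  *options* maps option names to
    their values, *comments* keeps the ``#`` lines so save() can write them
    back on top, *base_level* is filled in by get_base_level().
    """
    def __init__(self, log, config=SECURITYCONF):
        """
        Args:
            log: logger exposing error()/warn()/debug().
            config: path of the file to load/save; a false value means the
                instance is purely in-memory (load()/save() are no-ops).
        """
        self.config = config
        self.options = {}
        self.comments = []
        self.log = log
        self.base_level = None

    def merge(self, newconfig, overwrite=False):
        """Merges parameters from newconfig to current config.

        With overwrite=False an option already present here keeps its value
        (get() only defines missing ones); with overwrite=True newconfig wins.
        """
        for opt in newconfig.list_options():
            if overwrite:
                self.set(opt, newconfig.get(opt))
            else:
                self.get(opt, newconfig.get(opt))

    def reset(self):
        """Resets all configuration (options and comments)."""
        self.options = {}
        self.comments = []

    def get_base_level(self, base_level=None):
        """Configures base level for current level, so the settings could be
        pulled from it.  Without an argument the BASE_LEVEL option is used,
        defaulting it to NONE_LEVEL when absent."""
        if not base_level:
            base_level = self.get('BASE_LEVEL', NONE_LEVEL)
        self.base_level = base_level
        return self.base_level

    def load(self):
        """Loads and parses configuration file.

        Returns:
            True on success (or when there is no associated file), False when
            the file cannot be opened.  Lines without '=' are logged and
            skipped.
        """
        if not self.config:
            # No associated file
            return True
        try:
            fd = open(self.config)
        except OSError as err:
            self.log.error(_("Unable to load configuration file %s: %s") % (self.config, err))
            return False
        # the file is closed even if parsing raises
        with fd:
            for line in fd:
                line = line.strip()
                if not line:
                    continue
                if line[0] == "#":
                    # comment
                    self.comments.append(line)
                    continue
                try:
                    option, val = line.split("=", 1)
                except ValueError:
                    self.log.warn(_("Bad config option: %s") % line)
                    continue
                self.options[option] = val
        return True

    def get(self, option, default=None):
        """Gets a configuration option, or defines it (as *default*) if not defined"""
        return self.options.setdefault(option, default)

    def remove(self, option):
        """Removes a configuration option (its value becomes None; save()
        then writes it as an empty assignment)."""
        if option in self.options:
            self.options[option] = None

    def set(self, option, value):
        """Sets a configuration option"""
        self.options[option] = value

    def list_options(self):
        """Sorts and returns configuration parameters"""
        return sorted(self.options)

    @staticmethod
    def _quote(value):
        """Wrap *value* in double quotes when it contains a separator
        (space, '|', ';', backslash, CR or LF); already-quoted values are
        left alone.

        NOTE(review): quoting does not neutralise an embedded CR/LF — the
        value is still written across several physical lines and load()
        parses line by line, so such a value cannot round-trip.  Reject it
        before set() if it comes from outside.
        """
        if not any(c in value for c in (' ', '|', ';', '\\', '\r', '\n')):
            return value
        if value[0] == '"' and value[-1] == '"':
            # string is already escaped
            return value
        return '"%s"' % value

    def save(self, base_level=None):
        """Saves configuration. Comments go on top. If a variable is present
        in base_level, and it is identical to the one to be saved, it is
        skipped (BASE_LEVEL itself is always written).

        Returns:
            True on success (or when there is no associated file), False when
            the file cannot be opened for writing.
        """
        if not self.config:
            # No associated file
            return True
        try:
            fd = open(self.config, "w")
        except OSError as err:
            self.log.error(_("Unable to save %s: %s") % (self.config, err))
            return False
        with fd:
            for comment in self.comments:
                print(comment, file=fd)
            # sorting keys
            for option in self.list_options():
                value = self.options[option]
                # is it already on base level?
                if base_level and option in base_level.options and option != "BASE_LEVEL":
                    if value == base_level.get(option):
                        self.log.debug("Option %s=%s already on base level!" % (option, value))
                        continue
                # prevent saving empty options
                # TODO: integrate with remove()
                if value is None or value == OPTION_DISABLED:
                    self.log.debug("Skipping %s" % option)
                    value = ""
                else:
                    # escape special characters
                    value = self._quote(value)
                print("%s=%s" % (option, value), file=fd)
        return True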
# }}}

# {{{ ExceptionConfig
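class ExceptionConfig:
    """Exceptions configuration parser.

    The file holds one ``CHECK value`` pair per line (split on the first
    space).  Unlike MsecConfig, *options* is an ordered list of
    (check, value) tuples addressed by position.
    """
    def __init__(self, log, config=EXCEPTIONSCONF):
        """
        Args:
            log: logger exposing error()/warn()/info()/debug().
            config: path of the exceptions file; a false value means the
                instance is purely in-memory.
        """
        self.config = config
        self.options = []
        self.comments = []
        self.log = log

    def reset(self):
        """Resets all configuration (options and comments)."""
        self.options = []
        self.comments = []

    def load(self):
        """Loads and parses configuration file.

        Returns:
            True on success (or when there is no associated file), False when
            the file cannot be opened — which is not fatal, the file is
            optional.  Lines without a space separator are logged and skipped.
        """
        if not self.config:
            # No associated file
            return True
        try:
            fd = open(self.config)
        except OSError as err:
            # this file is optional, so if it is not found that's not fatal
            self.log.info(_("loading exceptions file %s: %s") % (self.config, err))
            self.log.info(_("No exceptions loaded"))
            return False
        # the file is closed even if parsing raises
        with fd:
            for line in fd:
                line = line.strip()
                if not line:
                    continue
                if line[0] == "#":
                    # comment
                    self.comments.append(line)
                    continue
                try:
                    option, val = line.split(" ", 1)
                except ValueError:
                    self.log.warn(_("Bad config option: %s") % line)
                    continue
                self.options.append((option, val))
        return True

    def get(self, pos, default=None):
        """Gets the (option, value) pair at *pos*, or *default* when *pos*
        is past the end (``pos == len`` used to fall through to an
        IndexError)."""
        if pos >= len(self.options):
            return default
        return self.options[pos]

    def remove(self, pos):
        """Removes the configuration option at *pos* (no-op when out of range)."""
        if pos < len(self.options):
            del self.options[pos]

    def set(self, pos, value):
        """Sets a configuration option.

        A positive *pos* replaces the entry at that index; any other *pos*
        appends.  NOTE(review): ``pos == 0`` therefore appends instead of
        replacing the first entry — left as-is, callers may rely on it.
        """
        if pos > 0:
            self.options[pos] = value
        else:
            self.options.append(value)

    def list_options(self):
        """Sorts the options in place and returns the (same) list object."""
        if self.options:
            self.options.sort()
        return self.options

    def save(self):
        """Saves configuration. Comments go on top; entries whose value is
        None or OPTION_DISABLED are skipped.

        Returns:
            True on success (or when there is no associated file), False when
            the file cannot be opened for writing.
        """
        if not self.config:
            # No associated file
            return True
        try:
            fd = open(self.config, "w")
        except OSError as err:
            self.log.error(_("Unable to save %s: %s") % (self.config, err))
            return False
        with fd:
            for comment in self.comments:
                print(comment, file=fd)
            for option, value in self.options:
                # TODO: integrate with remove()
                if value is None or value == OPTION_DISABLED:
                    self.log.debug("Skipping %s" % option)
                else:
                    print("%s %s" % (option, value), file=fd)
        return True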
# }}}

# {{{ PermConfig
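class PermConfig(MsecConfig):
    """Msec file permission parser.

    Lines have the form ``path user.group perm [force] [acl]`` (see
    ``regexp``).  *options* maps path -> (user, group, perm, force, acl)
    and *options_order* keeps the file order, which save() preserves
    instead of sorting.  merge() is inherited from MsecConfig.
    """
    def __init__(self, log, config=PERMCONF):
        """
        Args:
            log: logger exposing error()/warn()/debug().
            config: path of the permissions file.
        """
        super().__init__(log, config=config)
        self.options_order = []
        # raw string: the pattern used to be a plain literal whose '\s' and
        # '\d' are invalid escapes under Python 3 (a warning since 3.12)
        self.regexp = re.compile(r"^([^\s]*)\s*([a-z]*)\.([a-z]*)\s*([\d]?\d\d\d|current)\s*(force)?\s?([^\s]*)$")

    def reset(self):
        """Resets all configuration, including the ordering list."""
        super().reset()
        self.options_order = []

    def remove(self, option):
        """Removes a configuration option (value set to None, dropped from the order)."""
        super().remove(option)
        if option in self.options_order:
            self.options_order.remove(option)

    def load(self):
        """Loads and parses configuration file.

        Returns:
            True on success, False when the file cannot be opened (a missing
            path, i.e. ``config=None``, is reported the same way).  Lines the
            pattern does not match are ignored silently.
        """
        try:
            fd = open(self.config)
        except (OSError, TypeError) as err:
            self.log.error(_("Unable to load configuration file %s: %s") % (self.config, err))
            return False
        # the file is closed even if parsing raises
        with fd:
            for line in fd:
                line = line.strip()
                if not line:
                    continue
                if line[0] == "#":
                    # comment
                    self.comments.append(line)
                    continue
                res = self.regexp.findall(line)
                if not res:
                    continue
                # findall() yields one 6-tuple per match for this pattern;
                # guard anyway so a pattern edit cannot silently reuse the
                # previous iteration's variables
                if len(res[0]) != 6:
                    self.log.warn(_("Bad config option: %s") % line)
                    continue
                path, user, group, perm, force, acl = res[0]
                # set() records the path in options_order only once, so a
                # path listed twice is no longer written twice by save()
                self.set(path, (user, group, perm, force, acl))
        return True

    def list_options(self):
        """Returns configuration parameters in file order (not sorted)."""
        return self.options_order

    def get(self, option, default=None):
        """Gets a configuration option, or defines it (as *default*) if not defined"""
        if option not in self.options:
            self.set(option, default)
        return self.options[option]

    def set(self, option, value):
        """Sets a configuration option, appending it to the order on first use"""
        self.options[option] = value
        if option not in self.options_order:
            self.options_order.append(option)

    def save(self, base_level=None):
        """Saves configuration. Comments go on top. If a variable is present
        in base_level, and it is identical to the one to be saved, it is
        skipped; removed entries (value None) are skipped too.

        Returns:
            True on success, False when the file cannot be opened for writing.
        """
        try:
            fd = open(self.config, "w")
        except (OSError, TypeError) as err:
            self.log.error(_("Unable to save %s: %s") % (self.config, err))
            return False
        with fd:
            for comment in self.comments:
                print(comment, file=fd)
            # entries keep their file order
            for path in self.options_order:
                value = self.options[path]
                # is it already on base level?
                if base_level and path in base_level.options:
                    if value == base_level.get(path):
                        self.log.debug("Option %s=%s already on base level!" % (path, value))
                        continue
                if not value:
                    # the option was removed
                    continue
                user, group, perm, force, acl = value
                force = "\tforce" if force else ""
                print("%s\t%s.%s\t%s%s\t%s" % (path, user, group, perm, force, acl), file=fd)
        return True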
# }}}