def __init__(self, config, environ, logdispatcher, statechglogger):
        RuleKVEditor.__init__(self, config, environ, logdispatcher,
                              statechglogger)

        self.rulenumber = 270
        self.rulename = 'DisableOpenSafeSafari'
        self.formatDetailedResults("initialize")
        self.mandatory = True
        self.rootrequired = False
        # for compatibility with logging in rule.py's undo() method...
        self.logger = self.logdispatch
        self.guidance = []
        self.applicable = {
            'type': 'white',
            'os': {
                'Mac OS X': ['10.15', 'r', '10.15.10']
            }
        }
        # init CIs
        datatype = 'bool'
        key = 'SAFESAFARI'
        instructions = "To prevent the open safe file after downloading " + \
        "feature being disabled, set the value of SAFESAFARI to False."
        default = True
        self.ci = self.initCi(datatype, key, instructions, default)
        self.addKVEditor("DisableOpenSafeSafari", "defaults",
                         "~/Library/Preferences/com.apple.Safari.plist", "",
                         {"AutoOpenSafeDownloads": ["0", "-bool no"]},
                         "present", "",
                         "Disable open safe files after download in safari")
        self.sethelptext()
    def __init__(self, config, environ, logger, statechglogger):
        RuleKVEditor.__init__(self, config, environ, logger, statechglogger)
        self.rulenumber = 164
        self.rulename = 'DisableAFPFileSharing'
        self.formatDetailedResults("initialize")
        self.mandatory = True
        self.logger = logger
        self.rootrequired = True
        self.guidance = ['CIS 1.4.14.3']

        self.applicable = {
            'type': 'white',
            'os': {
                'Mac OS X': ['10.15', 'r', '10.15.10']
            }
        }

        if self.environ.getostype() == "Mac OS X":
            self.addKVEditor(
                "DisableAFPFileSharing", "defaults",
                "/System/Library/LaunchDaemons/com.apple.AppleFileServer", "",
                {"Disabled": ["1", "-bool True"]}, "present", "",
                "Disable AFP File Sharing", None, False, {})

        self.initObjs()
        self.determineOrigAFPstatus()
        self.sethelptext()
Beispiel #3
0
    def __init__(self, config, environ, logger, statechglogger):
        RuleKVEditor.__init__(self, config, environ, logger, statechglogger)
        self.rulenumber = 174
        self.rulename = 'DisableGuestAccess'
        self.formatDetailedResults("initialize")
        self.mandatory = True
        self.helptext = "Configures the Apple File Server (AFS) and " + \
        "the Samba (SMB) server to prohibit anonymous guest access."
        self.applicable = {'type': 'white',
                           'os': {'Mac OS X': ['10.15', 'r', '10.15.10']}}

        self.rootrequired = True
        self.guidance = []
        self.addKVEditor("disableGuestSharingAFP",
                         "defaults",
                         "/Library/Preferences/com.apple.AppleFileServer",
                         "",
                         {"guestAccess": ["0", "-bool no"]},
                         "present",
                         "",
                         "Do not allow guests to access AppleShare volumes.",
                         None,
                         False,
                         {})
        self.addKVEditor("disableGuestSharingSMB",
                         "defaults",
                         "/Library/Preferences/SystemConfiguration/com.apple.smb.server", 
                         "",
                         {"AllowGuestAccess": ["0", "-bool no"]},
                         "present",
                         "",
                         "Do not allow guest to access SMB Shares.",
                         None,
                         False,
                         {})
Beispiel #4
0
 def __init__(self, config, environ, logdispatcher, statechglogger):
     '''
     Constructor
     '''
     RuleKVEditor.__init__(self, config, environ, logdispatcher,
                           statechglogger)
     self.rulenumber = 170
     self.rulename = 'ConfigureLoginWindow'
     self.formatDetailedResults("initialize")
     self.mandatory = True
     self.sethelptext()
     self.rootrequired = True
     self.guidance = ['CCE-28310-1']
     self.applicable = {
         'type': 'white',
         'os': {
             'Mac OS X': ['10.15', 'r', '10.15.10']
         }
     }
     self.addKVEditor(
         "LoginNamePassword", "defaults",
         "/Library/Preferences/com.apple.loginwindow", "",
         {"SHOWFULLNAME": ["1", "-bool yes"]}, "present", "",
         "Forces the user to enter a username and " +
         "password at the login window when enabled.", None, False,
         {"SHOWFULLNAME": ["0", "-bool no"]})
     self.addKVEditor(
         "DisableConsoleAccess", "defaults",
         "/Library/Preferences/com.apple.loginwindow", "",
         {"DisableConsoleAccess": ["1", "-bool yes"]}, "present", "",
         'If console login is enabled, the user can type ' +
         '">console" for the user name to get a console ' + 'login.', None,
         False, {"DisableConsoleAccess": ["0", "-bool no"]})
Beispiel #5
0
    def __init__(self, config, environ, logdispatcher, statechglogger):
        RuleKVEditor.__init__(self, config, environ, logdispatcher,
                              statechglogger)
        self.rulenumber = 131
        self.rulename = 'ShowBluetoothIcon'
        self.formatDetailedResults("initialize")
        self.mandatory = False
        self.sethelptext()
        self.rootrequired = False
        self.guidance = []
        self.statechglogger = statechglogger
        self.applicable = {
            'type': 'white',
            'os': {
                'Mac OS X': ['10.15', 'r', '10.15.10']
            }
        }
        self.ch = CommandHelper(self.logdispatch)

        self.systemuiserver = ""
        self.bluetoothmenu = ""

        if self.environ.geteuid() != 0:
            user = pwd.getpwuid(os.getuid())[0]
            self.systemuiserver = "/Users/" + user + "/Library/Preferences/com.apple.systemuiserver"
            self.bluetoothmenu = "\"/System/Library/CoreServices/Menu Extras/Bluetooth.menu\""
            self.addKVEditor(
                "ShowBluetoothIcon", "defaults", self.systemuiserver, "", {
                    "menuExtras":
                    [self.bluetoothmenu, "-array-add " + self.bluetoothmenu]
                }, "present", "", "Show Bluetooth Icon in the Menu Bar.", None,
                False, {})
Beispiel #6
0
    def __init__(self, config, environ, logger, statechglogger):
        """

        :param config: 
        :param environ: 
        :param logger: 
        :param statechglogger: 
        """

        RuleKVEditor.__init__(self, config, environ, logger, statechglogger)
        self.logger = logger
        self.environ = environ
        self.rulenumber = 145
        self.rootrequired = True
        self.mandatory = True
        self.rulename = 'LinuxPackageSigning'
        self.formatDetailedResults("initialize")
        self.sethelptext()
        self.guidance = ['CNSSI 1253: cm-5(3)']

        # init CIs
        datatype = 'bool'
        key = 'LINUXPACKAGESIGNING'
        instructions = 'If you wish to disable this rule, set the value ' + \
            'of LinuxPackageSigning to False.'
        default = True
        self.ci = self.initCi(datatype, key, instructions, default)
        self.ostype = self.environ.getostype()
        self.applicable = self.isapplicable()

        self.localize()
Beispiel #7
0
 def __init__(self, config, environ, logdispatcher, statechglogger):
     '''
     Constructor
     '''
     RuleKVEditor.__init__(self, config, environ, logdispatcher,
                           statechglogger)
     self.rulenumber = 171
     self.rulename = 'DisablePasswordHints'
     self.formatDetailedResults("initialize")
     self.mandatory = True
     self.rootrequired = True
     self.applicable = {
         'type': 'white',
         'os': {
             'Mac OS X': ['10.15', 'r', '10.15.10']
         }
     }
     self.addKVEditor("DisablePasswordHints",
                      "defaults",
                      "/Library/Preferences/com.apple.loginwindow",
                      "",
                      {"RetriesUntilHint": ["0", "-int 0"]},
                      "present",
                      "",
                      "This variable is to determine number of " + \
                      "tries until password hints are displayed at " + \
                      "the login window. Zero indicates no password " + \
                      "hints will be given.",
                      None,
                      False,
                      {})
     self.sethelptext()
Beispiel #8
0
 def fix(self):
     '''choose which fix method to run, based on OS archetype'''
     self.detailedresults = ""
     if self.DisableCloudServices.getcurrvalue():
         if self.environ.getosfamily() == 'darwin':
             RuleKVEditor.fix(self, False)
         elif re.search('Ubuntu', self.environ.getostype()):
             self.fixUbuntu()
Beispiel #9
0
 def report(self):
     '''choose which report method to run based on OS archetype'''
     self.detailedresults = ""
     if self.environ.getosfamily() == 'darwin':
         RuleKVEditor.report(self, False)
     elif re.search('Ubuntu', self.environ.getostype()):
         retval = self.reportUbuntu()
         return retval
Beispiel #10
0
    def __init__(self, config, environ, logger, statechglogger):
        '''
        Constructor
        '''
        RuleKVEditor.__init__(self, config, environ, logger, statechglogger)
        self.logger = logger
        self.rulenumber = 261
        self.rulename = 'ConfigureRemoteManagement'
        self.compliant = True
        self.formatDetailedResults("initialize")
        self.sethelptext()
        self.rootrequired = True
        self.guidance = ['CIS 2.4.9', 'Apple HT201710']

        self.applicable = {
            'type': 'white',
            'os': {
                'Mac OS X': ['10.15', 'r', '10.15.10']
            }
        }

        if self.environ.getostype() == "Mac OS X":
            self.addKVEditor(
                "ARD_AllLocalUsers", "defaults",
                "/Library/Preferences/com.apple.RemoteManagement", "",
                {"ARD_AllLocalUsers": ["0", "-bool no"]}, "present", "",
                "Do not allow local users remote management rights.", None,
                False, {"ARD_AllLocalUsers": ["1", "-bool yes"]})

            self.addKVEditor(
                "ARD_AllLocalUsersPrivs", "defaults",
                "/Library/Preferences/com.apple.RemoteManagement", "",
                {"ARD_AllLocalUsersPrivs": ["1073742058", "-int 1073742058"]},
                "present", "",
                "Set which privleges local users have access to", None, False,
                {"ARD_AllLocalUsersPrivs": ["0", "-int 0"]})

            self.addKVEditor(
                "ScreenSharingReqPermEnabled", "defaults",
                "/Library/Preferences/com.apple.RemoteManagement", "",
                {"ScreenSharingReqPermEnabled": ["1", "-bool yes"]}, "present",
                "",
                "Enable remote users to request permissions for screen sharing.",
                None, False,
                {"ScreenSharingReqPermEnabled": ["0", "-bool no"]})
            self.addKVEditor(
                "VNCLegacyConnectionsEnabled", "defaults",
                "/Library/Preferences/com.apple.RemoteManagement", "",
                {"VNCLegacyConnectionsEnabled": ["0", "-bool no"]}, "present",
                "", "Disable Legacy VNC Connections.", None, False,
                {"VNCLegacyConnectionsEnabled": ["1", "-bool yes"]})
            self.addKVEditor(
                "LoadRemoteManagementMenuExtra", "defaults",
                "/Library/Preferences/com.apple.RemoteManagement", "",
                {"LoadRemoteManagementMenuExtra": ["1", "-bool yes"]},
                "present", "", "Load the remote management menu item.", None,
                False, {"LoadRemoteManagementMenuExtra": ["0", "-bool no"]})
Beispiel #11
0
    def __init__(self, config, environ, logdispatcher, statechglogger):
        RuleKVEditor.__init__(self, config, environ, logdispatcher,
                              statechglogger)
        self.rulenumber = 122
        self.rulename = 'ConfigureNetworks'
        self.formatDetailedResults("initialize")
        self.mandatory = True
        self.sethelptext()
        self.rootrequired = True
        self.guidance = []
        self.iditerator = 0
        self.statechglogger = statechglogger
        self.applicable = {
            'type': 'white',
            'os': {
                'Mac OS X': ['10.15', 'r', '10.15.10']
            }
        }

        ## this section added to prevent code, which relies on constants in localize.py,
        # from running if those constants are not defined or are set to 'None'
        #         if DNS == None:
        #             self.logdispatch.log(LogPriority.DEBUG, "Please ensure that the following constants, in localize.py, are correctly defined and are not None: DNS, PROXY, PROXYCONFIGURATIONFILE, PROXYDOMAIN. ConfigureNetworks will not function without these!")
        #             exit
        #         if PROXY == None:
        #             self.logdispatch.log(LogPriority.DEBUG, "Please ensure that the following constants, in localize.py, are correctly defined and are not None: DNS, PROXY, PROXYCONFIGURATIONFILE, PROXYDOMAIN. ConfigureNetworks will not function without these!")
        #             exit
        #         if PROXYCONFIGURATIONFILE == None:
        #             self.logdispatch.log(LogPriority.DEBUG, "Please ensure that the following constants, in localize.py, are correctly defined and are not None: DNS, PROXY, PROXYCONFIGURATIONFILE, PROXYDOMAIN. ConfigureNetworks will not function without these!")
        #             exit
        #         if PROXYDOMAIN == None:
        #             self.logdispatch.log(LogPriority.DEBUG, "Please ensure that the following constants, in localize.py, are correctly defined and are not None: DNS, PROXY, PROXYCONFIGURATIONFILE, PROXYDOMAIN. ConfigureNetworks will not function without these!")
        #             exit
        # this section added to prevent code, which relies on constants in localize.py,
        ## from running if those constants are not defined or are set to 'None'

        self.nsobject = None

        self.nsobject = networksetup(self.logdispatch)

        if self.nsobject != None:
            self.ch = CommandHelper(self.logdispatch)
            self.sh = ServiceHelper(self.environ, self.logdispatch)
            self.addKVEditor("DisableBluetoothUserInterface", "defaults",
                             "/Library/Preferences/com.apple.Bluetooth", "",
                             {"ControllerPowerState": ["0", "-int 0"]},
                             "present", "",
                             "Disable Bluetooth User Interface.", None, False,
                             {})
            self.addKVEditor("DisableBluetoothInternetSharing", "defaults",
                             "/Library/Preferences/com.apple.Bluetooth", "",
                             {"PANServices": ["0", "-int 0"]}, "present", "",
                             "Disable Bluetooth Internet Sharing.", None,
                             False, {})
Beispiel #12
0
    def __init__(self, config, environ, logger, statechglogger):
        """
        Constructor
        """

        RuleKVEditor.__init__(self, config, environ, logger, statechglogger)
        self.logger = logger
        self.rulenumber = 51
        self.rulename = 'InstallBanners'
        self.formatDetailedResults("initialize")
        self.mandatory = True
        self.sethelptext()
        self.rootrequired = True
        self.compliant = False
        self.guidance = [
            'CIS', 'NSA 2.3.7.2', 'CCE 4188-9', 'CCE 4431-3', 'CCE 3717-6',
            'CCE 4554-2', 'CCE 4603-7', 'CCE 4760-5', 'CCE 4301-8',
            'CCE 4698-7', 'CCE 4222-6', 'CCE 4103-8', 'CCE 4870-2',
            'CCE 4896-7'
        ]
        self.iditerator = 0
        self.applicable = {
            'type': 'white',
            'family': ['linux', 'solaris', 'freebsd'],
            'os': {
                'Mac OS X': ['10.15', 'r', '10.15.10']
            }
        }
        # init CIs
        datatype = 'bool'
        key = 'INSTALLBANNERS'
        instructions = "To prevent the installation of warning banners, " + \
            "set the value of InstallBanners to False.\n\n!DEBIAN USERS! Due to " + \
            "a bug in gdm3 (gnome 3) which has not been patched on debian, we are forced to " + \
            "change the user's display manager to something else in order to be compliant " + \
            "with the login banner requirement. As a result, the login banner changes will " + \
            "only take effect after a system reboot."
        default = True
        self.ci = self.initCi(datatype, key, instructions, default)

        # Initial setup and deterministic resolution of variables
        constlist = [
            WARNINGBANNER, GDMWARNINGBANNER, GDM3WARNINGBANNER,
            ALTWARNINGBANNER, OSXSHORTWARNINGBANNER
        ]
        if not self.checkConsts(constlist):
            self.applicable = {'type': 'white', 'family': []}
            return

        self.initobjs()
        self.setcommon()
        self.islinux()
        self.ismac()
Beispiel #13
0
 def __init__(self, config, environ, logdispatcher, statechglogger):
     RuleKVEditor.__init__(self, config, environ, logdispatcher,
                           statechglogger)
     self.rulenumber = 14
     self.rulename = 'ConfigureFirewall'
     self.formatDetailedResults("initialize")
     self.mandatory = True
     self.sethelptext()
     self.rootrequired = True
     self.guidance = []
     self.applicable = {
         'type': 'white',
         'os': {
             'Mac OS X': ['10.12', 'r', '10.15.10']
         }
     }
     self.ch = CommandHelper(self.logdispatch)
     self.sh = ServiceHelper(self.environ, self.logdispatch)
     self.fwcmd = "/usr/libexec/ApplicationFirewall/socketfilterfw"
     self.list = self.fwcmd + " --listapps"
     self.add = self.fwcmd + " --add "
     self.rmv = self.fwcmd + " --remove "
     self.iditerator = 0
     datatype = 'bool'
     key = 'CONFIGUREFIREWALL'
     instructions = "To disable this rule set CONFIGUREFIREWALL to False\n"
     default = True
     self.ci = self.initCi(datatype, key, instructions, default)
     self.addKVEditor("FirewallOn", "defaults",
                      "/Library/Preferences/com.apple.alf", "",
                      {"globalstate": ["1", "-int 1"]}, "present", "",
                      "Turn On Firewall. When enabled.", None, False,
                      {"globalstate": ["0", "-int 0"]})
     self.addKVEditor("FirewallLoginEnabled", "defaults",
                      "/Library/Preferences/com.apple.alf", "",
                      {"loggingenabled": ["1", "-int 1"]}, "present", "",
                      "Login Enabled. When enabled.", None, False,
                      {"loggingenabled": ["0", "-int 0"]})
     self.addKVEditor("FirewallStealthDisabled", "defaults",
                      "/Library/Preferences/com.apple.alf", "",
                      {"stealthenabled": ["0", "-int 0"]}, "present", "",
                      "Stealth Disabled. When enabled.", None, False,
                      {"stealthenabled": ["1", "-int 1"]})
     # self.currallowed = []
     '''Any values inside stonix.conf overrule the values inserted
     in the text field unless changes are saved to stonix.conf'''
     '''There are no currently allowed apps for the fw'''
     datatype = 'list'
     key = 'ALLOWEDAPPS'
     instructions = "Comma separated list of Applications allowed by the firewall.\n" + \
                    "Most applications end with .app and must contain the full path to the application.\n"
     default = []
     self.appci = self.initCi(datatype, key, instructions, default, ",")
Beispiel #14
0
    def fix(self):
        '''disable Apple File Sharing service


        :returns: success

        :rtype: bool
@author: Breen Malmberg

        '''

        success = True

        try:

            # if version = 10.10.*, then use KVEditor and ignore the other code
            if re.search("10\.10.*", self.environ.getosver(), re.IGNORECASE):
                RuleKVEditor.fix(self)
            else:

                clientfixpath1 = "/System/Library/LaunchDaemons/com.apple.AppleFileServer"
                clientfixtool = "launchctl"
                clientfixcmd1 = clientfixtool + " unload " + clientfixpath1

                # the below 'path' is actually an alias
                # which is understood by launchctl.
                # in mac terminology, this is called a 'target'
                clientfixpath2 = "system/com.apple.AppleFileServer"
                clientfixcmd2 = clientfixtool + " disable " + clientfixpath2

                self.cmdhelper.executeCommand(clientfixcmd1)
                retcode = self.cmdhelper.getReturnCode()
                if retcode != 0:
                    errstr = self.cmdhelper.getErrorString()
                    self.logger.log(LogPriority.DEBUG, errstr)
                    success = False
                self.cmdhelper.executeCommand(clientfixcmd2)
                retcode = self.cmdhelper.getReturnCode()
                if retcode != 0:
                    errstr = self.cmdhelper.getErrorString()
                    self.logger.log(LogPriority.DEBUG, errstr)
                    success = False

            if success:
                self.detailedresults += "\nApple File Server has successfully been disabled."

            self.formatDetailedResults('fix', success, self.detailedresults)
            return success
        except (KeyboardInterrupt, SystemExit):
            raise
        except Exception:
            self.detailedresults = traceback.format_exc()
            self.logger.log(LogPriority.ERROR, self.detailedresults)
Beispiel #15
0
    def fixmac(self):
        '''run fix functionality for macintosh, or darwin-based systems


        :returns: success

        :rtype: boolean
@author: Breen Malmberg

        '''

        success = True

        try:
            if not RuleKVEditor.fix(self, True):
                success = False
            if not self.setFileContents(self.ftpwelcomefile, self.bannertext):
                success = False
                self.detailedresults += '\nUnable to set warning banner text in ' + str(
                    self.ftpwelcomefile)
            if not self.setFileContents(self.policybanner, self.bannertext):
                success = False
                self.detailedresults += '\nUnable to set warning banner text in ' + str(
                    self.policybanner)
        except Exception:
            raise
        return success
Beispiel #16
0
    def fix(self):
        '''run fixed actions for ShowBluetoothIcon
        return True if all succeed


        :returns: fixed

        :rtype: bool
@author: bgonz12

        '''
        self.detailedresults = ""
        fixed = True

        try:
            if not RuleKVEditor.fix(self, True):
                fixed = False
                self.logdispatch.log(LogPriority.DEBUG,
                                     "Kveditor fixed failed.")

        except (KeyboardInterrupt, SystemExit):
            # User initiated exit
            raise
        except Exception as err:
            self.rulesuccess = False
            fixed = False
            messagestring = str(err) + " - " + str(traceback.format_exc())
            self.resultAppend(messagestring)
            self.logdispatch.log(LogPriority.ERROR, self.detailedresults)
        self.formatDetailedResults("fix", fixed, self.detailedresults)
        self.logdispatch.log(LogPriority.INFO, self.detailedresults)
        return fixed
Beispiel #17
0
    def fix(self):
        '''Disables Auto Login
        
        @author: Roy Nielsen


        '''
        try:
            self.detailedresults = ""
            fixed = False
            self.kvfix = False
            self.fhfix = False
            self.kvfix = RuleKVEditor.fix(self)
            if self.kvfix:
                self.fhfix = self.fh.fixFiles()
                if self.fhfix:
                    self.detailedresults = self.detailedresults + "\n" + \
                        self.fh.getFileMessage()
            if not self.kvfix or not self.fhfix:
                fixed = False
        except (KeyboardInterrupt, SystemExit):
            # User initiated exit
            raise
        except Exception as err:
            self.rulesuccess = False
            self.detailedresults = self.detailedresults + "\n" + str(err) + \
                " - " + str(traceback.format_exc())
            self.logdispatch.log(LogPriority.ERROR, self.detailedresults)
        self.formatDetailedResults("fix", fixed, self.detailedresults)
        self.logdispatch.log(LogPriority.INFO, self.detailedresults)
        return fixed
Beispiel #18
0
    def report(self):
        '''Report on the status of this rule
        
        @author: Roy Nielsen


        '''
        try:
            self.detailedresults = ""
            self.kvcompliant = False
            self.fhcompliant = False
            self.kvcompliant = RuleKVEditor.report(self)
            if not self.kvcompliant:
                self.detailedresults = "DisableAutoLogin is not compliant!"
            else:
                self.detailedresults = "DisableAutoLogin is compliant!"
            self.fhcompliant = self.fh.evaluateFiles()
            if not self.fhcompliant:
                self.detailedresults = self.detailedresults + "\n" + \
                    self.fh.getFileMessage()
            if not self.fhcompliant or not self.kvcompliant:
                self.compliant = False
        except (KeyboardInterrupt, SystemExit):
            raise
        except Exception as err:
            self.rulesuccess = False
            self.detailedresults = self.detailedresults + "\n" + str(err) + \
                " - " + str(traceback.format_exc())
            self.logdispatch.log(LogPriority.ERROR, self.detailedresults)
        self.formatDetailedResults("report", self.compliant,
                                   self.detailedresults)
        self.logdispatch.log(LogPriority.INFO, self.detailedresults)
        return self.compliant
Beispiel #19
0
    def undo(self):
        '''restore Apple File Sharing service
        to its original state


        :returns: void
        @author: Breen Malmberg

        '''

        success = True

        try:

            # if version = 10.10.*, then use KVEditor and ignore the other code
            if re.search("10\.10.*", self.environ.getosver(), re.IGNORECASE):
                RuleKVEditor.undo(self)
            else:

                if not self.afporigstatus:
                    undocmd1 = "launchctl enable system/com.apple.AppleFileServer"
                    undocmd2 = "launchctl load /System/Library/LaunchDaemons/com.apple.AppleFileServer.plist"
                    self.cmdhelper.executeCommand(undocmd1)
                    retcode = self.cmdhelper.getReturnCode()
                    if retcode != 0:
                        success = False
                        errstr = self.cmdhelper.getErrorString()
                        self.logger.log(LogPriority.DEBUG, errstr)
                    self.cmdhelper.executeCommand(undocmd2)
                    retcode = self.cmdhelper.getReturnCode()
                    if retcode != 0:
                        success = False
                        errstr = self.cmdhelper.getErrorString()
                        self.logger.log(LogPriority.DEBUG, errstr)

                if not success:
                    self.detailedresults += "\nUndo failed to restore Apple File Sharing to its original state on this system."
                else:
                    self.detailedresults += "\nUndo has successfully restored Apple File Sharing to its original state on this system."

        except (KeyboardInterrupt, SystemExit):
            raise
        except Exception:
            self.detailedresults = traceback.format_exc()
            self.logger.log(LogPriority.ERROR, self.detailedresults)
        self.formatDetailedResults('undo', success, self.detailedresults)
        return success
Beispiel #20
0
 def __init__(self, config, environ, logdispatcher, statechglogger):
     '''
     Constructor
     '''
     RuleKVEditor.__init__(self, config, environ, logdispatcher,
                           statechglogger)
     self.rulenumber = 169
     self.rulename = 'DisableAutoLogin'
     self.formatDetailedResults("initialize")
     self.applicable = {
         'type': 'white',
         'os': {
             'Mac OS X': ['10.15', 'r', '10.15.10']
         }
     }
     self.mandatory = True
     self.rootrequired = True
     self.files = {
         "kcpassword": {
             "path": "/etc/kcpassword",
             "remove": True,
             "content": None,
             "permissions": None,
             "owner": None,
             "group": None,
             "eventid": str(self.rulenumber).zfill(4) + "kcpassword"
         }
     }
     self.addKVEditor(
         "DisableAutoLogin", "defaults",
         "/Library/Preferences/com.apple.loginwindow", "", {
             "autoLoginUser": [
                 re.escape(
                     "The domain/default pair of (/Library/Preferences/com.apple.loginwindow, autoLoginUser) does not exist"
                 ), None
             ]
         }, "present", "",
         "This variable is to determine whether or not to " +
         "disable auto login", None, False, {})
     self.fh = FileHelper(self.logdispatch, self.statechglogger)
     self.ch = CommandHelper(self.logdispatch)
     for filelabel, fileinfo in sorted(self.files.items()):
         self.fh.addFile(filelabel, fileinfo["path"], fileinfo["remove"],
                         fileinfo["content"], fileinfo["permissions"],
                         fileinfo["owner"], fileinfo["group"],
                         fileinfo["eventid"])
     self.sethelptext()
 def __init__(self, config, environ, logger, statechglogger):
     RuleKVEditor.__init__(self, config, environ, logger, statechglogger)
     self.rulenumber = 257
     self.rulename = 'DisableMediaAutomaticActions'
     self.formatDetailedResults("initialize")
     self.mandatory = True
     self.rootrequired = True
     self.guidance = []
     self.applicable = {
         'type': 'white',
         'os': {
             'Mac OS X': ['10.15', 'r', '10.15.10']
         }
     }
     self.addKVEditor(
         "DisableAutoCDAction", "defaults",
         "/Library/Preferences/com.apple.digihub", "", {
             "com.apple.digihub.blank.cd.appeared":
             ["Enabled = 0;", "-dict Enabled -int 0"]
         }, "present", "", "Disable Automatic mounting of CDs.", None,
         False, {})
     self.addKVEditor(
         "DisableAutoMusicCDAction", "defaults",
         "/Library/Preferences/com.apple.digihub", "", {
             "com.apple.digihub.blank.dvd.appeared":
             ["Enabled = 0;", "-dict Enabled -int 0"]
         }, "present", "", "Disable Automatic mounting of Music CDs.", None,
         False, {})
     self.addKVEditor(
         "DisableAutoPictureCDAction", "defaults",
         "/Library/Preferences/com.apple.digihub", "", {
             "com.apple.digihub.cd.picture.appeared":
             ["Enabled = 0;", "-dict Enabled -int 0"]
         }, "present", "", "Disable Automatic mounting of Picture CDs.",
         None, False, {})
     self.addKVEditor(
         "DisableAutoVideoDVDAction", "defaults",
         "/Library/Preferences/com.apple.digihub", "", {
             "com.apple.digihub.dvd.video.appeared":
             ["Enabled = 0;", "-dict Enabled -int 0"]
         }, "present", "", "Disable Automatic mounting of DVDs.", None,
         False, {})
     self.sethelptext()
 def __init__(self, config, environ, logger, statechglogger):
     RuleKVEditor.__init__(self, config, environ, logger, statechglogger)
     self.rulenumber = 215
     self.rulename = 'DisableInternetSharing'
     self.formatDetailedResults("initialize")
     self.rootrequired = True
     self.guidance = []
     self.applicable = {
         'type': 'white',
         'os': {
             'Mac OS X': ['10.15', 'r', '10.15.10']
         }
     }
     self.addKVEditor(
         "DisabledInternetSharing", "defaults",
         "/Library/Preferences/SystemConfiguration/com.apple.nat", "",
         {"NAT": ["Enabled = 0;", "-dict Enabled -int 0"]}, "present", "",
         "Disable Internet sharing", None, False, {})
     self.sethelptext()
Beispiel #23
0
    def __init__(self, config, environ, logdispatcher, statechglogger):
        RuleKVEditor.__init__(self, config, environ, logdispatcher,
                              statechglogger)

        self.rulenumber = 159
        self.rulename = 'DisableCloudServices'
        self.formatDetailedResults("initialize")
        self.mandatory = True
        self.rootrequired = True
        self.logger = self.logdispatch
        self.guidance = []
        self.applicable = {'type': 'white',
                           'os': {'Mac OS X': ['10.15', 'r', '10.15.10'],
                                  'Ubuntu': ['12.04', '+']}}
        self.ch = CommandHelper(self.logdispatch)

        # init CIs
        datatype = 'bool'
        key = 'DISABLECLOUDSERVICES'
        instructions = "To prevent cloud services from being disabled, " + \
            "set the value of DisableCloudServices to False."
        default = True
        self.DisableCloudServices = self.initCi(datatype, key, instructions,
                                                default)
        if self.environ.getosfamily() == 'darwin':
            self.addKVEditor("iCloudSaveNewDocumentsToDisk",
                             "defaults",
                             "NSGlobalDomain",
                             "",
                             {"NSDocumentSaveNewDocumentsToCloud":
                              ["0", "-bool no"]},
                             "present",
                             "",
                             "Save new documents to disk not to iCloud.",
                             None,
                             False,
                             {"NSDocumentSaveNewDocumentsToCloud":
                              ["1", "-bool yes"]})
        else:
            self.debianpkglist = ['unity-webapps-common',
                                  'unity-lens-shopping']
        self.sethelptext()
Beispiel #24
0
    def reportMac(self):
        """Mac osx specific report submethod
        
        @author: dwalker

        :param self: essential if you override this definition
        :returns: bool - True if system is compliant, False if it isn't

        """
        success = RuleKVEditor.report(self, True)
        return success
Beispiel #25
0
    def fixMac(self):
        """Mac osx specific fix submethod
        
        @author: dwalker

        :param self: essential if you override this definition
        :returns: bool - True if system is successfully fix, False if it isn't

        """
        success = RuleKVEditor.fix(self, True)
        return success
Beispiel #26
0
    def fix(self):
        '''Make secure configuration changes to smb.conf


        :returns: self.rulesuccess

        :rtype: bool
@author: Breen Malmberg

        '''

        # defaults
        self.detailedresults = ""
        self.rulesuccess = True

        try:

            if self.SecureWinFileSharing.getcurrvalue():

                if os.path.exists(self.smbconflocation):

                    myid = '0142001'

                    self.kvosmb.setEventID(myid)
                    if not self.kvosmb.fix():
                        self.rulesuccess = False
                        self.detailedresults += "KVEditor.fix() failed"
                    if not self.kvosmb.commit():
                        self.rulesuccess = False
                        self.detailedresults += "KVEditor.commit() failed"

                if self.environ.getostype() == "Mac OS X":
                    if not RuleKVEditor.fix(self, True):
                        self.rulesuccess = False
                        self.detailedresults += "RuleKVEditor.fix() failed"

            else:
                self.logger.log(
                    LogPriority.DEBUG,
                    "The SecureWinFileSharing CI was disabled when fix() ran, so nothing was done."
                )
                self.detailedresults += "\nThe CI for this rule was already set to disabled when the rule ran, so nothing was fixed."

        except (KeyboardInterrupt, SystemExit):
            raise
        except Exception:
            self.rulesuccess = False
            self.detailedresults = traceback.format_exc()
            self.logger.log(LogPriority.ERROR, self.detailedresults)
        self.formatDetailedResults("fix", self.rulesuccess,
                                   self.detailedresults)
        self.logdispatch.log(LogPriority.INFO, self.detailedresults)
        return self.rulesuccess
Beispiel #27
0
 def __init__(self, config, environ, logger, statechglogger):
     RuleKVEditor.__init__(self, config, environ, logger, statechglogger)
     self.logger = logger
     self.rulenumber = 101
     self.formatDetailedResults("initialize")
     self.mandatory = True
     self.rulename = "EncryptSwap"
     self.applicable = {'type': 'white',
                        'os': {'Mac OS X': ['10.15', 'r', '10.15.10']}}
     self.addKVEditor("swapEncrypt",
                      "defaults",
                      "/Library/Preferences/com.apple.virtualMemory",
                      "",
                      {"UseEncryptedSwap": ["1", "-bool yes"]},
                       "present",
                       "",
                       "Secure Virtual memory.",
                       None,
                       False,
                       {})
     self.sethelptext()
Beispiel #28
0
    def __init__(self, config, environ, logdispatcher, statechglogger):
        """
        private method to initialize the module

        :param config:
        :param environ:
        :param logdispatcher:
        :param statechglogger:
        """

        RuleKVEditor.__init__(self, config, environ, logdispatcher,
                              statechglogger)
        self.rulenumber = 263
        self.rulename = 'ConfigureAppleAppStore'
        self.formatDetailedResults("initialize")
        self.mandatory = True
        self.sethelptext()
        self.rootrequired = True
        self.guidance = [
            'CCE 14813-0', 'CCE 14914-6', 'CCE 4218-4', 'CCE 14440-2'
        ]
        self.applicable = {
            'type': 'white',
            'os': {
                'Mac OS X': ['10.15', 'r', '10.15.10']
            }
        }

        if self.environ.getostype() == "Mac OS X":
            self.addKVEditor(
                "EnableAutomaticAppUpdate", "defaults",
                "/Library/Preferences/com.apple.commerce", "",
                {"AutoUpdate": ["1", "-bool yes"]}, "present", "",
                "Enable Automatic Application Update. " +
                "This should be enabled.", None, False,
                {"AutoUpdate": ["0", "-bool no"]})

        self.ch = CommandHelper(self.logdispatch)
        self.appstorehasnotrun = True
Beispiel #29
0
 def __init__(self, config, environ, logdispatcher, statechglogger):
     RuleKVEditor.__init__(self, config, environ, logdispatcher,
                           statechglogger)
     self.rulenumber = 3
     self.rulename = 'ConfigureDiagnosticReporting'
     self.formatDetailedResults("initialize")
     self.mandatory = True
     self.sethelptext()
     self.rootrequired = True
     self.guidance = []
     self.applicable = {
         'type': 'white',
         'os': {
             'Mac OS X': ['10.15', 'r', '10.15.10']
         }
     }
     self.addKVEditor(
         "AutoSubmit", "defaults",
         "/Library/Application Support/CrashReporter/" +
         "DiagnosticMessagesHistory.plist", "",
         {"AutoSubmit": ["0", "-bool no"]}, "present", "",
         "Automatically submits diagnostic information to " + "Apple", None,
         False, {"AutoSubmit": ["1", "-bool yes"]})
     version = self.environ.getosver()
     versionsplit = version.split(".")
     if len(versionsplit) >= 2:
         minorversion = int(versionsplit[1])
     else:
         minorversion = 0
     if minorversion >= 10:
         self.addKVEditor(
             "ThirdPartyDataSubmit", "defaults",
             "/Library/Application Support/CrashReporter/" +
             "DiagnosticMessagesHistory.plist", "",
             {"ThirdPartyDataSubmit": ["0", "-bool no"]}, "present", "",
             "Automatically submits diagnostic information " +
             "to third-party developers", None, False,
             {"ThirdPartyDataSubmit": ["1", "-bool yes"]})
Beispiel #30
0
 def __init__(self, config, environ, logger, statechglogger):
     RuleKVEditor.__init__(self, config, environ, logger, statechglogger)
     self.rulenumber = 202
     self.rulename = "DisableIRReceiver"
     self.formatDetailedResults("initialize")
     self.mandatory = True
     self.rootrequired = True
     self.guidance = ['CIS 2.4.13.7']
     self.applicable = {'type': 'white',
                        'os': {'Mac OS X': ['10.15', 'r', '10.15.10']}}
     self.addKVEditor("DisableIRReceiver",
                      "defaults",
                      "/Library/Preferences/com.apple.driver.AppleIRController.plist",
                      "",
                      {"DeviceEnabled": ["0", "-bool no"]},
                      "present",
                      "",
                      "Disable Infrared receiver. " +
                      "This should be enabled.",
                      None,
                      False,
                      {})
     self.sethelptext()