def scan(self, option=None): messages = {'messages': []} results = sb_utils.os.software.is_installed(pkgname=self.__pkgname) if results == None: msg = "Unable to determine if %s installed." % self.__pkgname self.logger.error(self.module_name, 'Scan Error: ' + msg) raise tcs_utils.ScanError('%s %s' % (self.module_name, msg)) if results == False: msg = "Samba (%s) is not installed on the system" % self.__pkgname self.logger.warn(self.module_name, 'Not Applicable: ' + msg) raise tcs_utils.ScanNotApplicable('%s %s' % (self.module_name, msg)) else: msg = "Samba (%s) package is installed" % self.__pkgname messages['messages'].append(msg) found = False if not os.path.isfile(self.__conf_file): msg = "%s does not exist" % self.__conf_file self.logger.warn(self.module_name, 'Not Applicable: ' + msg) raise tcs_utils.ScanNotApplicable('%s %s' % (self.module_name, msg)) else: msg = "Checking %s for 'smb guest' parameter" % self.__conf_file messages['messages'].append(msg) try: in_obj = open(self.__conf_file, 'r') except IOError, err: msg = "Unable to open %s: %s " % (self.__conf_file, err) self.logger.error(self.module_name, 'Scan Error: ' + msg) raise tcs_utils.ScanError('%s %s' % (self.module_name, msg))
def scan(self, optionDict=None): """ Initiating File System Scan to find world-writable devices """ specialDevices = {} messages = [] retval = True retmsg = '' self.validate_input(optionDict) # Only run FS scan if it hasn't been run this scan if tcs_utils.fs_scan_is_needed(): sb_utils.filesystem.scan.perform() if not os.path.isfile(self.__target_file): msg = "Unable to find %s" % self.__target_file self.logger.error(self.module_name, 'Scan Error: ' + msg) raise tcs_utils.ScanError('%s %s' % (self.module_name, msg)) # let others know we ran the fs scanner tcs_utils.update_fs_scanid() secure_world_writable_devices = True try: in_obj = open(self.__target_file, 'r') except IOError, err: msg = "Unable to file %s: %s" % (self.__target_file, err) self.logger.error(self.module_name, 'Scan Error: ' + msg) raise tcs_utils.ScanError('%s %s' % (self.module_name, msg))
def scan(self, option=None): if sb_utils.os.info.is_solaris() == True: results = sb_utils.os.software.is_installed(pkgname='SUNWsndmr') else: results = sb_utils.os.software.is_installed(pkgname='sendmail') if results == False: msg = "sendmail does not appear to be installed on the system" self.logger.warn(self.module_name, 'Not Applicable: ' + msg) raise tcs_utils.ScanNotApplicable('%s %s' % (self.module_name, msg)) if not os.path.isfile(self.__file): msg = "sendmail is installed but %s is missing" % self.__file self.logger.error(self.module_name, 'Scan Error: ' + msg) raise tcs_utils.ScanError('%s %s' % (self.module_name, msg)) paramlist = sb_utils.os.config.get_list( configfile='/etc/mail/sendmail.cf', delim='=') if paramlist == None: msg = 'Unable to determine Sendmail Help is enabled' self.logger.error(self.module_name, 'Scan Error: ' + msg) raise tcs_utils.ScanError('%s %s' % (self.module_name, msg)) if paramlist.has_key('O HelpFile'): reason = "Sendmail Help is enabled; found 'O HelpFile' configured "\ "in %s" % (self.__file) self.logger.notice(self.module_name, 'Scan Failed: ' + reason) return 'Fail', reason return 'Pass', ''
def readGrub(self, filename=None): """ Verify GRUB is available for this platform read the entire contents of the file and generate the raw mline data. """ messages = [] if not self._isGrubAvailable(): raise tcs_utils.OSNotApplicable( "GRand Unified Bootloader (GRUB) not used on this platform.") if not filename or not os.path.exists(filename): filename = self._locateGrub() if not filename: msg = "No filename given to parse" self.logger.error(self.__moduleName, msg) raise tcs_utils.ScanError(msg) try: self.__fileName = filename allMLines = [] mLine = GrubMLine() for line in open(filename): mLine.add_text(line) if not line.strip().endswith('\\'): allMLines.append(mLine) mLine = GrubMLine() except Exception, err: msg = "Unable to read grub configuration file : %s " % str(err) self.logger.error(self.__moduleName, msg) raise tcs_utils.ScanError(msg)
def scan(self, option=None): messages = {} messages['messages'] = [] pkg = "sendmail" if sb_utils.os.info.is_solaris() == True: pkg = "SUNWsndmr" results = sb_utils.os.software.is_installed(pkgname = pkg) if results == False: msg = "sendmail does not appear to be installed on the system" self.logger.notice(self.module_name, 'Not Applicable: ' + msg) raise tcs_utils.ScanNotApplicable('%s %s' % (self.module_name, msg)) msg = "%s package is installed" % pkg self.logger.info(self.module_name, msg) messages['messages'].append(msg) if not os.path.isfile(self.__file): msg = "%s is installed but %s is missing" % (pkg, self.__file) self.logger.error(self.module_name, 'Scan Error: ' + msg) raise tcs_utils.ScanError('%s %s' % (self.module_name, msg)) try: in_obj = open(self.__file, 'r') except (OSError, IOError), err: msg = "Unable to read file %s: %s" % (self.__file, err) self.logger.error(self.module_name, 'Scan Error: ' + msg) raise tcs_utils.ScanError('%s %s' % (self.module_name, msg))
def scan(self, optionDict): if self.validate_input(optionDict): msg = 'Invalid option value was supplied.' self.logger.error(self.module_name, 'Scan Error: ' + msg) raise tcs_utils.ScanError('%s %s' % (self.module_name, msg)) option = optionDict['passwordConsecutiveChars'] paramlist = sb_utils.os.config.get_list(configfile=self.__target_file, delim='=') if paramlist == None: msg = 'Unable to determine parameter setting' self.logger.error(self.module_name, 'Scan Error: ' + msg) raise tcs_utils.ScanError('%s %s' % (self.module_name, msg)) if not paramlist.has_key(self.__param): reason = "%s option is NOT set in %s" % (self.__param, self.__target_file) self.logger.info(self.module_name, 'Scan Failed: ' + reason) return 'Fail', reason value = paramlist[self.__param] if value != option: reason = "%s is set to '%s' instead of '%s'" % (self.__param, value, option) self.logger.info(self.module_name, 'Scan Failed: ' + reason) return 'Fail', reason else: return 'Pass', ''
def scan(self, option=None): """ Initiating File System Scan to find unowned files """ messages = {} messages['messages'] = [] # Only run FS scan if it hasn't been run this scan if tcs_utils.fs_scan_is_needed(): sb_utils.filesystem.scan.perform() if not os.path.isfile(self.__target_file): msg = "Unable to find %s" % self.__target_file self.logger.error(self.module_name, 'Scan Error: ' + msg) raise tcs_utils.ScanError('%s %s' % (self.module_name, msg)) # let others know we ran the fs scanner tcs_utils.update_fs_scanid() all_files_owned = True try: in_obj = open(self.__target_file, 'r') lines = in_obj.readlines() for line in lines: fields = line.rstrip('\n').split('|') if len(fields) != 6: continue if fields[1][0] == 'X': all_files_owned = False msg = "(CCE 4223-4) %s is unowned." % fields[-1] self.logger.notice(self.module_name, 'Scan Failed: ' + msg) if len(messages['messages']) < 10: messages['messages'].append("Fail: %s" % msg) else: if len(messages['messages']) > 10: continue messages['messages'].append( "See log for full list of failures...") if fields[1][1] == 'X': all_files_owned = False msg = "(CCE 3573-3) %s has no group assigned." % fields[-1] self.logger.notice(self.module_name, 'Scan Failed: ' + msg) if len(messages['messages']) < 10: messages['messages'].append("Fail: %s" % msg) else: if len(messages['messages']) > 10: continue messages['messages'].append( "See log for full list of failures...") del fields except IOError, err: msg = "Unable to open file %s: %s" % (self.__target_file, err) self.logger.error(self.module_name, 'Scan Error: ' + msg) raise tcs_utils.ScanError('%s %s' % (self.module_name, msg))
def scan(self, option=None): """ Check to see if the ctrl-alt-del key combination is allowed.""" if not os.path.isfile(self.__target_file): msg = "%s does not exist" % self.__target_file self.logger.error(self.module_name, 'Scan Error: ' + msg) raise tcs_utils.ScanError('%s %s' % (self.module_name, msg)) try: in_obj = open(self.__target_file, 'r') except IOError, err: msg = "Unable to open %s: %s" % (self.__target_file, str(err)) raise tcs_utils.ScanError('%s %s' % (self.module_name, msg))
def scan(self, option=None): """ Initiating File System Scan to find .netrc Files """ # Only run FS scan if it hasn't been run this scan if tcs_utils.fs_scan_is_needed(): sb_utils.filesystem.scan.perform() if not os.path.isfile(self.__target_file): msg = "Unable to find %s" % self.__target_file self.logger.error(self.module_name, 'Scan Error: ' + msg) raise tcs_utils.ScanError('%s %s' % (self.module_name, msg)) # let others know we ran the fs scanner tcs_utils.update_fs_scanid() secure_netrc_files = True netrc_pattern = re.compile(".*/.netrc$") try: in_obj = open(self.__target_file, 'r') except IOError: msg = "Unable to open file %s." % self.__target_file self.logger.error(self.module_name, 'Scan Error: ' + msg) raise tcs_utils.ScanError('%s %s' % (self.module_name, msg)) lines = in_obj.readlines() for line in lines: if line.startswith('d|'): continue if netrc_pattern.search(line): fields = line.rstrip('\n').split('|') if len(fields) != 6: continue msg = "%s exists" % fields[5] self.logger.warn(self.module_name, msg) if fields[4] not in ['0700', '0600', '0400']: msg = "%s exists with insecure permissions %s " % \ (fields[5], fields[4]) self.logger.notice(self.module_name, "Scan Failed: " + msg) secure_netrc_files = False if secure_netrc_files == True: return 'Pass', '' msg = 'Insecure .netrc files exist' self.logger.info(self.module_name, 'Scan Failed: ' + msg) return 'Fail', msg
def scan(self, option=None): messages = {} messages['messages'] = [] msg = "Using routeadm to test ipv4-forwarding and ipv6-forwarding" messages['messages'].append(msg) self.logger.debug(self.module_name, msg) failure_flag = False for param in ['ipv4-forwarding', 'ipv6-forwarding']: cmd = '/usr/sbin/routeadm -p %s' % param results = tcs_utils.tcs_run_cmd(cmd, True) if results[0] != 0: msg = 'failed to execute %s: %s' % (cmd, results[2]) self.logger.error(self.module_name, 'Scan Error: ' + msg) raise tcs_utils.ScanError('%s %s' % (self.module_name, msg)) try: param_key = results[1].split(' ')[0].split('=')[0] param_val = results[1].split(' ')[0].split('=')[1] except IndexError: msg = 'Can not determine status of %s' % param self.logger.error(self.module_name, 'Scan Error: ' + msg) raise tcs_utils.ScanError('%s %s' % (self.module_name, msg)) if param_val == 'enabled': msg = '%s %s is enabled' % (param, param_key) messages['messages'].append("Fail: %s" % msg) self.logger.notice(self.module_name, 'Scan Failed: ' + msg) failure_flag = True else: msg = '%s %s is disabled' % (param, param_key) messages['messages'].append("Okay: %s" % msg) self.logger.info(self.module_name, msg) if not os.path.isfile('/etc/notrouter'): msg = '/etc/notrouter file is missing' messages['messages'].append("Fail: %s" % msg) self.logger.notice(self.module_name, 'Scan Failed: ' + msg) failure_flag = True else: msg = '/etc/notrouter file is present' messages['messages'].append("Okay: %s" % msg) self.logger.debug(self.module_name, msg) if failure_flag == True: return False, 'IP Forwarding is enabled.', messages else: return True, '', messages
def scan(self, optionDict): if self.validate_input(optionDict): msg = 'Invalid option value was supplied.' self.logger.error(self.module_name, 'Scan Error: ' + msg) raise tcs_utils.ScanError('%s %s' % (self.module_name, msg)) option = optionDict['passwordMaxdays'] try: in_obj = open(self.__target_file, 'r') except Exception, err: msg = "Unable to open file %s for analysis (%s)." % \ (self.__target_file, str(err)) self.logger.error(self.module_name, 'Scan Error: ' + msg) raise tcs_utils.ScanError('%s %s' % (self.module_name, msg))
def scan(self, option=None): paramlist = sb_utils.os.config.get_list(configfile=self.__target_file, delim='=') if paramlist == None: msg = 'Unable to determine parameter setting' self.logger.error(self.module_name, 'Scan Error: ' + msg) raise tcs_utils.ScanError('%s %s' % (self.module_name, msg)) if not paramlist.has_key(self.__param): reason = "%s option is NOT set in %s" % (self.__param, self.__target_file) self.logger.info(self.module_name, 'Scan Failed: ' + reason) return 'Fail', reason msg = "Checking BANNER setting in %s" % (self.__target_file) self.logger.info(self.module_name, msg) value = str(paramlist[self.__param]) if value != "\"\"": reason = """%s is set to '%s' instead of "" in %s""" % ( self.__param, value, self.__target_file) self.logger.notice(self.module_name, 'Scan Failed: ' + reason) return 'Fail', reason else: return 'Pass', ''
def scan(self, option=None): path = os.getenv('PATH') msg = "Analyzing PATH environment variable which is currently set "\ "to: %s" % path self.logger.debug(self.module_name, 'Scan: ' + msg) if not path: # don't think this will ever happen, but we'll test for it return 'Pass', '' for mydir in path.split(':'): if mydir == '.': reason = "root user's PATH environment variable contains '.'" self.logger.info(self.module_name, 'Scan Failed: ' + reason) return 'Fail', reason # check for world-writable dirs if not os.path.isdir(mydir): continue try: statinfo = os.stat(mydir) except OSError, err: msg = "Unable to stat directory %s: %s" % (mydir, err) self.logger.error(self.module_name, 'Scan Error: ' + msg) raise tcs_utils.ScanError('%s %s' % (self.module_name, msg)) if statinfo.st_mode & stat.S_IWGRP or \ statinfo.st_mode & stat.S_IWOTH: msg = "root user has writable directories in PATH" self.logger.error(self.module_name, 'Scan Failed: ' + msg) return 'Fail', msg
def scan(self, option=None): results = sb_utils.os.software.is_installed(pkgname=self.__pkgName) if results != True: msg = "'%s' package is not installed." % self.__pkgName self.logger.info(self.module_name, 'Not Applicable: ' + msg) raise tcs_utils.ScanNotApplicable('%s %s' % (self.module_name, msg)) # first, check to see whether the target file exists at all if not os.path.isfile(self.__target_file): msg = "File %s does not exist" % self.__target_file self.logger.info(self.module_name, 'Scan Failed: ' + msg) return 'Fail', msg # now check its contents to be sure it contains what we want if not os.path.isfile(self.__target_file): msg = "%s does not exist" % self.__target_file self.logger.notice(self.module_name, 'Scan Failed: ' + msg) return 'Fail', msg try: infile = open(self.__target_file, 'r') except (OSError, IOError), err: msg = "Unable to open file %s: %s" % (self.__target_file, err) self.logger.error(self.module_name, 'Scan Error: ' + msg) raise tcs_utils.ScanError('%s %s' % (self.module_name, msg))
def scan(self, optionDict=None): """ Analyze system """ if optionDict == None or not 'shellTimeout' in optionDict: msg = "Missing option value" self.logger.notice(self.module_name, 'Scan Error: ' + msg) raise tcs_utils.ScanError('%s %s' % (self.module_name, msg)) option = optionDict['shellTimeout'] try: value = int(option) except ValueError, err: msg = "Bad option value: %s" % err self.logger.error(self.module_name, 'Scan Error: ' + msg) raise tcs_utils.ScanError('%s %s' % (self.module_name, msg))
def scan(self, option=None): zonename = sb_utils.os.solaris.zonename() if zonename != 'global': msg = "Non-global Solaris zone (%s): Unable to set %s" % ( zonename, self.__param) self.logger.notice(self.module_name, 'Scan: ' + msg) raise tcs_utils.ZoneNotApplicable('%s %s' % (self.module_name, msg)) paramlist = sb_utils.os.config.get_list(configfile=self.__target_file, delim='=') if paramlist == None: msg = 'Unable to determine parameter setting' self.logger.error(self.module_name, 'Scan Error: ' + msg) raise tcs_utils.ScanError('%s %s' % (self.module_name, msg)) if not paramlist.has_key(self.__param): reason = "%s option is NOT set in %s" % (self.__param, self.__target_file) self.logger.info(self.module_name, 'Scan Failed: ' + reason) return 'Fail', reason value = paramlist[self.__param] if int(value) != 2: reason = "%s is set to '%s' instead of 2 in %s" % ( self.__param, value, self.__target_file) self.logger.info(self.module_name, 'Scan Failed: ' + reason) return 'Fail', reason else: return 'Pass', ''
def scan(self, option=None): """Check for rpm and for -s mode""" if option != None: option = None messages = {'messages': []} flagIndex = None dirIndex = None dirName = None results = sb_utils.os.software.is_installed(pkgname=self.rpm_name) if results != True: msg = "'%s' package is not installed" % self.rpm_name self.logger.notice(self.module_name, 'Not Applicable: ' + msg) raise tcs_utils.ScanNotApplicable('%s %s' % (self.module_name, msg)) else: msg = "'%s' package is installed" % self.rpm_name self.logger.info(self.module_name, msg) messages['messages'].append(msg) try: myfile = open('/etc/xinetd.d/tftp', 'r') except IOError, err: msg = "Unable to open /etc/xinetd.d/tftp: %s" % str(err) self.logger.error(self.module_name, 'Scan Error: ' + msg) raise tcs_utils.ScanError('%s %s' % (self.module_name, msg))
def scan(self, option=None): messages = {} messages['messages'] = [] results = sb_utils.os.software.is_installed(pkgname='finger-server') if results != True: msg = "'finger-server' package is not installed." self.logger.notice(self.module_name, 'Not Applicable: ' + msg) raise tcs_utils.ScanNotApplicable('%s %s' % (self.module_name, msg)) else: msg = "'finger-server' package is installed." messages['messages'].append(msg) self.logger.info(self.module_name, msg) results = sb_utils.os.xinetd.is_enabled(svcname='finger') if results == None: msg = "Unable to determine status of the 'finger' service" self.logger.error(self.module_name, 'Scan Error: ' + msg) raise tcs_utils.ScanError('%s %s' % (self.module_name, msg)) if results == True: msg = "'finger' service is enabled." self.logger.notice(self.module_name, 'Scan Failed: ' + msg) return False, msg, messages msg = "'finger' service is disabled" messages['messages'].append(msg) self.logger.notice(self.module_name, 'Scan Passed: ' + msg) return True, msg, messages
def validate_input(self, optionDict=None): """ Validate optionDict has required args, within acceptable ranges """ self.__pass_min = self.validate_argument('passwordAgingMindays', optionDict) self.__pass_max = self.validate_argument('passwordAgingMaxdays', optionDict) self.__pass_warn = self.validate_argument('passwordAgingExpireWarning', optionDict) self.__pass_inact = self.validate_argument('passwordAgingInvalidate', optionDict) if optionDict['exemptSystemAccounts'] == '1': self.__exemptSystemAccounts = sb_utils.acctmgt.users.local_SystemUsers( ) else: self.__exemptSystemAccounts = [] self.__exemptSpecificAccounts = tcs_utils.splitNaturally( optionDict['exemptSpecificAccounts']) flag = 0 if self.__pass_min < 1 or self.__pass_max < 1 or \ self.__pass_inact < 0 or self.__pass_warn < 1: flag = 1 if self.__pass_max < self.__pass_min: flag = 1 if flag == 1: msg = 'Invalid option arg provided' self.logger.error(self.module_name, 'Scan Error: ' + msg) raise tcs_utils.ScanError('%s %s' % (self.module_name, msg))
def validate_input(self, optionDict): try: self.__specialFiles = sb_utils.file.fileperms.splitStringIntoFiles( optionDict['specialDevices']) except ValueError: msg = "Invalid option value -> '%s'" % optionDict raise tcs_utils.ScanError('%s %s' % (self.module_name, msg))
def scan(self, option=None): boot_pat = re.compile('-s /tftpboot') # Is TFTP server package installed? if sb_utils.os.software.is_installed(pkgname='SUNWtftp') != True: msg = "TFTP Server (SUNWtftp) package is not installed" self.logger.notice(self.module_name, 'Not Applicable: ' + msg) raise tcs_utils.ScanNotApplicable('%s %s' % (self.module_name, msg)) prop = sb_utils.os.service.getprop(svcname='tftp', property='inetd_start/exec') if prop != None: prop = prop.replace('\\', '') if not boot_pat.search(prop): msg = "Tftp service 'inetd_start/exec' property (%s) does not "\ "contain '-s /tftpboot'" % prop self.logger.notice(self.module_name, 'Scan Failed: ' + msg) return 'Fail', msg self.logger.debug(self.module_name, 'Checking /etc/inet/inetd.conf') try: infile = open('/etc/inet/inetd.conf', 'r') except IOError, err: msg = "Unable to read /etc/inet/inetd.conf: %s" % err self.logger.error(self.module_name, 'Scan Error: ' + msg) raise tcs_utils.ScanError('%s %s' % (self.module_name, msg))
def apply(self, option=None): """ Corrects the permissions """ change_record = {} # Only run FS scan if it hasn't been run this scan if tcs_utils.fs_scan_is_needed(): sb_utils.filesystem.scan.perform() if not os.path.isfile(self.__target_file): msg = "Unable to find %s" % self.__target_file self.logger.error(self.module_name, 'Apply Error: ' + msg) raise tcs_utils.ScanError('%s %s' % (self.module_name, msg)) # let others know we ran the fs scanner tcs_utils.update_fs_scanid() try: in_obj = open(self.__target_file, 'r') except (OSError, IOError), err: msg = "Unable to open %s: %s" % (self.__target_file, err) self.logger.error(self.module_name, 'Apply Error: ' + msg) raise tcs_utils.ActionError('%s %s' % (self.module_name, msg))
def scan(self, optionDict=None): """Check for password reuse support.""" if self.validate_input(optionDict): msg = 'Invalid option value was supplied.' self.logger.error(self.module_name, 'Scan Error: ' + msg) raise tcs_utils.ScanError('%s %s' % (self.module_name, msg)) option = optionDict['passwordReuse'] try: in_obj = open(self.__target_file, 'r') except IOError, err: msg = "Unable to open file %s: %s." % (self.__target_file, str(err)) self.logger.error(self.module_name, 'Scan Error: ' + msg) raise tcs_utils.ScanError('%s %s' % (self.module_name, msg))
def scan(self, option=None): messages = {'messages': []} retval = True # leave quickly if we are N/A due to architecture. test_arch = platform.machine() if test_arch == 's390x': msg = "GRand Unified Bootloader (GRUB) not used on S390 hardware" self.logger.notice(self.module_name, "Not Applicable: " + msg) raise tcs_utils.ScanNotApplicable('%s %s' % (self.module_name, msg)) elif sb_utils.os.info.is_solaris() == True and sb_utils.os.info.is_x86( ) == False: msg = "GRand Unified Bootloader (GRUB) not used on SPARC hardware" self.logger.notice(self.module_name, "Not Applicable: " + msg) raise tcs_utils.ScanNotApplicable('%s %s' % (self.module_name, msg)) # Ok, quickly test the permissions on the grub file. It should be owned by root and perms no greater than 0600: # This module won't fix the problems, but so only indicate any issues with a warning. Permission problems do not # Constitute a failure case, as the 'System Configuration File Permissions' module will fix (if that module is enabled). msg = "Checking access controls on %s" % self.__target_file self.logger.info(self.module_name, 'Scan: ' + msg) try: statinfo = os.stat(self.__target_file) except OSError, err: msg = "Unable to stat %s: %s" % (self.__target_file, err) self.logger.error(self.module_name, 'Scan Error: ' + msg) raise tcs_utils.ScanError('%s %s' % (self.module_name, msg))
def scan(self, option=None): messages = {} messages['messages'] = [] # first see if all of our dependencies (services, packages) are here... # and don't bother if we're missing stuff messages.update(self._is_cups_installed()) changes_to_make = [['Browsing', 'Off'], ['BrowseAllow', 'none']] if not os.path.isfile(self.__target_file): msg = "%s file does not exist." % self.__target_file #indicate that we hit a snag... messages['messages'].append(msg) change_record = "missing file" else: try: lines = open(self.__target_file).readlines() except Exception, err: msg = "Unable to process file %s: %s" % (self.__target_file, str(err)) raise tcs_utils.ScanError('%s %s' % (self.module_name, msg)) results, change_record, lines = self.process_file( lines, changes_to_make, False) for msg in results: if msg[0] in ['ok', 'problem']: self.logger.notice(self.module_name, msg[1]) messages['messages'].append(msg[1])
def scan(self, optionDict=None): if self.validate_input(optionDict): msg = 'Invalid option value was supplied.' self.logger.error(self.module_name, 'Scan Error: ' + msg) raise tcs_utils.ScanError('%s %s' % (self.module_name, msg)) option = optionDict['daysInactive'] option = int(option) msg = "Looking for '%s' in %s" % (self.keyname, self._config_file) self.logger.info(self.module_name, msg) # Grab parameters separated by the OS's specific delimeter(s) paramlist = {} paramlist.update( sb_utils.os.config.get_list(configfile=self._config_file, delim=self.delim)) if not paramlist.has_key(self.keyname): msg = "Could not find '%s' in %s" % (self.keyname, self._config_file) self.logger.notice(self.module_name, 'Scan Failed: ' + msg) del paramlist return 'Fail', msg else: if int(paramlist[self.keyname]) != option: msg = "'%s' is set to %d but expected it to be %d" % \ (self.keyname, int(paramlist[self.keyname]), option) self.logger.notice(self.module_name, 'Scan Failed: ' + msg) del paramlist return 'Fail', msg return 'Pass', ''
def scan(self, option=None): """Check for file and file permissions""" if option != None: option = None loc = 'None' found = False for loc in self.__targetpath: msg = "Looking for %s" % loc self.logger.debug(self.module_name, msg) if os.path.isfile(loc): msg = "Found %s" % loc self.logger.info(self.module_name, msg) found = True else: continue #Now check the file permissions$ try: statinfo = os.stat(loc) except (IOError, OSError), err: msg = "Unable to stat %s: %s" % (loc, err) self.logger.error(self.module_name, 'Scan Error: ' + msg) raise tcs_utils.ScanError('%s %s' % (self.module_name, msg)) # We want the permissions to 000 if statinfo.st_mode & 0777 ^ 0000 != 0: reason = loc + ' has permissions of %o instead of 000' % \ stat.S_IMODE(statinfo.st_mode) self.logger.notice(self.module_name, 'Scan Failed: ' \ + reason) return 'Fail', reason
def scan(self, option=None): messages = {} messages['messages'] = [] results = sb_utils.os.software.is_installed(pkgname=self.__pkgname) if results == False: msg = "%s package is not installed on the system" % self.__pkgname self.logger.info(self.module_name, 'Not Applicable: ' + msg) raise tcs_utils.ScanNotApplicable('%s %s' % (self.module_name, msg)) if not os.path.isfile(self.__target_file): msg = "%s package is installed but %s is missing" % self.__target_file self.logger.error(self.module_name, 'Scan Error: ' + msg) raise tcs_utils.ScanError('%s %s' % (self.module_name, msg)) try: in_obj = open(self.__target_file, 'r') except (OSError, IOError), err: msg = "Unable to read %s: %s" % (self.__target_file, err) self.logger.error(self.module_name, 'Scan Error: ' + msg) raise tcs_utils.ScanNotApplicable('%s %s' % (self.module_name, msg))
def scan(self, option=None): """ Scan system to see if /etc/logrotate.d/audit is rotating audit logs daily """ results = sb_utils.os.software.is_installed(pkgname='logrotate') if results != True: msg = "logrotate is not installed on the system; you should install"\ "this package." self.logger.warn(self.module_name, 'Not Applicable: ' + msg) raise tcs_utils.ScanNotApplicable('%s %s' % (self.module_name, msg)) if not os.path.isfile(self.__target_file): msg = "%s does not exist" % (self.__target_file) self.logger.notice(self.module_name, 'Scan Failed: ' + msg) return 'Fail', msg try: in_obj = open(self.__target_file, 'r') except IOError, err: msg = "Unable to open %s: %s" % (self.__target_file, str(err)) self.logger.error(self.module_name, 'Scan Error: ' + msg) raise tcs_utils.ScanError('%s %s' % (self.module_name, msg))
def scan(self, option=None): """ Examine /etc/samba/smb.conf for missing or invalid values """ if option != None: option = None messages = {'messages':[]} results = sb_utils.os.software.is_installed(pkgname=self.__pkgname) if results == False: msg = "%s package is not installed" % self.__pkgname self.logger.warn(self.module_name, 'Not Applicable: ' + msg) raise tcs_utils.ScanNotApplicable('%s %s' % (self.module_name, msg)) if not os.path.isfile(self.__smb_ini): msg = "Missing %s but samba is installed" % self.__smb_ini self.logger.notice(self.module_name, 'Not Applicable: ' + msg) raise tcs_utils.ScanNotApplicable('%s %s' % (self.module_name, msg)) try: in_obj = open(self.__smb_ini, 'r') except (IOError, OSError), err: msg = "Unable to read %s: %s" % (self.__smb_ini, err) self.logger.error(self.module_name, 'Scan Error: ' + msg) raise tcs_utils.ScanError('%s %s' % (self.module_name, msg))