def scan(self, option=None):
messages = {'messages': []}
results = sb_utils.os.software.is_installed(pkgname=self.__pkgname)
if results == None:
msg = "Unable to determine if %s installed." % self.__pkgname
self.logger.error(self.module_name, 'Scan Error: ' + msg)
raise tcs_utils.ScanError('%s %s' % (self.module_name, msg))
if results == False:
msg = "Samba (%s) is not installed on the system" % self.__pkgname
self.logger.warn(self.module_name, 'Not Applicable: ' + msg)
raise tcs_utils.ScanNotApplicable('%s %s' %
(self.module_name, msg))
else:
msg = "Samba (%s) package is installed" % self.__pkgname
messages['messages'].append(msg)
found = False
if not os.path.isfile(self.__conf_file):
msg = "%s does not exist" % self.__conf_file
self.logger.warn(self.module_name, 'Not Applicable: ' + msg)
raise tcs_utils.ScanNotApplicable('%s %s' %
(self.module_name, msg))
else:
msg = "Checking %s for 'smb guest' parameter" % self.__conf_file
messages['messages'].append(msg)
try:
in_obj = open(self.__conf_file, 'r')
except IOError, err:
msg = "Unable to open %s: %s " % (self.__conf_file, err)
self.logger.error(self.module_name, 'Scan Error: ' + msg)
raise tcs_utils.ScanError('%s %s' % (self.module_name, msg))
def scan(self, optionDict=None):
"""
Initiating File System Scan to find world-writable devices
"""
specialDevices = {}
messages = []
retval = True
retmsg = ''
self.validate_input(optionDict)
# Only run FS scan if it hasn't been run this scan
if tcs_utils.fs_scan_is_needed():
sb_utils.filesystem.scan.perform()
if not os.path.isfile(self.__target_file):
msg = "Unable to find %s" % self.__target_file
self.logger.error(self.module_name, 'Scan Error: ' + msg)
raise tcs_utils.ScanError('%s %s' % (self.module_name, msg))
# let others know we ran the fs scanner
tcs_utils.update_fs_scanid()
secure_world_writable_devices = True
try:
in_obj = open(self.__target_file, 'r')
except IOError, err:
msg = "Unable to file %s: %s" % (self.__target_file, err)
self.logger.error(self.module_name, 'Scan Error: ' + msg)
raise tcs_utils.ScanError('%s %s' % (self.module_name, msg))
def scan(self, option=None):
if sb_utils.os.info.is_solaris() == True:
results = sb_utils.os.software.is_installed(pkgname='SUNWsndmr')
else:
results = sb_utils.os.software.is_installed(pkgname='sendmail')
if results == False:
msg = "sendmail does not appear to be installed on the system"
self.logger.warn(self.module_name, 'Not Applicable: ' + msg)
raise tcs_utils.ScanNotApplicable('%s %s' %
(self.module_name, msg))
if not os.path.isfile(self.__file):
msg = "sendmail is installed but %s is missing" % self.__file
self.logger.error(self.module_name, 'Scan Error: ' + msg)
raise tcs_utils.ScanError('%s %s' % (self.module_name, msg))
paramlist = sb_utils.os.config.get_list(
configfile='/etc/mail/sendmail.cf', delim='=')
if paramlist == None:
msg = 'Unable to determine Sendmail Help is enabled'
self.logger.error(self.module_name, 'Scan Error: ' + msg)
raise tcs_utils.ScanError('%s %s' % (self.module_name, msg))
if paramlist.has_key('O HelpFile'):
reason = "Sendmail Help is enabled; found 'O HelpFile' configured "\
"in %s" % (self.__file)
self.logger.notice(self.module_name, 'Scan Failed: ' + reason)
return 'Fail', reason
return 'Pass', ''
def readGrub(self, filename=None):
"""
Verify GRUB is available for this platform
read the entire contents of the file and generate the raw
mline data.
"""
messages = []
if not self._isGrubAvailable():
raise tcs_utils.OSNotApplicable(
"GRand Unified Bootloader (GRUB) not used on this platform.")
if not filename or not os.path.exists(filename):
filename = self._locateGrub()
if not filename:
msg = "No filename given to parse"
self.logger.error(self.__moduleName, msg)
raise tcs_utils.ScanError(msg)
try:
self.__fileName = filename
allMLines = []
mLine = GrubMLine()
for line in open(filename):
mLine.add_text(line)
if not line.strip().endswith('\\'):
allMLines.append(mLine)
mLine = GrubMLine()
except Exception, err:
msg = "Unable to read grub configuration file : %s " % str(err)
self.logger.error(self.__moduleName, msg)
raise tcs_utils.ScanError(msg)
def scan(self, option=None):
messages = {}
messages['messages'] = []
pkg = "sendmail"
if sb_utils.os.info.is_solaris() == True:
pkg = "SUNWsndmr"
results = sb_utils.os.software.is_installed(pkgname = pkg)
if results == False:
msg = "sendmail does not appear to be installed on the system"
self.logger.notice(self.module_name, 'Not Applicable: ' + msg)
raise tcs_utils.ScanNotApplicable('%s %s' % (self.module_name, msg))
msg = "%s package is installed" % pkg
self.logger.info(self.module_name, msg)
messages['messages'].append(msg)
if not os.path.isfile(self.__file):
msg = "%s is installed but %s is missing" % (pkg, self.__file)
self.logger.error(self.module_name, 'Scan Error: ' + msg)
raise tcs_utils.ScanError('%s %s' % (self.module_name, msg))
try:
in_obj = open(self.__file, 'r')
except (OSError, IOError), err:
msg = "Unable to read file %s: %s" % (self.__file, err)
self.logger.error(self.module_name, 'Scan Error: ' + msg)
raise tcs_utils.ScanError('%s %s' % (self.module_name, msg))
def scan(self, optionDict):
if self.validate_input(optionDict):
msg = 'Invalid option value was supplied.'
self.logger.error(self.module_name, 'Scan Error: ' + msg)
raise tcs_utils.ScanError('%s %s' % (self.module_name, msg))
option = optionDict['passwordConsecutiveChars']
paramlist = sb_utils.os.config.get_list(configfile=self.__target_file,
delim='=')
if paramlist == None:
msg = 'Unable to determine parameter setting'
self.logger.error(self.module_name, 'Scan Error: ' + msg)
raise tcs_utils.ScanError('%s %s' % (self.module_name, msg))
if not paramlist.has_key(self.__param):
reason = "%s option is NOT set in %s" % (self.__param,
self.__target_file)
self.logger.info(self.module_name, 'Scan Failed: ' + reason)
return 'Fail', reason
value = paramlist[self.__param]
if value != option:
reason = "%s is set to '%s' instead of '%s'" % (self.__param,
value, option)
self.logger.info(self.module_name, 'Scan Failed: ' + reason)
return 'Fail', reason
else:
return 'Pass', ''
def scan(self, option=None):
"""
Initiating File System Scan to find unowned files
"""
messages = {}
messages['messages'] = []
# Only run FS scan if it hasn't been run this scan
if tcs_utils.fs_scan_is_needed():
sb_utils.filesystem.scan.perform()
if not os.path.isfile(self.__target_file):
msg = "Unable to find %s" % self.__target_file
self.logger.error(self.module_name, 'Scan Error: ' + msg)
raise tcs_utils.ScanError('%s %s' % (self.module_name, msg))
# let others know we ran the fs scanner
tcs_utils.update_fs_scanid()
all_files_owned = True
try:
in_obj = open(self.__target_file, 'r')
lines = in_obj.readlines()
for line in lines:
fields = line.rstrip('\n').split('|')
if len(fields) != 6:
continue
if fields[1][0] == 'X':
all_files_owned = False
msg = "(CCE 4223-4) %s is unowned." % fields[-1]
self.logger.notice(self.module_name, 'Scan Failed: ' + msg)
if len(messages['messages']) < 10:
messages['messages'].append("Fail: %s" % msg)
else:
if len(messages['messages']) > 10:
continue
messages['messages'].append(
"See log for full list of failures...")
if fields[1][1] == 'X':
all_files_owned = False
msg = "(CCE 3573-3) %s has no group assigned." % fields[-1]
self.logger.notice(self.module_name, 'Scan Failed: ' + msg)
if len(messages['messages']) < 10:
messages['messages'].append("Fail: %s" % msg)
else:
if len(messages['messages']) > 10:
continue
messages['messages'].append(
"See log for full list of failures...")
del fields
except IOError, err:
msg = "Unable to open file %s: %s" % (self.__target_file, err)
self.logger.error(self.module_name, 'Scan Error: ' + msg)
raise tcs_utils.ScanError('%s %s' % (self.module_name, msg))
def scan(self, option=None):
""" Check to see if the ctrl-alt-del key combination is allowed."""
if not os.path.isfile(self.__target_file):
msg = "%s does not exist" % self.__target_file
self.logger.error(self.module_name, 'Scan Error: ' + msg)
raise tcs_utils.ScanError('%s %s' % (self.module_name, msg))
try:
in_obj = open(self.__target_file, 'r')
except IOError, err:
msg = "Unable to open %s: %s" % (self.__target_file, str(err))
raise tcs_utils.ScanError('%s %s' % (self.module_name, msg))
def scan(self, option=None):
"""
Initiating File System Scan to find .netrc Files
"""
# Only run FS scan if it hasn't been run this scan
if tcs_utils.fs_scan_is_needed():
sb_utils.filesystem.scan.perform()
if not os.path.isfile(self.__target_file):
msg = "Unable to find %s" % self.__target_file
self.logger.error(self.module_name, 'Scan Error: ' + msg)
raise tcs_utils.ScanError('%s %s' % (self.module_name, msg))
# let others know we ran the fs scanner
tcs_utils.update_fs_scanid()
secure_netrc_files = True
netrc_pattern = re.compile(".*/.netrc$")
try:
in_obj = open(self.__target_file, 'r')
except IOError:
msg = "Unable to open file %s." % self.__target_file
self.logger.error(self.module_name, 'Scan Error: ' + msg)
raise tcs_utils.ScanError('%s %s' % (self.module_name, msg))
lines = in_obj.readlines()
for line in lines:
if line.startswith('d|'):
continue
if netrc_pattern.search(line):
fields = line.rstrip('\n').split('|')
if len(fields) != 6:
continue
msg = "%s exists" % fields[5]
self.logger.warn(self.module_name, msg)
if fields[4] not in ['0700', '0600', '0400']:
msg = "%s exists with insecure permissions %s " % \
(fields[5], fields[4])
self.logger.notice(self.module_name, "Scan Failed: " + msg)
secure_netrc_files = False
if secure_netrc_files == True:
return 'Pass', ''
msg = 'Insecure .netrc files exist'
self.logger.info(self.module_name, 'Scan Failed: ' + msg)
return 'Fail', msg
def scan(self, option=None):
messages = {}
messages['messages'] = []
msg = "Using routeadm to test ipv4-forwarding and ipv6-forwarding"
messages['messages'].append(msg)
self.logger.debug(self.module_name, msg)
failure_flag = False
for param in ['ipv4-forwarding', 'ipv6-forwarding']:
cmd = '/usr/sbin/routeadm -p %s' % param
results = tcs_utils.tcs_run_cmd(cmd, True)
if results[0] != 0:
msg = 'failed to execute %s: %s' % (cmd, results[2])
self.logger.error(self.module_name, 'Scan Error: ' + msg)
raise tcs_utils.ScanError('%s %s' % (self.module_name, msg))
try:
param_key = results[1].split(' ')[0].split('=')[0]
param_val = results[1].split(' ')[0].split('=')[1]
except IndexError:
msg = 'Can not determine status of %s' % param
self.logger.error(self.module_name, 'Scan Error: ' + msg)
raise tcs_utils.ScanError('%s %s' % (self.module_name, msg))
if param_val == 'enabled':
msg = '%s %s is enabled' % (param, param_key)
messages['messages'].append("Fail: %s" % msg)
self.logger.notice(self.module_name, 'Scan Failed: ' + msg)
failure_flag = True
else:
msg = '%s %s is disabled' % (param, param_key)
messages['messages'].append("Okay: %s" % msg)
self.logger.info(self.module_name, msg)
if not os.path.isfile('/etc/notrouter'):
msg = '/etc/notrouter file is missing'
messages['messages'].append("Fail: %s" % msg)
self.logger.notice(self.module_name, 'Scan Failed: ' + msg)
failure_flag = True
else:
msg = '/etc/notrouter file is present'
messages['messages'].append("Okay: %s" % msg)
self.logger.debug(self.module_name, msg)
if failure_flag == True:
return False, 'IP Forwarding is enabled.', messages
else:
return True, '', messages
def scan(self, optionDict):
if self.validate_input(optionDict):
msg = 'Invalid option value was supplied.'
self.logger.error(self.module_name, 'Scan Error: ' + msg)
raise tcs_utils.ScanError('%s %s' % (self.module_name, msg))
option = optionDict['passwordMaxdays']
try:
in_obj = open(self.__target_file, 'r')
except Exception, err:
msg = "Unable to open file %s for analysis (%s)." % \
(self.__target_file, str(err))
self.logger.error(self.module_name, 'Scan Error: ' + msg)
raise tcs_utils.ScanError('%s %s' % (self.module_name, msg))
def scan(self, option=None):
paramlist = sb_utils.os.config.get_list(configfile=self.__target_file,
delim='=')
if paramlist == None:
msg = 'Unable to determine parameter setting'
self.logger.error(self.module_name, 'Scan Error: ' + msg)
raise tcs_utils.ScanError('%s %s' % (self.module_name, msg))
if not paramlist.has_key(self.__param):
reason = "%s option is NOT set in %s" % (self.__param,
self.__target_file)
self.logger.info(self.module_name, 'Scan Failed: ' + reason)
return 'Fail', reason
msg = "Checking BANNER setting in %s" % (self.__target_file)
self.logger.info(self.module_name, msg)
value = str(paramlist[self.__param])
if value != "\"\"":
reason = """%s is set to '%s' instead of "" in %s""" % (
self.__param, value, self.__target_file)
self.logger.notice(self.module_name, 'Scan Failed: ' + reason)
return 'Fail', reason
else:
return 'Pass', ''
def scan(self, option=None):
path = os.getenv('PATH')
msg = "Analyzing PATH environment variable which is currently set "\
"to: %s" % path
self.logger.debug(self.module_name, 'Scan: ' + msg)
if not path:
# don't think this will ever happen, but we'll test for it
return 'Pass', ''
for mydir in path.split(':'):
if mydir == '.':
reason = "root user's PATH environment variable contains '.'"
self.logger.info(self.module_name, 'Scan Failed: ' + reason)
return 'Fail', reason
# check for world-writable dirs
if not os.path.isdir(mydir):
continue
try:
statinfo = os.stat(mydir)
except OSError, err:
msg = "Unable to stat directory %s: %s" % (mydir, err)
self.logger.error(self.module_name, 'Scan Error: ' + msg)
raise tcs_utils.ScanError('%s %s' % (self.module_name, msg))
if statinfo.st_mode & stat.S_IWGRP or \
statinfo.st_mode & stat.S_IWOTH:
msg = "root user has writable directories in PATH"
self.logger.error(self.module_name, 'Scan Failed: ' + msg)
return 'Fail', msg
def scan(self, option=None):
results = sb_utils.os.software.is_installed(pkgname=self.__pkgName)
if results != True:
msg = "'%s' package is not installed." % self.__pkgName
self.logger.info(self.module_name, 'Not Applicable: ' + msg)
raise tcs_utils.ScanNotApplicable('%s %s' %
(self.module_name, msg))
# first, check to see whether the target file exists at all
if not os.path.isfile(self.__target_file):
msg = "File %s does not exist" % self.__target_file
self.logger.info(self.module_name, 'Scan Failed: ' + msg)
return 'Fail', msg
# now check its contents to be sure it contains what we want
if not os.path.isfile(self.__target_file):
msg = "%s does not exist" % self.__target_file
self.logger.notice(self.module_name, 'Scan Failed: ' + msg)
return 'Fail', msg
try:
infile = open(self.__target_file, 'r')
except (OSError, IOError), err:
msg = "Unable to open file %s: %s" % (self.__target_file, err)
self.logger.error(self.module_name, 'Scan Error: ' + msg)
raise tcs_utils.ScanError('%s %s' % (self.module_name, msg))
def scan(self, optionDict=None):
"""
Analyze system
"""
if optionDict == None or not 'shellTimeout' in optionDict:
msg = "Missing option value"
self.logger.notice(self.module_name, 'Scan Error: ' + msg)
raise tcs_utils.ScanError('%s %s' % (self.module_name, msg))
option = optionDict['shellTimeout']
try:
value = int(option)
except ValueError, err:
msg = "Bad option value: %s" % err
self.logger.error(self.module_name, 'Scan Error: ' + msg)
raise tcs_utils.ScanError('%s %s' % (self.module_name, msg))
def scan(self, option=None):
zonename = sb_utils.os.solaris.zonename()
if zonename != 'global':
msg = "Non-global Solaris zone (%s): Unable to set %s" % (
zonename, self.__param)
self.logger.notice(self.module_name, 'Scan: ' + msg)
raise tcs_utils.ZoneNotApplicable('%s %s' %
(self.module_name, msg))
paramlist = sb_utils.os.config.get_list(configfile=self.__target_file,
delim='=')
if paramlist == None:
msg = 'Unable to determine parameter setting'
self.logger.error(self.module_name, 'Scan Error: ' + msg)
raise tcs_utils.ScanError('%s %s' % (self.module_name, msg))
if not paramlist.has_key(self.__param):
reason = "%s option is NOT set in %s" % (self.__param,
self.__target_file)
self.logger.info(self.module_name, 'Scan Failed: ' + reason)
return 'Fail', reason
value = paramlist[self.__param]
if int(value) != 2:
reason = "%s is set to '%s' instead of 2 in %s" % (
self.__param, value, self.__target_file)
self.logger.info(self.module_name, 'Scan Failed: ' + reason)
return 'Fail', reason
else:
return 'Pass', ''
def scan(self, option=None):
"""Check for rpm and for -s mode"""
if option != None:
option = None
messages = {'messages': []}
flagIndex = None
dirIndex = None
dirName = None
results = sb_utils.os.software.is_installed(pkgname=self.rpm_name)
if results != True:
msg = "'%s' package is not installed" % self.rpm_name
self.logger.notice(self.module_name, 'Not Applicable: ' + msg)
raise tcs_utils.ScanNotApplicable('%s %s' %
(self.module_name, msg))
else:
msg = "'%s' package is installed" % self.rpm_name
self.logger.info(self.module_name, msg)
messages['messages'].append(msg)
try:
myfile = open('/etc/xinetd.d/tftp', 'r')
except IOError, err:
msg = "Unable to open /etc/xinetd.d/tftp: %s" % str(err)
self.logger.error(self.module_name, 'Scan Error: ' + msg)
raise tcs_utils.ScanError('%s %s' % (self.module_name, msg))
def scan(self, option=None):
messages = {}
messages['messages'] = []
results = sb_utils.os.software.is_installed(pkgname='finger-server')
if results != True:
msg = "'finger-server' package is not installed."
self.logger.notice(self.module_name, 'Not Applicable: ' + msg)
raise tcs_utils.ScanNotApplicable('%s %s' %
(self.module_name, msg))
else:
msg = "'finger-server' package is installed."
messages['messages'].append(msg)
self.logger.info(self.module_name, msg)
results = sb_utils.os.xinetd.is_enabled(svcname='finger')
if results == None:
msg = "Unable to determine status of the 'finger' service"
self.logger.error(self.module_name, 'Scan Error: ' + msg)
raise tcs_utils.ScanError('%s %s' % (self.module_name, msg))
if results == True:
msg = "'finger' service is enabled."
self.logger.notice(self.module_name, 'Scan Failed: ' + msg)
return False, msg, messages
msg = "'finger' service is disabled"
messages['messages'].append(msg)
self.logger.notice(self.module_name, 'Scan Passed: ' + msg)
return True, msg, messages
def validate_input(self, optionDict=None):
"""
Validate optionDict has required args, within acceptable ranges
"""
self.__pass_min = self.validate_argument('passwordAgingMindays',
optionDict)
self.__pass_max = self.validate_argument('passwordAgingMaxdays',
optionDict)
self.__pass_warn = self.validate_argument('passwordAgingExpireWarning',
optionDict)
self.__pass_inact = self.validate_argument('passwordAgingInvalidate',
optionDict)
if optionDict['exemptSystemAccounts'] == '1':
self.__exemptSystemAccounts = sb_utils.acctmgt.users.local_SystemUsers(
)
else:
self.__exemptSystemAccounts = []
self.__exemptSpecificAccounts = tcs_utils.splitNaturally(
optionDict['exemptSpecificAccounts'])
flag = 0
if self.__pass_min < 1 or self.__pass_max < 1 or \
self.__pass_inact < 0 or self.__pass_warn < 1:
flag = 1
if self.__pass_max < self.__pass_min:
flag = 1
if flag == 1:
msg = 'Invalid option arg provided'
self.logger.error(self.module_name, 'Scan Error: ' + msg)
raise tcs_utils.ScanError('%s %s' % (self.module_name, msg))
def validate_input(self, optionDict):
try:
self.__specialFiles = sb_utils.file.fileperms.splitStringIntoFiles(
optionDict['specialDevices'])
except ValueError:
msg = "Invalid option value -> '%s'" % optionDict
raise tcs_utils.ScanError('%s %s' % (self.module_name, msg))
def scan(self, option=None):
boot_pat = re.compile('-s /tftpboot')
# Is TFTP server package installed?
if sb_utils.os.software.is_installed(pkgname='SUNWtftp') != True:
msg = "TFTP Server (SUNWtftp) package is not installed"
self.logger.notice(self.module_name, 'Not Applicable: ' + msg)
raise tcs_utils.ScanNotApplicable('%s %s' %
(self.module_name, msg))
prop = sb_utils.os.service.getprop(svcname='tftp',
property='inetd_start/exec')
if prop != None:
prop = prop.replace('\\', '')
if not boot_pat.search(prop):
msg = "Tftp service 'inetd_start/exec' property (%s) does not "\
"contain '-s /tftpboot'" % prop
self.logger.notice(self.module_name, 'Scan Failed: ' + msg)
return 'Fail', msg
self.logger.debug(self.module_name, 'Checking /etc/inet/inetd.conf')
try:
infile = open('/etc/inet/inetd.conf', 'r')
except IOError, err:
msg = "Unable to read /etc/inet/inetd.conf: %s" % err
self.logger.error(self.module_name, 'Scan Error: ' + msg)
raise tcs_utils.ScanError('%s %s' % (self.module_name, msg))
def apply(self, option=None):
"""
Corrects the permissions
"""
change_record = {}
# Only run FS scan if it hasn't been run this scan
if tcs_utils.fs_scan_is_needed():
sb_utils.filesystem.scan.perform()
if not os.path.isfile(self.__target_file):
msg = "Unable to find %s" % self.__target_file
self.logger.error(self.module_name, 'Apply Error: ' + msg)
raise tcs_utils.ScanError('%s %s' % (self.module_name, msg))
# let others know we ran the fs scanner
tcs_utils.update_fs_scanid()
try:
in_obj = open(self.__target_file, 'r')
except (OSError, IOError), err:
msg = "Unable to open %s: %s" % (self.__target_file, err)
self.logger.error(self.module_name, 'Apply Error: ' + msg)
raise tcs_utils.ActionError('%s %s' % (self.module_name, msg))
def scan(self, optionDict=None):
"""Check for password reuse support."""
if self.validate_input(optionDict):
msg = 'Invalid option value was supplied.'
self.logger.error(self.module_name, 'Scan Error: ' + msg)
raise tcs_utils.ScanError('%s %s' % (self.module_name, msg))
option = optionDict['passwordReuse']
try:
in_obj = open(self.__target_file, 'r')
except IOError, err:
msg = "Unable to open file %s: %s." % (self.__target_file,
str(err))
self.logger.error(self.module_name, 'Scan Error: ' + msg)
raise tcs_utils.ScanError('%s %s' % (self.module_name, msg))
def scan(self, option=None):
messages = {'messages': []}
retval = True
# leave quickly if we are N/A due to architecture.
test_arch = platform.machine()
if test_arch == 's390x':
msg = "GRand Unified Bootloader (GRUB) not used on S390 hardware"
self.logger.notice(self.module_name, "Not Applicable: " + msg)
raise tcs_utils.ScanNotApplicable('%s %s' %
(self.module_name, msg))
elif sb_utils.os.info.is_solaris() == True and sb_utils.os.info.is_x86(
) == False:
msg = "GRand Unified Bootloader (GRUB) not used on SPARC hardware"
self.logger.notice(self.module_name, "Not Applicable: " + msg)
raise tcs_utils.ScanNotApplicable('%s %s' %
(self.module_name, msg))
# Ok, quickly test the permissions on the grub file. It should be owned by root and perms no greater than 0600:
# This module won't fix the problems, but so only indicate any issues with a warning. Permission problems do not
# Constitute a failure case, as the 'System Configuration File Permissions' module will fix (if that module is enabled).
msg = "Checking access controls on %s" % self.__target_file
self.logger.info(self.module_name, 'Scan: ' + msg)
try:
statinfo = os.stat(self.__target_file)
except OSError, err:
msg = "Unable to stat %s: %s" % (self.__target_file, err)
self.logger.error(self.module_name, 'Scan Error: ' + msg)
raise tcs_utils.ScanError('%s %s' % (self.module_name, msg))
def scan(self, option=None):
messages = {}
messages['messages'] = []
# first see if all of our dependencies (services, packages) are here...
# and don't bother if we're missing stuff
messages.update(self._is_cups_installed())
changes_to_make = [['Browsing', 'Off'], ['BrowseAllow', 'none']]
if not os.path.isfile(self.__target_file):
msg = "%s file does not exist." % self.__target_file
#indicate that we hit a snag...
messages['messages'].append(msg)
change_record = "missing file"
else:
try:
lines = open(self.__target_file).readlines()
except Exception, err:
msg = "Unable to process file %s: %s" % (self.__target_file,
str(err))
raise tcs_utils.ScanError('%s %s' % (self.module_name, msg))
results, change_record, lines = self.process_file(
lines, changes_to_make, False)
for msg in results:
if msg[0] in ['ok', 'problem']:
self.logger.notice(self.module_name, msg[1])
messages['messages'].append(msg[1])
def scan(self, optionDict=None):
if self.validate_input(optionDict):
msg = 'Invalid option value was supplied.'
self.logger.error(self.module_name, 'Scan Error: ' + msg)
raise tcs_utils.ScanError('%s %s' % (self.module_name, msg))
option = optionDict['daysInactive']
option = int(option)
msg = "Looking for '%s' in %s" % (self.keyname, self._config_file)
self.logger.info(self.module_name, msg)
# Grab parameters separated by the OS's specific delimeter(s)
paramlist = {}
paramlist.update(
sb_utils.os.config.get_list(configfile=self._config_file,
delim=self.delim))
if not paramlist.has_key(self.keyname):
msg = "Could not find '%s' in %s" % (self.keyname,
self._config_file)
self.logger.notice(self.module_name, 'Scan Failed: ' + msg)
del paramlist
return 'Fail', msg
else:
if int(paramlist[self.keyname]) != option:
msg = "'%s' is set to %d but expected it to be %d" % \
(self.keyname, int(paramlist[self.keyname]), option)
self.logger.notice(self.module_name, 'Scan Failed: ' + msg)
del paramlist
return 'Fail', msg
return 'Pass', ''
def scan(self, option=None):
"""Check for file and file permissions"""
if option != None:
option = None
loc = 'None'
found = False
for loc in self.__targetpath:
msg = "Looking for %s" % loc
self.logger.debug(self.module_name, msg)
if os.path.isfile(loc):
msg = "Found %s" % loc
self.logger.info(self.module_name, msg)
found = True
else:
continue
#Now check the file permissions$
try:
statinfo = os.stat(loc)
except (IOError, OSError), err:
msg = "Unable to stat %s: %s" % (loc, err)
self.logger.error(self.module_name, 'Scan Error: ' + msg)
raise tcs_utils.ScanError('%s %s' % (self.module_name, msg))
# We want the permissions to 000
if statinfo.st_mode & 0777 ^ 0000 != 0:
reason = loc + ' has permissions of %o instead of 000' % \
stat.S_IMODE(statinfo.st_mode)
self.logger.notice(self.module_name, 'Scan Failed: ' \
+ reason)
return 'Fail', reason
def scan(self, option=None):
messages = {}
messages['messages'] = []
results = sb_utils.os.software.is_installed(pkgname=self.__pkgname)
if results == False:
msg = "%s package is not installed on the system" % self.__pkgname
self.logger.info(self.module_name, 'Not Applicable: ' + msg)
raise tcs_utils.ScanNotApplicable('%s %s' %
(self.module_name, msg))
if not os.path.isfile(self.__target_file):
msg = "%s package is installed but %s is missing" % self.__target_file
self.logger.error(self.module_name, 'Scan Error: ' + msg)
raise tcs_utils.ScanError('%s %s' % (self.module_name, msg))
try:
in_obj = open(self.__target_file, 'r')
except (OSError, IOError), err:
msg = "Unable to read %s: %s" % (self.__target_file, err)
self.logger.error(self.module_name, 'Scan Error: ' + msg)
raise tcs_utils.ScanNotApplicable('%s %s' %
(self.module_name, msg))
def scan(self, option=None):
"""
Scan system to see if /etc/logrotate.d/audit is
rotating audit logs daily
"""
results = sb_utils.os.software.is_installed(pkgname='logrotate')
if results != True:
msg = "logrotate is not installed on the system; you should install"\
"this package."
self.logger.warn(self.module_name, 'Not Applicable: ' + msg)
raise tcs_utils.ScanNotApplicable('%s %s' %
(self.module_name, msg))
if not os.path.isfile(self.__target_file):
msg = "%s does not exist" % (self.__target_file)
self.logger.notice(self.module_name, 'Scan Failed: ' + msg)
return 'Fail', msg
try:
in_obj = open(self.__target_file, 'r')
except IOError, err:
msg = "Unable to open %s: %s" % (self.__target_file, str(err))
self.logger.error(self.module_name, 'Scan Error: ' + msg)
raise tcs_utils.ScanError('%s %s' % (self.module_name, msg))
def scan(self, option=None):
"""
Examine /etc/samba/smb.conf for missing or invalid values
"""
if option != None:
option = None
messages = {'messages':[]}
results = sb_utils.os.software.is_installed(pkgname=self.__pkgname)
if results == False:
msg = "%s package is not installed" % self.__pkgname
self.logger.warn(self.module_name, 'Not Applicable: ' + msg)
raise tcs_utils.ScanNotApplicable('%s %s' % (self.module_name, msg))
if not os.path.isfile(self.__smb_ini):
msg = "Missing %s but samba is installed" % self.__smb_ini
self.logger.notice(self.module_name, 'Not Applicable: ' + msg)
raise tcs_utils.ScanNotApplicable('%s %s' % (self.module_name, msg))
try:
in_obj = open(self.__smb_ini, 'r')
except (IOError, OSError), err:
msg = "Unable to read %s: %s" % (self.__smb_ini, err)
self.logger.error(self.module_name, 'Scan Error: ' + msg)
raise tcs_utils.ScanError('%s %s' % (self.module_name, msg))
