def apply(self, option=None):
    """Apply the change after a scan; rewrite the target file via a temp copy.

    Returns a (changed, reason, {'messages': [...]}) tuple on the early-exit
    paths visible here. Raises tcs_utils.ActionError when the target cannot
    be opened. The snippet ends right after the open() calls, so the actual
    edit and the closing of origfile/workfile lie past the visible span.
    Indentation was reconstructed from a collapsed listing.
    """
    match_re = re.compile('^<console>\s')
    result, reason, messages = self.scan()
    if result == True:
        # Already compliant: nothing to change.
        return False, '', {'messages':[]}
    if not os.path.isfile(self.__target_file):
        if self.__target_file != "" :
            # NOTE(review): "% does not exist" is a malformed format string --
            # "% d" is an int conversion with the space flag -- so applying it
            # to a path string raises TypeError here instead of the intended
            # ActionError. Should be "%s does not exist".
            msg = "% does not exist" % self.__target_file
            raise tcs_utils.ActionError('%s %s' % ( self.module_name, msg))
        else:
            msg = "No configuration found to edit, no action taken."
            return False, "", {'messages':[msg]}
    # Protect file
    tcs_utils.protect_file(self.__target_file)
    try:
        origfile = open(self.__target_file, 'r')
        workfile = open(self.__tmp_file, 'w')
    except IOError, err:
        msg = "%s" % err
        self.logger.error(self.module_name, 'Apply Error: ' + msg)
        raise tcs_utils.ActionError('%s %s' % (self.module_name, msg))
def apply(self, option=None):
    """Open every Mozilla preference file and a '.new' sibling for writing.

    Per-file open failures are logged, recorded in messages['messages'] and
    skipped (best effort across files). The snippet ends at the bottom of the
    loop body, so the edit itself and the final return are not visible here.
    Indentation was reconstructed from a collapsed listing.
    """
    messages = {'messages': []}
    action_record = ""
    for pref_file in self._get_moz_pref_files():
        # Protect file
        tcs_utils.protect_file(pref_file)
        try:
            in_obj = open(pref_file, 'r')
        except (IOError, OSError), err:
            msg = "Unable to read %s: %s" % (pref_file, err)
            self.logger.error(self.module_name, 'Apply Error: ' + msg)
            messages['messages'].append("Error: %s" % msg)
            continue
        try:
            out_obj = open(pref_file + '.new', 'w')
        except Exception, err:
            # Release the input handle before giving up on this file.
            in_obj.close()
            msg = "Unable to create temporary file (%s)." % str(err)
            self.logger.error(self.module_name, 'Apply Error: ' + msg)
            # NOTE(review): the error is logged twice; the second call below
            # looks like a copy/paste duplicate.
            self.logger.error(self.module_name, 'Apply Error: ' + msg)
            messages['messages'].append("Error: %s" % msg)
            continue
def undo(self, change_record=None):
    """Undo the previous action.

    With change_record == 'services' the SMF tftp service is re-enabled;
    otherwise /etc/inet/inetd.conf is reopened for editing (the edit lies
    past the visible snippet). NOTE(review): the visible returns mix
    (0, '') and a bare 1, and the open failure is logged as 'Apply Error'
    inside undo. Indentation was reconstructed from a collapsed listing.
    """
    # Is TFTP server package installed?
    if sb_utils.os.software.is_installed(pkgname='SUNWtftp') != True:
        msg = "TFTP Server (SUNWtftp) package is not installed"
        self.logger.notice(self.module_name, 'Not Applicable: ' + msg)
        return 0, ''
    if change_record == 'services':
        results = sb_utils.os.service.enable(svcname='tftp')
        if results == True:
            msg = "Undo Performed: TFTP service re-enabled"
            self.logger.notice(self.module_name, msg)
            return 1
    # Fall through to the inetd.conf path when the service undo did not apply.
    newfile = '/etc/inet/inetd.conf.new'
    oldfile = '/etc/inet/inetd.conf'
    tcs_utils.protect_file(oldfile)
    try:
        outfile = open(newfile, 'w')
        infile = open(oldfile, 'r')
    except IOError, err:
        msg = str(err)
        self.logger.error(self.module_name, 'Apply Error: ' + msg)
        raise tcs_utils.ActionError('%s %s' % (self.module_name, msg))
def apply(self, option=None):
    """Disable the TFTP server, via SMF if enabled, else via inetd.conf.

    Returns (0, '') when already compliant or not applicable, and
    (1, 'services') when the SMF service was disabled; the inetd.conf
    edit continues past the visible snippet. Indentation was reconstructed
    from a collapsed listing.
    """
    results, reason = self.scan(option)
    if results == 'Pass':
        return 0, ''
    # Is TFTP server package installed?
    if sb_utils.os.software.is_installed(pkgname='SUNWtftp') != True:
        msg = "TFTP Server (SUNWtftp) package is not installed"
        self.logger.notice(self.module_name, 'Not Applicable: ' + msg)
        return 0, ''
    if sb_utils.os.service.is_enabled(svcname='tftp') == True:
        results = sb_utils.os.service.disable(svcname='tftp')
        if results == True:
            msg = "Apply Performed: TFTP service disabled"
            self.logger.notice(self.module_name, msg)
            # 'services' tells undo() which path to reverse.
            return 1, 'services'
    change_record = ''
    newfile = '/etc/inet/inetd.conf.new'
    oldfile = '/etc/inet/inetd.conf'
    tcs_utils.protect_file(oldfile)
    try:
        outfile = open(newfile, 'w')
        infile = open(oldfile, 'r')
    except IOError, err:
        msg = str(err)
        self.logger.error(self.module_name, 'Apply Error: ' + msg)
        raise tcs_utils.ActionError('%s %s' % (self.module_name, msg))
def apply(self, option=None):
    """Scan, then open the target file and its temp copy for rewriting.

    The edit itself lies past the visible snippet. Indentation was
    reconstructed from a collapsed listing.
    """
    result, reason = self.scan()
    if result == 'Pass':
        return 0, ''
    # Protect file
    tcs_utils.protect_file(self.__target_file)
    try:
        origfile = open(self.__target_file, 'r')
        workfile = open(self.__tmp_file, 'w')
    except IOError, err:
        # NOTE(review): err is an exception object, not a string; 'str' + err
        # raises TypeError inside the handler and masks the original IOError.
        # Use str(err) as the sibling modules do.
        self.logger.error(self.module_name, 'Apply Error: ' + err)
        raise tcs_utils.ActionError('%s %s' % (self.module_name, err))
def apply(self, option=None):
    """Back up and open the target file for reading.

    Raises tcs_utils.ActionError when the file cannot be opened; the edit
    lies past the visible snippet. Indentation was reconstructed from a
    collapsed listing.
    """
    action_record = ""
    # Protect file
    tcs_utils.protect_file(self.__target_file)
    msg = 'Opening %s' % self.__target_file
    self.logger.info(self.module_name, msg)
    try:
        in_obj = open(self.__target_file, 'r')
    except Exception, err:
        msg = "Unable to open file %s (%s)" % (self.__target_file, str(err))
        # Logged at info level even though an ActionError follows.
        self.logger.info(self.module_name, 'Apply Error: ' + msg)
        raise tcs_utils.ActionError('%s %s' % (self.module_name, msg))
def apply(self, option=None):
    """Confine in.tftpd to /tftpboot (-s) via SMF, else via inetd.conf.

    When the SMF property inetd_start/exec exists and lacks '-s /tftpboot',
    inetadm rewrites it and the previous value is returned as '|<old exec>'
    so undo() can restore it. Returns (0, '') on pass / not applicable /
    command failure, (1, change_record) on success; the inetd.conf branch
    continues past the visible snippet. Indentation was reconstructed from a
    collapsed listing; the placement of the second change_record reset is
    inferred.
    """
    results, reason = self.scan(option)
    if results == 'Pass':
        return 0, ''
    change_record = ''
    # Is TFTP server package installed?
    if sb_utils.os.software.is_installed(pkgname='SUNWtftp') != True:
        msg = "TFTP Server (SUNWtftp) package is not installed"
        self.logger.notice(self.module_name, 'Not Applicable: ' + msg)
        return 0, ''
    boot_pat = re.compile('-s /tftpboot')
    prop = sb_utils.os.service.getprop(svcname='tftp', property='inetd_start/exec')
    if prop != None:
        # Strip the backslash escaping inetadm/svcprop put on the value.
        prop = prop.replace('\\', '')
        if not boot_pat.search(prop):
            # Fixed command line; no untrusted input is interpolated here.
            args = "/usr/sbin/in.tftpd -s /tftpboot"
            cmd = """/usr/sbin/inetadm -m tftp exec="%s" """ % args
            results = tcs_utils.tcs_run_cmd(cmd, True)
            if results[0] != 0:
                msg = "Unable to execute: %s (%s)" % (cmd, results[2])
                self.logger.notice(self.module_name, 'Apply Failed: ' + msg)
                return 0, ''
            else:
                change_record = '|' + prop
                msg = "Successfully executed: %s" % cmd
                self.logger.notice(self.module_name, 'Apply Performed: ' + msg)
                return 1, change_record
    change_record = ''
    newfile = '/etc/inet/inetd.conf.new'
    oldfile = '/etc/inet/inetd.conf'
    tcs_utils.protect_file(oldfile)
    try:
        outfile = open(newfile, 'w')
        infile = open(oldfile, 'r')
    except IOError, err:
        msg = str(err)
        self.logger.error(self.module_name, 'Apply Error: ' + msg)
        raise tcs_utils.ActionError('%s %s' % (self.module_name, msg))
def apply(self, option=None):
    """Enable account locking after 3 unsuccessful login attempts.

    For each PAM file in self.__target_files, parse_system_auth() supplies
    the rewritten lines plus a list of fixes; files needing no fix are
    skipped. The new content is written to '<file>.new', which then replaces
    the original (mode copied, SELinux context restored) and the change set
    is kept in changeDict. Raises tcs_utils.ActionError on write/replace
    failure. The return lies past the visible snippet. Indentation was
    reconstructed from a collapsed listing; whether the final notice sits
    inside or after the loop is inferred.
    """
    msg = None
    self._init_fields(option)
    messages = {'messages': []}
    # Protect file
    changeDict = {}
    retval = False
    for fileName in self.__target_files:
        tcs_utils.protect_file(fileName)
        ret_dict = self.parse_system_auth(fileName, option)
        if ret_dict['fixes'] == []:
            continue
        else:
            for msg in ret_dict['fixes']:
                self.logger.notice(self.module_name, msg)
            messages['messages'].extend(ret_dict['fixes'])
        try:
            out_obj = open(fileName + '.new', 'w')
        except Exception, err:
            msg = "Unable to create temporary file (%s)" % str(err)
            self.logger.error(self.module_name, 'Apply Error: ' + msg)
            raise tcs_utils.ActionError('%s %s' % (self.module_name, msg))
        for line in ret_dict['lines']:
            out_obj.write(line)
        out_obj.close()
        try:
            shutil.copymode(fileName, fileName + '.new')
            shutil.copy2(fileName + '.new', fileName)
            sb_utils.SELinux.restoreSecurityContext(fileName)
            os.unlink(fileName + '.new')
            changeDict[fileName] = ret_dict['changes']
        except OSError:
            # NOTE(review): only OSError is handled; on Python 2 the shutil
            # copy helpers can also raise IOError -- confirm and widen if so.
            msg = "Unable to replace %s with new version." % fileName
            self.logger.error(self.module_name, 'Apply Error: ' + msg)
            raise tcs_utils.ActionError('%s %s' % (self.module_name, msg))
    msg = 'Added %s to authentication service' % self.__pam_service
    self.logger.notice(self.module_name, 'Apply Performed: ' + msg)
def apply(self, option=None):
    """Part 1: open /etc/rmmount.conf for the nosuid mount-option edit.

    The edit, and the vfstab part, lie past the visible snippet. Indentation
    was reconstructed from a collapsed listing.
    """
    action_record = []
    #
    # PART 1: Update /etc/rmmount.conf
    #
    #pattern = re.compile('^mount\s\*\shsfs\sudfs\sufs\s-o\snosuid')
    # NOTE(review): every separator is \s* (zero or more), so the pattern also
    # matches lines with no whitespace between the tokens; intended?
    pattern = re.compile('^mount\s*\*\s*hsfs\s*udfs\s*ufs\s*-o\s*nosuid')
    tcs_utils.protect_file('/etc/rmmount.conf')
    try:
        infile = open('/etc/rmmount.conf', 'r')
        outfile = open('/etc/rmmount.conf.new', 'w')
    except IOError, err:
        msg = str(err)
        # NOTE(review): logged as 'Scan Error' although this is apply().
        self.logger.error(self.module_name, 'Scan Error: ' + msg)
        raise tcs_utils.ActionError('%s %s' % (self.module_name, msg))
def apply(self, option=None):
    """ Disable the ctrl-alt-del key combination.

    Returns (0, reason) when the scan already passes; otherwise opens the
    target file (the edit lies past the visible snippet). Indentation was
    reconstructed from a collapsed listing.
    """
    result, reason = self.scan()
    if result == 'Pass':
        return 0, reason
    # Protect file
    tcs_utils.protect_file(self.__target_file)
    search_pattern = re.compile(self.__pattern)
    try:
        in_obj = open(self.__target_file, 'r')
    except IOError, err:
        # The open failure is raised without being logged first.
        msg = "Unable to open file %s (%s)" % (self.__target_file, str(err))
        raise tcs_utils.ActionError('%s %s' % (self.module_name, msg))
def apply(self, option=None):
    """ Disable the ctrl-alt-del key combination.

    Returns (0, '') when the scan already passes; otherwise opens the
    target file (the edit lies past the visible snippet). Indentation was
    reconstructed from a collapsed listing.
    """
    # Run scan first to see if we need to make the change
    result, reason = self.scan()
    if result == 'Pass':
        return 0, ''
    # Protect file
    tcs_utils.protect_file(self.__target_file)
    try:
        in_obj = open(self.__target_file, 'r')
    except Exception, err:
        # The open failure is raised without being logged first.
        msg = "Unable to open file %s (%s)" % (self.__target_file, str(err))
        raise tcs_utils.ActionError('%s %s' % (self.module_name, msg))
def apply(self, optionDict=None):
    """Enable password reuse limits.

    Reads optionDict['passwordReuse'] and opens the target file; the edit
    lies past the visible snippet. Indentation was reconstructed from a
    collapsed listing.
    """
    result, reason = self.scan(optionDict)
    if result == 'Pass':
        return 0, ''
    # NOTE(review): the default optionDict=None is subscripted unconditionally
    # here (TypeError) unless scan() already rejects None -- confirm.
    option = optionDict['passwordReuse']
    # Protect file
    tcs_utils.protect_file(self.__target_file)
    try:
        in_obj = open(self.__target_file, 'r')
    except IOError, err:
        msg = "Unable to open file %s: %s." % (self.__target_file, str(err))
        self.logger.info(self.module_name, 'Apply Error: ' + msg)
        raise tcs_utils.ActionError('%s %s' % (self.module_name, msg))
def apply(self, option=None):
    """Enable password requirement for single user mode.

    Returns (0, '') when the scan already passes; otherwise opens the target
    file (the edit lies past the visible snippet). Indentation was
    reconstructed from a collapsed listing.
    """
    result, reason = self.scan()
    if result == 'Pass':
        return 0, ''
    # Protect file
    tcs_utils.protect_file(self.__target_file)
    try:
        in_obj = open(self.__target_file, 'r')
    except Exception, err:
        msg = "Unable to open file %s (%s)." % (self.__target_file, str(err))
        self.logger.info(self.module_name, 'Apply Error: ' + msg)
        raise tcs_utils.ActionError('%s %s' % (self.module_name, msg))
def apply(self, optionDict=None):
    """Apply the minimum password length from optionDict['passwordMinLength'].

    Opens the target file after backing it up; the edit lies past the
    visible snippet. Indentation was reconstructed from a collapsed listing.
    """
    result, reason = self.scan(optionDict)
    if result == 'Pass':
        return 0, ''
    # NOTE(review): the default optionDict=None is subscripted unconditionally
    # here (TypeError) unless scan() already rejects None -- confirm.
    option = optionDict['passwordMinLength']
    # Protect files
    tcs_utils.protect_file(self.__target_file)
    action_record = []
    #---------------------------------------------------------------------
    try:
        in_obj = open(self.__target_file, 'r')
    except Exception, err:
        msg = "Unable to open file %s (%s)." % (self.__target_file, str(err))
        self.logger.error(self.module_name, 'Apply Error: ' + msg)
        raise tcs_utils.ActionError('%s %s' % (self.module_name, msg))
def undo(self, action_record=None):
    """Undo the previous action.

    Only an action_record of "added" is reversed; anything else is skipped
    with a notice and returns 1. The target file is then opened for reading
    (the reversal lies past the visible snippet). Indentation was
    reconstructed from a collapsed listing.
    """
    if action_record != "added":
        msg = "Skipping Undo: No change record to indicate an undo is required."
        self.logger.notice(self.module_name, msg)
        return 1
    # Protect file
    tcs_utils.protect_file(self.__target_file)
    msg = 'Opening %s' % self.__target_file
    self.logger.info(self.module_name, msg)
    try:
        in_obj = open(self.__target_file, 'r')
    except Exception, err:
        msg = "Unable to open %s: %s" % (self.__target_file, str(err))
        self.logger.info(self.module_name, 'Undo Error: ' + msg)
        raise tcs_utils.ActionError('%s %s' % (self.module_name, msg))
def apply(self, option=None):
    """Enable account locking after 3 unsuccessful login attempts.

    Returns (False, reason, {}) when the scan already passes; otherwise
    opens the target file (the edit lies past the visible snippet).
    Indentation was reconstructed from a collapsed listing.
    """
    action_record = ''
    (result, reason, messages) = self.scan()
    if result == True:
        return False, reason, {}
    # The scan's messages are discarded; apply reports its own.
    messages = {'messages': []}
    # Protect file
    tcs_utils.protect_file(self.__target_file)
    try:
        in_obj = open(self.__target_file, 'r')
    except Exception, err:
        msg = "Unable to open file %s (%s)." % (self.__target_file, str(err))
        self.logger.error(self.module_name, 'Apply Error: ' + msg)
        raise tcs_utils.ActionError('%s %s' % (self.module_name, msg))
def apply(self, optionDict=None):
    """Create and replace the audit rules configuration.

    The rules come verbatim from optionDict['auditRules'] (XML-unescaped,
    newline-terminated) and are written to '<target>.new', which then
    replaces the existing file; a diff record for undo is appended to
    action_record. Only the "target exists" branch is visible here; the
    missing-file branch and the return lie past the snippet. Indentation
    was reconstructed from a collapsed listing.
    """
    action_record = []
    result, reason = self.scan(optionDict)
    if result == 'Pass':
        return 0, action_record
    option = xml.sax.saxutils.unescape(optionDict['auditRules'])
    # NOTE(review): option[-1] raises IndexError when the rules are empty.
    if option[-1] != '\n':
        option = option + '\n'
    if os.path.exists(self.__target_file):
        # Protect file
        tcs_utils.protect_file(self.__target_file)
        try:
            out_obj = open(self.__target_file + '.new', 'w')
        except IOError, err:
            msg = "Unable to create temporary file (%s)." % str(err)
            self.logger.error(self.module_name, 'Apply Error: ' + msg)
            raise tcs_utils.ActionError('%s %s' % (self.module_name, msg))
        out_obj.write(option)
        out_obj.close()
        # Diff is taken before the replacement so undo can rebuild the old file.
        action_record.append(
            tcs_utils.generate_diff_record(self.__target_file + '.new', self.__target_file))
        try:
            shutil.copymode(self.__target_file, self.__target_file + '.new')
            shutil.copy2(self.__target_file + '.new', self.__target_file)
            sb_utils.SELinux.restoreSecurityContext(self.__target_file)
            os.unlink(self.__target_file + '.new')
        except (IOError, OSError), err:
            msg = "Unable to replace %s with new version: %s" % (
                self.__target_file, err)
            self.logger.error(self.module_name, 'Apply Error: ' + msg)
            raise tcs_utils.ActionError('%s %s' % (self.module_name, msg))
def apply(self, option=None):
    """ Set CONSOLE to /dev/console in /etc/default/login

    Returns (0, '') when the scan already passes; otherwise opens the
    target and temp files (the edit lies past the visible snippet).
    Indentation was reconstructed from a collapsed listing.
    """
    result, reason = self.scan()
    if result == 'Pass':
        return 0, ''
    # Protect file
    tcs_utils.protect_file(self.__target_file)
    try:
        origfile = open(self.__target_file, 'r')
        workfile = open(self.__tmp_file, 'w')
    except IOError, err:
        msg = 'Apply Failed: %s' % err
        self.logger.error(self.module_name, msg)
        raise tcs_utils.ActionError('%s %s' % (self.module_name, msg))
def apply(self, option=None):
    """ Set daemon umask to 027

    Returns (0, '') when the scan already passes; otherwise opens the
    target and temp files (the edit lies past the visible snippet).
    Indentation was reconstructed from a collapsed listing.
    """
    result, reason = self.scan()
    if result == 'Pass':
        return 0, ''
    # Protect file
    tcs_utils.protect_file(self.__target_file)
    try:
        origfile = open(self.__target_file, 'r')
        workfile = open(self.__tmp_file, 'w')
    except IOError, err:
        msg = 'Apply Error: %s' % err
        self.logger.error(self.module_name, msg)
        raise tcs_utils.ActionError('%s %s' % (self.module_name, msg))
def apply(self, option=None):
    """Enable account locking after 3 unsuccessful login attempts.

    Returns (0, action_record) when the scan already passes; otherwise opens
    /etc/default/login (the RETRIES edit lies past the visible snippet).
    Indentation was reconstructed from a collapsed listing.
    """
    action_record = ''
    result, reason = self.scan()
    if result == 'Pass':
        return 0, action_record
    #
    # /etc/default/login needs RETRIES=3 (or less)
    #
    # Protect file
    tcs_utils.protect_file('/etc/default/login')
    try:
        in_obj = open('/etc/default/login', 'r')
    except Exception, err:
        msg = "Unable to open file /etc/default/login (%s)." % str(err)
        self.logger.error(self.module_name, 'Apply Error: ' + msg)
        raise tcs_utils.ActionError('%s %s' % (self.module_name, msg))
def apply(self, option=None):
    """ Disable the ctrl-alt-del key combination.

    Returns (False, 'none', messages) when the scan already passes;
    otherwise opens the target file (the edit lies past the visible
    snippet). Indentation was reconstructed from a collapsed listing.
    """
    change_record = {}
    result, reason, messages = self.scan()
    if result == True:
        return False, 'none', messages
    messages = {'messages':[]}
    retval = False
    # Protect file
    tcs_utils.protect_file(self.__target_file)
    search_pattern = re.compile(self.__pattern)
    try:
        in_obj = open(self.__target_file, 'r')
    except IOError, err:
        # The open failure is raised without being logged first.
        msg = "Unable to open file %s (%s)" % (self.__target_file, str(err))
        raise tcs_utils.ActionError('%s %s' % (self.module_name, msg))
def apply(self, optionDict=None):
    """Open /etc/system for editing; refused outside the global zone.

    Raises tcs_utils.ZoneNotApplicable in a non-global zone and
    tcs_utils.ActionError when the files cannot be opened; the edit lies
    past the visible snippet. Indentation was reconstructed from a
    collapsed listing.
    """
    zonename = sb_utils.os.solaris.zonename()
    if zonename != 'global':
        # Kernel tunables in /etc/system only take effect in the global zone.
        msg = "Unable to change /etc/system parameters in a non-global zone"
        self.logger.notice(self.module_name, 'Not Applicable: ' + msg)
        raise tcs_utils.ZoneNotApplicable('%s %s' % (self.module_name, msg))
    action_record = []
    tcs_utils.protect_file('/etc/system')
    failure_flag = False
    try:
        infile = open('/etc/system', 'r')
        outfile = open('/etc/system.new', 'w')
    except IOError, err:
        msg = str(err)
        self.logger.error(self.module_name, 'Apply Error: ' + msg)
        raise tcs_utils.ActionError('%s %s' % (self.module_name, msg))
def apply(self, option=None):
    """Back up self.__file and open it for reading.

    Returns (False, '', {}) when the scan already passes. The backup is
    reported in messages['messages']; the edit lies past the visible
    snippet. Indentation was reconstructed from a collapsed listing.
    """
    action_record = []
    (result, reason, messages) = self.scan()
    if result == True:
        return False, '', {}
    messages = {}
    messages['messages'] = []
    tcs_utils.protect_file(self.__file)
    msg = "Made backup copy of %s" % self.__file
    messages['messages'].append(msg)
    try:
        in_obj = open(self.__file, 'r')
    except (OSError, IOError), err:
        msg = "Unable to read file %s: %s" % (self.__file, err)
        self.logger.error(self.module_name, 'Apply Error: ' + msg)
        raise tcs_utils.ActionError('%s %s' % (self.module_name, msg))
def _change_one_file(self, action, fileName):
    """Load one file's lines for the given action ('apply'/'undo'-style verb).

    The action name is capitalised only for log messages. On a read failure
    the error is logged and, within the visible span, lines stays [] --
    whether the caller then proceeds on an empty file is not visible here.
    Indentation was reconstructed from a collapsed listing.
    """
    # generate exclusion list *early* to avoid cluttering log
    sb_utils.file.exclusion.exlist()
    # Protect file
    tcs_utils.protect_file(fileName)
    action_record = ""
    madeChange = False
    mesg_found = False
    actionName = action[0].upper() + action[1:]
    msg = "%s: Examining '%s' " % (actionName, fileName)
    self.logger.debug(self.module_name, msg)
    lines = []
    try:
        # The handle is not closed explicitly; it is left to refcounting.
        lines = open(fileName, 'r').readlines()
    except Exception, err:
        msg = "Unable to open file %s (%s)." % (fileName, str(err))
        self.logger.error(self.module_name, '%s Error: %s' % (actionName, msg))
def undo(self, change_record=None):
    """Undo the previous action.

    A change_record starting with '|' carries the old inetd_start/exec
    value, which is handed back to inetadm; otherwise inetd.conf is
    reopened for editing (past the visible snippet). Requires a change
    record. NOTE(review): the visible returns mix (0, ''), 0 and 1, and the
    success/failure messages are labelled 'Apply ...' inside undo.
    Indentation was reconstructed from a collapsed listing.
    """
    # Is TFTP server package installed?
    if sb_utils.os.software.is_installed(pkgname='SUNWtftp') != True:
        msg = "TFTP Server (SUNWtftp) package is not installed"
        self.logger.notice(self.module_name, 'Not Applicable: ' + msg)
        return 0, ''
    if not change_record:
        msg = "Unable to perform undo operation without change record."
        self.logger.error(self.module_name, 'Undo Error: ' + msg)
        raise tcs_utils.ActionError('%s %s' % (self.module_name, msg))
    if change_record[0] == '|':
        # NOTE(review): the stored exec value is interpolated unquoted into a
        # command string; if tcs_run_cmd's second argument means "run through
        # a shell", shell metacharacters in the record would be interpreted.
        # Confirm how the record is produced and how tcs_run_cmd executes it.
        cmd = """/usr/sbin/inetadm -m tftp exec="%s" """ % change_record[1:]
        results = tcs_utils.tcs_run_cmd(cmd, True)
        if results[0] != 0:
            msg = "Unable to execute: %s (%s)" % (cmd, results[2])
            self.logger.notice(self.module_name, 'Undo Failed: ' + msg)
            return 0
        else:
            msg = "Successfully executed: %s" % cmd
            self.logger.notice(self.module_name, 'Apply Performed: ' + msg)
            return 1
    newfile = '/etc/inet/inetd.conf.new'
    oldfile = '/etc/inet/inetd.conf'
    tcs_utils.protect_file(oldfile)
    try:
        outfile = open(newfile, 'w')
        infile = open(oldfile, 'r')
    except IOError, err:
        msg = str(err)
        self.logger.error(self.module_name, 'Apply Error: ' + msg)
        raise tcs_utils.ActionError('%s %s' % (self.module_name, msg))
def apply(self, optionDict):
    """ Modify warning days parameter to user value.

    Reads optionDict['passwordExpireWarning'] and opens the target file;
    the PASS_WARN_AGE edit lies past the visible snippet. Indentation was
    reconstructed from a collapsed listing.
    """
    result, reason = self.scan(optionDict)
    if result == 'Pass':
        return 0, ''
    option = optionDict['passwordExpireWarning']
    # Protect file
    tcs_utils.protect_file(self.__target_file)
    # The line we're looking for is
    search_pattern = re.compile("^PASS_WARN_AGE\s*\d+")
    msg = 'Opening %s' % self.__target_file
    self.logger.info(self.module_name, msg)
    try:
        in_obj = open(self.__target_file, 'r')
    except Exception, err:
        msg = "Unable to open file %s (%s)." % (self.__target_file, str(err))
        self.logger.info(self.module_name, 'Apply Error: ' + msg)
        raise tcs_utils.ActionError('%s %s' % (self.module_name, msg))
def apply(self, optionDict):
    """ Modify the PASS_MAX_DAYS parameter to the user value.

    Reads optionDict['passwordMaxdays'] and opens the target file; the edit
    lies past the visible snippet. (The original docstring said "minimum
    password delay", which does not match the option or pattern used.)
    Indentation was reconstructed from a collapsed listing.
    """
    result, reason = self.scan(optionDict)
    if result == 'Pass':
        return 0, ''
    option = optionDict['passwordMaxdays']
    # Protect file
    tcs_utils.protect_file(self.__target_file)
    # The line we're looking for is (commented-out variants match too, and
    # the pattern is unanchored, so it also matches mid-line occurrences)
    search_pattern = re.compile("#*\s*PASS_MAX_DAYS\s*\d")
    try:
        in_obj = open(self.__target_file, 'r')
    except Exception, err:
        msg = "Unable to open file %s (%s)." % (self.__target_file, str(err))
        self.logger.error(self.module_name, 'Apply Error: ' + msg)
        raise tcs_utils.ActionError('%s %s' % (self.module_name, msg))
# Create logrotate audit file if missing action_record = "empty" try: out_obj = open(self.__target_file, 'w') out_obj.write(new_lines) out_obj.close() except Exception, err: msg = "Unable to create temporary file (%s)." % str(err) self.logger.error(self.module_name, 'Apply Error: ' + msg) raise tcs_utils.ActionError('%s %s' % (self.module_name, msg)) else: # If file exists, create a temporary one and then generate a # diff record to be used to restore it during an undo tcs_utils.protect_file(self.__target_file) newfile = self.__target_file + '.new' oldfile = self.__target_file try: out_obj = open(newfile, 'w') out_obj.write(new_lines) out_obj.close() except IOError, err: msg = "Unable to create temporary file: %s" % str(err) self.logger.error(self.module_name, 'Apply Error: ' + msg) raise tcs_utils.ActionError('%s %s' % (self.module_name, msg)) action_record = tcs_utils.generate_diff_record(newfile, oldfile)
shutil.copymode('/etc/default/login', '/tmp/.default_login.new') shutil.copy2('/tmp/.default_login.new', '/etc/default/login') os.unlink('/tmp/.default_login.new') except OSError: msg = "Unable to replace /etc/default/login with new version." self.logger.error(self.module_name, 'Apply Error: ' + msg) raise tcs_utils.ActionError('%s %s' % (self.module_name, msg)) msg = 'RETRIES=3 set in /etc/default/login' self.logger.notice(self.module_name, 'Apply Performed: ' + msg) # # /etc/security/policy.conf needs LOCK_AFTER_RETRIES=YES # # Protect file tcs_utils.protect_file('/etc/security/policy.conf') try: in_obj = open('/etc/security/policy.conf', 'r') except Exception, err: msg = "Unable to open file /etc/security/policy.conf (%s)." % str( err) self.logger.error(self.module_name, 'Apply Error: ' + msg) raise tcs_utils.ActionError('%s %s' % (self.module_name, msg)) try: out_obj = open('/tmp/.policy.new', 'w') except Exception, err: msg = "Unable to create temporary file (%s)" % str(err) self.logger.error(self.module_name, 'Apply Error: ' + msg) raise tcs_utils.ActionError('%s %s' % (self.module_name, msg))
raise tcs_utils.ActionError('%s %s' % (self.module_name, msg)) msg = "Updated /etc/rmmount.conf" self.logger.info(self.module_name, 'Apply Performed: ' + msg) else: try: os.unlink('/etc/rmmount.conf.new') except OSError, err: msg = 'Unable to remove temporary workfile /etc/rmmount.conf.new' self.logger.error(self.module_name, 'Apply Error: ' + msg) # # PART 2: Check /etc/vfstab # tcs_utils.protect_file('/etc/vfstab') try: infile = open('/etc/vfstab', 'r') outfile = open('/etc/vfstab.new', 'w') except IOError, err: msg = str(err) self.logger.error(self.module_name, 'Apply Error: ' + msg) raise tcs_utils.ActionError('%s %s' % (self.module_name, msg)) line_nr = 0 made_changes = False for line in infile.readlines(): line_nr += 1 line = line.strip() fields = line.split() try: