def enable(svcname=None):
if svcname == None:
return None
#
# Solaris Operating System (svcadm)
#
if info.is_solaris() == True:
if not os.path.isfile('/usr/sbin/svcadm'):
return None
cmd = '/usr/sbin/svcadm enable -r %s' % svcname
output = tcs_utils.tcs_run_cmd(cmd, True)
msg = 'Solaris: %s' % output[2]
if output[0] != 0:
logger.debug(MODULE_NAME, msg)
return False
else:
msg = """Solaris: 'svcadm enable -r %s' was successful""" % svcname
logger.debug(MODULE_NAME, msg)
return True
#
# Linux Operating System (chkconfig)
#
pattern = re.compile('insserv: Service .* has to be enabled')
cmd = "/sbin/chkconfig %s on" % svcname
output = tcs_utils.tcs_run_cmd(cmd, True)
if output[0] != 0:
msg = """Linux: %s """ % output[2]
logger.debug(MODULE_NAME, msg)
if info.is_LikeSUSE() != True:
return False
if not pattern.search(output[2]):
return False
msg = "Error detected, trying alternative insserv(8) utility with force option (-f)..."
logger.debug(MODULE_NAME, msg)
cmd = "/sbin/insserv -f -d %s " % svcname
output = tcs_utils.tcs_run_cmd(cmd, True)
if output[0] != 0:
msg = """Linux: %s """ % output[2]
logger.debug(MODULE_NAME, msg)
return False
else:
msg = """Linux: 'insserv -f -d %s' was successful""" % svcname
logger.debug(MODULE_NAME, msg)
return True
else:
msg = """Linux: 'chkconfig %s on' was successful""" % svcname
logger.debug(MODULE_NAME, msg)
return True
return False
def apply(self, option=None):
result, reason, messages = self.scan()
if result == True:
return False, '', {}
action_record = []
zonename = sb_utils.os.solaris.zonename()
if zonename != 'global':
msg = "Non-global Solaris zone (%s): Unable to use the pmadm command" % (
zonename)
self.logger.notice(self.module_name, 'Scan: ' + msg)
raise tcs_utils.ZoneNotApplicable('%s %s' %
(self.module_name, msg))
if not os.path.isfile('/usr/sbin/pmadm'):
msg = "Unable to find /usr/sbin/pmadm command"
self.logger.error(self.module_name, 'Apply Error: ' + msg)
raise tcs_utils.ActionError('%s %s' % (self.module_name, msg))
failure_flag = False
cmd = "/usr/sbin/pmadm -L -p zsmon"
results = tcs_utils.tcs_run_cmd(cmd, True)
if results[0] != 0:
msg = "Unable to execute: %s (%s)" % (cmd, results[2])
self.logger.notice(self.module_name, 'Apply Failed: ' + msg)
return False, '', {}
for line in results[1].split('\n'):
fields = line.split(':')
if len(fields) == 1:
continue
if len(fields) < 4:
msg = "Ignoring malformed line: %s" % line
self.logger.debug(self.module_name, msg)
continue
test = fields[3].find('x')
if test < 0:
cmd = "/usr/sbin/pmadm -d -p zsmon -s %s" % str(fields[2])
results = tcs_utils.tcs_run_cmd(cmd, True)
if results[0] != 0:
msg = "Unable to disable %s: %s" % (
fields[2], str(results[2]).rstrip())
self.logger.notice(self.module_name,
"Apply Failed: " + msg)
else:
msg = "Disabled %s" % (fields[2])
self.logger.notice(self.module_name,
"Apply Performed: " + msg)
action_record.append(fields[2])
return True, ' '.join(action_record), {}
def undo(self, change_record):
"""
Reset password aging on user accounts
"""
if not change_record:
msg = "Unable to perform undo operation without change record."
self.logger.error(self.module_name, 'Undo Error: ' + msg)
raise tcs_utils.ActionError('%s %s' % (self.module_name, msg))
cmd1 = '/usr/bin/passwd -r files -x -1'
cmd2 = '/usr/sbin/usermod -f 0'
cmd3 = '/usr/sbin/rolemod -f 0'
undo_fail_flag = False
for user in change_record.split('\n'):
if not user:
continue
try:
test = pwd.getpwnam(user)
except Exception:
msg = "User account '%s' does not exist" % user
self.logger.warn(self.module_name, 'Undo: ' + msg)
continue
cmd = "%s %s" % (cmd1, user)
results = tcs_utils.tcs_run_cmd(cmd, True)
if results[0] != 0:
msg = "Failed to execute '%s' (%s)" % (cmd, results[2])
self.logger.error(self.module_name, 'Undo Failed: ' + msg)
undo_fail_flag = True
else:
msg = "Undo Performed: Password aging removed: %s" % cmd
self.logger.notice(self.module_name, msg)
if user in self.__usersWithRoles:
cmd = "%s %s" % (cmd3, user)
else:
cmd = "%s %s" % (cmd2, user)
results = tcs_utils.tcs_run_cmd(cmd, True)
if results[0] != 0:
msg = "Failed to execute '%s' (%s)" % (cmd, results[2])
self.logger.error(self.module_name, 'Undo Failed: ' + msg)
undo_fail_flag = True
else:
msg = "Undo Performed: Inactivity field cleared: %s" % cmd
self.logger.notice(self.module_name, msg)
if undo_fail_flag == True:
return 0
else:
return 1
def listAllFilesForPackage(pkgname=None):
"""Return a list of files that were installed by the package"""
pkgList = []
try:
logger = TCSLogger.TCSLogger.getInstance(6)
except TCSLogger.SingletonException:
logger = TCSLogger.TCSLogger.getInstance()
if not is_installed(pkgname):
return pkgList
if info.is_solaris() == True:
cmd = "/usr/sbin/pkgchk -l %s | grep 'Pathname:'" % pkgname
if not os.path.isfile('/usr/sbin/pkginfo'):
return None
output = tcs_utils.tcs_run_cmd(cmd, True)
if output[0] == 0:
pkgList = [
thisfile[10:] for thisfile in output[1].splitlines()
if thisfile.startswith('Pathname: ')
]
del output
else:
try:
import rpm
except ImportError:
return None
try:
transet = rpm.TransactionSet()
except Exception, err:
logger.error(MODULE_NAME, err)
return None
## First try, the Python RPM API....
pkglist = transet.dbMatch('name', pkgname)
if type(pkglist).__name__ == 'mi':
for hdr in pkglist:
if hdr['name'] == pkgname:
pkgList = hdr['filenames']
break
## Okay, now try the old-fashioned method of using rpm(8) command
else:
msg = "Unable to determine if '%s' is installed using "\
"Python-RPM API, trying the rpm(8) utility" % pkgname
logger.info(MODULE_NAME, msg)
cmd = "/bin/rpm -q --list %s " % pkgname
output = tcs_utils.tcs_run_cmd(cmd, True)
if output[0] == 0:
pkgList = output[1].split()
def undo(self, change_record=None):
"""Undo the previous action."""
result, reason = self.scan()
if result == 'Fail':
return 0
if change_record == None:
msg = "Skipping Undo: No change record in state file."
self.logger.notice(self.module_name, msg)
return 0
if change_record != 'yes':
msg = "Skipping Undo: Unknown change record in state file: '%s'" % change_record
self.logger.error(self.module_name, 'Skipping undo: ' + msg)
return 0
# Set property
cmd = "/usr/sbin/svccfg -s system-log setprop config/log_from_remote = true"
results = tcs_utils.tcs_run_cmd(cmd, True)
if results[0] != 0:
msg = 'failed to execute %s: %s' % (cmd, results[2])
self.logger.error(self.module_name, 'Undo Error: ' + msg)
raise tcs_utils.ActionError('%s %s' % (self.module_name, msg))
else:
msg = 'Executed %s' % (cmd)
self.logger.info(self.module_name, 'Undo Performed: ' + msg)
# Re-read configuration
cmd = "/usr/sbin/svcadm refresh system-log"
results = tcs_utils.tcs_run_cmd(cmd, True)
if results[0] != 0:
msg = 'failed to execute %s: %s' % (cmd, results[2])
self.logger.error(self.module_name, 'Apply Error: ' + msg)
raise tcs_utils.ActionError('%s %s' % (self.module_name, msg))
else:
msg = 'Executed %s' % (cmd)
self.logger.info(self.module_name, 'Apply Performed: ' + msg)
# Restart Service
cmd = "/usr/sbin/svcadm restart system-log"
results = tcs_utils.tcs_run_cmd(cmd, True)
if results[0] != 0:
msg = 'failed to execute %s: %s' % (cmd, results[2])
self.logger.error(self.module_name, 'Apply Error: ' + msg)
raise tcs_utils.ActionError('%s %s' % (self.module_name, msg))
else:
msg = 'Executed %s' % (cmd)
self.logger.info(self.module_name, 'Apply Performed: ' + msg)
msg = 'Allowing remote syslog messages'
self.logger.notice(self.module_name, 'Undo Performed: ' + msg)
return 1
def apply(self, option=None):
messages = {}
messages['messages'] = []
action_record = []
for param in ['ipv4-forwarding', 'ipv6-forwarding']:
cmd = '/usr/sbin/routeadm -p %s' % param
results = tcs_utils.tcs_run_cmd(cmd, True)
if results[0] != 0:
msg = 'failed to execute %s: %s' % (cmd, results[2])
self.logger.error(self.module_name, 'Apply Error: ' + msg)
raise tcs_utils.ActionError('%s %s' % (self.module_name, msg))
try:
param_key = results[1].split(' ')[0].split('=')[0]
param_val = results[1].split(' ')[0].split('=')[1]
except IndexError:
msg = 'Can not determine status of %s' % param
self.logger.error(self.module_name, 'Apply Error: ' + msg)
raise tcs_utils.ActionError('%s %s' % (self.module_name, msg))
if param_val == 'enabled':
cmd = '/usr/sbin/routeadm -d %s' % param
results = tcs_utils.tcs_run_cmd(cmd, True)
if results[0] != 0:
msg = 'failed to execute %s: %s' % (cmd, results[2])
self.logger.error(self.module_name, 'Apply Error: ' + msg)
raise tcs_utils.ActionError('%s %s' %
(self.module_name, msg))
else:
action_record.append('/usr/sbin/routeadm -e %s\n' % param)
msg = 'Apply Performed: IP forwarding disabled: %s' % (cmd)
self.logger.notice(self.module_name, msg)
msg = "Disabled by executing /usr/sbin/routeadm -d %s" % param
messages['messages'].append(msg)
if not os.path.isfile('/etc/notrouter'):
try:
out_obj = open('/etc/notrouter', 'w')
out_obj.write('')
out_obj.close()
msg = 'Created /etc/notrouter file'
messages['messages'].append(msg)
self.logger.notice(self.module_name, 'Apply Performed: ' + msg)
action_record.append('/bin/rm -f /etc/notrouter\n')
except IOError, err:
msg = "Unable to create /etc/notrouter: %s" % err
messages['messages'].append("Error: %s" % msg)
self.logger.error(self.module_name, 'Apply Error: ' + msg)
def ndd_set(param=None, paramValue=None, driver=None):
"""
Get ndd parameter
"""
logger = TCSLogger.TCSLogger.getInstance()
if param == None or driver == None or paramValue == None:
return False
if paramValue == "":
msg = "Ndd does not allow 'unsetting' of a value - reboot to pick up the default (if any) in /etc/default/ndd"
logger.log_notice('sb_utils.os.solaris.ndd_set', msg)
return True
logger = TCSLogger.TCSLogger.getInstance()
cmd = '/usr/sbin/ndd -set /dev/%s %s %s' % (driver, param, paramValue)
output = tcs_utils.tcs_run_cmd(cmd, True)
if output[0] != 0:
msg = "Execution of '%s' failed: %s" % (cmd, output[2])
logger.log_err('sb_utils.os.solaris', msg)
del logger
return False
else:
msg = "Execution of '%s' succeeded: %s" % (cmd, output[1])
logger.log_debug('sb_utils.os.solaris', msg)
del logger
return True
def do_metastat(self):
cmd = "/usr/sbin/metastat"
if not os.path.isfile(cmd):
return
results = tcs_utils.tcs_run_cmd(cmd, True)
if results[0] == 0:
barline = ""
for ix in range(0, 50):
barline += '#'
self.logger.warn(self.module_name, barline)
msg = "/usr/sbin/metastat reports that there are metadevice " \
"state database(s) present. Disable Solaris Volume Manager "\
"services with caution."
self.logger.warn(self.module_name, msg)
self.logger.warn(self.module_name, barline)
else:
msg = "/usr/sbin/metastat reports no metadevice " \
"state database(s) present. "
self.logger.debug(self.module_name, msg)
del msg
del results
return
def status(svcname=None):
"""Status of service: return True if successful or False if failed"""
if svcname == None:
return None
if info.is_solaris() == True:
return None
if not os.path.isfile('/sbin/service'):
msg = "Could not find the /sbin/service command."
logger.error(MODULE_NAME, msg)
return False
cmd = '/sbin/service %s status' % (svcname)
output = tcs_utils.tcs_run_cmd(cmd, True)
if output[0] != 0:
msg = "Status of service '%s': (Return Code=%s) %s" % (
svcname, output[0], output[2].rstrip())
logger.notice(MODULE_NAME, msg)
return False
else:
msg = "Status of service '%s': (Return Code=%s) %s" % (
svcname, output[0], output[1].rstrip())
logger.notice(MODULE_NAME, msg)
return True
def get(paramKey=None):
if paramKey == None or sb_utils.os.info.is_solaris() == True:
return None
if CONFIG_SOURCE == "":
msg = "Unable to locate gconf.xml.mandatory file to get value from"
logger.log_err(MODULE_NAME, msg)
return None
cmdString = "%s --direct --config-source %s --get %s" % \
(GCONF_COMMAND, CONFIG_SOURCE, str(paramKey))
output = tcs_utils.tcs_run_cmd(cmdString, True)
keyValue = None
if output[0] != 0:
msg = "Unable get GDM '%s' key from %s (%s)" % (
paramKey, CONFIG_SOURCE, output[2])
logger.log_err(MODULE_NAME, msg)
else:
if output[2].strip().startswith('No value set for '):
msg = "GDM '%s' key is not set" % paramKey
else:
msg = "GDM '%s' key is set" % paramKey
keyValue = output[1].strip()
logger.log_info(MODULE_NAME, msg)
return keyValue
def getXttr(filepath):
if testFile(filepath) == False:
return ''
if sb_utils.os.info.is_solaris() == True:
msg = "Extended File Attributes - Not applicable in Solaris"
logger.log_info(MODULE_NAME, msg)
return ''
results = sb_utils.os.software.is_installed(pkgname='e2fsprogs')
if results == False:
msg = "'e2fsprogs' package is not installed"
logger.log_err(MODULE_NAME, msg)
return ''
if not os.path.exists('/usr/bin/lsattr'):
msg = "'/usr/bin/lsattr' does not exist"
logger.log_err(MODULE_NAME, msg)
return ''
cmd = "/usr/bin/lsattr %s" % filepath
out = tcs_utils.tcs_run_cmd(cmd, True)
if out[0] != 0 or not out[1]:
msg = "Unable to get file attributes: %s" % str(out[2])
logger.log_err(MODULE_NAME, msg)
return ''
return out[1].split()[0].strip()
def undo(self, change_record=None):
"""Undo the previous action."""
result, reason = self.scan()
if result == 'Fail':
return 0
force_flag = ""
if sb_utils.os.info.is_solaris() == False:
force_flag = "-f"
if not change_record:
msg = "Skipping Undo: No change record in state file."
self.logger.notice(self.module_name, 'Skipping undo: ' + msg)
return 0
for user in change_record.split('\n'):
if not user:
break
cmd = '/usr/bin/passwd %s -u %s' % (force_flag, user)
output_tuple = tcs_utils.tcs_run_cmd(cmd)
if output_tuple[0] != 0:
msg = "Unexpected return value (%s)" % output_tuple[0]
self.logger.error(self.module_name, 'Undo Error: ' + msg)
raise tcs_utils.ActionError('%s %s' % (self.module_name, msg))
else:
msg = "Successfully executed: %s" % cmd
self.logger.debug(self.module_name, 'Undo Performed: ' + msg)
msg = "User (%s) unlocked" % user
self.logger.notice(self.module_name, 'Undo Performed: ' + msg)
msg = 'User accounts with empty passwords have been unlocked.'
self.logger.notice(self.module_name, 'Undo Performed: ' + msg)
return 1
def cracklib_set(option=None, optValue=None):
if option == None or optValue == None:
return False
if os.path.exists('/usr/sbin/pam-config'):
pam_config = '/usr/sbin/pam-config'
cmd_string = "%s -a --cracklib-%s=%s" % (pam_config, str(option),
str(optValue))
results = tcs_utils.tcs_run_cmd(cmd_string, True)
if results[0] != 0:
logger.log_err(MODULE_NAME, results[2])
return False
msg = "SET Value: cracklib '%s' option now set to '%s' " % (option,
optValue)
logger.debug(MODULE_NAME, msg)
return True
try:
in_obj = open('/etc/pam.d/common-password-pc', 'r')
lines = in_obj.readlines()
in_obj.close()
out_obj = open('/etc/pam.d/common-password-pc', 'w')
except IOError, err:
logger.err(MODULE_NAME, str(err))
return False
def setXttr(filepath, immutable=False):
if testFile(filepath) == False:
return False
if sb_utils.os.info.is_solaris() == True:
msg = "Extended File Attributes - Not applicable in Solaris"
logger.log_info(MODULE_NAME, msg)
return False
results = sb_utils.os.software.is_installed(pkgname='e2fsprogs')
if results == False:
msg = "'e2fsprogs' package is not installed"
logger.log_err(MODULE_NAME, msg)
return False
if not os.path.exists('/usr/bin/lsattr'):
msg = "'/usr/bin/lsattr' does not exist"
logger.log_err(MODULE_NAME, msg)
return False
if immutable == True:
cmd = "/usr/bin/chattr +i %s" % filepath
else:
cmd = "/usr/bin/chattr -i %s" % filepath
out = tcs_utils.tcs_run_cmd(cmd, True)
if out[0] != 0:
msg = "Unable to set file attributes: %s" % str(out[2])
logger.log_err(MODULE_NAME, msg)
return False
return True
def version(pkgname=None):
"""
Determine version and release of software package
Return a tuple: [version, release]
"""
try:
logger = TCSLogger.TCSLogger.getInstance(6)
except TCSLogger.SingletonException:
logger = TCSLogger.TCSLogger.getInstance()
if pkgname == None:
return None
if info.is_solaris() == True:
if not os.path.isfile('/usr/bin/pkgparam'):
return None
cmd = '/usr/bin/pkgparam %s VERSION' % pkgname
else:
if not os.path.isfile('/bin/rpm'):
return None
cmd = """/bin/rpm -q %s --queryformat "%%{VERSION},%%{RELEASE}" """ % pkgname
results = tcs_utils.tcs_run_cmd(cmd, True)
if results[0] != 0:
msg = """Unable to get version of %s: %s""" % (pkgname, results[2])
logger.error(MODULE_NAME, msg)
return None
msg = """Package '%s' is installed""" % pkgname
logger.debug(MODULE_NAME, msg)
return results[1].rstrip('\n').split(',')
def zonelist():
"""
Return a list of zone names
"""
logger = TCSLogger.TCSLogger.getInstance()
myzonelist = []
cmd = '/usr/sbin/zoneadm list'
if not os.path.isfile('/usr/sbin/zoneadm'):
msg = "%s command not available" % cmd
logger.log_notice('sb_utils.os.solaris', msg)
return None
output = tcs_utils.tcs_run_cmd(cmd, True)
if output[0] != 0:
msg = "Execution of '%s' failed: %s" % (cmd, output[2])
logger.log_err('sb_utils.os.solaris', msg)
del logger
return None
msg = "Execution of '%s' succeeded: %s" % (cmd, output[1])
logger.log_debug('sb_utils.os.solaris', msg)
for zone in output[1].split('\n'):
if not zone:
continue
else:
myzonelist.append(zone)
return myzonelist
def zonepath(zonename=None):
"""
Get Zone's filesystem path
"""
if zonename == None:
return None
if zonename == 'global':
return None
try:
logger = TCSLogger.TCSLogger.getInstance(6)
except TCSLogger.SingletonException:
logger = TCSLogger.TCSLogger.getInstance()
cmd = "/usr/sbin/zonecfg -z %s info zonepath" % zonename
output = tcs_utils.tcs_run_cmd(cmd, True)
if output[0] != 0:
msg = "Execution of '%s' failed: %s" % (cmd, output[2])
logger.log_err('sb_utils.os.solaris', msg)
del logger
return None
else:
msg = "Execution of '%s' succeeded: %s" % (cmd, output[1])
logger.log_debug('sb_utils.os.solaris', msg)
del logger
line = output[1].rstrip('\n')
try:
line = line.split(':')[1].lstrip(' ')
except IndexError:
return None
return line
def apply(self, option=None):
"""
Lock user accounts with UID 0 which are not ROOT
"""
if option != None:
option = None
action_record = ''
lockstatus = self.lock_status()
# look for duplicates including any external account sources
for user in pwd.getpwall():
if user.pw_name != 'root' and user.pw_uid == 0:
if lockstatus[user.pw_name] == 'unlocked':
cmd = "/usr/bin/passwd -l %s" % user.pw_name
output = tcs_utils.tcs_run_cmd(cmd, True)
if output[0] != 0:
msg = "Unable to lock %s: %s" % (user.pw_name, output[2])
self.logger.error(self.module_name, 'Scan Failed: ' + msg)
continue
action_record += user.pw_name + ':'
msg = 'User ' + user.pw_name + ' locked'
self.logger.notice(self.module_name,
'Apply Performed: ' + msg)
else:
msg = 'User ' + user.pw_name + ' already locked'
self.logger.notice(self.module_name,
'Apply Performed: ' + msg)
if action_record == '':
return 0, ''
else:
return 1, action_record
def setprop(svcname=None, property=None, propval=None):
"""
Set a Solaris service property, return the following:
None - if it couldn't do anything (missing params or commands)
True - Successful
False - Unsuccessful
"""
if svcname == None or property == None or propval == None:
return None
if info.is_solaris() == False:
return None
if not os.path.isfile('/usr/sbin/svccfg'):
return None
# Example format of command:
# svccfg -s service_fmri setprop property = value
cmd = """/usr/sbin/svccfg -s %s setprop %s = "%s" """ % \
(svcname, property, propval)
output = tcs_utils.tcs_run_cmd(cmd, True)
if output[0] != 0:
msg = "Solaris: '%s' failed: %s" % (cmd, output[2])
logger.debug(MODULE_NAME, msg)
return False
else:
msg = "Solaris: '%s' succeeded: %s" % (cmd, output[1])
logger.debug(MODULE_NAME, msg)
return True
def restart(svcname=None):
"""Restart a service: return True if successful or False if failed"""
if svcname == None:
return False
if info.is_solaris() == True:
disable(svcname=svcname)
return enable(svcname=svcname)
if not os.path.isfile('/sbin/service'):
msg = "Could not find the /sbin/service command."
logger.error(MODULE_NAME, msg)
return False
cmd = '/sbin/service %s restart' % (svcname)
output = tcs_utils.tcs_run_cmd(cmd, True)
if output[0] != 0:
msg = "Unable to stop '%s': %s" % (svcname, output[2])
logger.error(MODULE_NAME, msg)
return False
else:
msg = "Successfully restarted service '%s': %s" % (svcname,
output[1].rstrip())
logger.notice(MODULE_NAME, msg)
return True
def apply(self, optionDict=None):
messages = {'messages': []}
result, reason, msg = self.scan(optionDict)
if result == True:
return False, 'none', {}
option = optionDict['gnomeSaverActivate']
old_state = {}
for line in self.__settings:
optkey, optval, opttype = line.split(',')
getconf = "%s %s --get %s 2>&1" % (self.__cmd, self.__cfg_src,
optkey)
msg = "Executing: %s" % getconf
self.logger.info(self.module_name, msg)
pipe = os.popen(getconf)
curval = pipe.readlines()
for retval in curval:
retval = retval.rstrip('\n')
if retval.startswith('Resolved address'):
continue
if retval.startswith('No value'):
msg = "gconftool-2 reports: %s" % retval
self.logger.info(self.module_name, msg)
old_state[optkey.split('/')[-1]] = ''
else:
old_state[optkey.split('/')[-1]] = retval
pipe.close()
change_record = old_state
setlist = (self.CMD1, self.CMD2, self.CMD3, self.CMD4)
for cmd in setlist:
if cmd == self.CMD4:
cmd = str(self.CMD4 + str(option))
cmd = "%s %s" % (self.__cmd, cmd)
results = tcs_utils.tcs_run_cmd(cmd, True)
if results[0] != 0:
msg = "Failed to execute: %s (%s)" % (cmd, results[2])
self.logger.error(self.module_name, msg)
raise tcs_utils.ActionError('%s %s' % (self.module_name, msg))
else:
msg = "Executed: %s" % (cmd)
messages['messages'].append(msg)
self.logger.notice(self.module_name, 'Apply Performed: ' + msg)
msg = 'Mandatory Screen locking security settings now configured.'
self.logger.notice(self.module_name, 'Apply performed: ' + msg)
return True, str(change_record), messages
def apply(self, option=None):
"""Apply changes."""
action_record = ''
result, reason = self.scan()
if result == 'Pass':
return 0, action_record
# Set Property
cmd = "/usr/sbin/svccfg -s system-log setprop config/log_from_remote = false"
results = tcs_utils.tcs_run_cmd(cmd, True)
if results[0] != 0:
msg = 'failed to execute %s: %s' % (cmd, results[2])
self.logger.error(self.module_name, 'Apply Error: ' + msg)
raise tcs_utils.ActionError('%s %s' % (self.module_name, msg))
else:
msg = 'Executed %s' % (cmd)
self.logger.info(self.module_name, 'Apply Performed: ' + msg)
# Re-read/refresh configuration
cmd = "/usr/sbin/svcadm refresh system-log"
results = tcs_utils.tcs_run_cmd(cmd, True)
if results[0] != 0:
msg = 'failed to execute %s: %s' % (cmd, results[2])
self.logger.error(self.module_name, 'Apply Error: ' + msg)
raise tcs_utils.ActionError('%s %s' % (self.module_name, msg))
else:
msg = 'Executed %s' % (cmd)
self.logger.info(self.module_name, 'Apply Performed: ' + msg)
# Restart Service
cmd = "/usr/sbin/svcadm restart system-log"
results = tcs_utils.tcs_run_cmd(cmd, True)
if results[0] != 0:
msg = 'failed to execute %s: %s' % (cmd, results[2])
self.logger.error(self.module_name, 'Apply Error: ' + msg)
raise tcs_utils.ActionError('%s %s' % (self.module_name, msg))
else:
msg = 'Executed %s' % (cmd)
self.logger.info(self.module_name, 'Apply Performed: ' + msg)
msg = 'Disallowing remote syslog messages'
return 1, 'yes'
def undo(self, change_record):
if not change_record:
return 0, 'No change record provided'
fieldArgs = ['spaceholder', 'M', 'm', 'W', 'I']
# Note - legacy RedHat/Fedora change records used a space as the record delimiter, and also had
# the fields in slightly altered order. So we need to detect if we have such a record and
# reorder it before proceeding. Both change records will have 5 fields, with either ' ' or '|' as
# the field delimiter.
# The legacy RH/Fedora order is 'user sp_min sp_max sp_warn sp_inact', and current ordering
# is 'user sp_max sp_min sp_warn sp_inact'
# The change record will record 'empty' fields if the setting in the shadow file for the account
# in question was strict enough and did not require changing.
changelist = change_record.split('\n')
for record in changelist:
# if we have a space, assume legacy Redhat/Fedora style and fix
if not record:
continue
if '|' in record:
fields = record.split('|')
else:
fieldsRH = record.split(' ')
fields = [fieldsRH[elem] for elem in [0, 2, 1, 3, 4]]
if len(fields) != 5:
msg = "Element of change record has incorect number of fields, skipping '%s'" % record
self.logger.error(self.module_name, "Undo Error: " + msg)
continue
try:
pwd.getpwnam(fields[0])
except Exception, err:
msg = "Unable to get information on account '%s' " % fields[0]
self.logger.error(self.module_name, 'Undo Error: ' + msg)
continue
cmdArgs = []
for i in range(1, len(fields)):
if fields[i]:
cmdArgs.append("-%s %s" % (fieldArgs[i], fields[i]))
cmd = "/usr/bin/chage %s %s" % (' '.join(cmdArgs), fields[0])
output = tcs_utils.tcs_run_cmd(cmd, True)
if output[0] != 0:
msg = "Unable to undo password aging on '%s': %s" % (fields[0],
output[2])
self.logger.error(self.module_name, 'Undo Failed: ' + msg)
continue
else:
msg = "Password aging reset on '%s'" % (fields[0])
self.logger.notice(self.module_name, 'Undo Performed: ' + msg)
def serviceExists(self, svcname):
"""
See if the service even exists, needed because the hplip software has migrated
away from a service (which we could disable) to simply a package that should be removed
So process the chkconfig --list hplip command looking for any error string (field 2)
"""
cmd = "/sbin/chkconfig --list %s" % svcname
results = tcs_utils.tcs_run_cmd(cmd, True)
if results[2] != '':
return False
else: return True
def setparam(self, paramname=None, paramval=None):
if paramname == None or paramval == None:
return False
cmd = "/sbin/sysctl -w %s=%s" % (str(paramname), str(paramval))
results = tcs_utils.tcs_run_cmd(cmd, True)
if results[0] != 0:
self.logger.log_err(MODULE_NAME, results[2])
return False
del results
return True
def scan(self, option=None):
zonename = sb_utils.os.solaris.zonename()
if zonename != 'global':
msg = "Non-global Solaris zone (%s): Unable to use pmadm command" % (
zonename)
self.logger.notice(self.module_name, 'Scan: ' + msg)
raise tcs_utils.ZoneNotApplicable('%s %s' %
(self.module_name, msg))
if not os.path.isfile('/usr/sbin/pmadm'):
msg = "Unable to find /usr/sbin/pmadm command"
self.logger.error(self.module_name, 'Scan Error: ' + msg)
raise tcs_utils.ScanError('%s %s' % (self.module_name, msg))
failure_flag = False
cmd = "/usr/sbin/pmadm -L -p zsmon"
results = tcs_utils.tcs_run_cmd(cmd, True)
if results[0] != 0:
msg = "Unable to execute: %s (%s)" % (cmd, results[2])
self.logger.notice(self.module_name, 'Scan Failed: ' + msg)
return False, '', {'messages': [msg]}
for line in results[1].split('\n'):
fields = line.split(':')
if len(fields) == 1:
continue
if len(fields) < 4:
msg = "Ignoring malformed line: %s" % line
self.logger.debug(self.module_name, msg)
continue
test = fields[3].find('x')
if test < 0:
msg = "%s is NOT disabled through port monitor %s" % (
fields[2], fields[0])
self.logger.notice(self.module_name, "Scan Failed: " + msg)
failure_flag = True
else:
msg = "%s is disabled through port monitor %s" % (fields[2],
fields[0])
self.logger.info(self.module_name, msg)
if failure_flag == True:
return False, 'Some services are not disabled through the zsmon port monitor', {
'messages': [msg]
}
else:
return True, '', {}
def scan(self, option=None):
messages = {}
messages['messages'] = []
msg = "Using routeadm to test ipv4-forwarding and ipv6-forwarding"
messages['messages'].append(msg)
self.logger.debug(self.module_name, msg)
failure_flag = False
for param in ['ipv4-forwarding', 'ipv6-forwarding']:
cmd = '/usr/sbin/routeadm -p %s' % param
results = tcs_utils.tcs_run_cmd(cmd, True)
if results[0] != 0:
msg = 'failed to execute %s: %s' % (cmd, results[2])
self.logger.error(self.module_name, 'Scan Error: ' + msg)
raise tcs_utils.ScanError('%s %s' % (self.module_name, msg))
try:
param_key = results[1].split(' ')[0].split('=')[0]
param_val = results[1].split(' ')[0].split('=')[1]
except IndexError:
msg = 'Can not determine status of %s' % param
self.logger.error(self.module_name, 'Scan Error: ' + msg)
raise tcs_utils.ScanError('%s %s' % (self.module_name, msg))
if param_val == 'enabled':
msg = '%s %s is enabled' % (param, param_key)
messages['messages'].append("Fail: %s" % msg)
self.logger.notice(self.module_name, 'Scan Failed: ' + msg)
failure_flag = True
else:
msg = '%s %s is disabled' % (param, param_key)
messages['messages'].append("Okay: %s" % msg)
self.logger.info(self.module_name, msg)
if not os.path.isfile('/etc/notrouter'):
msg = '/etc/notrouter file is missing'
messages['messages'].append("Fail: %s" % msg)
self.logger.notice(self.module_name, 'Scan Failed: ' + msg)
failure_flag = True
else:
msg = '/etc/notrouter file is present'
messages['messages'].append("Okay: %s" % msg)
self.logger.debug(self.module_name, msg)
if failure_flag == True:
return False, 'IP Forwarding is enabled.', messages
else:
return True, '', messages
def undo(self, change_record=None):
"""Undo the previous action."""
if not change_record or change_record != 'disabled':
msg = 'unable to undo without valid change record'
self.logger.error(self.module_name, 'Undo Error: ' + msg)
return 0
cmd = '/bin/grep "release 5" /etc/redhat-release'
output = tcs_utils.tcs_run_cmd(cmd, True)
# RHEL 4 PCMCIA
# NOTE: This requires testing on RHEL4
if output[0] != 0:
cmd = "/bin/rpm -q pcmcia-cs"
output = tcs_utils.tcs_run_cmd(cmd, True)
if output[0] == 0:
cmd = "/sbin/chkconfig pcmcia on"
output = tcs_utils.tcs_run_cmd(cmd, True)
if output[0] != 0:
msg = 'Failed to enable pcmcia'
self.logger.error(self.module_name, 'Apply Error: ' + msg)
raise tcs_utils.ActionError('%s %s' %
(self.module_name, msg))
cmd = "/sbin/grubby --update-kernel=`/sbin/grubby --default-kernel` "
cmd += "--remove-args 'nopcmcia=1 nousb nousbstorage'"
output = tcs_utils.tcs_run_cmd(cmd, True)
sb_utils.SELinux.restoreSecurityContext(self.__target_file)
if output[0] != 0:
msg = 'Failed to remove disable USB/PCMCIA kernel arguments'
self.logger.error(self.module_name, 'Apply Error: ' + msg)
return 0
msg = 'USB/PCMCIA service enabled'
self.logger.notice(self.module_name, 'Undo Performed: ' + msg)
return 1
def scan(self, option=None):
cmd = '/usr/bin/svcprop -p config/log_from_remote system-log'
results = tcs_utils.tcs_run_cmd(cmd, True)
if results[0] != 0:
msg = 'failed to execute %s: %s' % (cmd, results[2])
self.logger.error(self.module_name, 'Scan Error: ' + msg)
raise tcs_utils.ScanError('%s %s' % (self.module_name, msg))
if results[1].rstrip('\n') == 'true':
msg = "system-log 'config/log_from_remote' property is set to true"
self.logger.notice(self.module_name, 'Scan Failed: ' + msg)
return 'Fail', msg
return 'Pass', ''
def apply(self, optionDict=None):
"""
Update grub.conf with correct parameters
"""
result, reason = self.scan(optionDict)
if result == 'Pass':
return 0, ''
option = optionDict['usbDevices']
# Note: Not that this case can even exist, but keeping it for
# standard's sake
cmd = '/bin/grep "release 5" /etc/redhat-release'
output = tcs_utils.tcs_run_cmd(cmd, True)
# RHEL 4 PCMCIA
# NOTE: This requires testing on RHEL4
if output[0] != 0:
cmd = "/bin/rpm -q pcmcia-cs"
output = tcs_utils.tcs_run_cmd(cmd, True)
if output[0] == 0:
cmd = "/sbin/chkconfig pcmcia off"
output = tcs_utils.tcs_run_cmd(cmd, True)
if output[0] != 0:
msg = 'Failed to disable pcmcia'
self.logger.error(self.module_name, 'Apply Error: ' + msg)
raise tcs_utils.ActionError('%s %s' %
(self.module_name, msg))
# Checking if USB is disabled in default kernel
cmd = "/sbin/grubby --info=`/sbin/grubby --default-kernel` "
cmd += "| /bin/grep nousb"
output = tcs_utils.tcs_run_cmd(cmd, True)
if output[0] != 0:
opt = str(option)
if opt == '1':
cmd = "/sbin/grubby --update-kernel=`/sbin/grubby --default-kernel` "
cmd += "--args='nousb nopcmcia=1'"
output = tcs_utils.tcs_run_cmd(cmd, True)
elif opt == '2':
cmd = "/sbin/grubby --update-kernel=`/sbin/grubby --default-kernel` "
cmd += "--args='nousbstorage nopcmcia=1'"
output = tcs_utils.tcs_run_cmd(cmd, True)
else:
msg = 'You must supply either a 1 or 2 as the option for %s' \
% self.module_name
raise tcs_utils.ActionError(msg)
if output[0] != 0:
msg = 'Failed to disable usb'
self.logger.error(self.module_name, 'Apply Error: ' + msg)
raise tcs_utils.ActionError('%s %s' % (self.module_name, msg))
sb_utils.SELinux.restoreSecurityContext(self.__target_file)
msg = 'USB & PCMCIA disabled'
self.logger.notice(self.module_name, 'Apply Performed: ' + msg)
return 1, 'disabled'
