def apply(self, option=None):
"""
Applies Changes
"""
match_re = re.compile('^<console>\s')
result, reason, messages = self.scan()
if result == True:
return False, '', {'messages':[]}
if not os.path.isfile(self.__target_file):
if self.__target_file != "" :
msg = "% does not exist" % self.__target_file
raise tcs_utils.ActionError('%s %s' % ( self.module_name, msg))
else:
msg = "No configuration found to edit, no action taken."
return False, "", {'messages':[msg]}
# Protect file
tcs_utils.protect_file(self.__target_file)
try:
origfile = open(self.__target_file, 'r')
workfile = open(self.__tmp_file, 'w')
except IOError, err:
msg = "%s" % err
self.logger.error(self.module_name, 'Apply Error: ' + msg)
raise tcs_utils.ActionError('%s %s' % (self.module_name, msg))
def apply(self, option=None):
messages = {'messages': []}
action_record = ""
for pref_file in self._get_moz_pref_files():
# Protect file
tcs_utils.protect_file(pref_file)
try:
in_obj = open(pref_file, 'r')
except (IOError, OSError), err:
msg = "Unable to read %s: %s" % (pref_file, err)
self.logger.error(self.module_name, 'Apply Error: ' + msg)
messages['messages'].append("Error: %s" % msg)
continue
try:
out_obj = open(pref_file + '.new', 'w')
except Exception, err:
in_obj.close()
msg = "Unable to create temporary file (%s)." % str(err)
self.logger.error(self.module_name, 'Apply Error: ' + msg)
self.logger.error(self.module_name, 'Apply Error: ' + msg)
messages['messages'].append("Error: %s" % msg)
continue
def undo(self, change_record=None):
"""Undo the previous action."""
# Is TFTP server package installed?
if sb_utils.os.software.is_installed(pkgname='SUNWtftp') != True:
msg = "TFTP Server (SUNWtftp) package is not installed"
self.logger.notice(self.module_name, 'Not Applicable: ' + msg)
return 0, ''
if change_record == 'services':
results = sb_utils.os.service.enable(svcname='tftp')
if results == True:
msg = "Undo Performed: TFTP service re-enabled"
self.logger.notice(self.module_name, msg)
return 1
newfile = '/etc/inet/inetd.conf.new'
oldfile = '/etc/inet/inetd.conf'
tcs_utils.protect_file(oldfile)
try:
outfile = open(newfile, 'w')
infile = open(oldfile, 'r')
except IOError, err:
msg = str(err)
self.logger.error(self.module_name, 'Apply Error: ' + msg)
raise tcs_utils.ActionError('%s %s' % (self.module_name, msg))
def apply(self, option=None):
results, reason = self.scan(option)
if results == 'Pass':
return 0, ''
# Is TFTP server package installed?
if sb_utils.os.software.is_installed(pkgname='SUNWtftp') != True:
msg = "TFTP Server (SUNWtftp) package is not installed"
self.logger.notice(self.module_name, 'Not Applicable: ' + msg)
return 0, ''
if sb_utils.os.service.is_enabled(svcname='tftp') == True:
results = sb_utils.os.service.disable(svcname='tftp')
if results == True:
msg = "Apply Performed: TFTP service disabled"
self.logger.notice(self.module_name, msg)
return 1, 'services'
change_record = ''
newfile = '/etc/inet/inetd.conf.new'
oldfile = '/etc/inet/inetd.conf'
tcs_utils.protect_file(oldfile)
try:
outfile = open(newfile, 'w')
infile = open(oldfile, 'r')
except IOError, err:
msg = str(err)
self.logger.error(self.module_name, 'Apply Error: ' + msg)
raise tcs_utils.ActionError('%s %s' % (self.module_name, msg))
def apply(self, option=None):
result, reason = self.scan()
if result == 'Pass':
return 0, ''
# Protect file
tcs_utils.protect_file(self.__target_file)
try:
origfile = open(self.__target_file, 'r')
workfile = open(self.__tmp_file, 'w')
except IOError, err:
self.logger.error(self.module_name, 'Apply Error: ' + err)
raise tcs_utils.ActionError('%s %s' % (self.module_name, err))
def apply(self, option=None):
action_record = ""
# Protect file
tcs_utils.protect_file(self.__target_file)
msg = 'Opening %s' % self.__target_file
self.logger.info(self.module_name, msg)
try:
in_obj = open(self.__target_file, 'r')
except Exception, err:
msg = "Unable to open file %s (%s)" % (self.__target_file,
str(err))
self.logger.info(self.module_name, 'Apply Error: ' + msg)
raise tcs_utils.ActionError('%s %s' % (self.module_name, msg))
def apply(self, option=None):
results, reason = self.scan(option)
if results == 'Pass':
return 0, ''
change_record = ''
# Is TFTP server package installed?
if sb_utils.os.software.is_installed(pkgname='SUNWtftp') != True:
msg = "TFTP Server (SUNWtftp) package is not installed"
self.logger.notice(self.module_name, 'Not Applicable: ' + msg)
return 0, ''
boot_pat = re.compile('-s /tftpboot')
prop = sb_utils.os.service.getprop(svcname='tftp',
property='inetd_start/exec')
if prop != None:
prop = prop.replace('\\', '')
if not boot_pat.search(prop):
args = "/usr/sbin/in.tftpd -s /tftpboot"
cmd = """/usr/sbin/inetadm -m tftp exec="%s" """ % args
results = tcs_utils.tcs_run_cmd(cmd, True)
if results[0] != 0:
msg = "Unable to execute: %s (%s)" % (cmd, results[2])
self.logger.notice(self.module_name,
'Apply Failed: ' + msg)
return 0, ''
else:
change_record = '|' + prop
msg = "Successfully executed: %s" % cmd
self.logger.notice(self.module_name,
'Apply Performed: ' + msg)
return 1, change_record
change_record = ''
newfile = '/etc/inet/inetd.conf.new'
oldfile = '/etc/inet/inetd.conf'
tcs_utils.protect_file(oldfile)
try:
outfile = open(newfile, 'w')
infile = open(oldfile, 'r')
except IOError, err:
msg = str(err)
self.logger.error(self.module_name, 'Apply Error: ' + msg)
raise tcs_utils.ActionError('%s %s' % (self.module_name, msg))
def apply(self, option=None):
"""Enable account locking after 3 unsuccessful login attempts."""
msg = None
self._init_fields(option)
messages = {'messages': []}
# Protect file
changeDict = {}
retval = False
for fileName in self.__target_files:
tcs_utils.protect_file(fileName)
ret_dict = self.parse_system_auth(fileName, option)
if ret_dict['fixes'] == []:
continue
else:
for msg in ret_dict['fixes']:
self.logger.notice(self.module_name, msg)
messages['messages'].extend(ret_dict['fixes'])
try:
out_obj = open(fileName + '.new', 'w')
except Exception, err:
msg = "Unable to create temporary file (%s)" % str(err)
self.logger.error(self.module_name, 'Apply Error: ' + msg)
raise tcs_utils.ActionError('%s %s' % (self.module_name, msg))
for line in ret_dict['lines']:
out_obj.write(line)
out_obj.close()
try:
shutil.copymode(fileName, fileName + '.new')
shutil.copy2(fileName + '.new', fileName)
sb_utils.SELinux.restoreSecurityContext(fileName)
os.unlink(fileName + '.new')
changeDict[fileName] = ret_dict['changes']
except OSError:
msg = "Unable to replace %s with new version." % fileName
self.logger.error(self.module_name, 'Apply Error: ' + msg)
raise tcs_utils.ActionError('%s %s' % (self.module_name, msg))
msg = 'Added %s to authentication service' % self.__pam_service
self.logger.notice(self.module_name, 'Apply Performed: ' + msg)
def apply(self, option=None):
action_record = []
#
# PART 1: Update /etc/rmmount.conf
#
#pattern = re.compile('^mount\s\*\shsfs\sudfs\sufs\s-o\snosuid')
pattern = re.compile('^mount\s*\*\s*hsfs\s*udfs\s*ufs\s*-o\s*nosuid')
tcs_utils.protect_file('/etc/rmmount.conf')
try:
infile = open('/etc/rmmount.conf', 'r')
outfile = open('/etc/rmmount.conf.new', 'w')
except IOError, err:
msg = str(err)
self.logger.error(self.module_name, 'Scan Error: ' + msg)
raise tcs_utils.ActionError('%s %s' % (self.module_name, msg))
def apply(self, option=None):
""" Disable the ctrl-alt-del key combination."""
result, reason = self.scan()
if result == 'Pass':
return 0, reason
# Protect file
tcs_utils.protect_file(self.__target_file)
search_pattern = re.compile(self.__pattern)
try:
in_obj = open(self.__target_file, 'r')
except IOError, err:
msg = "Unable to open file %s (%s)" % (self.__target_file,
str(err))
raise tcs_utils.ActionError('%s %s' % (self.module_name, msg))
def apply(self, option=None):
""" Disable the ctrl-alt-del key combination."""
# Run scan first to see if we need to make the change
result, reason = self.scan()
if result == 'Pass':
return 0, ''
# Protect file
tcs_utils.protect_file(self.__target_file)
try:
in_obj = open(self.__target_file, 'r')
except Exception, err:
msg = "Unable to open file %s (%s)" % (self.__target_file,
str(err))
raise tcs_utils.ActionError('%s %s' % (self.module_name, msg))
def apply(self, optionDict=None):
"""Enable password reuse limits."""
result, reason = self.scan(optionDict)
if result == 'Pass':
return 0, ''
option = optionDict['passwordReuse']
# Protect file
tcs_utils.protect_file(self.__target_file)
try:
in_obj = open(self.__target_file, 'r')
except IOError, err:
msg = "Unable to open file %s: %s." % (self.__target_file,
str(err))
self.logger.info(self.module_name, 'Apply Error: ' + msg)
raise tcs_utils.ActionError('%s %s' % (self.module_name, msg))
def apply(self, option=None):
"""Enable password requirement for single user mode."""
result, reason = self.scan()
if result == 'Pass':
return 0, ''
# Protect file
tcs_utils.protect_file(self.__target_file)
try:
in_obj = open(self.__target_file, 'r')
except Exception, err:
msg = "Unable to open file %s (%s)." % (self.__target_file,
str(err))
self.logger.info(self.module_name, 'Apply Error: ' + msg)
raise tcs_utils.ActionError('%s %s' % (self.module_name, msg))
def apply(self, optionDict=None):
result, reason = self.scan(optionDict)
if result == 'Pass':
return 0, ''
option = optionDict['passwordMinLength']
# Protect files
tcs_utils.protect_file(self.__target_file)
action_record = []
#---------------------------------------------------------------------
try:
in_obj = open(self.__target_file, 'r')
except Exception, err:
msg = "Unable to open file %s (%s)." % (self.__target_file, str(err))
self.logger.error(self.module_name, 'Apply Error: ' + msg)
raise tcs_utils.ActionError('%s %s' % (self.module_name, msg))
def undo(self, action_record=None):
"""Undo the previous action."""
if action_record != "added":
msg = "Skipping Undo: No change record to indicate an undo is required."
self.logger.notice(self.module_name, msg)
return 1
# Protect file
tcs_utils.protect_file(self.__target_file)
msg = 'Opening %s' % self.__target_file
self.logger.info(self.module_name, msg)
try:
in_obj = open(self.__target_file, 'r')
except Exception, err:
msg = "Unable to open %s: %s" % (self.__target_file, str(err))
self.logger.info(self.module_name, 'Undo Error: ' + msg)
raise tcs_utils.ActionError('%s %s' % (self.module_name, msg))
def apply(self, option=None):
"""Enable account locking after 3 unsuccessful login attempts."""
action_record = ''
(result, reason, messages) = self.scan()
if result == True:
return False, reason, {}
messages = {'messages': []}
# Protect file
tcs_utils.protect_file(self.__target_file)
try:
in_obj = open(self.__target_file, 'r')
except Exception, err:
msg = "Unable to open file %s (%s)." % (self.__target_file,
str(err))
self.logger.error(self.module_name, 'Apply Error: ' + msg)
raise tcs_utils.ActionError('%s %s' % (self.module_name, msg))
def apply(self, optionDict=None):
"""Create and replace the audit rules configuration."""
action_record = []
result, reason = self.scan(optionDict)
if result == 'Pass':
return 0, action_record
option = xml.sax.saxutils.unescape(optionDict['auditRules'])
if option[-1] != '\n':
option = option + '\n'
if os.path.exists(self.__target_file):
# Protect file
tcs_utils.protect_file(self.__target_file)
try:
out_obj = open(self.__target_file + '.new', 'w')
except IOError, err:
msg = "Unable to create temporary file (%s)." % str(err)
self.logger.error(self.module_name, 'Apply Error: ' + msg)
raise tcs_utils.ActionError('%s %s' % (self.module_name, msg))
out_obj.write(option)
out_obj.close()
action_record.append(
tcs_utils.generate_diff_record(self.__target_file + '.new',
self.__target_file))
try:
shutil.copymode(self.__target_file,
self.__target_file + '.new')
shutil.copy2(self.__target_file + '.new', self.__target_file)
sb_utils.SELinux.restoreSecurityContext(self.__target_file)
os.unlink(self.__target_file + '.new')
except (IOError, OSError), err:
msg = "Unable to replace %s with new version: %s" % (
self.__target_file, err)
self.logger.error(self.module_name, 'Apply Error: ' + msg)
raise tcs_utils.ActionError('%s %s' % (self.module_name, msg))
def apply(self, option=None):
"""
Set CONSOLE to /dev/console in /etc/default/login
"""
result, reason = self.scan()
if result == 'Pass':
return 0, ''
# Protect file
tcs_utils.protect_file(self.__target_file)
try:
origfile = open(self.__target_file, 'r')
workfile = open(self.__tmp_file, 'w')
except IOError, err:
msg = 'Apply Failed: %s' % err
self.logger.error(self.module_name, msg)
raise tcs_utils.ActionError('%s %s' % (self.module_name, msg))
def apply(self, option=None):
"""
Set daemon umask to 027
"""
result, reason = self.scan()
if result == 'Pass':
return 0, ''
# Protect file
tcs_utils.protect_file(self.__target_file)
try:
origfile = open(self.__target_file, 'r')
workfile = open(self.__tmp_file, 'w')
except IOError, err:
msg = 'Apply Error: %s' % err
self.logger.error(self.module_name, msg)
raise tcs_utils.ActionError('%s %s' % (self.module_name, msg))
def apply(self, option=None):
"""Enable account locking after 3 unsuccessful login attempts."""
action_record = ''
result, reason = self.scan()
if result == 'Pass':
return 0, action_record
#
# /etc/default/login needs RETRIES=3 (or less)
#
# Protect file
tcs_utils.protect_file('/etc/default/login')
try:
in_obj = open('/etc/default/login', 'r')
except Exception, err:
msg = "Unable to open file /etc/default/login (%s)." % str(err)
self.logger.error(self.module_name, 'Apply Error: ' + msg)
raise tcs_utils.ActionError('%s %s' % (self.module_name, msg))
def apply(self, option=None):
""" Disable the ctrl-alt-del key combination."""
change_record = {}
result, reason, messages = self.scan()
if result == True:
return False, 'none', messages
messages = {'messages':[]}
retval = False
# Protect file
tcs_utils.protect_file(self.__target_file)
search_pattern = re.compile(self.__pattern)
try:
in_obj = open(self.__target_file, 'r')
except IOError, err:
msg = "Unable to open file %s (%s)" % (self.__target_file, str(err))
raise tcs_utils.ActionError('%s %s' % (self.module_name, msg))
def apply(self, optionDict=None):
zonename = sb_utils.os.solaris.zonename()
if zonename != 'global':
msg = "Unable to change /etc/system parameters in a non-global zone"
self.logger.notice(self.module_name, 'Not Applicable: ' + msg)
raise tcs_utils.ZoneNotApplicable('%s %s' %
(self.module_name, msg))
action_record = []
tcs_utils.protect_file('/etc/system')
failure_flag = False
try:
infile = open('/etc/system', 'r')
outfile = open('/etc/system.new', 'w')
except IOError, err:
msg = str(err)
self.logger.error(self.module_name, 'Apply Error: ' + msg)
raise tcs_utils.ActionError('%s %s' % (self.module_name, msg))
def apply(self, option=None):
action_record = []
(result, reason, messages) = self.scan()
if result == True:
return False, '', {}
messages = {}
messages['messages'] = []
tcs_utils.protect_file(self.__file)
msg = "Made backup copy of %s" % self.__file
messages['messages'].append(msg)
try:
in_obj = open(self.__file, 'r')
except (OSError, IOError), err:
msg = "Unable to read file %s: %s" % (self.__file, err)
self.logger.error(self.module_name, 'Apply Error: ' + msg)
raise tcs_utils.ActionError('%s %s' % (self.module_name, msg))
def _change_one_file(self, action, fileName):
# generate exclusion list *early* to avoid cluttering log
sb_utils.file.exclusion.exlist()
# Protect file
tcs_utils.protect_file(fileName)
action_record = ""
madeChange = False
mesg_found = False
actionName = action[0].upper() + action[1:]
msg = "%s: Examining '%s' " % (actionName, fileName)
self.logger.debug(self.module_name, msg)
lines = []
try:
lines = open(fileName, 'r').readlines()
except Exception, err:
msg = "Unable to open file %s (%s)." % (fileName, str(err))
self.logger.error(self.module_name,
'%s Error: %s' % (actionName, msg))
def undo(self, change_record=None):
"""Undo the previous action."""
# Is TFTP server package installed?
if sb_utils.os.software.is_installed(pkgname='SUNWtftp') != True:
msg = "TFTP Server (SUNWtftp) package is not installed"
self.logger.notice(self.module_name, 'Not Applicable: ' + msg)
return 0, ''
if not change_record:
msg = "Unable to perform undo operation without change record."
self.logger.error(self.module_name, 'Undo Error: ' + msg)
raise tcs_utils.ActionError('%s %s' % (self.module_name, msg))
if change_record[0] == '|':
cmd = """/usr/sbin/inetadm -m tftp exec="%s" """ % change_record[1:]
results = tcs_utils.tcs_run_cmd(cmd, True)
if results[0] != 0:
msg = "Unable to execute: %s (%s)" % (cmd, results[2])
self.logger.notice(self.module_name, 'Undo Failed: ' + msg)
return 0
else:
msg = "Successfully executed: %s" % cmd
self.logger.notice(self.module_name, 'Apply Performed: ' + msg)
return 1
newfile = '/etc/inet/inetd.conf.new'
oldfile = '/etc/inet/inetd.conf'
tcs_utils.protect_file(oldfile)
try:
outfile = open(newfile, 'w')
infile = open(oldfile, 'r')
except IOError, err:
msg = str(err)
self.logger.error(self.module_name, 'Apply Error: ' + msg)
raise tcs_utils.ActionError('%s %s' % (self.module_name, msg))
def apply(self, optionDict):
"""
Modify warning days parameter to user value.
"""
result, reason = self.scan(optionDict)
if result == 'Pass':
return 0, ''
option = optionDict['passwordExpireWarning']
# Protect file
tcs_utils.protect_file(self.__target_file)
# The line we're looking for is
search_pattern = re.compile("^PASS_WARN_AGE\s*\d+")
msg = 'Opening %s' % self.__target_file
self.logger.info(self.module_name, msg)
try:
in_obj = open(self.__target_file, 'r')
except Exception, err:
msg = "Unable to open file %s (%s)." % (self.__target_file,
str(err))
self.logger.info(self.module_name, 'Apply Error: ' + msg)
raise tcs_utils.ActionError('%s %s' % (self.module_name, msg))
def apply(self, optionDict):
"""
Modify minimum password delay parameter to user value greater
than 1.
"""
result, reason = self.scan(optionDict)
if result == 'Pass':
return 0, ''
option = optionDict['passwordMaxdays']
# Protect file
tcs_utils.protect_file(self.__target_file)
# The line we're looking for is
search_pattern = re.compile("#*\s*PASS_MAX_DAYS\s*\d")
try:
in_obj = open(self.__target_file, 'r')
except Exception, err:
msg = "Unable to open file %s (%s)." % (self.__target_file,
str(err))
self.logger.error(self.module_name, 'Apply Error: ' + msg)
raise tcs_utils.ActionError('%s %s' % (self.module_name, msg))
# Create logrotate audit file if missing
action_record = "empty"
try:
out_obj = open(self.__target_file, 'w')
out_obj.write(new_lines)
out_obj.close()
except Exception, err:
msg = "Unable to create temporary file (%s)." % str(err)
self.logger.error(self.module_name, 'Apply Error: ' + msg)
raise tcs_utils.ActionError('%s %s' % (self.module_name, msg))
else:
# If file exists, create a temporary one and then generate a
# diff record to be used to restore it during an undo
tcs_utils.protect_file(self.__target_file)
newfile = self.__target_file + '.new'
oldfile = self.__target_file
try:
out_obj = open(newfile, 'w')
out_obj.write(new_lines)
out_obj.close()
except IOError, err:
msg = "Unable to create temporary file: %s" % str(err)
self.logger.error(self.module_name, 'Apply Error: ' + msg)
raise tcs_utils.ActionError('%s %s' % (self.module_name, msg))
action_record = tcs_utils.generate_diff_record(newfile, oldfile)
shutil.copymode('/etc/default/login', '/tmp/.default_login.new')
shutil.copy2('/tmp/.default_login.new', '/etc/default/login')
os.unlink('/tmp/.default_login.new')
except OSError:
msg = "Unable to replace /etc/default/login with new version."
self.logger.error(self.module_name, 'Apply Error: ' + msg)
raise tcs_utils.ActionError('%s %s' % (self.module_name, msg))
msg = 'RETRIES=3 set in /etc/default/login'
self.logger.notice(self.module_name, 'Apply Performed: ' + msg)
#
# /etc/security/policy.conf needs LOCK_AFTER_RETRIES=YES
#
# Protect file
tcs_utils.protect_file('/etc/security/policy.conf')
try:
in_obj = open('/etc/security/policy.conf', 'r')
except Exception, err:
msg = "Unable to open file /etc/security/policy.conf (%s)." % str(
err)
self.logger.error(self.module_name, 'Apply Error: ' + msg)
raise tcs_utils.ActionError('%s %s' % (self.module_name, msg))
try:
out_obj = open('/tmp/.policy.new', 'w')
except Exception, err:
msg = "Unable to create temporary file (%s)" % str(err)
self.logger.error(self.module_name, 'Apply Error: ' + msg)
raise tcs_utils.ActionError('%s %s' % (self.module_name, msg))
raise tcs_utils.ActionError('%s %s' % (self.module_name, msg))
msg = "Updated /etc/rmmount.conf"
self.logger.info(self.module_name, 'Apply Performed: ' + msg)
else:
try:
os.unlink('/etc/rmmount.conf.new')
except OSError, err:
msg = 'Unable to remove temporary workfile /etc/rmmount.conf.new'
self.logger.error(self.module_name, 'Apply Error: ' + msg)
#
# PART 2: Check /etc/vfstab
#
tcs_utils.protect_file('/etc/vfstab')
try:
infile = open('/etc/vfstab', 'r')
outfile = open('/etc/vfstab.new', 'w')
except IOError, err:
msg = str(err)
self.logger.error(self.module_name, 'Apply Error: ' + msg)
raise tcs_utils.ActionError('%s %s' % (self.module_name, msg))
line_nr = 0
made_changes = False
for line in infile.readlines():
line_nr += 1
line = line.strip()
fields = line.split()
try:
