def updated(self):
'''This method checks to see if the system is fully patched or if there
are updates that need to be done. Returns True if the system
is patched or the check doesn't apply. If there are updates that need
to be applied then it returns False.
:returns: updated
:rtype: bool
@author: dkennel
@change: Breen Malmberg - 4/26/2017 - added method call checkUpdate()
added code to use package helper instead of dynamically looking
up the package manager and command to use
'''
updated = False
osEnvBkup = os.environ
if PROXY is not None:
os.environ["http_proxy"] = PROXY
os.environ["https_proxy"] = PROXY
self.ph = Pkghelper(self.logger, self.environ)
try:
if not self.ph.checkUpdate():
updated = True
except Exception:
raise
os.environ = osEnvBkup
return updated
def __init__(self, config, enviro, logger, statechglogger):
Rule.__init__(self, config, enviro, logger, statechglogger)
self.logger = logger
self.rulenumber = 244
self.rulename = "RemoveSUIDGames"
self.formatDetailedResults("initialize")
self.mandatory = True
self.sethelptext()
self.applicable = {'type': 'white', 'family': 'linux'}
# Configuration item instantiation
datatype = "bool"
key = "REMOVESUIDGAMES"
instructions = "To disable this rule, set the value of " + \
"REMOVESUIDGAMES to false."
default = True
self.ci = self.initCi(datatype, key, instructions, default)
self.guidance = ["LANL 15.7"]
self.iditerator = 0
self.ph = Pkghelper(self.logger, self.environ)
self.gamelist = [
'atlantik', 'bomber', 'bovo', 'gnuchess', 'kapman', 'kasteroids',
'katomic', 'kbackgammon', 'kbattleship', 'kblackbox', 'kblocks',
'kbounce', 'kbreakout', 'kdiamond', 'kenolaba', 'kfouleggs',
'kfourinline', 'kgoldrunner', 'killbots', 'kiriki', 'kjumpingcube',
'klickety', 'klines', 'kmahjongg', 'kmines', 'knetwalk', 'kolf',
'kollision', 'konquest', 'kpat', 'kpoker', 'kreversi', 'ksame',
'kshisen', 'ksirk', 'ksirkskineditor', 'ksirtet', 'ksmiletris',
'ksnake', 'kspaceduel', 'ksquares', 'ksudoku', 'ktron',
'ktuberling', 'kubrick', 'kwin4', 'kwin4proc', 'lskat',
'lskatproc', 'gnome-games', 'kdegames', 'gnome-taquin'
]
def localize(self):
"""
set paths based on what versions of which utilities exist on the system
:return: void
"""
self.gsettings = "/usr/bin/gsettings"
self.gconf = "/usr/bin/gconftool-2"
self.dconf = "/usr/bin/dconf"
self.getcmd = ""
self.setcmd = ""
self.updatecmd = ""
packages = ["gnome", "gdm", "gdm3", "gnome3"]
self.lockfile = "/etc/dconf/db/local.d/locks/stonix-thumbnailers"
self.lockthumbnails = {"/org/gnome/desktop/thumbnailers/disable-all":""}
if os.path.exists(self.gsettings):
self.getcmd = self.gsettings + " get org.gnome.desktop.thumbnailers disable-all"
self.setcmd = self.gsettings + " set org.gnome.desktop.thummailerss disable-all true"
elif os.path.exists(self.gconf):
self.getcmd = self.gconf + " --get /schemas/org/gnome/desktop/thumbnailers/disable_all"
self.setcmd = self.gconf + " --type bool --set /schemass/org/gnome/desktop/thumbnailers/disable_all true"
if os.path.exists(self.dconf):
self.updatecmd = self.dconf + " update"
self.ch = CommandHelper(self.logger)
self.ph = Pkghelper(self.logger, self.environ)
self.gnome_installed = False
if self.environ.getosname() != "Mac OS":
if [self.ph.check(p) for p in packages]:
self.gnome_installed = True
def report(self):
"""
:return: self.compliant
:rtype: bool
"""
try:
self.detailedresults = ""
compliant = True
self.ph = Pkghelper(self.logger, self.environ)
if self.ph.manager == "apt-get":
pkg = "tftpd-hpa"
if self.ph.check(pkg):
self.tftpFile = "/etc/default/tftpd-hpa"
if os.path.exists(self.tftpFile):
compliant = self.reportDebianSys()
else:
pkg = "tftp-server"
if self.ph.check(pkg):
self.tftpFile = "/etc/xinetd.d/tftp"
if os.path.exists(self.tftpFile):
compliant = self.reportOtherSys()
self.compliant = compliant
except (KeyboardInterrupt, SystemExit):
raise
except Exception:
self.compliant = False
self.detailedresults += "\n" + traceback.format_exc()
self.logdispatch.log(LogPriority.ERROR, self.detailedresults)
self.formatDetailedResults("report", self.compliant,
self.detailedresults)
self.logdispatch.log(LogPriority.INFO, self.detailedresults)
return self.compliant
def reportUbuntu(self):
'''if debian, check for unity-lens-shopping and unity-webapps-common
cloud service packages
'''
# defaults
self.compliant = True
self.detailedresults = ""
try:
self.ph = Pkghelper(self.logdispatch, self.environ)
for package in self.debianpkglist:
if self.ph.check(package):
self.compliant = False
except (KeyboardInterrupt, SystemExit):
raise
except Exception as err:
self.rulesuccess = False
self.detailedresults = self.detailedresults + "\n" + str(err) + \
" - " + str(traceback.format_exc())
self.logdispatch.log(LogPriority.ERROR, self.detailedresults)
self.formatDetailedResults("report", self.compliant,
self.detailedresults)
self.logdispatch.log(LogPriority.INFO, self.detailedresults)
return self.compliant
def __init__(self, config, environ, logger, statechglogger):
"""
Constructor
"""
Rule.__init__(self, config, environ, logger, statechglogger)
self.logger = logger
self.rulenumber = 9
self.rulename = 'SystemAccounting'
self.formatDetailedResults("initialize")
self.mandatory = False
self.rootrequired = True
self.sethelptext()
self.guidance = ['CIS 2.4', 'cce-3992-5']
self.applicable = {
'type': 'white',
'family': 'linux',
'os': {
'Mac OS X': ['10.15', 'r', '10.15.10']
}
}
# set up configuration item for this rule
datatype = 'bool'
key = 'SYSTEMACCOUNTING'
instructions = "This is an optional rule and is disabled by default, due to the significant load it can place on the system when enabled. To enable system accounting, set the value of SYSTEMACCOUNTING to True."
default = False
self.ci = self.initCi(datatype, key, instructions, default)
self.ostype = self.environ.getostype()
self.ph = Pkghelper(self.logger, self.environ)
self.ch = CommandHelper(self.logger)
self._set_paths()
def init_objs(self):
"""
"""
self.ph = Pkghelper(self.logger, self.environ)
self.ch = CommandHelper(self.logger)
def __init__(self, config, environ, logger, statechglogger):
"""
@param config:
@param environ:
@param logger:
@param statechglogger:
"""
Rule.__init__(self, config, environ, logger, statechglogger)
self.logger = logger
self.rulenumber = 97
self.rulename = "ConfigureProcessAccounting"
self.formatDetailedResults("initialize")
self.mandatory = True
self.sethelptext()
self.guidance = ["CCE-RHEL7-CCE-TBD 3.2.15"]
self.applicable = {"type": "white", "family": ["linux"]}
# Configuration item instantiation
datatype = "bool"
key = "CONFIGUREPROCESSACCOUNTING"
instructions = "To disable this rule, set the value of " + \
"CONFIGUREPROCESSACCOUNTING to False."
default = True
self.ci = self.initCi(datatype, key, instructions, default)
self.ph = Pkghelper(self.logger, self.environ)
self.sh = ServiceHelper(self.environ, self.logger)
def __init__(self, config, environ, logger, statechglogger):
Rule.__init__(self, config, environ, logger, statechglogger)
self.logger = logger
self.rootrequired = True
self.rulenumber = 127
self.rulename = 'SSHTimeout'
self.formatDetailedResults("initialize")
self.mandatory = True
self.sethelptext()
self.boolCi = self.initCi(
"bool", "SSHTIMEOUTON",
"To disable this rule set the value " + "of SSHTIMEOUTON to False",
True)
self.intCi = self.initCi(
"int", "SSHTIMEOUT", "Set your preferred timeout value here, " +
"in seconds. Default is 900 (15 minutes).", 900)
self.guidance = ['NSA 3.5.2.3']
self.iditerator = 0
self.editor = ""
self.applicable = {
'type': 'white',
'family': ['linux', 'solaris', 'freebsd'],
'os': {
'Mac OS X': ['10.15', 'r', '10.15.10']
}
}
self.ph = Pkghelper(self.logger, self.environ)
def report(self):
"""
report whether any of the packages listed in the self.pkgci ci are installed
return False if any are installed
return True if none of them are installed
:returns: self.compliant
:rtype: bool
"""
self.detailedresults = ""
self.compliant = True
self.ph = Pkghelper(self.logger, self.environ)
packages = self.pkgci.getcurrvalue()
self.remove_packages = []
try:
if packages:
for pkg in packages:
if self.ph.check(pkg):
self.remove_packages.append(pkg)
self.detailedresults += pkg + " is installed\n"
self.compliant = False
except Exception:
self.compliant = False
self.detailedresults += traceback.format_exc()
self.logdispatch.log(LogPriority.ERROR, self.detailedresults)
self.formatDetailedResults("report", self.compliant,
self.detailedresults)
self.logdispatch.log(LogPriority.INFO, self.detailedresults)
return self.compliant
def initobjs(self):
'''initialize objects needed/used by other methods within this class
:returns: void
@author: Breen Malmberg
'''
try:
# if you add class variables here, be sure to also add
# checks for them, in the checkinitobjs() method
self.pkgh = Pkghelper(self.logger, self.environ)
self.svch = ServiceHelper(self.environ, self.logger)
self.cmdh = CommandHelper(self.logger)
self.debian = False
self.suse = False
self.redhat = False
self.pkgdict = {}
self.confpathdict = {}
self.servicename = ''
self.osdetected = False
except Exception:
raise
def initobjs(self):
'''initialize helper objects
@author: Breen Malmberg
'''
self.ch = CommandHelper(self.logger)
self.pkg = Pkghelper(self.logger, self.environ)
def __init__(self, config, environ, logger, statechglogger):
Rule.__init__(self, config, environ, logger, statechglogger)
self.logger = logger
self.rulenumber = 105
self.rulename = "DisableGUILogon"
self.formatDetailedResults("initialize")
self.mandatory = False
self.applicable = {'type': 'white',
'family': ['linux']}
# Configuration item instantiation
datatype = "bool"
key = "DISABLEX"
instructions = "To enable this item, set the value of DISABLEX " + \
"to True. When enabled, this rule will disable the automatic " + \
"GUI login, and the system will instead boot to the console " + \
"(runlevel 3). This will not remove any GUI components, and the " + \
"GUI can still be started using the \"startx\" command."
default = False
self.ci1 = self.initCi(datatype, key, instructions, default)
datatype = "bool"
key = "LOCKDOWNX"
instructions = "To enable this item, set the value of LOCKDOWNX " + \
"to True. When enabled, this item will help secure X Windows by " + \
"disabling the X Font Server (xfs) service and disabling X " + \
"Window System Listening. This item should be enabled if X " + \
"Windows is disabled but will be occasionally started via " + \
"startx, unless there is a mission-critical need for xfs or " + \
"a remote display."
default = False
self.ci2 = self.initCi(datatype, key, instructions, default)
datatype = "bool"
key = "REMOVEX"
instructions = "To enable this item, set the value of REMOVEX " + \
"to True. When enabled, this item will COMPLETELY remove X " + \
"Windows from the system, and on most platforms will disable " + \
"any currently running display manager. It is therefore " + \
"recommended that this rule be run from a console session " + \
"rather than from the GUI.\nREMOVEX cannot be undone."
default = False
self.ci3 = self.initCi(datatype, key, instructions, default)
self.guidance = ["NSA 3.6.1.1", "NSA 3.6.1.2", "NSA 3.6.1.3",
"CCE 4462-8", "CCE 4422-2", "CCE 4448-7",
"CCE 4074-1"]
self.iditerator = 0
self.ph = Pkghelper(self.logger, self.environ)
self.ch = CommandHelper(self.logger)
self.sh = ServiceHelper(self.environ, self.logger)
self.myos = self.environ.getostype().lower()
self.sethelptext()
def report(self):
"""determine whether the fix() method of this rule has run successfully
yet or not
:return: self.compliant
:rtype: bool
"""
self.detailedresults = ""
# UPDATE THIS SECTION IF THE CONSTANTS BEING USED IN THIS CLASS CHANGE
self.constlist = [NTPSERVERSEXTERNAL, NTPSERVERSINTERNAL]
if not any(self.constlist):
self.compliant = False
self.detailedresults += "\nThis rule requires that at least one of the following constants, in localize.py, be defined and not None: NTPSERVERSEXTERNAL, NTPSERVERSINTERNAL"
self.formatDetailedResults("report", self.compliant,
self.detailedresults)
return self.compliant
self.ph = Pkghelper(self.logger, self.environ)
self.ch = CommandHelper(self.logger)
if self._test_connection(NTPSERVERSINTERNAL):
self.time_servers = NTPSERVERSINTERNAL
else:
self.time_servers = NTPSERVERSEXTERNAL
self.compliant = True
try:
if self.environ.getosfamily() == "darwin":
self.ss = "/usr/sbin/systemsetup"
if not self._report_darwin():
self.compliant = False
else:
if not self._report_linux():
self.compliant = False
except (KeyboardInterrupt, SystemExit):
raise
except:
self.compliant = False
self.detailedresults += "\n" + traceback.format_exc()
self.logdispatch.log(LogPriority.ERROR, self.detailedresults)
self.formatDetailedResults("report", self.compliant,
self.detailedresults)
self.logdispatch.log(LogPriority.INFO, self.detailedresults)
return self.compliant
def report(self):
'''Determine which report method(s) to run and run them
:returns: bool
@author bemalmbe
'''
# defaults
self.detailedresults = ""
try:
if self.environ.getostype() == 'Mac OS X':
self.compliant = self.reportmac()
self.formatDetailedResults("report", self.compliant,
self.detailedresults)
self.logdispatch.log(LogPriority.INFO, self.detailedresults)
return self.compliant
compliant = True
self.svchelper = ServiceHelper(self.environ, self.logger)
self.pkghelper = Pkghelper(self.logger, self.environ)
if self.disablesnmp.getcurrvalue():
if not self.reportDisableSNMP():
compliant = False
if self.configuresnmp.getcurrvalue():
if not self.reportConfigureSNMP():
compliant = False
self.compliant = compliant
except AttributeError:
self.detailedresults = traceback.format_exc()
self.logger.log(LogPriority.DEBUG, self.detailedresults)
except (KeyboardInterrupt, SystemExit):
raise
except Exception as err:
self.rulesuccess = False
self.detailedresults = self.detailedresults + "\n" + str(err) + \
" - " + str(traceback.format_exc())
self.logdispatch.log(LogPriority.ERROR, self.detailedresults)
self.formatDetailedResults("report", self.compliant,
self.detailedresults)
self.logdispatch.log(LogPriority.INFO, self.detailedresults)
return self.compliant
def __init__(self, config, environ, logger, statechglogger):
'''
@param config:
@param environ:
@param logger:
@param statechglogger:
'''
Rule.__init__(self, config, environ, logger, statechglogger)
self.logger = logger
self.rulenumber = 29
self.rulename = 'DisableRemoveableStorage'
self.mandatory = False
self.formatDetailedResults("initialize")
self.guidance = ['NSA 2.2.2.2, CIS, NSA(2.2.2.2), cce-4006-3,4173-1']
self.applicable = {
'type': 'white',
'family': ['linux', 'solaris', 'freebsd'],
'os': {
'Mac OS X': ['10.15', 'r', '10.15.10']
},
'fisma': 'high'
}
# configuration item instantiation
datatype = "bool"
key = "DISABLEREMOVEABLESTORAGE"
instructions = "To disable removeable storage devices on this system, set the value of DISABLEREMOVEABLESTORAGE to True"
default = False
self.storageci = self.initCi(datatype, key, instructions, default)
#global variables
self.grubfiles = [
"/boot/grub2/grub.cfg", "/boot/grub/grub.cfg",
"/boot/grub/grub.conf"
]
self.pcmcialist = ['pcmcia-cs', 'kernel-pcmcia-cs', 'pcmciautils']
self.pkgremovedlist = []
self.iditerator = 0
self.created = False
self.daemonpath = os.path.abspath(
os.path.join(os.path.dirname(
sys.argv[0]))) + "/stonix_resources/disablestorage.py"
self.sethelptext()
self.grubperms = ""
self.ph = Pkghelper(self.logger, self.environ)
self.ch = CommandHelper(self.logger)
def initObjs(self):
'''initialize all required class objects
:returns: void
@author: Breen Malmberg
'''
if self.linux:
self.ph = Pkghelper(self.logger, self.environ)
if self.darwin:
pass
self.sh = ServiceHelper(self.environ, self.logger)
self.serviceTarget = ""
self.ch = CommandHelper(self.logger)
def report(self):
'''The report method examines the current configuration and determines
whether or not it is correct. If the config is correct then the
self.compliant, self.detailedresults and self.currstate properties are
updated to reflect the system status. self.rulesuccess will be updated
if the rule does not succeed.
Perform a check to see if PROMPT has been set to 'no' or not
:returns: bool
@author bemalmbe
@change: dwalker
'''
try:
self.detailedresults = ""
compliant = True
self.perms = [0, 0, 420]
self.helper = Pkghelper(self.logger, self.environ)
if self.helper.manager == "portage":
self.filepath = "/etc/conf.d/rc"
keyval = {"RC_INTERACTIVE": "no"}
elif self.helper.manager == "zypper":
self.filepath = "/etc/sysconfig/boot"
keyval = {"PROMPT_FOR_CONFIRM": "no"}
elif self.helper.manager == "apt-get":
self.filepath = "/etc/default/grub"
keyval = {"GRUB_DISABLE_RECOVERY": '"true"'}
self.restart = "/usr/sbin/update-grub"
elif self.helper.manager == "yum" or self.helper.manager == "dnf":
self.filepath = "/etc/sysconfig/init"
keyval = {"PROMPT": "no"}
tmpPath = self.filepath + ".tmp"
if not os.path.exists(self.filepath):
if createFile(self.filepath, self.logger):
self.created = True
if not checkPerms(self.filepath, self.perms, self.logger):
compliant = False
self.detailedresults += "Permissions are not correct on " + \
self.filepath + "\n"
self.editor = KVEditorStonix(self.statechglogger, self.logger,
"conf", self.filepath, tmpPath,
keyval, "present", "closedeq")
if os.path.exists(self.filepath):
if not self.editor.report():
self.detailedresults += "Configuration for " + \
self.filepath + " is incorrect via kveditor report\n"
compliant = False
self.compliant = compliant
except (KeyboardInterrupt, SystemExit):
raise
except Exception:
self.rulesuccess = False
self.detailedresults += "\n" + traceback.format_exc()
self.logdispatch.log(LogPriority.ERROR, self.detailedresults)
self.formatDetailedResults("report", self.compliant,
self.detailedresults)
self.logdispatch.log(LogPriority.INFO, self.detailedresults)
return self.compliant
def report(self):
try:
self.detailedresults = ""
self.ch = CommandHelper(self.logger)
self.lockedpwds = '^\*LK\*|^!|^\*|^x$'
if self.environ.getosfamily() == "linux":
self.ph = Pkghelper(self.logger, self.environ)
self.specs = {"PASS_MAX_DAYS": "180",
"PASS_MIN_DAYS": "1",
"PASS_MIN_LEN": "8",
"PASS_WARN_AGE": "28"}
if self.ph.manager in ("apt-get", "zypper"):
# apt-get systems do not set min length in the same file
# as other systems(login.defs)
del self.specs["PASS_MIN_LEN"]
self.shadowfile = "/etc/shadow"
self.logdeffile = "/etc/login.defs"
self.useraddfile = "/etc/default/useradd"
self.libuserfile = "/etc/libuser.conf"
self.compliant = self.reportLinux()
elif self.environ.getosfamily() == "solaris":
self.specs = {"PASSLENGTH": "8",
"MINWEEKS": "1",
"MAXWEEKS": "26",
"WARNWEEKS": "4"}
self.shadowfile = "/etc/shadow"
self.logdeffile = "/etc/default/passwd"
self.compliant = self.reportSolaris()
elif self.environ.getosfamily() == "freebsd":
self.specs = {"warnpassword": "******",
"minpasswordlen": "8",
"passwordtime": "180d"}
self.shadowfile = "/etc/master.passwd"
self.loginfile = "/etc/login.conf"
self.compliant = self.reportFreebsd()
except (KeyboardInterrupt, SystemExit):
# User initiated exit
raise
except Exception:
self.rulesuccess = False
self.detailedresults += "\n" + traceback.format_exc()
self.logdispatch.log(LogPriority.ERROR, self.detailedresults)
self.formatDetailedResults("report", self.compliant,
self.detailedresults)
self.logdispatch.log(LogPriority.INFO, self.detailedresults)
return self.compliant
def initobjs(self):
''' '''
try:
self.ph = Pkghelper(self.logger, self.environ)
self.ch = CommandHelper(self.logger)
self.linux = False
self.mac = False
self.gnome2 = False
self.gnome3 = False
self.kde = False
self.lightdm = False
self.badline = False
except Exception:
raise
def report(self):
try:
self.detailedresults = ""
self.ph = Pkghelper(self.logger, self.environ)
self.data1 = {
"ddns-update-style": "none;",
"deny": ["declines;", "bootp;"]
}
self.data2 = [
"domain-name", "domain-name-servers", "nis-domain",
"nis-servers", "ntp-servers", "routers", "time-offset"
]
if self.ph.manager == "zypper":
self.path = "/etc/dhcpd.conf"
elif self.ph.manager == "yum" or self.ph.manager == "dnf":
self.path = "/etc/dhcp/dhcpd.conf"
elif self.ph.manager == "apt-get":
self.path = "/etc/dhcp/dhcpd.conf"
self.tmppath = self.path + ".tmp"
compliant = True
if os.path.exists(self.path):
if not checkPerms(self.path, [0, 0, 0o644], self.logger):
self.detailedresults += "The permissions on " + \
self.path + " are incorrect\n"
compliant = False
self.editor = KVEditorStonix(self.statechglogger, self.logger,
"conf", self.path, self.tmppath,
self.data1, "present", "space")
if not self.editor.report():
self.detailedresults += self.path + " doesn't contain " + \
"the correct contents\n"
compliant = False
contents = readFile(self.path, self.logger)
for line in contents:
if re.match('^#', line) or re.match(r'^\s*$', line):
continue
if re.search("^option", line):
linesplit = line.split()
if len(linesplit) >= 2:
for item in self.data2:
if re.search(item, linesplit[1]):
compliant = False
self.detailedresults += "Unwanted " + \
"option found in " + self.path + \
": " + line
self.compliant = compliant
except (KeyboardInterrupt, SystemExit):
raise
except Exception:
self.rulesuccess = False
self.detailedresults += "\n" + traceback.format_exc()
self.logdispatch.log(LogPriority.ERROR, self.detailedresults)
self.formatDetailedResults("report", self.compliant,
self.detailedresults)
self.logdispatch.log(LogPriority.INFO, self.detailedresults)
return self.compliant
def __init__(self, config, environ, logger, statechglogger):
"""
private method to initialize the module
:param config: configuration object instance
:param environ: environment object instance
:param logger: logdispatcher object instance
:param statechglogger: statechglogger object instance
"""
Rule.__init__(self, config, environ, logger, statechglogger)
self.logger = logger
self.rulenumber = 84
self.rulename = "AuditFirefoxUsage"
self.mandatory = True
self.rootrequired = True
self.sethelptext()
self.formatDetailedResults("initialize")
self.guidance = []
self.applicable = {'type': 'white', 'family': ['linux']}
# Configuration item instantiation
datatype = 'list'
key = 'APPROVEDDOMAINS'
instructions = """This is a list of domains which the root user is \
approved to browse."""
default = LOCALDOMAINS
if default == None:
default = ["localhost"]
elif not default:
default = ["localhost"]
self.approvedDomainsCi = self.initCi(datatype, key, instructions,
default)
datatype = 'bool'
key = 'DISABLEPROXY'
instructions = """To disable Firefox's proxy settings, ensuring that \
browsing is limited to local domains in a proxied environment, set \
DISABLEPROXY to True."""
default = True
self.ci = self.initCi(datatype, key, instructions, default)
self.ph = Pkghelper(self.logger, self.environ)
self.auditonly = True
def report(self):
try:
self.detailedresults = ""
if self.environ.getosfamily() == "linux":
self.ph = Pkghelper(self.logger, self.environ)
self.compliant = self.reportLinux()
elif self.environ.getosfamily() == "freebsd":
self.compliant = self.reportFree()
elif self.environ.getostype() == "Mac OS X":
self.compliant = self.reportMac()
except (KeyboardInterrupt, SystemExit):
raise
except Exception:
self.rulesuccess = False
self.detailedresults += "\n" + traceback.format_exc()
self.logdispatch.log(LogPriority.ERROR, self.detailedresults)
self.formatDetailedResults("report", self.compliant,
self.detailedresults)
self.logdispatch.log(LogPriority.INFO, self.detailedresults)
return self.compliant
def __init__(self, config, environ, logger, statechglogger):
'''
Constructor
'''
Rule.__init__(self, config, environ, logger, statechglogger)
self.logger = logger
self.statechglogger = statechglogger
self.rulenumber = 7
self.rulename = 'SoftwarePatching'
self.formatDetailedResults("initialize")
self.mandatory = True
self.sethelptext()
self.rootrequired = True
self.environ = environ
self.applicable = {
'type': 'black',
'family': ['darwin', 'solaris', 'suse']
}
data = "bool"
key = "SCHEDULEUPDATE"
instructions = "To disable creation of a scheduled " + \
"update job set the value of this " + \
"setting to no or false. Doing so " + \
"puts a larger burden for keeping " + \
"this system up to date on the system " + \
"administrators. This setting doesn't " + \
"apply to some systems whose updates " + \
"cannot be installed automatically " + \
"for various reasons. "
default = True
self.ci = self.initCi(data, key, instructions, default)
self.guidance = [
'CCE 14813-0', 'CCE 14914-6', 'CCE 4218-4', 'CCE 14440-2'
]
self.caveats = ''
self.ch = CommandHelper(self.logger)
self.ph = Pkghelper(self.logger, self.environ)
self.constlist = [PROXY, UPDATESERVERS]
def report(self):
'''Check for the existence of any of a number of data-collection
and reporting utilities on the system
report compliance status as not compliant if any exist
report compliance status as compliant if none exist
:returns: self.compliant
:rtype: bool
@author: Breen Malmberg
'''
self.detailedresults = ""
self.ph = Pkghelper(self.logger, self.environ)
self.compliant = True
self.pkgslist = ["popularity-contest", "apport", "ubuntu-report"]
self.removepkgs = []
try:
for pkg in self.pkgslist:
if self.ph.check(pkg):
self.compliant = False
self.detailedresults += "\nData collection utility: " + str(
pkg) + " is still installed"
self.removepkgs.append(pkg)
except (KeyboardInterrupt, SystemExit):
raise
except Exception:
self.compliant = False
self.detailedresults += "\n" + traceback.format_exc()
self.logdispatch.log(LogPriority.ERROR, self.detailedresults)
self.formatDetailedResults("report", self.compliant,
self.detailedresults)
self.logdispatch.log(LogPriority.INFO, self.detailedresults)
return self.compliant
def report(self):
"""check the gdm/gnome setting for thumbnailers to determine
if it is off or on. report compliant if it is off,
non-compliant if it is on.
:return: self.compliant
:rtype: bool
"""
self.compliant = True
self.ch = CommandHelper(self.logger)
self.ph = Pkghelper(self.logger, self.environ)
self.detailedresults = ""
try:
self.localize()
if self.gnome_installed:
# This portion of the code is relevant to user context
if self.environ.geteuid() != 0:
self.ch.executeCommand(self.getcmd)
if not self.ch.findInOutput("true"):
self.compliant = False
self.detailedresults += "\nGnome thumbnailers are enabled"
# This portion of the code is relevant to root context
else:
if not self.checkLockFile():
self.compliant = False
else:
self.logger.log(LogPriority.DEBUG, "Gnome is not installed. Nothing to check.")
except (KeyboardInterrupt, SystemExit):
raise
except Exception:
self.compliant = False
self.detailedresults += "\n" + traceback.format_exc()
self.logger.log(LogPriority.ERROR, self.detailedresults)
self.formatDetailedResults("report", self.compliant, self.detailedresults)
self.logger.log(LogPriority.INFO, self.detailedresults)
return self.compliant
def report(self):
'''Perform a check to see if package is already installed.
If so, there is no need to run Fix method
:returns: self.compliant
:rtype: bool
@author: Derek T Walker
'''
try:
self.detailedresults = ""
self.ph = Pkghelper(self.logger, self.environ)
self.ch = CommandHelper(self.logger)
self.compliant = True
self.set_pkg()
if not self.ph.check(self.pkg):
self.compliant = False
self.detailedresults += "\nvlock Package is NOT installed"
else:
self.detailedresults += "\nvlock Package is installed"
except (KeyboardInterrupt, SystemExit):
raise
except Exception:
self.compliant = False
self.detailedresults += "\n" + traceback.format_exc()
self.logdispatch.log(LogPriority.ERROR, self.detailedresults)
self.formatDetailedResults("report", self.compliant,
self.detailedresults)
self.logdispatch.log(LogPriority.INFO, self.detailedresults)
return self.compliant
def report(self):
'''checks to see if a plus entry exists, returns True if a plus entry
exists and False if not
:returns: bool
@author: D.Walker
'''
try:
self.detailedresults = ""
compliant = True
self.badfiles = []
self.ph = Pkghelper(self.logger, self.environ)
if self.environ.getostype() == "Mac OS X":
filelist = ["/private/etc/master.passwd",
"/private/etc/shadow",
"/private/etc/passwd",
"/private/etc/group",
"/private/etc/grp"]
else:
filelist = ["/etc/master.passwd",
"/etc/shadow",
"/etc/passwd",
"/etc/group",
"/etc/grp"]
counter = 0
for fileItem in filelist:
if os.path.exists(fileItem):
contents = readFile(fileItem, self.logger)
for line in contents:
if re.search("^\+", line.strip()):
self.badfiles.append(fileItem)
counter += 1
compliant = False
self.detailedresults += "Found " + str(counter) + \
" plus accounts\n"
self.compliant = compliant
except (KeyboardInterrupt, SystemExit):
# User initiated exit
raise
except Exception:
self.rulesuccess = False
self.detailedresults += "\n" + traceback.format_exc()
self.logdispatch.log(LogPriority.ERROR, self.detailedresults)
self.formatDetailedResults("report", self.compliant,
self.detailedresults)
self.logdispatch.log(LogPriority.INFO, self.detailedresults)
return self.compliant
def fix_rhel7_boot_fips(self):
"""
enable fips compliance on redhat 7 systems
https://access.redhat.com/solutions/137833
:return: success
:rtype: bool
"""
success = True
self.ph = Pkghelper(self.logdispatch, self.environ)
grubby = "/usr/sbin/grubby"
findmnt = "/usr/bin/findmnt"
try:
# configure the system to be compatible with luks and fips
self.configure_luks_compatibility()
# add fips=1 to kernel boot line (requires sytem restart to take effect)
self.ch.executeCommand(grubby + " --update-kernel=$(" + grubby +
" --default-kernel) --args=fips=1")
retcode = self.ch.getReturnCode()
if retcode != 0:
success = False
self.detailedresults += "\nFailed to enable fips compliance in kernel boot line"
# update boot partition info
uuid = ""
self.ch.executeCommand(findmnt + " -no uuid /boot")
retcode = self.ch.getReturnCode()
if retcode == 0:
uuid = self.ch.getOutputString()
else:
success = False
self.detailedresults += "\nFailed to update boot partition info"
if uuid:
self.ch.executeCommand(
"[[ -n $uuid ]] && " + grubby + " --update-kernel=$(" +
grubby + " --default-kernel) --args=boot=UUID=${uuid}")
except:
raise
return success
class RemoveSoftware(Rule):
"""This class removes any unnecessary software installed on the system"""
def __init__(self, config, environ, logger, statechglogger):
"""
Constructor
"""
Rule.__init__(self, config, environ, logger, statechglogger)
self.logger = logger
self.rulenumber = 91
self.rulename = "RemoveSoftware"
self.mandatory = True
self.formatDetailedResults("initialize")
self.sethelptext()
self.rootrequired = True
self.guidance = ["NSA 2.3.5.6"]
self.applicable = {'type': 'white', 'family': ['linux', 'freebsd']}
# Configuration item instantiation
datatype1 = "bool"
key1 = "REMOVESOFTWARE"
instructions1 = "To disable this rule set the value of REMOVESOFTWARE TO False."
default1 = False
self.ci = self.initCi(datatype1, key1, instructions1, default1)
datatype2 = "list"
key2 = "PACKAGES"
instructions2 = "Enter the package(s) that you wish to remove. By " + \
"default we already list packages that we recommend for removal."
default2 = [
"squid", "telnet-server", "rsh-server", "rsh", "rsh-client",
"talk", "talk-server", "talkd", "libpam-ccreds", "pam_ccreds",
"tftp-server", "tftp", "tftpd", "udhcpd", "dhcpd", "dhcp",
"dhcp-server", "yast2-dhcp-server", "vsftpd", "httpd", "dovecot",
"dovecot-imapd", "dovecot-pop3d", "snmpd", "net-snmpd", "net-snmp",
"ipsec-tools", "irda-utils", "slapd", "openldap-servers",
"openldap2", "bind9", "bind9.i386", "bind", "dnsutils",
"bind-utils", "redhat-access-insights", "insights-client"
]
self.pkgci = self.initCi(datatype2, key2, instructions2, default2)
def report(self):
"""
report whether any of the packages listed in the self.pkgci ci are installed
return False if any are installed
return True if none of them are installed
:returns: self.compliant
:rtype: bool
"""
self.detailedresults = ""
self.compliant = True
self.ph = Pkghelper(self.logger, self.environ)
packages = self.pkgci.getcurrvalue()
self.remove_packages = []
try:
if packages:
for pkg in packages:
if self.ph.check(pkg):
self.remove_packages.append(pkg)
self.detailedresults += pkg + " is installed\n"
self.compliant = False
except Exception:
self.compliant = False
self.detailedresults += traceback.format_exc()
self.logdispatch.log(LogPriority.ERROR, self.detailedresults)
self.formatDetailedResults("report", self.compliant,
self.detailedresults)
self.logdispatch.log(LogPriority.INFO, self.detailedresults)
return self.compliant
def fix(self):
"""
remove all software packages listed in the self.pkgci list
:returns: self.rulesuccess
:rtype: bool
"""
self.rulesuccess = True
self.detailedresults = ""
self.iditerator = 0
enabled = self.ci.getcurrvalue()
try:
if not enabled:
self.formatDetailedResults("fix", self.rulesuccess,
self.detailedresults)
return self.rulesuccess
elif not self.remove_packages:
self.formatDetailedResults("fix", self.rulesuccess,
self.detailedresults)
return self.rulesuccess
# Clear out event history so only the latest fix is recorded
eventlist = self.statechglogger.findrulechanges(self.rulenumber)
for event in eventlist:
self.statechglogger.deleteentry(event)
for pkg in self.remove_packages:
try:
if self.ph.remove(pkg):
self.iditerator += 1
self.detailedresults += "\nRemoved package: " + str(
pkg)
myid = iterate(self.iditerator, self.rulenumber)
event = {
"eventtype": "pkghelper",
"pkgname": pkg,
"startstate": "installed",
"endstate": "removed"
}
self.statechglogger.recordchgevent(myid, event)
else:
self.rulesuccess = False
self.detailedresults += "\nFailed to remove package: " + str(
pkg)
except Exception:
continue
except (KeyboardInterrupt, SystemExit):
raise
except Exception:
self.rulesuccess = False
self.detailedresults += traceback.format_exc()
self.logdispatch.log(LogPriority.ERROR, self.detailedresults)
self.formatDetailedResults("fix", self.rulesuccess,
self.detailedresults)
self.logdispatch.log(LogPriority.INFO, self.detailedresults)
return self.rulesuccess
def undo(self):
"""
Undo changes made by this rule. Some rules may not be undone.
self.rulesuccess will be updated if the rule does not succeed.
@author D. Kennel & D. Walker
"""
# pass
if not self.environ.geteuid() == 0:
self.detailedresults = "Root access required to revert changes."
self.formatDetailedResults("undo", None, self.detailedresults)
try:
# This must be implemented later once the parameter option or observable
# pattern for taking control of self.detailedresults refresh is implemented
# see artf30937 : self.detailedresults through application flow for details
self.detailedresults = ""
undosuccessful = True
eventlist = self.statechglogger.findrulechanges(self.rulenumber)
if not eventlist:
self.formatDetailedResults("undo", None, self.detailedresults)
self.logdispatch.log(LogPriority.INFO, self.detailedresults)
return undosuccessful
#eventlist.reverse()
for entry in eventlist:
try:
event = self.statechglogger.getchgevent(entry)
if event["eventtype"] == "perm":
perms = event["startstate"]
os.chmod(event["filepath"], perms[2])
os.chown(event["filepath"], perms[0], perms[1])
elif event["eventtype"] == "conf":
self.statechglogger.revertfilechanges(event["filepath"],
entry)
elif event["eventtype"] == "comm" or \
event["eventtype"] == "commandstring":
ch = CommandHelper(self.logdispatch)
command = event["command"]
ch.executeCommand(command)
if ch.getReturnCode() != 0:
self.detailedresults = "Couldn't run the " + \
"command to undo\n"
self.logdispatch.log(LogPriority.DEBUG,
self.detailedresults)
elif event["eventtype"] == "creation":
try:
os.remove(event["filepath"])
except OSError as oser:
if oser.errno == 21:
try:
os.rmdir(event["filepath"])
except OSError as oserr:
if oserr.errno == 39:
self.logdispatch.log(LogPriority.DEBUG, "Cannot remove file path: " + str(event["filepath"]) + " because it is a non-empty directory.")
elif oser.errno == 2:
self.logdispatch.log(LogPriority.DEBUG, "Cannot remove file path: " + str(event["filepath"]) + " because it does not exist.")
elif event["eventtype"] == "deletion":
self.statechglogger.revertfiledelete(event["filepath"])
elif event["eventtype"] == "pkghelper":
ph = Pkghelper(self.logdispatch, self.environ)
if event["startstate"] == "installed":
ph.install(event["pkgname"])
elif event["startstate"] == "removed":
ph.remove(event["pkgname"])
else:
self.detailedresults = 'Invalid startstate for ' \
+ 'eventtype "pkghelper". startstate should ' \
+ 'either be "installed" or "removed"\n'
self.logdispatch.log(LogPriority.ERROR,
self.detailedresults)
elif event["eventtype"] == "servicehelper":
sh = ServiceHelper(self.environ, self.logdispatch)
if event["startstate"] == "enabled":
sh.enableservice(event["servicename"])
elif event["startstate"] == "disabled":
sh.disableservice(event["servicename"])
else:
self.detailedresults = 'Invalid startstate for ' \
+ 'eventtype "servicehelper". startstate ' + \
'should either be "enabled" or "disabled"\n'
self.logdispatch.log(LogPriority.ERROR,
self.detailedresults)
except(IndexError, KeyError):
self.detailedresults = "EventID " + entry + " not found"
self.logdispatch.log(LogPriority.DEBUG,
self.detailedresults)
except(KeyboardInterrupt, SystemExit):
raise
except Exception:
undosuccessful = False
self.detailedresults = traceback.format_exc()
self.logdispatch.log(LogPriority.ERROR, [self.rulename + ".undo",
self.detailedresults])
self.formatDetailedResults("undo", undosuccessful,
self.detailedresults)
self.logdispatch.log(LogPriority.INFO, self.detailedresults)
return undosuccessful
