def setConditionsForRule(self):
'''
Configure system for the unit test
@param self: essential if you override this definition
@return: boolean - If successful True; If failure False
@author: dwalker
'''
success = True
if self.ph.check("squid"):
if self.ph.manager == "apt-get":
self.squidfile = "/etc/squid3/squid.conf"
else:
self.squidfile = "/etc/squid/squid.conf"
self.backup = self.squidfile + ".original"
self.data1 = {"ftp_passive": "on",
"ftp_sanitycheck": "on",
"check_hostnames": "on",
"request_header_max_size": "20 KB",
"reply_header_max_size": "20 KB",
"cache_effective_user": "******",
"cache_effective_group": "squid",
"ignore_unknown_nameservers": "on",
"allow_underscore": "off",
"httpd_suppress_version_string": "on",
"forwarded_for": "off",
"log_mime_hdrs": "on",
"http_access": "deny to_localhost"}
#make sure these aren't in the file
self.denied = ["acl Safe_ports port 70",
"acl Safe_ports port 210",
"acl Safe_ports port 280",
"acl Safe_ports port 488",
"acl Safe_ports port 591",
"acl Safe_ports port 777"]
if os.path.exists(self.squidfile):
if checkPerms(self.squidfile, [0, 0, 420], self.logdispatch):
if not setPerms(self.squidfile, [0, 0, 416], self.logdispatch):
success = False
copyfile(self.squidfile, self.backup)
tempstring = ""
contents = readFile(self.squidfile, self.logdispatch)
if contents:
for line in contents:
if re.search("^ftp_passive", line.strip()):
'''Delete this line'''
continue
else:
tempstring += line
'''insert line with incorrect value'''
tempstring += "request_header_max_size 64 KB\n"
'''insert line with no value'''
tempstring += "ignore_unknown_nameservers\n"
'''insert these two lines we don't want in there'''
tempstring += "acl Safe_ports port 70\nacl Safe_ports port 210\n"
if not writeFile(self.squidfile, tempstring, self.logdispatch):
success = False
return success
def setConditionsForRule(self):
'''
Configure system for the unit test
@param self: essential if you override this definition
@return: boolean - If successful True; If failure False
@author: ekkehard j. koch
'''
self.detailedresults = ""
self.path = "/private/etc/sshd_config"
self.tmppath = "/private/etc/sshd_config.tmp"
ssh = {"DenyGroups":"admin"}
self.editor = KVEditorStonix(self.statechglogger, self.logdispatch,
"conf", self.path, self.tmppath, ssh, "notpresent", "space")
self.editor.report()
self.editor.fix()
setPerms(self.path, [0, 0, 511], self.logdispatch)
success = True
return success
def setConditionsForRule(self):
'''
Configure system for the unit test
@param self: essential if you override this definition
@return: boolean - If successful True; If failure False
@author: ekkehard j. koch
'''
self.detailedresults = ""
self.path = "/private/etc/sshd_config"
self.tmppath = "/private/etc/sshd_config.tmp"
ssh = {"DenyGroups":"admin"}
self.editor = KVEditorStonix(self.statechglogger, self.logdispatch,
"conf", self.path, self.tmppath, ssh, "notpresent", "space")
self.editor.report()
self.editor.fix()
setPerms(self.path, [0, 0, 511], self.logdispatch)
success = True
return success
def setConditionsForRule(self):
'''
Configure system for the unit test
@param self: essential if you override this definition
@return: boolean - If successful True; If failure False
@author: Eric Ball
'''
success = True
# This is tested as working on both platforms
sudoers = "/etc/sudoers"
self.rule.ci.updatecurrvalue(True)
self.rule.iditerator = 0
myid = iterate(self.rule.iditerator, self.rule.rulenumber)
setPerms(sudoers, [99, 99, 0770], self.logdispatch,
self.statechglogger, myid)
contents = readFile(sudoers, self.logdispatch)
for line in contents:
if re.search("^Defaults\s+timestamp_timeout", line.strip()):
contents.remove(line)
break
return success
def setConditionsForRule(self):
'''Configure system for the unit test
:param self: essential if you override this definition
:returns: boolean - If successful True; If failure False
@author: Eric Ball
'''
success = True
# This is tested as working on both platforms
sudoers = "/etc/sudoers"
self.rule.ci.updatecurrvalue(True)
self.rule.iditerator = 0
myid = iterate(self.rule.iditerator, self.rule.rulenumber)
setPerms(sudoers, [99, 99, 0o770], self.logdispatch,
self.statechglogger, myid)
contents = readFile(sudoers, self.logdispatch)
for line in contents:
if re.search("^Defaults\s+timestamp_timeout", line.strip()):
contents.remove(line)
break
return success
def setLinuxConditions(self):
success = True
path1 = "/etc/security/limits.conf"
if os.path.exists(path1):
lookfor1 = "(^\*)\s+hard\s+core\s+0?"
contents = readFile(path1, self.logger)
if contents:
tempstring = ""
for line in contents:
if not re.search(lookfor1, line.strip()):
tempstring += line
if not writeFile(path1, tempstring, self.logger):
debug = "unable to write incorrect contents to " + path1 + "\n"
self.logger.log(LogPriority.DEBUG, debug)
success = False
if checkPerms(path1, [0, 0, 0o644], self.logger):
if not setPerms(path1, [0, 0, 0o777], self.logger):
debug = "Unable to set incorrect permissions on " + path1 + "\n"
self.logger.log(LogPriority.DEBUG, debug)
success = False
else:
debug = "successfully set incorrect permissions on " + path1 + "\n"
self.logger.log(LogPriority.DEBUG, debug)
self.ch.executeCommand("/sbin/sysctl fs.suid_dumpable")
retcode = self.ch.getReturnCode()
if retcode != 0:
self.detailedresults += "Failed to get value of core dumps configuration with sysctl command\n"
errmsg = self.ch.getErrorString()
self.logger.log(LogPriority.DEBUG, errmsg)
success = False
else:
output = self.ch.getOutputString()
if output.strip() != "fs.suid_dumpable = 1":
if not self.ch.executeCommand("/sbin/sysctl -w fs.suid_dumpable=1"):
debug = "Unable to set incorrect value for fs.suid_dumpable"
self.logger.log(LogPriority.DEBUG, debug)
success = False
elif not self.ch.executeCommand("/sbin/sysctl -p"):
debug = "Unable to set incorrect value for fs.suid_dumpable"
self.logger.log(LogPriority.DEBUG, debug)
success = False
return success
def setCommonConditions(self, sshfile, directives):
'''Common system pre condition setting
:param self: essential if you override this definition
:param sshfile: ssh file to be fuzzed
:param directives: intentionally incorrect directives to fuzz file with
:returns: boolean - If successful True; If failure False
@author: dwalker
'''
# In this method, unlike the methods inside the rule, we don't
# need a portion for Ubuntu to make sure directives aren't present
# because we can put those directives in the file(s) to fuzz them
success = True
directives = dict(directives)
tpath = sshfile + ".tmp"
if not os.path.exists(sshfile):
if not createFile(sshfile, self.logger):
success = False
debug = "Unable to create " + sshfile + " for setting " + \
"pre-conditions"
self.logger.log(LogPriority.DEBUG, debug)
return False
editor = KVEditorStonix(self.statechglogger, self.logger, "conf",
sshfile, tpath, directives, "present", "space")
if not editor.report():
if not editor.fix():
success = False
debug = "Kveditor fix for file " + sshfile + " not successful"
self.logger.log(LogPriority.DEBUG, debug)
elif not editor.commit():
success = False
debug = "Kveditor commit for file " + sshfile + " not successful"
self.logger.log(LogPriority.DEBUG, debug)
if checkPerms(sshfile, [0, 0, 0o755], self.logger):
if not setPerms(sshfile, [0, 0, 0o755], self.logger):
success = False
debug = "Unable to set incorrect permissions on " + \
sshfile + " for setting pre-conditions"
self.logger.log(LogPriority.DEBUG, debug)
return success
def setConditionsForRule(self):
'''
Configure system for the unit test
@param self: essential if you override this definition
@return: boolean - If successful True; If failure False
@author: Eric Ball
'''
success = True
# Run report() to populate self.rule.path
self.rule.report()
if success:
badoptionstring = '''option domain-name example.com;
option domain-name-servers servers.example.com;
option nis-domain example.com;
option nis-servers servers.example.com;
option ntp-servers\tntp.example.com;
option routers 127.0.0.1;
option time-offset -18000;
'''
open(self.rule.path, "a").write(badoptionstring)
# Rule wants 644 perms, set to 770
success = setPerms(self.rule.path, [0, 0, 0770], self.logdispatch)
return success
def setConditionsForRule(self):
'''Configure system for the unit test
:param self: essential if you override this definition
:returns: boolean - If successful True; If failure False
@author: Eric Ball
'''
success = True
# Run report() to get variables
self.rule.report()
ssh = {"ClientAliveInterval": "0", "ClientAliveCountMax": "900"}
if os.path.exists(self.rule.path):
kvtype = "conf"
intent = "present"
self.editor = KVEditorStonix(self.statechglogger, self.logdispatch,
kvtype, self.rule.path,
self.rule.tpath, ssh, intent, "space")
if not self.editor.report():
if self.editor.fixables:
if self.editor.fix():
if not self.editor.commit():
success = False
debug = "KVEditor commit did not succeed"
self.logdispatch.log(LogPriority.DEBUG, debug)
else:
success = False
debug = "KVEditor fix() did not succeed"
self.logdispatch.log(LogPriority.DEBUG, debug)
self.rule.iditerator = 0
myid = iterate(self.rule.iditerator, self.rule.rulenumber)
if not setPerms(self.rule.path, [99, 99, 0o770], self.logdispatch,
self.statechglogger, myid):
success = False
debug = "Could not set permissions"
self.logdispatch.log(LogPriority.DEBUG, debug)
return success
def setConditionsForRule(self):
'''Configure system for the unit test
:param self: essential if you override this definition
:returns: boolean - If successful True; If failure False
@author: Eric Ball
'''
success = True
# Run report() to populate self.rule.path
self.rule.report()
if success:
badoptionstring = '''option domain-name example.com;
option domain-name-servers servers.example.com;
option nis-domain example.com;
option nis-servers servers.example.com;
option ntp-servers\tntp.example.com;
option routers 127.0.0.1;
option time-offset -18000;
'''
open(self.rule.path, "a").write(badoptionstring)
# Rule wants 644 perms, set to 770
success = setPerms(self.rule.path, [0, 0, 0o770], self.logdispatch)
return success
def setConditionsForRule(self):
'''
Configure system for the unit test
@param self: essential if you override this definition
@return: boolean - If successful True; If failure False
@author: Eric Ball
'''
success = True
# Run report() to get variables
self.rule.report()
ssh = {"ClientAliveInterval": "0",
"ClientAliveCountMax": "900"}
if os.path.exists(self.rule.path):
kvtype = "conf"
intent = "present"
self.editor = KVEditorStonix(self.statechglogger, self.logdispatch,
kvtype, self.rule.path,
self.rule.tpath, ssh, intent, "space")
if not self.editor.report():
if self.editor.fixables:
if self.editor.fix():
if not self.editor.commit():
success = False
debug = "KVEditor commit did not succeed"
self.logdispatch.log(LogPriority.DEBUG, debug)
else:
success = False
debug = "KVEditor fix() did not succeed"
self.logdispatch.log(LogPriority.DEBUG, debug)
self.rule.iditerator = 0
myid = iterate(self.rule.iditerator, self.rule.rulenumber)
if not setPerms(self.rule.path, [99, 99, 0770], self.logdispatch,
self.statechglogger, myid):
success = False
debug = "Could not set permissions"
self.logdispatch.log(LogPriority.DEBUG, debug)
def setConditionsForRule(self):
'''
Configure system for the unit test
@param self: essential if you override this definition
@return: boolean - If successful True; If failure False
@author: dwalker
'''
success = True
if not self.environ.getostype() == "Mac OS X":
self.ph = Pkghelper(self.logger, self.environ)
if self.ph.manager == "apt-get":
self.tftpfile = "/etc/default/tftpd-hpa"
tmpfile = self.tftpfile + ".tmp"
if os.path.exists(self.tftpfile):
contents = readFile(self.tftpfile, self.logger)
tempstring = ""
for line in contents:
'''Take TFTP_OPTIONS line out of file'''
if re.search("TFTP_OPTIONS", line.strip()):
continue
elif re.search("TFTP_DIRECTORY", line.strip()):
tempstring += 'TFTP_DIRECTORY="/var/lib/tftpbad"'
continue
else:
tempstring += line
if not writeFile(tmpfile, tempstring, self.logger):
success = False
else:
os.rename(tmpfile, self.tftpfile)
os.chown(self.tftpfile, 0, 0)
os.chmod(self.tftpfile, 400)
else:
#if server_args line found, remove to make non-compliant
self.tftpfile = "/etc/xinetd.d/tftp"
tftpoptions, contents2 = [], []
if os.path.exists(self.tftpfile):
i = 0
contents = readFile(self.tftpfile, self.logger)
if checkPerms(self.tftpfile, [0, 0, 420], self.logger):
setPerms(self.tftpfile, [0, 0, 400], self.logger)
try:
for line in contents:
if re.search("service tftp", line.strip()):
contents2 = contents[i+1:]
else:
i += 1
except IndexError:
pass
if contents2:
if contents2[0].strip() == "{":
del(contents2[0])
if contents2:
i = 0
while i <= len(contents2) and contents2[i].strip() != "}" and contents2[i].strip() != "{":
tftpoptions.append(contents2[i])
i += 1
if tftpoptions:
for line in tftpoptions:
if re.search("server_args", line):
contents.remove(line)
return success
def setLinuxConditions(self):
success = True
debug = ""
path1 = "/etc/security/limits.conf"
if os.path.exists(path1):
lookfor1 = "(^\*)\s+hard\s+core\s+0?"
contents = readFile(path1, self.logger)
if contents:
tempstring = ""
for line in contents:
if not re.search(lookfor1, line.strip()):
tempstring += line
if not writeFile(path1, tempstring, self.logger):
debug = "unable to write incorrect contents to " + path1
self.logger.log(LogPriority.DEBUG, debug)
success = False
if not checkPerms(path1, [0, 0, 0o777], self.logger):
if not setPerms(path1, [0, 0, 0o777], self.logger):
debug = "Unable to set incorrect permissions on " + path1
self.logger.log(LogPriority.DEBUG, debug)
success = False
else:
debug = "successfully set incorrect permissions on " + path1
self.logger.log(LogPriority.DEBUG, debug)
sysctl = "/etc/sysctl.conf"
tmpfile = sysctl + ".tmp"
editor = KVEditorStonix(self.statechglogger, self.logger, "conf",
sysctl, tmpfile, {"fs.suid_dumpable": "1"},
"present", "openeq")
if not checkPerms(sysctl, [0, 0, 0o777], self.logger):
if not setPerms(sysctl, [0, 0, 0o777], self.logger):
debug = "Unable to set incorrect permissions on " + path1
self.logger.log(LogPriority.DEBUG, debug)
success = False
else:
debug = "successfully set incorrect permissions on " + path1
self.logger.log(LogPriority.DEBUG, debug)
if not editor.report():
if not editor.fix():
success = False
debug = "Unable to set conditions for /etc/sysctl.conf file"
self.logger.log(LogPriority.DEBUG, debug)
elif not editor.commit():
success = False
debug = "Unable to set conditions for /etc/sysctl.conf file"
self.logger.log(LogPriority.DEBUG, debug)
self.ch.executeCommand("/sbin/sysctl fs.suid_dumpable")
retcode = self.ch.getReturnCode()
if retcode != 0:
debug = "Failed to get value of core dumps configuration with sysctl command"
debug += self.ch.getErrorString()
self.logger.log(LogPriority.DEBUG, debug)
success = False
else:
output = self.ch.getOutputString()
if output.strip() != "fs.suid_dumpable = 1":
if not self.ch.executeCommand(
"/sbin/sysctl -w fs.suid_dumpable=1"):
debug = "Unable to set incorrect value for fs.suid_dumpable"
self.logger.log(LogPriority.DEBUG, debug)
success = False
elif not self.ch.executeCommand("/sbin/sysctl -q -e -p"):
debug = "Unable to set incorrect value for fs.suid_dumpable"
self.logger.log(LogPriority.DEBUG, debug)
success = False
return success
def setConditionsForLinux(self):
'''Method to configure mac non compliant for unit test
@author: dwalker
:returns: boolean
'''
success = True
self.ph = Pkghelper(self.logger, self.environ)
# check compliance of grub file(s) if files exist
if re.search("Red Hat", self.environ.getostype()) and \
re.search("^6", self.environ.getosver()):
self.grubperms = [0, 0, 0o600]
elif self.ph.manager is "apt-get":
self.grubperms = [0, 0, 0o400]
else:
self.grubperms = [0, 0, 0o644]
grubfiles = ["/boot/grub2/grub.cfg",
"/boot/grub/grub.cfg"
"/boot/grub/grub.conf"]
for grub in grubfiles:
if os.path.exists(grub):
if self.grubperms:
if checkPerms(grub, self.grubperms, self.logger):
if not setPerms(grub, [0, 0, 0o777], self.logger):
success = False
contents = readFile(grub, self.logger)
if contents:
for line in contents:
if re.search("^kernel", line.strip()) or re.search("^linux", line.strip()) \
or re.search("^linux16", line.strip()):
if re.search("\s+nousb\s*", line):
if not re.sub("nousb", "", line):
success = False
if re.search("\s+usbcore\.authorized_default=0\s*", line):
if not re.sub("usbcore\.authorized_default=0", "", line):
success = False
pcmcialist = ['pcmcia-cs', 'kernel-pcmcia-cs', 'pcmciautils']
# check for existence of certain usb packages, non-compliant
# if any exist
for item in pcmcialist:
if not self.ph.check(item):
self.ph.install(item)
removeables = []
found1 = True
blacklist = {"blacklist usb_storage": False,
"install usbcore /bin/true": False,
"install usb-storage /bin/true": False,
"blacklist uas": False,
"blacklist firewire-ohci": False,
"blacklist firewire-sbp2": False}
if os.path.exists("/etc/modprobe.d"):
dirs = glob.glob("/etc/modprobe.d/*")
for directory in dirs:
if os.path.isdir(directory):
continue
tempstring = ""
contents = readFile(directory, self.logger)
for line in contents:
if line.strip() in blacklist:
continue
else:
tempstring += line
if not writeFile(directory, tempstring, self.logger):
success = False
if os.path.exists("/etc/modprobe.conf"):
contents = readFile("/etc/modprobe.conf", self.logger)
tempstring = ""
for line in contents:
if line.strip() in blacklist:
continue
else:
tempstring += line
if not writeFile("/etc/modprobe.conf", tempstring, self.logger):
success = False
udevfile = "/etc/udev/rules.d/10-local.rules"
if os.path.exists(udevfile):
if checkPerms(udevfile, [0, 0, 0o644], self.logger):
if not setPerms(udevfile, [0 ,0, 0o777], self.logger):
success = False
contents = readFile(udevfile, self.logger)
tempstring = ""
for line in contents:
if re.search("ACTION\=\=\"add\"\, SUBSYSTEMS\=\=\"usb\"\, RUN\+\=\"/bin/sh \-c \'for host in /sys/bus/usb/devices/usb\*\; do echo 0 \> \$host/authorized\_default\; done\'\"",
line.strip()):
continue
else:
tempstring += line
if not writeFile(udevfile, tempstring, self.logger):
success = False
return success
def setConditionsForRule(self):
"""Configure system for the unit test
:param self: essential if you override this definition
:returns: boolean - If successful True; If failure False
@author: Derek Walker
"""
success = True
if self.ph.manager == "apt-get":
self.tftpfile = "/etc/default/tftpd-hpa"
tmpfile = self.tftpfile + ".tmp"
if os.path.exists(self.tftpfile):
contents = readFile(self.tftpfile, self.logger)
tempstring = ""
for line in contents:
"""Take TFTP_OPTIONS line out of file"""
if re.search("TFTP_OPTIONS", line.strip()):
continue
elif re.search("TFTP_DIRECTORY", line.strip()):
tempstring += 'TFTP_DIRECTORY="/var/lib/tftpbad"'
continue
else:
tempstring += line
if not writeFile(tmpfile, tempstring, self.logger):
success = False
else:
os.rename(tmpfile, self.tftpfile)
os.chown(self.tftpfile, 0, 0)
os.chmod(self.tftpfile, 400)
else:
#if server_args line found, remove to make non-compliant
self.tftpfile = "/etc/xinetd.d/tftp"
tftpoptions, contents2 = [], []
if os.path.exists(self.tftpfile):
i = 0
contents = readFile(self.tftpfile, self.logger)
if checkPerms(self.tftpfile, [0, 0, 420], self.logger):
setPerms(self.tftpfile, [0, 0, 400], self.logger)
try:
for line in contents:
if re.search("service tftp", line.strip()):
contents2 = contents[i + 1:]
else:
i += 1
except IndexError:
pass
if contents2:
if contents2[0].strip() == "{":
del (contents2[0])
if contents2:
i = 0
while i <= len(contents2) and contents2[i].strip(
) != "}" and contents2[i].strip() != "{":
tftpoptions.append(contents2[i])
i += 1
if tftpoptions:
for line in tftpoptions:
if re.search("server_args", line):
contents.remove(line)
return success
def setConditionsForLinux(self):
'''
Method to configure mac non compliant for unit test
@author: dwalker
@return: boolean
'''
success = True
self.ph = Pkghelper(self.logger, self.environ)
# check compliance of grub file(s) if files exist
if re.search("Red Hat", self.environ.getostype()) and \
re.search("^6", self.environ.getosver()):
self.grubperms = [0, 0, 0o600]
elif self.ph.manager is "apt-get":
self.grubperms = [0, 0, 0o400]
else:
self.grubperms = [0, 0, 0o644]
grubfiles = ["/boot/grub2/grub.cfg",
"/boot/grub/grub.cfg"
"/boot/grub/grub.conf"]
for grub in grubfiles:
if os.path.exists(grub):
if self.grubperms:
if checkPerms(grub, self.grubperms, self.logger):
if not setPerms(grub, [0, 0, 0o777], self.logger):
success = False
contents = readFile(grub, self.logger)
if contents:
for line in contents:
if re.search("^kernel", line.strip()) or re.search("^linux", line.strip()) \
or re.search("^linux16", line.strip()):
if re.search("\s+nousb\s*", line):
if not re.sub("nousb", "", line):
success = False
if re.search("\s+usbcore\.authorized_default=0\s*", line):
if not re.sub("usbcore\.authorized_default=0", "", line):
success = False
pcmcialist = ['pcmcia-cs', 'kernel-pcmcia-cs', 'pcmciautils']
# check for existence of certain usb packages, non-compliant
# if any exist
for item in pcmcialist:
if not self.ph.check(item):
self.ph.install(item)
removeables = []
found1 = True
blacklist = {"blacklist usb_storage": False,
"install usbcore /bin/true": False,
"install usb-storage /bin/true": False,
"blacklist uas": False,
"blacklist firewire-ohci": False,
"blacklist firewire-sbp2": False}
if os.path.exists("/etc/modprobe.d"):
dirs = glob.glob("/etc/modprobe.d/*")
for directory in dirs:
if os.path.isdir(directory):
continue
tempstring = ""
contents = readFile(directory, self.logger)
for line in contents:
if line.strip() in blacklist:
continue
else:
tempstring += line
if not writeFile(directory, tempstring, self.logger):
success = False
if os.path.exists("/etc/modprobe.conf"):
contents = readFile("/etc/modprobe.conf", self.logger)
tempstring = ""
for line in contents:
if line.strip() in blacklist:
continue
else:
tempstring += line
if not writeFile("/etc/modprobe.conf", tempstring, self.logger):
success = False
udevfile = "/etc/udev/rules.d/10-local.rules"
if os.path.exists(udevfile):
if checkPerms(udevfile, [0, 0, 0o644], self.logger):
if not setPerms(udevfile, [0 ,0, 0o777], self.logger):
success = False
contents = readFile(udevfile, self.logger)
tempstring = ""
for line in contents:
if re.search("ACTION\=\=\"add\"\, SUBSYSTEMS\=\=\"usb\"\, RUN\+\=\"/bin/sh \-c \'for host in /sys/bus/usb/devices/usb\*\; do echo 0 \> \$host/authorized\_default\; done\'\"",
line.strip()):
continue
else:
tempstring += line
if not writeFile(udevfile, tempstring, self.logger):
success = False
return success
def setkde(self):
'''Method to setup kde desktop to not be compliant
@author: dwalker
@return: bool
'''
self.kdeprops = {"ScreenSaver": {"Enabled": "true",
"Lock": "true",
"LockGrace": "60000",
"Timeout": "840"}}
self.kderuin = []
debug = "Inside setkde method"
success = True
bindir = glob("/usr/bin/kde*")
kdefound = False
for kdefile in bindir:
if re.search("^/usr/bin/kde\d$", str(kdefile)):
kdefound = True
if kdefound and self.environ.geteuid() == 0:
contents = readFile("/etc/passwd", self.logger)
if not contents:
debug += "You have some serious issues, /etc/passwd is blank\n"
self.logger.log(LogPriority.ERROR, debug)
return False
for line in contents:
temp = line.split(":")
try:
if int(temp[2]) >= 500:
if temp[5] and re.search('/', temp[5]):
homebase = temp[5]
if not re.search("^/home/", homebase):
continue
kfile = homebase + "/.kde/share/config/kscreensaverrc"
if os.path.exists(kfile):
uid = getpwnam(temp[0])[2]
gid = getpwnam(temp[0])[3]
if checkPerms(kfile, [uid, gid, 0o600],
self.logger):
if not setPerms(kfile, [0, 0, 0o644],
self.logger):
success = False
debug += "Unable to set incorrect perms " + \
"on " + kfile + " for testing\n"
if not self.wreckFile(kfile):
debug += "Was not able to mess " + \
"up file for testing\n"
success = False
else:
debug += "placeholder 6 in /etc/passwd is not a \
directory, invalid form of /etc/passwd"
self.logger.log(LogPriority.ERROR, debug)
return False
except IndexError:
success = False
debug += traceback.format_exc() + "\n"
debug += "Index out of range\n"
self.logger.log(LogPriority.ERROR, debug)
break
except Exception:
break
elif kdefound:
who = "/usr/bin/whoami"
message = Popen(who, stdout=PIPE, shell=False)
info = message.stdout.read().strip()
contents = readFile('/etc/passwd', self.logger)
if not contents:
debug += "You have some serious issues, /etc/passwd is blank\n"
self.logger.log(LogPriority.ERROR, debug)
return False
compliant = True
for line in contents:
temp = line.split(':')
try:
if temp[0] == info:
if temp[5] and re.search('/', temp[5]):
homebase = temp[5]
if not re.search("^/home/", homebase):
continue
kfile = homebase + "/.kde/share/config/kscreensaverrc"
if os.path.exists(kfile):
uid = getpwnam(temp[0])[2]
gid = getpwnam(temp[0])[3]
if checkPerms(kfile, [uid, gid, 0o600],
self.logger):
if not setPerms(kfile, [0, 0, 0o644],
self.logger):
success = False
debug += "Unable to set incorrect perms " + \
"on " + kfile + " for testing\n"
if not self.wreckFile(kfile):
debug += "Was not able to mess " + \
"up file for testing\n"
success = False
else:
debug += "placeholder 6 in /etc/passwd is not a \
directory, invalid form of /etc/passwd"
self.logger.log(LogPriority.ERROR, debug)
return False
break
except IndexError:
success = False
debug += traceback.format_exc() + "\n"
debug += "Index out of range\n"
self.logger.log(LogPriority.ERROR, debug)
self.detailedresults += "Unexpected formatting in " + \
"/etc/passwd"
break
except Exception:
debug += traceback.format_exc() + "\n"
self.logger.log(LogPriority.ERROR, debug)
break
return success
def setkde(self):
'''Method to setup kde desktop to not be compliant
@author: dwalker
:returns: bool
'''
self.kdeprops = {"ScreenSaver": {"Enabled": "true",
"Lock": "true",
"LockGrace": "60000",
"Timeout": "840"}}
self.kderuin = []
debug = "Inside setkde method"
success = True
bindir = glob("/usr/bin/kde*")
kdefound = False
for kdefile in bindir:
if re.search("^/usr/bin/kde\d$", str(kdefile)):
kdefound = True
if kdefound and self.environ.geteuid() == 0:
contents = readFile("/etc/passwd", self.logger)
if not contents:
debug += "You have some serious issues, /etc/passwd is blank\n"
self.logger.log(LogPriority.ERROR, debug)
return False
for line in contents:
temp = line.split(":")
try:
if int(temp[2]) >= 500:
if temp[5] and re.search('/', temp[5]):
homebase = temp[5]
if not re.search("^/home/", homebase):
continue
kfile = homebase + "/.kde/share/config/kscreensaverrc"
if os.path.exists(kfile):
uid = getpwnam(temp[0])[2]
gid = getpwnam(temp[0])[3]
if checkPerms(kfile, [uid, gid, 0o600],
self.logger):
if not setPerms(kfile, [0, 0, 0o644],
self.logger):
success = False
debug += "Unable to set incorrect perms " + \
"on " + kfile + " for testing\n"
if not self.wreckFile(kfile):
debug += "Was not able to mess " + \
"up file for testing\n"
success = False
else:
debug += "placeholder 6 in /etc/passwd is not a \
directory, invalid form of /etc/passwd"
self.logger.log(LogPriority.ERROR, debug)
return False
except IndexError:
success = False
debug += traceback.format_exc() + "\n"
debug += "Index out of range\n"
self.logger.log(LogPriority.ERROR, debug)
break
except Exception:
break
elif kdefound:
who = "/usr/bin/whoami"
message = Popen(who, stdout=PIPE, shell=False)
info = message.stdout.read().strip()
contents = readFile('/etc/passwd', self.logger)
if not contents:
debug += "You have some serious issues, /etc/passwd is blank\n"
self.logger.log(LogPriority.ERROR, debug)
return False
compliant = True
for line in contents:
temp = line.split(':')
try:
if temp[0] == info:
if temp[5] and re.search('/', temp[5]):
homebase = temp[5]
if not re.search("^/home/", homebase):
continue
kfile = homebase + "/.kde/share/config/kscreensaverrc"
if os.path.exists(kfile):
uid = getpwnam(temp[0])[2]
gid = getpwnam(temp[0])[3]
if checkPerms(kfile, [uid, gid, 0o600],
self.logger):
if not setPerms(kfile, [0, 0, 0o644],
self.logger):
success = False
debug += "Unable to set incorrect perms " + \
"on " + kfile + " for testing\n"
if not self.wreckFile(kfile):
debug += "Was not able to mess " + \
"up file for testing\n"
success = False
else:
debug += "placeholder 6 in /etc/passwd is not a \
directory, invalid form of /etc/passwd"
self.logger.log(LogPriority.ERROR, debug)
return False
break
except IndexError:
success = False
debug += traceback.format_exc() + "\n"
debug += "Index out of range\n"
self.logger.log(LogPriority.ERROR, debug)
self.detailedresults += "Unexpected formatting in " + \
"/etc/passwd"
break
except Exception:
debug += traceback.format_exc() + "\n"
self.logger.log(LogPriority.ERROR, debug)
break
return success
