def reportSSHFile(self, sshfile, directives): """ Report configuration options of config files :param: sshfile - filepath string :param: directives - dictionary of desired directives :return: compliant :rtype: bool """ compliant = True debug = "" directives = dict(directives) tpath = sshfile + ".tmp" if os.path.exists(sshfile): if re.search("Ubuntu", self.environ.getostype()): if sshfile == "/etc/ssh/sshd_config": del (directives["GSSAPIAuthentication"]) del (directives["KerberosAuthentication"]) elif sshfile == "/etc/ssh/ssh_config": del (directives["GSSAPIAuthentication"]) elif self.environ.getostype() == "Mac OS X" and self.mac_piv_auth_CI.getcurrvalue(): if sshfile == "/private/etc/ssh/sshd_config": directives["PasswordAuthentication"] = "no" self.server = directives editor = KVEditorStonix(self.statechglogger, self.logger, "conf", sshfile, tpath, directives, "present", "space") if not editor.report(): self.detailedresults += "Did not find the correct " + \ "contents in sshd_config\n" compliant = False # for ubuntu systems we want to make sure the following two # directives don't exist in the server file if re.search("Ubuntu", self.environ.getostype()): if sshfile == "/etc/ssh/sshd_config": directives = {"GSSAPIAuthentication": "", "KerberosAuthentication": ""} elif sshfile == "/etc/ssh/ssh_config": directives = {"GSSAPIAuthentication": ""} editor.setIntent("notpresent") editor.setData(directives) if not editor.report(): self.detailedresults += "didn't find the correct" + \ " contents in sshd_config\n" self.logger.log(LogPriority.DEBUG, debug) compliant = False if not checkPerms(sshfile, [0, 0, 0o644], self.logger): self.detailedresults += "Incorrect permissions for " + \ "file " + self.serverfile + "\n" compliant = False else: self.detailedresults += sshfile + " does not exist\n" compliant = False return compliant
def fixSSHFile(self, sshfile, directives): """ apply configuration options to config files :param: sshfile - filepath string :param: directives - dictionary of desired directives :return: compliant :rtype: bool """ success = True debug = "" directives = dict(directives) tpath = sshfile + ".tmp" created = False if not os.path.exists(sshfile): createFile(sshfile, self.logger) created = True self.iditerator += 1 myid = iterate(self.iditerator, self.rulenumber) event = {"eventtype": "creation", "filepath": sshfile} self.statechglogger.recordchgevent(myid, event) if os.path.exists(sshfile): if re.search("Ubuntu", self.environ.getostype()): if sshfile == "/etc/ssh/sshd_config": del (directives["GSSAPIAuthentication"]) del (directives["KerberosAuthentication"]) elif sshfile == "/etc/ssh/ssh_config": del (directives["GSSAPIAuthentication"]) elif self.environ.getostype() == "Mac OS X" and self.mac_piv_auth_CI.getcurrvalue(): if sshfile == "/private/etc/ssh/sshd_config": directives["ChallengeResponseAuthentication"] = "no" directives["PasswordAuthentication"] = "no" editor = KVEditorStonix(self.statechglogger, self.logger, "conf", sshfile, tpath, directives, "present", "space") editor.report() if re.search("Ubuntu", self.environ.getostype()): if sshfile == "/etc/ssh/sshd_config": directives = {"GSSAPIAuthentication": "", "KerberosAuthentication": ""} elif sshfile == "/etc/ssh/ssh_config": directives = {"GSSAPIAuthentication": ""} editor.setIntent("notpresent") editor.setData(directives) editor.report() if not checkPerms(sshfile, [0, 0, 0o644], self.logger): if not created: self.iditerator += 1 myid = iterate(self.iditerator, self.rulenumber) if not setPerms(sshfile, [0, 0, 0o644], self.logger, self.statechglogger, myid): success = False else: if not setPerms(sshfile, [0, 0, 0o644], self.logger): success = False if editor.fixables or editor.removeables: if not created: self.iditerator += 1 myid = iterate(self.iditerator, self.rulenumber) editor.setEventID(myid) if editor.fix(): if editor.commit(): os.chown(sshfile, 0, 0) os.chmod(sshfile, 0o644) resetsecon(sshfile) else: self.detailedresults += "Unable to correct contents " + \ "in " + sshfile + "\n" debug = "kveditor1 commit did not run successfully" self.logger.log(LogPriority.DEBUG, debug) success = False else: self.detailedresults += "Unable to correct contents " + \ "in " + sshfile + "\n" debug = "kveditor1 fix did not run successfully" self.logger.log(LogPriority.DEBUG, debug) success = False return success
class SecureCUPS(Rule): '''With this rule, you can: Disable the CUPS service Configure CUPS service Disable Printer Browsing Limit Printer Browsing Disable Print Server Capabilities Set the Default Auth Type Setup default set of policy blocks for CUPS ''' def __init__(self, config, environ, logger, statechglogger): ''' Constructor ''' Rule.__init__(self, config, environ, logger, statechglogger) self.config = config self.environ = environ self.logger = logger self.statechglogger = statechglogger self.rulenumber = 128 self.rulename = 'SecureCUPS' self.rulesuccess = True self.formatDetailedResults("initialize") self.mandatory = True self.sethelptext() self.rootrequired = True self.guidance = ['CCE 4420-6', 'CCE 4407-3'] self.applicable = { 'type': 'white', 'os': { 'Mac OS X': ['10.15', 'r', '10.15.10'] }, 'family': ['linux'] } # init CIs datatype1 = 'bool' key1 = 'SECURECUPS' instructions1 = 'To prevent to STONIX from securing the CUPS service, set the value of ' + \ 'SecureCUPS to False.' default1 = True self.SecureCUPS = self.initCi(datatype1, key1, instructions1, default1) datatype2 = 'bool' key2 = 'DISABLECUPS' instructions2 = 'To have STONIX completely disable the CUPS service on this system, set ' + \ 'the value of DisableCUPS to True.' default2 = False self.DisableCUPS = self.initCi(datatype2, key2, instructions2, default2) datatype3 = 'bool' key3 = 'DISABLEPRINTBROWSING' instructions3 = 'If this machine is to be used as a print server and you wish to enable automatic client discovery of ' \ 'its shared printers/print resources, then set the value of DISABLEPRINTBROWSING TO False' default3 = True self.DisablePrintBrowsing = self.initCi(datatype3, key3, instructions3, default3) datatype4 = 'string' key4 = 'PRINTBROWSESUBNET' instructions4 = 'If this machine is to be used as a print server and you wish to enable automatic client discovery of ' \ 'its shared printers/print resources, you may wish to limit that discovery to clients only on a certain subnet. ' \ 'Please customize the value of PRINTBROWSESUBNET to match your networks requirements. Ex: 192.168.0.0/16' default4 = '' self.PrintBrowseSubnet = self.initCi(datatype4, key4, instructions4, default4) datatype5 = 'bool' key5 = 'DISABLEGENERICPORT' instructions5 = 'To prevent remote users from potentially connecting ' + \ 'to and using locally configured printers by disabling the CUPS print ' + \ 'server sharing capabilities, set the value of DisableGenericPort to ' + \ 'True.' default5 = False self.DisableGenericPort = self.initCi(datatype5, key5, instructions5, default5) datatype6 = 'bool' key6 = 'SETDEFAULTAUTHTYPE' instructions6 = 'To prevent the defaultauthtype for cups from being ' + \ 'set to Digest, set the value of SetDefaultAuthType to False.' default6 = True self.SetDefaultAuthType = self.initCi(datatype6, key6, instructions6, default6) datatype7 = 'bool' key7 = 'SETUPDEFAULTPOLICYBLOCKS' instructions7 = "To prevent default policy blocks for cups from " + \ "being defined in the cups config file, set the value of " + \ "SetupDefaultPolicyBlocks to False. Note that if you choose to setup " + \ "the default set of policy blocks you can (and probably should) edit " + \ "them in the cups config file afterward to customize these policies to " + \ "your site's particular needs." default7 = False self.SetupDefaultPolicyBlocks = self.initCi(datatype7, key7, instructions7, default7) self.localize() def localize(self): '''set various settings and variables and objects based on which OS is currently running :returns: void @author: Breen Malmberg ''' self.linux = False self.darwin = False if self.environ.getosfamily() == 'darwin': self.darwin = True if self.environ.getosfamily() == 'linux': self.linux = True self.initObjs() self.setVars() def initObjs(self): '''initialize all required class objects :returns: void @author: Breen Malmberg ''' if self.linux: self.ph = Pkghelper(self.logger, self.environ) if self.darwin: pass self.sh = ServiceHelper(self.environ, self.logger) self.serviceTarget = "" self.ch = CommandHelper(self.logger) def setVars(self): '''set all class variables depending on which OS is currently running :returns: void @author: Breen Malmberg @change: Breen Malmberg - 2/8/2017 - fixed a typo with the var name of the dict for cupsd conf options; ''' try: # linux config if self.linux: self.configfileperms = '0640' errorlog = "/var/log/cups/error_log" logfileperms = '0644' self.pkgname = "cups" self.svcname = "cups" accesslog = "/var/log/cups/access_log" self.cupsfilesopts = {} self.cupsfilesconf = "" self.cupsdconf = "" self.cupsdconfremopts = {} # darwin config if self.darwin: accesslog = "/private/var/log/cups/access_log" # a value of 'strict' causes issues connecting to printers on some mac systems self.configfileperms = '0644' logfileperms = '0644' errorlog = "/private/var/log/cups/error_log" self.svclongname = "/System/Library/LaunchDaemons/org.cups.cupsd.plist" self.svcname = "org.cups.cupsd" # common config cupsdconflocs = [ '/etc/cups/cupsd.conf', '/private/etc/cups/cupsd.conf' ] for loc in cupsdconflocs: if os.path.exists(loc): self.cupsdconf = loc self.tmpcupsdconf = self.cupsdconf + ".stonixtmp" cupsfileslocs = [ '/etc/cups/cups-files.conf', '/private/etc/cups/cups-files.conf' ] for loc in cupsfileslocs: if os.path.exists(loc): self.cupsfilesconf = loc self.tmpcupsfilesconf = self.cupsfilesconf + ".stonixtmp" # options for cups-files.conf self.cupsfilesopts["ConfigFilePerm"] = self.configfileperms self.cupsfilesopts["ErrorLog"] = errorlog self.cupsfilesopts["LogFilePerm"] = logfileperms # cupsd conf default configuration options loglevel = "warn" self.cupsdconfopts = {"LogLevel": loglevel} self.cupsdconfopts["AccessLog"] = accesslog self.cupsdconfopts["AccessLogLevel"] = "config" # cupsd conf remove these options if self.DisableGenericPort.getcurrvalue(): self.cupsdconfremopts = {"Port": "631"} # this line added to prevent kvaconf trying to load files # it can't access during __init__, if the program is being # run in user mode if self.environ.geteuid() == 0: ## create kveditor objects if os.path.exists(self.cupsfilesconf): kvtype1 = "conf" path1 = self.cupsfilesconf tmpPath1 = path1 + ".stonixtmp" data1 = self.cupsfilesopts intent1 = "present" configType1 = "space" self.KVcupsfiles = KVEditorStonix(self.statechglogger, self.logger, kvtype1, path1, tmpPath1, data1, intent1, configType1) if os.path.exists(self.cupsdconf): kvtype2 = "conf" path2 = self.cupsdconf tmpPath2 = path2 + ".stonixtmp" data2 = self.cupsdconfopts intent2 = "present" configType2 = "space" self.KVcupsd = KVEditorStonix(self.statechglogger, self.logger, kvtype2, path2, tmpPath2, data2, intent2, configType2) # policy blocks self.serveraccess = """# Restrict access to the server... <Location /> Encryption Required Order allow,deny </Location>""" self.adminpagesaccess = """# Restrict access to the admin pages... <Location /admin> Encryption Required Order allow,deny </Location>""" self.configfilesaccess = """# Restrict access to configuration files... <Location /admin/conf> AuthType Default Encryption IfRequested Require user @SYSTEM Order allow,deny </Location>""" self.logfileaccess = """# Restrict access to log files... <Location /admin/log> AuthType Default Encryption IfRequested Require user @SYSTEM Order allow,deny </Location>""" self.defaultprinterpolicies = """# Set the default printer/job policies... <Policy default> # Job-related operations must be done by the owner or an administrator... <Limit Send-Document Send-URI Hold-Job Release-Job Restart-Job Purge-Jobs Set-Job-Attributes Create-Job-Subscription Renew-Subscription Cancel-Subscription Get-Notifications Reprocess-Job Cancel-Current-Job Suspend-Current-Job Resume-Job CUPS-Move-Job> Require user @OWNER @SYSTEM Order deny,allow </Limit> # All administration operations require an administrator to authenticate... <Limit CUPS-Add-Modify-Printer CUPS-Delete-Printer CUPS-Add-Modify-Class CUPS-Delete-Class CUPS-Set-Default> AuthType Default Require user @SYSTEM Order deny,allow </Limit> # All printer operations require a printer operator to authenticate... <Limit Pause-Printer Resume-Printer Enable-Printer Disable-Printer Pause-Printer-After-Current-Job Hold-New-Jobs Release-Held-New-Jobs Deactivate-Printer Activate-Printer Restart-Printer Shutdown-Printer Startup-Printer Promote-Job Schedule-Job-After CUPS-Accept-Jobs CUPS-Reject-Jobs> AuthType Default Require user @SYSTEM Order deny,allow </Limit> # Only the owner or an administrator can cancel or authenticate a job... <Limit Cancel-Job CUPS-Authenticate-Job> Require user @OWNER @SYSTEM Order deny,allow </Limit> <Limit All> Order deny,allow </Limit> </Policy>""" except Exception: raise def sanityCheck(self): '''perform sanity check on the cups configuration files :returns: sane :rtype: bool @author: Breen Malmberg ''' sane = True sanitycheck = "/usr/sbin/cupsd -t" try: self.ch.executeCommand(sanitycheck) retcode = self.ch.getReturnCode() output = self.ch.getOutput() if retcode != 0: sane = False self.detailedresults += "\nError while running command: " + str( sanitycheck) for line in output: if re.search("Bad|Missing|Incorrect|Error|Wrong", line, re.IGNORECASE): sane = False self.detailedresults += "\n" + line except Exception: raise return sane def updateOpts(self): '''update the kveditor values for the different CIs based on their current user-specified values :returns: void @author: Breen Malmberg @change: Breen Malmberg - 2/8/2017 - KVcupsdrem will now only be processed if self.DisableGenericPort CI is True ''' try: if self.DisableCUPS.getcurrvalue(): self.PrintBrowseSubnet.updatecurrvalue(False) if self.DisablePrintBrowsing.getcurrvalue(): self.cupsdconfopts["Browsing"] = "Off" self.cupsdconfopts["BrowseAllow"] = "none" self.cupsdconfopts["BrowseWebIF"] = "No" if self.PrintBrowseSubnet.getcurrvalue(): self.cupsdconfopts["Browsing"] = "On" self.cupsdconfopts["BrowseOrder"] = "allow,deny" self.cupsdconfopts["BrowseDeny"] = "all" self.cupsdconfopts[ "BrowseAllow"] = self.PrintBrowseSubnet.getcurrvalue() if self.DisableGenericPort.getcurrvalue(): self.cupsdconfremopts["Port"] = "631" if self.SetDefaultAuthType.getcurrvalue(): self.cupsdconfopts["DefaultAuthType"] = "Negotiate" # don't try to create, or update, the kv object, # if the file it's based on doesn't exist. # this would cause tracebacks in kveditor if os.path.exists(self.cupsfilesconf): kvtype1 = "conf" path1 = self.cupsfilesconf tmpPath1 = path1 + ".stonixtmp" data1 = self.cupsfilesopts intent1 = "present" configType1 = "space" self.KVcupsfiles = KVEditorStonix(self.statechglogger, self.logger, kvtype1, path1, tmpPath1, data1, intent1, configType1) else: self.logger.log( LogPriority.DEBUG, "Location of required configuration file cups-files.conf could not be determined" ) if os.path.exists(self.cupsdconf): kvtype2 = "conf" path2 = self.cupsdconf tmpPath2 = path2 + ".stonixtmp" data2 = self.cupsdconfopts intent2 = "present" configType2 = "space" self.KVcupsd = KVEditorStonix(self.statechglogger, self.logger, kvtype2, path2, tmpPath2, data2, intent2, configType2) else: self.logger.log( LogPriority.DEBUG, "Location of required configuration file cupsd.conf could not be determined" ) except Exception: raise def report(self): '''run report methods/actions appropriate for the current OS and return compliancy status :returns: self.compliant :rtype: bool @author: Breen Malmberg ''' self.logger.log(LogPriority.DEBUG, "\n\nREPORT()\n\n") # DEFAULTS self.detailedresults = "" self.compliant = True badopts = [ "^HostNameLookups\s+Double", "^Sandboxing\s+strict", "^FatalErrors\s+config" ] badoptsfiles = [self.cupsdconf, self.cupsfilesconf] try: # check for bad config options in files for f in badoptsfiles: if os.path.exists(f): fh = open(f, 'r') contentlines = fh.readlines() fh.close() for line in contentlines: for opt in badopts: if re.search(opt, line, re.IGNORECASE): self.compliant = False # if these opts exist, then we don't want to do anything else ## except just remove them if not self.compliant: self.logger.log( LogPriority.DEBUG, "Bad configuration options found in cups config files. Will now remove them." ) self.formatDetailedResults('report', self.compliant, self.detailedresults) return self.compliant if self.linux: if not self.ph.check(self.pkgname): self.detailedresults += "\nCUPS not installed on this system. Nothing to secure." self.formatDetailedResults('report', self.compliant, self.detailedresults) return self.compliant # update kv objects with any new # user-specified information self.updateOpts() if self.SecureCUPS.getcurrvalue(): # is cups secured? if not self.reportSecure(): self.compliant = False # make sure config syntax is correct if not self.sanityCheck(): self.compliant = False if self.DisableCUPS.getcurrvalue(): # is cups disabled? if not self.reportDisabled(): self.compliant = False except (KeyboardInterrupt, SystemExit): raise except Exception: self.rulesuccess = False self.detailedresults += traceback.format_exc() self.logger.log(LogPriority.ERROR, self.detailedresults) self.formatDetailedResults('report', self.compliant, self.detailedresults) return self.compliant def reportDisabled(self): '''return True if cups is disabled return False if cups is enabled :returns: retval :rtype: bool @author: Breen Malmberg ''' retval = True try: if self.linux: if self.sh.auditService(self.svcname, serviceTarget=self.serviceTarget): retval = False self.detailedresults += "\nThe " + str( self.svcname) + " service is still configured to run" elif self.darwin: if self.sh.auditService(self.svclongname, serviceTarget=self.svcname): retval = False self.detailedresults += "\nThe " + str( self.svcname) + " service is still configured to run" except Exception: raise return retval def checkPolicyBlocks(self): '''report on whether default policy blocks are currently set up in cups configuration. Note that if these already exist, we do not want to overwrite them as the local admin may have them customised to their specific environment. :returns: retval :rtype: bool @author: Breen Malmberg ''' self.logger.log(LogPriority.DEBUG, "\n\nCHECKPOLICYBLOCKS()\n\n") retval = True rootfound = False adminfound = False adminconffound = False defpolicyfound = False try: if os.path.exists(self.cupsdconf): self.logger.log( LogPriority.DEBUG, "\n\nCUPSD CONF EXISTS. OPENING FILE AND READING CONTENTS...\n\n" ) f = open(self.cupsdconf, 'r') contentlines = f.readlines() f.close() self.logger.log( LogPriority.DEBUG, "\n\nCONTENTS READ. CHECKING FOR POLICY BLOCKS...\n\n") for line in contentlines: if re.search('\<Location \/\>', line, re.IGNORECASE): rootfound = True if re.search('\<Location \/admin\>', line, re.IGNORECASE): adminfound = True if re.search('\<Location \/admin\/conf\>', line, re.IGNORECASE): adminconffound = True if re.search('\<Policy default\>', line, re.IGNORECASE): defpolicyfound = True else: self.logger.log( LogPriority.DEBUG, "\n\ncupsd.conf file does not exist. Nothing to check...\n\n" ) return retval if not rootfound: retval = False self.detailedresults += "\nCUPS Root location policy not defined" if not adminfound: retval = False self.detailedresults += "\nCUPS admin location policy not defined" if not adminconffound: retval = False self.detailedresults += "\nCUPS admin/conf location policy not defined" if not defpolicyfound: retval = False self.detailedresults += "\nCUPS Default Policy block not defined" if retval: self.logger.log(LogPriority.DEBUG, "\n\nALL POLICY BLOCKS OK\n\n") except Exception: raise return retval def reportSecure(self): '''run report actions common to all platforms :returns: retval :rtype: bool @author: Breen Malmberg @change: Breen Malmberg - 2/8/2017 - KVcupsdrem will now only be run if self.DisableGenericPort CI is True ''' self.logger.log(LogPriority.DEBUG, "\n\nREPORTSECURE()\n\n") retval = True try: if self.SecureCUPS.getcurrvalue(): if os.path.exists(self.cupsdconf): # Report on cupsd.conf change/add options self.KVcupsd.setData(self.cupsdconfopts) self.KVcupsd.setIntent("present") self.KVcupsd.report() # Report on cupsd.conf remove options self.KVcupsd.setData(self.cupsdconfremopts) self.KVcupsd.setIntent("notpresent") self.KVcupsd.report() if self.KVcupsd.fixables: retval = False self.detailedresults += "\nThe following configuration options, in " + str( self.cupsdconf) + ", are incorrect:\n" + "\n".join( self.KVcupsd.fixables) if not self.checkPolicyBlocks(): retval = False else: pass if os.path.exists(self.cupsfilesconf): self.KVcupsfiles.report() if self.KVcupsfiles.fixables: retval = False self.detailedresults += "\nThe following configuration options, in " + str( self.cupsfilesconf ) + ", are incorrect:\n" + "\n".join( self.KVcupsfiles.fixables) else: pass else: self.detailedresults += "\nNeither SecureCUPS nor DisableCUPS CI's was enabled. Nothing was done." except Exception: raise return retval def fix(self): '''run fix methods/actions appropriate for the current OS and return success status of fix :returns: success :rtype: bool @author: Breen Malmberg ''' # DEFAULTS self.detailedresults = "" success = True self.iditerator = 0 badopts = [ "^HostNameLookups\s+Double", "^Sandboxing\s+strict", "^FatalErrors\s+config" ] badoptsfiles = [self.cupsdconf, self.cupsfilesconf] foundbadopts = False try: # fix bad opts; do not record state change, ## so that a possible revert, afterward, will ## not revert back to the bad state ## this code is a one-off for a hotfix and ## should probably be discontinued in some future ## release at some point for f in badoptsfiles: contentlines = [] if os.path.exists(f): fh = open(f, 'r') contentlines = fh.readlines() fh.close() for line in contentlines: for opt in badopts: if re.search(opt, line, re.IGNORECASE): foundbadopts = True contentlines = [ c.replace(line, '\n') for c in contentlines ] # finished building new contentlines; now write them for each file fn = open(f, 'w') fn.writelines(contentlines) fn.close() os.chmod(f, 0o644) if foundbadopts: # do not continue with rest of fix because that would save state for this fix run self.logger.log( LogPriority.DEBUG, "Reloading cups service to read configuration changes...") if self.darwin: self.sh.reloadService(self.svclongname, serviceTarget=self.svcname) else: self.sh.reloadService(self.svcname, serviceTarget=self.serviceTarget) self.logger.log( LogPriority.DEBUG, "Removed bad configuration options from cups config files. Exiting..." ) self.formatDetailedResults('fix', success, self.detailedresults) return success # Are any of the CIs enabled? # If not, then exit, returning True if not self.SecureCUPS.getcurrvalue() and \ not self.DisableCUPS.getcurrvalue(): self.detailedresults += "\nNo CI was enabled, so nothing was done." self.logger.log( LogPriority.DEBUG, "SecureCUPS rule was run, but neither SecureCUPS, nor DisableCUPS CI's were enabled so nothing was done!" ) self.formatDetailedResults('fix', success, self.detailedresults) return success if self.linux and not self.ph.check("cups"): self.detailedresults += "\nCUPS is not installed. Nothing to do." self.formatDetailedResults('fix', success, self.detailedresults) return success if self.SecureCUPS.getcurrvalue(): if not self.fixSecure(): success = False if self.DisableCUPS.getcurrvalue(): if not self.disableCUPS(): success = False except (KeyboardInterrupt, SystemExit): raise except Exception: self.rulesuccess = False self.detailedresults += traceback.format_exc() self.logger.log(LogPriority.ERROR, self.detailedresults) self.formatDetailedResults('fix', success, self.detailedresults) return success def fixSecure(self): '''run fix actions common to all platforms :returns: retval :rtype: bool @author: Breen Malmberg @change: Breen Malmberg - 2/8/2017 - added inline comments; changed the way KVCupsdrem was being handled (will not be run if there are no options to remove; aka if self.DisableGenericPort CI is False) ''' retval = True pdefaultfound = False serveraccessfound = False adminaccessfound = False configaccessfound = False logfileaccessfound = False try: if os.path.exists(self.cupsdconf): # Fix cupsd.conf add/change/remove options self.iditerator += 1 myid = iterate(self.iditerator, self.rulenumber) self.KVcupsd.setEventID(myid) if self.KVcupsd.fix(): if not self.KVcupsd.commit(): self.detailedresults += "\nCommit failed for cupsd.conf" self.logger.log(LogPriority.DEBUG, "Commit failed for KVcupsd") retval = False # cups-files conf add/change options if os.path.exists(self.cupsfilesconf): self.iditerator += 1 myid = iterate(self.iditerator, self.rulenumber) self.KVcupsfiles.setEventID(myid) if self.KVcupsfiles.fix(): if not self.KVcupsfiles.commit(): self.detailedresults += "\nCommit failed for cups-files.conf" self.logger.log(LogPriority.DEBUG, "Commit failed for KVcupsfiles") retval = False # cupsdconf default policy blocks # this portion cannot be handled by kveditor because of its # xml style formatting if os.path.exists(self.cupsdconf): if self.SetupDefaultPolicyBlocks.getcurrvalue(): f = open(self.cupsdconf, 'r') contentlines = f.readlines() f.close() for line in contentlines: if re.search("\<Location \/\>", line, re.IGNORECASE): serveraccessfound = True for line in contentlines: if re.search("\<Location \/admin\>", line, re.IGNORECASE): adminaccessfound = True for line in contentlines: if re.search("\<Location \/admin\/conf\>", line, re.IGNORECASE): configaccessfound = True for line in contentlines: if re.search("\<Location \/admin\/log\>", line, re.IGNORECASE): logfileaccessfound = True for line in contentlines: if re.search("\<Policy default\>", line, re.IGNORECASE): pdefaultfound = True if not serveraccessfound: contentlines.append("\n" + self.serveraccess + "\n") self.logger.log( LogPriority.DEBUG, "\n\nroot access policy block not found. adding it...\n\n" ) if not adminaccessfound: contentlines.append("\n" + self.adminpagesaccess + "\n") self.logger.log( LogPriority.DEBUG, "\n\nadmin access policy block not found. adding it...\n\n" ) if not configaccessfound: contentlines.append("\n" + self.configfilesaccess + "\n") self.logger.log( LogPriority.DEBUG, "\n\nconfig access policy block not found. adding it...\n\n" ) if not logfileaccessfound: contentlines.append("\n" + self.logfileaccess + "\n") self.logger.log( LogPriority.DEBUG, "\n\nlog file access policy block not found. adding it...\n\n" ) if not pdefaultfound: contentlines.append("\n" + self.defaultprinterpolicies + "\n") self.logger.log( LogPriority.DEBUG, "\n\ndefault policy block not found. adding it...\n\n" ) tf = open(self.tmpcupsdconf, 'w') tf.writelines(contentlines) tf.close() self.iditerator += 1 myid = iterate(self.iditerator, self.rulenumber) event = {"eventtype": "conf", "filename": self.cupsdconf} self.statechglogger.recordfilechange( self.cupsdconf, self.tmpcupsdconf, myid) self.statechglogger.recordchgevent(myid, event) self.logger.log( LogPriority.DEBUG, "\n\nwriting changes to " + str(self.cupsdconf) + " file...\n\n") os.rename(self.tmpcupsdconf, self.cupsdconf) self.logger.log( LogPriority.DEBUG, "\n\nsetting permissions and ownership for " + str(self.cupsdconf) + " file...\n\n") os.chown(self.cupsdconf, 0, 0) if self.linux: os.chmod(self.cupsdconf, 0o640) elif self.darwin: os.chmod(self.cupsdconf, 0o644) if not self.reloadCUPS(): retval = False except Exception: raise return retval def reloadCUPS(self): '''reload the cups service to read the new configurations :returns: retval :rtype: bool @author: Breen Malmberg ''' retval = True try: # do not attempt to reload the service # if the rule is set to disable it if self.DisableCUPS.getcurrvalue(): return retval if self.linux: if not self.sh.reloadService(self.svcname, serviceTarget=self.serviceTarget): retval = False self.detailedresults += "|nThere was a problem reloading the " + str( self.svcname) + " service" elif self.darwin: if not self.sh.reloadService(self.svclongname, serviceTarget=self.svcname): retval = False self.detailedresults += "|nThere was a problem reloading the " + str( self.svcname) + " service" except Exception: raise return retval def disableCUPS(self): '''disable the cups service :returns: retval :rtype: bool @author: Breen Malmberg ''' retval = True try: if self.linux: if not self.sh.disableService( self.svcname, serviceTarget=self.serviceTarget): retval = False self.detailedresults += "\nThere was a problem disabling the " + str( self.svcname) + " service" elif self.darwin: if not self.sh.disableService(self.svclongname, serviceTarget=self.svcname): retval = False self.detailedresults += "\nThere was a problem disabling the " + str( self.svcname) + " service" except Exception: raise return retval