def eval_rules(self, ksdata, storage, report_only=False): """:see: RuleHandler.eval_rules""" if self._minlen == 0: # no password restrictions, nothing to be done here return [] if not ksdata.rootpw.password and self._removed_password is None: # root password was not set # password length enforcement is not suported in the Anaconda yet msg = _("make sure to create password with minimal length of %d " "characters" % self._minlen) return [RuleMessage(common.MESSAGE_TYPE_WARNING, msg)] else: # root password set if ksdata.rootpw.isCrypted: msg = _( "cannot check root password length (password is crypted)") return [RuleMessage(common.MESSAGE_TYPE_WARNING, msg)] elif len(ksdata.rootpw.password) < self._minlen or \ self._removed_password is not None: # too short or already removed msg = _("root password was too short, a longer one with at " "least %d characters will be required" % self._minlen) if not report_only and self._removed_password is None: # remove the password and reset the seen flag no to confuse Anaconda self._removed_password = ksdata.rootpw.password ksdata.rootpw.password = "" ksdata.rootpw.seen = False return [RuleMessage(common.MESSAGE_TYPE_WARNING, msg)] else: return []
def eval_rules(self, ksdata, storage, report_only=False): """:see: RuleHandler.eval_rules""" if self._minlen == 0: # no password restrictions, nothing to be done here return [] ret = [] users_proxy = USERS.get_proxy() if not users_proxy.IsRootPasswordSet: # root password was not set msg = _("make sure to create password with minimal length of %d " "characters") % self._minlen ret = [ RuleMessage(self.__class__, common.MESSAGE_TYPE_WARNING, msg) ] else: # root password set if users_proxy.IsRootPasswordCrypted: msg = _( "cannot check root password length (password is crypted)") log.warning( "cannot check root password length (password is crypted)") return [ RuleMessage(self.__class__, common.MESSAGE_TYPE_WARNING, msg) ] elif len(users_proxy.RootPassword) < self._minlen: # too short msg = _("root password is too short, a longer one with at " "least %d characters is required") % self._minlen ret = [ RuleMessage(self.__class__, common.MESSAGE_TYPE_FATAL, msg) ] else: ret = [] if report_only: return ret # set the policy in any case (so that a weaker password is not entered) pw_policy = ksdata.anaconda.pwpolicy.get_policy("root") if pw_policy is None: pw_policy = F22_PwPolicyData() log.info("OSCAP addon: setting password policy %s" % pw_policy) ksdata.anaconda.pwpolicy.policyList.append(pw_policy) log.info("OSCAP addon: password policy list: %s" % ksdata.anaconda.pwpolicy.policyList) self._created_policy = True self._orig_minlen = pw_policy.minlen self._orig_strict = pw_policy.strict pw_policy.minlen = self._minlen pw_policy.strict = True return ret
def eval_rules(self, ksdata, storage, report_only=False): """:see: RuleHandler.eval_rules""" device_tree = STORAGE.get_proxy(DEVICE_TREE) mount_points = device_tree.GetMountPoints() messages = [] if self._mount_point not in mount_points: msg = _("{0} must be on a separate partition or logical " "volume and has to be created in the " "partitioning layout before installation can occur " "with a security profile").format(self._mount_point) messages.append( RuleMessage(self.__class__, common.MESSAGE_TYPE_FATAL, msg)) # mount point doesn't exist, nothing more can be found here return messages # template for the message msg_tmpl = _("mount option '%(mount_option)s' added for " "the mount point %(mount_point)s") # add message for every option already added for opt in self._added_mount_options: msg = msg_tmpl % { "mount_option": opt, "mount_point": self._mount_point } messages.append( RuleMessage(self.__class__, common.MESSAGE_TYPE_INFO, msg)) # mount point to be created during installation target_name = mount_points[self._mount_point] mount_options = device_tree.GetDeviceMountOptions(target_name) # generator for the new options that should be added new_opts = (opt for opt in self._mount_options if opt not in mount_options.split(",")) # add message for every mount option added for opt in new_opts: msg = msg_tmpl % { "mount_option": opt, "mount_point": self._mount_point } # add message for the mount option in any case messages.append( RuleMessage(self.__class__, common.MESSAGE_TYPE_INFO, msg)) # add new options to the target mount point if not reporting only if not report_only: mount_options += ",%s" % opt self._added_mount_options.append(opt) if new_opts and not report_only: device_tree.SetDeviceMountOptions(target_name, mount_options) return messages
def eval_rules(self, ksdata, storage, report_only=False): """:see: RuleHandler.eval_rules""" if self._minlen == 0: # no password restrictions, nothing to be done here return [] ret = [] users_proxy = USERS.get_proxy() if not users_proxy.IsRootPasswordSet: # root password was not set msg = _("make sure to create password with minimal length of %d " "characters") % self._minlen ret = [ RuleMessage(self.__class__, common.MESSAGE_TYPE_WARNING, msg) ] else: # root password set if users_proxy.IsRootPasswordCrypted: msg = _( "cannot check root password length (password is crypted)") log.warning( "OSCAP Addon: cannot check root password length (password is crypted)" ) return [ RuleMessage(self.__class__, common.MESSAGE_TYPE_WARNING, msg) ] elif len(users_proxy.RootPassword) < self._minlen: # too short msg = _("root password is too short, a longer one with at " "least %d characters is required") % self._minlen ret = [ RuleMessage(self.__class__, common.MESSAGE_TYPE_FATAL, msg) ] else: ret = [] if report_only: return ret # set the policy in any case (so that a weaker password is not entered) policies = self._get_password_policies() policy = policies[PASSWORD_POLICY_ROOT] self._orig_minlen = policy.min_length self._orig_strict = policy.is_strict policy.min_length = self._minlen policy.is_strict = True self._set_password_policies(policies) return ret
def eval_rules(self, ksdata, storage, report_only=False): """:see: RuleHandler.eval_rules""" messages = [] # add messages for the already added packages for pkg in self._added_pkgs: msg = _( "package '%s' has been added to the list of to be installed " "packages" % pkg) messages.append( RuleMessage(self.__class__, common.MESSAGE_TYPE_INFO, msg)) # packages, that should be added packages_to_add = (pkg for pkg in self._add_pkgs if pkg not in ksdata.packages.packageList) for pkg in packages_to_add: # add the package unless already added if not report_only: self._added_pkgs.add(pkg) ksdata.packages.packageList.append(pkg) msg = _( "package '%s' has been added to the list of to be installed " "packages" % pkg) messages.append( RuleMessage(self.__class__, common.MESSAGE_TYPE_INFO, msg)) # now do the same for the packages that should be excluded # add messages for the already excluded packages for pkg in self._removed_pkgs: msg = _("package '%s' has been added to the list of excluded " "packages" % pkg) messages.append( RuleMessage(self.__class__, common.MESSAGE_TYPE_INFO, msg)) # packages, that should be added packages_to_remove = (pkg for pkg in self._remove_pkgs if pkg not in ksdata.packages.excludedList) for pkg in packages_to_remove: # exclude the package unless already excluded if not report_only: self._removed_pkgs.add(pkg) ksdata.packages.excludedList.append(pkg) msg = _("package '%s' has been added to the list of excluded " "packages" % pkg) messages.append( RuleMessage(self.__class__, common.MESSAGE_TYPE_INFO, msg)) return messages
def eval_rules(self, ksdata, storage, report_only=False): """:see: RuleHandler.eval_rules""" messages = [] if self._mount_point not in storage.mountpoints: msg = _("%s must be on a separate partition or logical " "volume" % self._mount_point) messages.append( RuleMessage(self.__class__, common.MESSAGE_TYPE_FATAL, msg)) # mount point doesn't exist, nothing more can be found here return messages # template for the message msg_tmpl = _("mount option '%(mount_option)s' added for " "the mount point %(mount_point)s") # add message for every option already added for opt in self._added_mount_options: msg = msg_tmpl % { "mount_option": opt, "mount_point": self._mount_point } messages.append( RuleMessage(self.__class__, common.MESSAGE_TYPE_INFO, msg)) # mount point to be created during installation target_mount_point = storage.mountpoints[self._mount_point] # generator for the new options that should be added new_opts = (opt for opt in self._mount_options if opt not in target_mount_point.format.options.split(",")) # add message for every mount option added for opt in new_opts: msg = msg_tmpl % { "mount_option": opt, "mount_point": self._mount_point } # add message for the mount option in any case messages.append( RuleMessage(self.__class__, common.MESSAGE_TYPE_INFO, msg)) # add new options to the target mount point if not reporting only if not report_only: target_mount_point.format.options += ",%s" % opt self._added_mount_options.append(opt) return messages
def eval_rules(self, ksdata, storage, report_only=False): """:see: RuleHandler.eval_rules""" messages = [] if self._kdump_enabled is None: return [] elif self._kdump_enabled is False: msg = _("Kdump will be disabled on startup") elif self._kdump_enabled is True: msg = _("Kdump will be enabled on startup") messages.append( RuleMessage(self.__class__, common.MESSAGE_TYPE_INFO, msg)) if not report_only: try: if self._kdump_default_enabled is None: # Kdump addon default startup setting self._kdump_default_enabled = ksdata.addons.com_redhat_kdump.enabled ksdata.addons.com_redhat_kdump.enabled = self._kdump_enabled except AttributeError: log.warning("com_redhat_kdump is not installed. " "Skipping kdump configuration") return messages
def eval_rules(self, ksdata, storage, report_only=False): """:see: RuleHandler.eval_rules""" messages = [] if self._kdump_enabled is None: return [] elif self._kdump_enabled is False: msg = _("Kdump will be disabled on startup") elif self._kdump_enabled is True: msg = _("Kdump will be enabled on startup") messages.append( RuleMessage(self.__class__, common.MESSAGE_TYPE_INFO, msg)) if not report_only: if is_module_available(KDUMP): kdump_proxy = KDUMP.get_proxy() if self._kdump_default_enabled is None: # Kdump addon default startup setting self._kdump_default_enabled = kdump_proxy.KdumpEnabled kdump_proxy.KdumpEnabled = self._kdump_enabled else: log.warning("OSCAP Addon: com_redhat_kdump is not installed. " "Skipping kdump configuration") return messages
def eval_rules(self, ksdata, storage, report_only=False): """:see: RuleHandler.eval_rules""" if self._require_password and not storage.bootloader.password: # Anaconda doesn't provide a way to set bootloader password, so # users cannot do much about that --> we shouldn't stop the # installation, should we? return [ RuleMessage(common.MESSAGE_TYPE_WARNING, "boot loader password not set up") ] else: return []
def eval_rules(self, ksdata, storage, report_only=False): """:see: RuleHandler.eval_rules""" bootloader_proxy = STORAGE.get_proxy(BOOTLOADER) if self._require_password and not bootloader_proxy.IsPasswordSet: # TODO: Anaconda provides a way to set bootloader password: # bootloader_proxy.SetEncryptedPassword(...) # We don't support setting the bootloader password yet, # but we shouldn't stop the installation, just because of that. return [ RuleMessage(self.__class__, common.MESSAGE_TYPE_WARNING, "boot loader password not set up") ] else: return []
def eval_rules(self, ksdata, storage, report_only=False): """:see: RuleHandler.eval_rules""" firewall_proxy = NETWORK.get_proxy(FIREWALL) messages = [] if self._firewall_default_state is None: # firewall default startup setting self._firewall_default_state = firewall_proxy.FirewallMode if self._firewall_enabled is False: msg = _("Firewall will be disabled on startup") messages.append( RuleMessage(self.__class__, common.MESSAGE_TYPE_INFO, msg)) if not report_only: firewall_proxy.SetFirewallMode(FIREWALL_DISABLED) elif self._firewall_enabled is True: msg = _("Firewall will be enabled on startup") messages.append( RuleMessage(self.__class__, common.MESSAGE_TYPE_INFO, msg)) if not report_only: firewall_proxy.SetFirewallMode(FIREWALL_ENABLED) # add messages for the already added services for svc in self._added_svcs: msg = _( "service '%s' has been added to the list of services to be " "added to the firewall" % svc) messages.append( RuleMessage(self.__class__, common.MESSAGE_TYPE_INFO, msg)) # add messages for the already added ports for port in self._added_ports: msg = _("port '%s' has been added to the list of ports to be " "added to the firewall" % port) messages.append( RuleMessage(self.__class__, common.MESSAGE_TYPE_INFO, msg)) # add messages for the already added trusts for trust in self._added_trusts: msg = _("trust '%s' has been added to the list of trusts to be " "added to the firewall" % trust) messages.append( RuleMessage(self.__class__, common.MESSAGE_TYPE_INFO, msg)) # services, that should be added self._new_services_to_add = { svc for svc in self._add_svcs if svc not in firewall_proxy.EnabledServices } # ports, that should be added self._new_ports_to_add = { ports for ports in self._add_ports if ports not in firewall_proxy.EnabledPorts } # trusts, that should be added self._new_trusts_to_add = { trust for trust in self._add_trusts if trust not in firewall_proxy.Trusts } for svc in self._new_services_to_add: # add the service unless already added if not report_only: self._added_svcs.add(svc) msg = _( "service '%s' has been added to the list of services to be " "added to the firewall" % svc) messages.append( RuleMessage(self.__class__, common.MESSAGE_TYPE_INFO, msg)) if not report_only: all_services = list( self._add_svcs.union(set(firewall_proxy.EnabledServices))) firewall_proxy.SetEnabledServices(all_services) for port in self._new_ports_to_add: # add the port unless already added if not report_only: self._added_ports.add(port) msg = _("port '%s' has been added to the list of ports to be " "added to the firewall" % port) messages.append( RuleMessage(self.__class__, common.MESSAGE_TYPE_INFO, msg)) if not report_only: all_ports = list( self._add_ports.union(set(firewall_proxy.EnabledPorts))) firewall_proxy.SetEnabledPorts(all_ports) for trust in self._new_trusts_to_add: # add the trust unless already added if not report_only: self._added_trusts.add(trust) msg = _("trust '%s' has been added to the list of trusts to be " "added to the firewall" % trust) messages.append( RuleMessage(self.__class__, common.MESSAGE_TYPE_INFO, msg)) if not report_only: all_trusts = list( self._add_trusts.union(set(firewall_proxy.Trusts))) firewall_proxy.SetTrusts(all_trusts) # now do the same for the services that should be excluded # add messages for the already excluded services for svc in self._removed_svcs: msg = _( "service '%s' has been added to the list of services to be " "removed from the firewall" % svc) messages.append( RuleMessage(self.__class__, common.MESSAGE_TYPE_INFO, msg)) # services, that should be excluded self._new_services_to_remove = { svc for svc in self._remove_svcs if svc not in firewall_proxy.DisabledServices } for svc in self._new_services_to_remove: # exclude the service unless already excluded if not report_only: self._removed_svcs.add(svc) msg = _( "service '%s' has been added to the list of services to be " "removed from the firewall" % svc) messages.append( RuleMessage(self.__class__, common.MESSAGE_TYPE_INFO, msg)) if not report_only: all_services = list( self._remove_svcs.union(set(firewall_proxy.DisabledServices))) firewall_proxy.SetDisabledServices(all_services) return messages
def eval_rules(self, ksdata, storage, report_only=False): """:see: RuleHandler.eval_rules""" messages = [] packages_data = get_packages_data() msg_installed_template = _( "package '%s' has been added to the list of to be installed packages" ) # add messages for the already added packages for pkg in self._added_pkgs: msg = msg_installed_template % pkg messages.append( RuleMessage(self.__class__, common.MESSAGE_TYPE_INFO, msg)) # packages, that should be added packages_to_add = (pkg for pkg in self._add_pkgs if pkg not in packages_data.packages) for pkg in packages_to_add: # add the package unless already added if not report_only: self._added_pkgs.add(pkg) packages_data.packages.append(pkg) msg = msg_installed_template % pkg messages.append( RuleMessage(self.__class__, common.MESSAGE_TYPE_INFO, msg)) msg_excluded_template = _( "package '%s' has been added to the list of excluded packages") # now do the same for the packages that should be excluded # add messages for the already excluded packages for pkg in self._removed_pkgs: if self._package_is_essential(pkg, packages_data): msg = _( "package '{package}' has been added to the list " "of excluded packages, but it can't be removed " "from the current software selection without breaking the installation." ) msg = msg.format(package=pkg) messages.append( RuleMessage(self.__class__, common.MESSAGE_TYPE_FATAL, msg)) else: msg = msg_excluded_template % pkg messages.append( RuleMessage(self.__class__, common.MESSAGE_TYPE_INFO, msg)) # packages, that should be added packages_to_remove = (pkg for pkg in self._remove_pkgs if pkg not in packages_data.excluded_packages) for pkg in packages_to_remove: # exclude the package unless already excluded if not report_only: self._removed_pkgs.add(pkg) packages_data.excluded_packages.append(pkg) msg = msg_excluded_template % pkg messages.append( RuleMessage(self.__class__, common.MESSAGE_TYPE_INFO, msg)) if not report_only: set_packages_data(packages_data) return messages
def eval_rules(self, ksdata, storage, report_only=False): """:see: RuleHandler.eval_rules""" messages = [] if self._firewall_default_enabled is None: # firewall default startup setting self._firewall_default_enabled = ksdata.firewall.enabled if self._firewall_enabled is False: msg = _("Firewall will be disabled on startup") messages.append( RuleMessage(self.__class__, common.MESSAGE_TYPE_INFO, msg)) if not report_only: ksdata.firewall.enabled = self._firewall_enabled elif self._firewall_enabled is True: msg = _("Firewall will be enabled on startup") messages.append( RuleMessage(self.__class__, common.MESSAGE_TYPE_INFO, msg)) if not report_only: ksdata.firewall.enabled = self._firewall_enabled # add messages for the already added services for svc in self._added_svcs: msg = _( "service '%s' has been added to the list of services to be " "added to the firewall" % svc) messages.append( RuleMessage(self.__class__, common.MESSAGE_TYPE_INFO, msg)) # add messages for the already added ports for port in self._added_ports: msg = _("port '%s' has been added to the list of ports to be " "added to the firewall" % port) messages.append( RuleMessage(self.__class__, common.MESSAGE_TYPE_INFO, msg)) # add messages for the already added trusts for trust in self._added_trusts: msg = _("trust '%s' has been added to the list of trusts to be " "added to the firewall" % trust) messages.append( RuleMessage(self.__class__, common.MESSAGE_TYPE_INFO, msg)) # services, that should be added services_to_add = (svc for svc in self._add_svcs if svc not in ksdata.firewall.services) # ports, that should be added ports_to_add = (ports for ports in self._add_ports if ports not in ksdata.firewall.ports) # trusts, that should be added trusts_to_add = (trust for trust in self._add_trusts if trust not in ksdata.firewall.trusts) for svc in services_to_add: # add the service unless already added if not report_only: self._added_svcs.add(svc) ksdata.firewall.services.append(svc) msg = _( "service '%s' has been added to the list of services to be " "added to the firewall" % svc) messages.append( RuleMessage(self.__class__, common.MESSAGE_TYPE_INFO, msg)) for port in ports_to_add: # add the port unless already added if not report_only: self._added_ports.add(port) ksdata.firewall.ports.append(port) msg = _("port '%s' has been added to the list of ports to be " "added to the firewall" % port) messages.append( RuleMessage(self.__class__, common.MESSAGE_TYPE_INFO, msg)) for trust in trusts_to_add: # add the trust unless already added if not report_only: self._added_trusts.add(trust) ksdata.firewall.trusts.append(trust) msg = _("trust '%s' has been added to the list of trusts to be " "added to the firewall" % trust) messages.append( RuleMessage(self.__class__, common.MESSAGE_TYPE_INFO, msg)) # now do the same for the services that should be excluded # add messages for the already excluded services for svc in self._removed_svcs: msg = _( "service '%s' has been added to the list of services to be " "removed from the firewall" % svc) messages.append( RuleMessage(self.__class__, common.MESSAGE_TYPE_INFO, msg)) # services, that should be added services_to_remove = (svc for svc in self._remove_svcs if svc not in ksdata.firewall.remove_services) for svc in services_to_remove: # exclude the service unless already excluded if not report_only: self._removed_svcs.add(svc) ksdata.firewall.remove_services.append(svc) msg = _( "service '%s' has been added to the list of services to be " "removed from the firewall" % svc) messages.append( RuleMessage(self.__class__, common.MESSAGE_TYPE_INFO, msg)) return messages