def apply(self, option=None):
"""
Corrects the permissions
"""
change_record = {}
# Only run FS scan if it hasn't been run this scan
if tcs_utils.fs_scan_is_needed():
sb_utils.filesystem.scan.perform()
if not os.path.isfile(self.__target_file):
msg = "Unable to find %s" % self.__target_file
self.logger.error(self.module_name, 'Apply Error: ' + msg)
raise tcs_utils.ScanError('%s %s' % (self.module_name, msg))
# let others know we ran the fs scanner
tcs_utils.update_fs_scanid()
try:
in_obj = open(self.__target_file, 'r')
except (OSError, IOError), err:
msg = "Unable to open %s: %s" % (self.__target_file, err)
self.logger.error(self.module_name, 'Apply Error: ' + msg)
raise tcs_utils.ActionError('%s %s' % (self.module_name, msg))
def scan(self, optionDict=None):
"""
Initiating File System Scan to find world-writable devices
"""
specialDevices = {}
messages = []
retval = True
retmsg = ''
self.validate_input(optionDict)
# Only run FS scan if it hasn't been run this scan
if tcs_utils.fs_scan_is_needed():
sb_utils.filesystem.scan.perform()
if not os.path.isfile(self.__target_file):
msg = "Unable to find %s" % self.__target_file
self.logger.error(self.module_name, 'Scan Error: ' + msg)
raise tcs_utils.ScanError('%s %s' % (self.module_name, msg))
# let others know we ran the fs scanner
tcs_utils.update_fs_scanid()
secure_world_writable_devices = True
try:
in_obj = open(self.__target_file, 'r')
except IOError, err:
msg = "Unable to file %s: %s" % (self.__target_file, err)
self.logger.error(self.module_name, 'Scan Error: ' + msg)
raise tcs_utils.ScanError('%s %s' % (self.module_name, msg))
def scan(self, option=None):
"""
Initiating File System Scan to find unowned files
"""
messages = {}
messages['messages'] = []
# Only run FS scan if it hasn't been run this scan
if tcs_utils.fs_scan_is_needed():
sb_utils.filesystem.scan.perform()
if not os.path.isfile(self.__target_file):
msg = "Unable to find %s" % self.__target_file
self.logger.error(self.module_name, 'Scan Error: ' + msg)
raise tcs_utils.ScanError('%s %s' % (self.module_name, msg))
# let others know we ran the fs scanner
tcs_utils.update_fs_scanid()
all_files_owned = True
try:
in_obj = open(self.__target_file, 'r')
lines = in_obj.readlines()
for line in lines:
fields = line.rstrip('\n').split('|')
if len(fields) != 6:
continue
if fields[1][0] == 'X':
all_files_owned = False
msg = "(CCE 4223-4) %s is unowned." % fields[-1]
self.logger.notice(self.module_name, 'Scan Failed: ' + msg)
if len(messages['messages']) < 10:
messages['messages'].append("Fail: %s" % msg)
else:
if len(messages['messages']) > 10:
continue
messages['messages'].append(
"See log for full list of failures...")
if fields[1][1] == 'X':
all_files_owned = False
msg = "(CCE 3573-3) %s has no group assigned." % fields[-1]
self.logger.notice(self.module_name, 'Scan Failed: ' + msg)
if len(messages['messages']) < 10:
messages['messages'].append("Fail: %s" % msg)
else:
if len(messages['messages']) > 10:
continue
messages['messages'].append(
"See log for full list of failures...")
del fields
except IOError, err:
msg = "Unable to open file %s: %s" % (self.__target_file, err)
self.logger.error(self.module_name, 'Scan Error: ' + msg)
raise tcs_utils.ScanError('%s %s' % (self.module_name, msg))
def scan(self, option=None):
"""
Initiating File System Scan to find .netrc Files
"""
# Only run FS scan if it hasn't been run this scan
if tcs_utils.fs_scan_is_needed():
sb_utils.filesystem.scan.perform()
if not os.path.isfile(self.__target_file):
msg = "Unable to find %s" % self.__target_file
self.logger.error(self.module_name, 'Scan Error: ' + msg)
raise tcs_utils.ScanError('%s %s' % (self.module_name, msg))
# let others know we ran the fs scanner
tcs_utils.update_fs_scanid()
secure_netrc_files = True
netrc_pattern = re.compile(".*/.netrc$")
try:
in_obj = open(self.__target_file, 'r')
except IOError:
msg = "Unable to open file %s." % self.__target_file
self.logger.error(self.module_name, 'Scan Error: ' + msg)
raise tcs_utils.ScanError('%s %s' % (self.module_name, msg))
lines = in_obj.readlines()
for line in lines:
if line.startswith('d|'):
continue
if netrc_pattern.search(line):
fields = line.rstrip('\n').split('|')
if len(fields) != 6:
continue
msg = "%s exists" % fields[5]
self.logger.warn(self.module_name, msg)
if fields[4] not in ['0700', '0600', '0400']:
msg = "%s exists with insecure permissions %s " % \
(fields[5], fields[4])
self.logger.notice(self.module_name, "Scan Failed: " + msg)
secure_netrc_files = False
if secure_netrc_files == True:
return 'Pass', ''
msg = 'Insecure .netrc files exist'
self.logger.info(self.module_name, 'Scan Failed: ' + msg)
return 'Fail', msg
def apply(self, option=None):
"""Remove world-writable status"""
# Only run FS scan if it hasn't been run this scan
if tcs_utils.fs_scan_is_needed():
sb_utils.filesystem.scan.perform()
if not os.path.isfile(self.__target_file):
msg = "Unable to find %s" % self.__target_file
self.logger.error(self.module_name, 'Apply Error: ' + msg)
raise tcs_utils.ActionError('%s %s' % (self.module_name, msg))
# let others know we ran the fs scanner
tcs_utils.update_fs_scanid()
secure_world_writable_files = True
try:
in_obj = open(self.__target_file, 'r')
except IOError, err:
msg = "Unable to open %s: %s" % (self.__target_file, err)
self.logger.error(self.module_name, 'Apply Error: ' + msg)
raise tcs_utils.ActionError('%s %s' % (self.module_name, msg))
def apply(self, option=None):
"""Change access to mode 0600 on .netrc files"""
# Only run FS scan if it hasn't been run this scan
if tcs_utils.fs_scan_is_needed():
sb_utils.filesystem.scan.perform()
if not os.path.isfile(self.__target_file):
msg = "Unable to find %s" % self.__target_file
self.logger.error(self.module_name, 'Apply Error: ' + msg)
raise tcs_utils.ActionError('%s %s' % (self.module_name, msg))
# let others know we ran the fs scanner
tcs_utils.update_fs_scanid()
file_list = []
secure_netrc_files = True
netrc_pattern = re.compile(".*/.netrc$")
try:
in_obj = open(self.__target_file, 'r')
except IOError, err:
msg = "Unable to open %s: %s" % (self.__target_file, err)
self.logger.error(self.module_name, 'Apply Error: ' + msg)
raise tcs_utils.ActionError('%s %s' % (self.module_name, msg))
def scan(self, option=None):
"""
Initiating File System Scan to find world writable directories
"""
# Only run FS scan if it hasn't been run this scan
if tcs_utils.fs_scan_is_needed():
sb_utils.filesystem.scan.perform()
if not os.path.isfile(self.__target_file):
msg = "Unable to find %s" % self.__target_file
self.logger.error(self.module_name, 'Scan Error: ' + msg)
raise tcs_utils.ScanError('%s %s' % (self.module_name, msg))
# let others know we ran the fs scanner
tcs_utils.update_fs_scanid()
secure_world_writable_dirs = True
try:
in_obj = open(self.__target_file, 'r')
except IOError, err:
msg = "Unable to open file %s: %s" % (self.__target_file, err)
self.logger.error(self.module_name, 'Scan Error: ' + msg)
raise tcs_utils.ScanError('%s %s' % (self.module_name, msg))
def apply(self, option=None):
"""Change user/group of unowned files to nobody"""
messages = {}
messages['messages'] = []
# Only run FS scan if it hasn't been run this scan
if tcs_utils.fs_scan_is_needed():
sb_utils.filesystem.scan.perform()
if not os.path.isfile(self.__target_file):
msg = "Unable to find %s" % self.__target_file
self.logger.error(self.module_name, 'Apply Error: ' + msg)
raise tcs_utils.ScanError('%s %s' % (self.module_name, msg))
# let others know we ran the fs scanner
tcs_utils.update_fs_scanid()
all_files_owned = True
file_list = []
try:
in_obj = open(self.__target_file, 'r')
lines = in_obj.readlines()
for line in lines:
fields = line.rstrip('\n').split('|')
if len(fields) != 6:
continue
if fields[1][0] == 'X' or fields[1][1] == 'X':
file_list.append(fields[-1])
del fields
except IOError, err:
msg = "Unable to open file %s: %s" % (self.__target_file, err)
self.logger.error(self.module_name, 'Apply Error: ' + msg)
raise tcs_utils.ActionError('%s %s' % (self.module_name, msg))
#
# Open file for writing results to
#
try:
results = open(SCAN_RESULT, 'w')
except IOError, err:
msg = "Unable to write to %s: %s" % (SCAN_RESULT, err)
logger.error(MODULE_NAME, msg)
raise
except Exception:
raise
msg = "Writing to %s" % SCAN_RESULT
logger.debug(MODULE_NAME, msg)
tcs_utils.update_fs_scanid()
############ Directory Starting Points ###############
start_dirs = []
for fullpath in os.listdir('/'):
testdir = os.path.join('/', fullpath)
if not os.path.isdir(testdir):
continue
is_excluded, why_excluded = sb_utils.file.exclusion.file_is_excluded(
testdir)
if not is_excluded:
start_dirs.append(testdir)
msg = "Starting directory points: %s" % str(start_dirs)
logger.info(MODULE_NAME, msg)
def scan(self, optionDict=None):
"""
Initiating File System Scan to find unowned files
"""
self.validate_input(optionDict)
messages = {}
messages['messages'] = []
all_files_labeled = True
msg = ""
retval = True
# Only run FS scan if it hasn't been run this scan *AND* SELinux is enabled.
#
if not sb_utils.SELinux.isSELinuxSupportedOnBox() :
msg = "SELinux is unsupported on this box - context checking not performed"
elif not sb_utils.SELinux.isSELinuxEnabled():
msg = "SELinux is disabled on this box - context checking not performed"
else:
if tcs_utils.fs_scan_is_needed():
sb_utils.filesystem.scan.perform()
if not os.path.isfile(self.__target_file):
msg = "Unable to find %s" % self.__target_file
self.logger.error(self.module_name, 'Scan Error: ' + msg)
raise tcs_utils.ScanError('%s %s' % (self.module_name, msg))
# let others know we ran the fs scanner
tcs_utils.update_fs_scanid()
try:
in_obj = open(self.__target_file, 'r')
lines = in_obj.readlines()
for line in lines:
fields = line.rstrip('\n').split('|')
if len(fields) != 6:
continue
# Unless we're checking all files, restrict checks to those entries starting with '/dev/'
if self.__checkAllFiles == False and not fields[-1].startswith('/dev/'):
continue
if fields[1][8] == 'X':
all_files_labeled = False
msg = "%s has the unlabeled_t SELinux context." % fields[-1]
self.logger.notice(self.module_name, 'Scan Failed: ' + msg)
if len(messages['messages']) < 10:
messages['messages'].append("Fail: %s" % msg)
else:
if len(messages['messages']) > 10:
continue
messages['messages'].append("See log for full list of failures...")
del fields
in_obj.close()
except IOError, err:
msg = "Unable to open file %s: %s" % (self.__target_file, err)
self.logger.error(self.module_name, 'Scan Error: ' + msg)
raise tcs_utils.ScanError('%s %s' % (self.module_name, msg))
if not all_files_labeled:
msg = "One or more files have the unlabeled_t SELinux context."