def test_config_applies_to_daemon_except():
    """EXCEPT handling in daemon lists, including nested and mixed-case EXCEPT.

    Each scenario pairs the raw daemon lists with (daemon, expected) probes.
    The expectations show that every further EXCEPT level flips the meaning
    of the items that follow it.
    """
    scenarios = [
        # ALL minus sendmail, plus a second list naming postfix explicitly.
        ([['all', 'except', 'sendmail'], ['postfix']],
         [('vsftpd', True), ('sendmail', False), ('postfix', True),
          ('foo', True)]),
        # The keyword is matched case-insensitively; 'bar' is excluded by
        # 'b*' and re-included by the nested exception.
        ([['all', 'except', 'b*', 'EXCEPT', 'bar']],
         [('foo', True), ('bar', True), ('baar', False)]),
        # One level: the daemon is carved out of ALL.
        ([['all', 'except', 'vsftpd']],
         [('vsftpd', False)]),
        # Two levels: the carve-out is itself cancelled.
        ([['all', 'except', 'all', 'except', 'vsftpd']],
         [('vsftpd', True)]),
        # Three levels: the daemon is excluded again.
        ([['all', 'except', 'all', 'except', 'all', 'except', 'vsftpd']],
         [('vsftpd', False)]),
    ]

    for raw_lists, probes in scenarios:
        facts = TcpWrappersFacts(
            daemon_lists=[DaemonList(value=raw) for raw in raw_lists])
        for daemon, expected in probes:
            assert lib.config_applies_to_daemon(facts, daemon) is expected
def test_config_applies_to_daemon_simple():
    """A plain daemon name matches itself, ignoring case, and nothing else."""
    facts = TcpWrappersFacts(daemon_lists=[DaemonList(value=['vsftpd'])])

    probes = (
        ('vsftpd', True),
        ('VsfTpd', True),   # lookup is case-insensitive
        ('ftp', False),     # a substring of the listed name is not a match
        ('foo', False),
    )
    for daemon, expected in probes:
        assert lib.config_applies_to_daemon(facts, daemon) is expected
def test_config_applies_to_daemon_empty():
    """Neither an empty-string entry nor an empty list matches any daemon."""
    for raw_list in ([''], []):
        facts = TcpWrappersFacts(daemon_lists=[DaemonList(value=raw_list)])
        assert lib.config_applies_to_daemon(facts, 'vsftpd') is False
def test_config_applies_to_daemon_with_host():
    """A 'daemon@host' entry still counts as configuration for that daemon."""
    facts = TcpWrappersFacts(daemon_lists=[
        DaemonList(value=['vsftpd@localhost', 'sendmail']),
        DaemonList(value=['postfix']),
    ])

    probes = (
        ('vsftpd', True),     # listed only in host-qualified form
        ('sendmail', True),
        ('postfix', True),    # found in the second daemon list
        ('foo', False),
    )
    for daemon, expected in probes:
        assert lib.config_applies_to_daemon(facts, daemon) is expected
def test_config_applies_to_daemon_question_mark_wildcard():
    """'?' stands for exactly one character; the whole name must be covered."""
    expectations = (
        ('vs?tpd', True),     # one wildcard in place of 'f'
        ('vsf?tpd', False),   # pattern is one character longer than the name
        ('?', False),         # a single character cannot cover six
        ('??????', True),     # six wildcards, six characters
    )
    for pattern, expected in expectations:
        facts = TcpWrappersFacts(daemon_lists=[DaemonList(value=[pattern])])
        assert lib.config_applies_to_daemon(facts, 'vsftpd') is expected
def test_config_applies_to_daemon_asterisk_wildcard():
    """'*' matches any run of characters, including when it is repeated."""
    expectations = (
        ('*ftp*', True),
        ('************', True),   # repeated asterisks behave like one
        ('*', True),
        ('*foo*', False),         # 'foo' does not occur in 'vsftpd'
    )
    for pattern, expected in expectations:
        facts = TcpWrappersFacts(daemon_lists=[DaemonList(value=[pattern])])
        assert lib.config_applies_to_daemon(facts, 'vsftpd') is expected
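def config_affects_daemons(tcp_wrappers_facts, packages_list, daemons):
    """
    Return the installed packages that have at least one daemon (or keyword)
    covered by the existing tcp_wrappers configuration.

    :param tcp_wrappers_facts: Facts provided by the TcpWrappersFacts
    :param packages_list: List of packages provided by InstalledRedHatSignedRPM
    :param daemons: Iterable of (package, keywords) pairs in this format:
                    [("package-name", ["daemon1", "daemon2", ...]), ...]
    :return: Set of package names from ``daemons`` that are present in
             ``packages_list`` and have a keyword the configuration applies to.
             Individual daemons are not reported, only their packages.
    """
    return {
        package
        for (package, keywords) in daemons
        # A daemon is irrelevant when the package providing it is not installed.
        if package in packages_list
        # One matching daemon/keyword is enough to report the package, so the
        # remaining keywords of that package need not be checked.
        and any(
            config_applies_to_daemon(tcp_wrappers_facts, keyword)
            for keyword in keywords
        )
    }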
    def process(self):
        """Decide whether sendmail blocks the upgrade or needs migration.

        Does nothing when the sendmail package is not installed. When the
        TCP wrappers configuration applies to sendmail, an inhibitor report
        is filed and processing stops. Otherwise the files returned by
        check_files_for_compressed_ipv6() are reported and handed on in a
        SendmailMigrationDecision message, or an info line is logged when
        that result is empty.
        """
        if not has_package(InstalledRedHatSignedRPM, 'sendmail'):
            return

        # NOTE(review): next() raises StopIteration when no TcpWrappersFacts
        # message is available. Any future handling of that case should not
        # treat missing facts as "no TCP wrappers rules for sendmail".
        tcp_wrappers_facts = next(self.consume(TcpWrappersFacts))

        if config_applies_to_daemon(tcp_wrappers_facts, 'sendmail'):
            # The report text states TCP wrappers are removed in the next
            # major version, so existing sendmail rules in hosts.allow/deny
            # stop the upgrade (inhibitor) until they are migrated by hand.
            report_with_remediation(
                title='TCP wrappers support removed in the next major version',
                summary=
                'TCP wrappers are legacy host-based ACL (Access Control List) system '
                'which has been removed in the next major version of RHEL.',
                remediation=
                'Please migrate from TCP wrappers to some other access control mechanism and delete '
                'sendmail from the /etc/hosts.[allow|deny].',
                severity='high',
                flags=['inhibitor'])
            return

        migrate_files = library.check_files_for_compressed_ipv6()
        if not migrate_files:
            self.log.info(
                'The sendmail configuration seems compatible - it won\'t be migrated.'
            )
            return

        report_generic(
            title='sendmail configuration will be migrated',
            summary=
            'IPv6 addresses will be uncompressed, check all IPv6 addresses in all sendmail '
            'configuration files for correctness.',
            severity='low')
        self.produce(SendmailMigrationDecision(migrate_files=migrate_files))
def test_config_applies_to_daemon_all_wildcard():
    """Only the complete keyword 'all', in any letter case, matches everything."""
    expectations = (
        ('all', True),
        ('aLl', True),      # keyword is case-insensitive
        ('al', False),      # truncated keyword is an ordinary name
        ('ll', False),
        ('valld', False),   # 'all' embedded in a longer word is not the keyword
    )
    for entry, expected in expectations:
        facts = TcpWrappersFacts(daemon_lists=[DaemonList(value=[entry])])
        assert lib.config_applies_to_daemon(facts, 'vsftpd') is expected
def check_config_supported(tcpwrap_facts, vsftpd_facts):
    """File an inhibitor report when vsftpd relies on TCP wrappers.

    A report is produced only when both conditions hold: at least one entry
    of ``vsftpd_facts.configs`` has ``tcp_wrappers`` set, and the TCP
    wrappers configuration applies to the 'vsftpd' daemon.

    :param tcpwrap_facts: Facts passed to config_applies_to_daemon()
    :param vsftpd_facts: Object whose ``configs`` entries expose ``path`` and
                         ``tcp_wrappers``
    """
    flagged_paths = [
        cfg.path for cfg in vsftpd_facts.configs if cfg.tcp_wrappers
    ]
    if not flagged_paths:
        return
    # Without matching hosts.allow/hosts.deny entries there is no access rule
    # that the upgrade would drop, so nothing is reported.
    if not config_applies_to_daemon(tcpwrap_facts, 'vsftpd'):
        return

    bullet = '\n    - '
    summary_text = (
        'tcp_wrappers support has been removed in RHEL-8. '
        'Some configuration files set the tcp_wrappers option to true and '
        'there is some vsftpd-related configuration in /etc/hosts.deny '
        'or /etc/hosts.allow. Please migrate it manually. '
        'The list of problematic configuration files:{}{}'
    ).format(bullet, bullet.join(flagged_paths))

    report_with_links(
        title='Unsupported vsftpd configuration',
        summary=summary_text,
        links=[{
            'title': 'Replacing TCP Wrappers in RHEL 8',
            'href': 'https://access.redhat.com/solutions/3906701'
        }],
        severity='high',
        flags=['inhibitor'])
    def process(self):
        """Decide whether sendmail blocks the upgrade or needs migration.

        Does nothing when the sendmail package is not installed. When the
        TCP wrappers configuration applies to sendmail, an inhibitor report
        is created and processing stops. Otherwise the files returned by
        check_files_for_compressed_ipv6() are reported and handed on in a
        SendmailMigrationDecision message, or an info line is logged when
        that result is empty.
        """
        if not has_package(InstalledRedHatSignedRPM, 'sendmail'):
            return

        # NOTE(review): next() raises StopIteration when no TcpWrappersFacts
        # message is available. Any future handling of that case should not
        # treat missing facts as "no TCP wrappers rules for sendmail".
        tcp_wrappers_facts = next(self.consume(TcpWrappersFacts))

        # NOTE(review): `related` is not defined in this method; presumably it
        # comes from the enclosing module - confirm.
        if config_applies_to_daemon(tcp_wrappers_facts, 'sendmail'):
            # Existing sendmail rules in hosts.allow/deny stop the upgrade
            # (inhibitor flag) until they are migrated by hand.
            inhibitor_entries = [
                reporting.Title(
                    'TCP wrappers support removed in the next major version'),
                reporting.Summary(
                    'TCP wrappers are legacy host-based ACL (Access Control List) system '
                    'which has been removed in the next major version of RHEL.'
                ),
                reporting.Remediation(
                    hint=
                    'Please migrate from TCP wrappers to some other access control mechanism and delete '
                    'sendmail from the /etc/hosts.[allow|deny].'),
                reporting.Severity(reporting.Severity.HIGH),
                reporting.Tags(COMMON_REPORT_TAGS + [reporting.Tags.NETWORK]),
                reporting.Flags([reporting.Flags.INHIBITOR])
            ]
            create_report(inhibitor_entries + related)
            return

        migrate_files = checksendmail.check_files_for_compressed_ipv6()
        if not migrate_files:
            self.log.info(
                'The sendmail configuration seems compatible - it won\'t be migrated.'
            )
            return

        migration_entries = [
            reporting.Title('sendmail configuration will be migrated'),
            reporting.Summary(
                'IPv6 addresses will be uncompressed, check all IPv6 addresses in all sendmail '
                'configuration files for correctness.'),
            reporting.Severity(reporting.Severity.LOW),
            reporting.Tags(COMMON_REPORT_TAGS)
        ]
        create_report(migration_entries + related)

        self.produce(SendmailMigrationDecision(migrate_files=migrate_files))
def check_config_supported(tcpwrap_facts, vsftpd_facts):
    """Create an inhibitor report when vsftpd relies on TCP wrappers.

    A report is created only when both conditions hold: at least one entry
    of ``vsftpd_facts.configs`` has ``tcp_wrappers`` set, and the TCP
    wrappers configuration applies to the 'vsftpd' daemon. Every offending
    configuration file is listed in the summary and attached as a related
    'file' resource.

    :param tcpwrap_facts: Facts passed to config_applies_to_daemon()
    :param vsftpd_facts: Object whose ``configs`` entries expose ``path`` and
                         ``tcp_wrappers``
    """
    flagged_paths = [
        cfg.path for cfg in vsftpd_facts.configs if cfg.tcp_wrappers
    ]
    if not flagged_paths:
        return
    # Without matching hosts.allow/hosts.deny entries there is no access rule
    # that the upgrade would drop, so nothing is reported.
    if not config_applies_to_daemon(tcpwrap_facts, 'vsftpd'):
        return

    bullet = '\n    - '
    summary_text = (
        'tcp_wrappers support has been removed in RHEL-8. '
        'Some configuration files set the tcp_wrappers option to true and '
        'there is some vsftpd-related configuration in /etc/hosts.deny '
        'or /etc/hosts.allow. Please migrate it manually. '
        'The list of problematic configuration files:{}{}'
    ).format(bullet, bullet.join(flagged_paths))

    report_entries = [
        reporting.Title('Unsupported vsftpd configuration'),
        reporting.Summary(summary_text),
        reporting.Severity(reporting.Severity.HIGH),
        reporting.Tags([reporting.Tags.SERVICES, reporting.Tags.NETWORK]),
        reporting.Flags([reporting.Flags.INHIBITOR]),
        reporting.ExternalLink(
            title='Replacing TCP Wrappers in RHEL 8',
            url='https://access.redhat.com/solutions/3906701'),
        reporting.RelatedResource('package', 'tcp_wrappers'),
        reporting.RelatedResource('package', 'vsftpd'),
    ]
    file_resources = [
        reporting.RelatedResource('file', str(path)) for path in flagged_paths
    ]
    create_report(report_entries + file_resources)
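def test_config_applies_to_daemon_with_host_except():
    """Host-qualified entries ('daemon@host') combined with EXCEPT.

    Only the first case expects False; its exception names the daemon
    without a host. Every case whose exception is host-qualified expects
    True, i.e. the configuration is still reported as applying to vsftpd.
    """
    # A plain-name exception removes the daemon from the list.
    daemon_list = DaemonList(value=['vsftpd@localhost', 'except', 'vsftpd'])
    facts = TcpWrappersFacts(daemon_lists=[daemon_list])
    assert lib.config_applies_to_daemon(facts, 'vsftpd') is False

    # It works like this for simplicity: a host-qualified exception does not
    # cancel the match.
    daemon_list = DaemonList(
        value=['vsftpd@localhost', 'except', 'vsftpd@localhost'])
    facts = TcpWrappersFacts(daemon_lists=[daemon_list])
    assert lib.config_applies_to_daemon(facts, 'vsftpd') is True

    daemon_list = DaemonList(value=['vsftpd@localhost'])
    facts = TcpWrappersFacts(daemon_lists=[daemon_list])
    assert lib.config_applies_to_daemon(facts, 'vsftpd') is True

    # Nested EXCEPT chains of increasing depth ending in a host-qualified
    # entry: one, two, three and four levels.
    daemon_list = DaemonList(value=['all', 'except', 'vsftpd@localhost'])
    facts = TcpWrappersFacts(daemon_lists=[daemon_list])
    assert lib.config_applies_to_daemon(facts, 'vsftpd') is True

    daemon_list = DaemonList(
        value=['all', 'except', 'all', 'except', 'vsftpd@localhost'])
    facts = TcpWrappersFacts(daemon_lists=[daemon_list])
    assert lib.config_applies_to_daemon(facts, 'vsftpd') is True

    # The comma after the last 'except' was missing, so Python joined the two
    # adjacent literals into the single item 'exceptvsftpd@localhost' and the
    # three-level case was never exercised.
    daemon_list = DaemonList(value=[
        'all', 'except', 'all', 'except', 'all', 'except',
        'vsftpd@localhost'
    ])
    facts = TcpWrappersFacts(daemon_lists=[daemon_list])
    assert lib.config_applies_to_daemon(facts, 'vsftpd') is True

    daemon_list = DaemonList(value=[
        'all', 'except', 'all', 'except', 'all', 'except', 'all', 'except',
        'vsftpd@localhost'
    ])
    facts = TcpWrappersFacts(daemon_lists=[daemon_list])
    assert lib.config_applies_to_daemon(facts, 'vsftpd') is True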
def test_config_applies_to_daemon_except_empty():
    """A trailing EXCEPT with no items after it leaves ALL in force."""
    facts = TcpWrappersFacts(
        daemon_lists=[DaemonList(value=['all', 'except'])])
    applies = lib.config_applies_to_daemon(facts, 'vsftpd')
    assert applies is True
def test_config_applies_to_daemon_whole_word():
    """An entry must match the whole daemon name, not a substring of it."""
    facts = TcpWrappersFacts(daemon_lists=[DaemonList(value=['ftp'])])
    applies = lib.config_applies_to_daemon(facts, 'vsftpd')
    assert applies is False