def test_config_applies_to_daemon_except():
    """Pin how the EXCEPT operator is evaluated, including nested EXCEPT chains.

    These expectations decide whether a daemon is reported as covered by the
    tcp_wrappers configuration, so a wrong answer for an EXCEPT chain would
    mean a missed (or spurious) report for that daemon.
    """
    # Two daemon lists: 'all except sendmail' plus a plain 'postfix' entry.
    facts = TcpWrappersFacts(daemon_lists=[
        DaemonList(value=['all', 'except', 'sendmail']),
        DaemonList(value=['postfix']),
    ])
    for daemon, expected in (
            ('vsftpd', True),
            ('sendmail', False),
            ('postfix', True),
            ('foo', True)):
        assert lib.config_applies_to_daemon(facts, daemon) is expected

    # An upper-case EXCEPT is recognised too: 'bar' is re-included by the
    # second EXCEPT, while 'baar' stays excluded by the 'b*' pattern.
    facts = TcpWrappersFacts(daemon_lists=[
        DaemonList(value=['all', 'except', 'b*', 'EXCEPT', 'bar']),
    ])
    for daemon, expected in (('foo', True), ('bar', True), ('baar', False)):
        assert lib.config_applies_to_daemon(facts, daemon) is expected

    # Each additional 'all except' level flips the outcome for 'vsftpd'.
    nested_cases = (
        (['all', 'except', 'vsftpd'], False),
        (['all', 'except', 'all', 'except', 'vsftpd'], True),
        (['all', 'except', 'all', 'except', 'all', 'except', 'vsftpd'], False),
    )
    for tokens, expected in nested_cases:
        facts = TcpWrappersFacts(daemon_lists=[DaemonList(value=tokens)])
        assert lib.config_applies_to_daemon(facts, 'vsftpd') is expected
def test_config_applies_to_daemon_simple():
    """A literal daemon name matches itself regardless of case and nothing else."""
    facts = TcpWrappersFacts(daemon_lists=[DaemonList(value=['vsftpd'])])

    expectations = (
        ('vsftpd', True),
        ('VsfTpd', True),   # the comparison ignores case
        ('ftp', False),     # a substring of the pattern is not a match
        ('foo', False),
    )
    for daemon, expected in expectations:
        assert lib.config_applies_to_daemon(facts, daemon) is expected
def test_config_applies_to_daemon_empty():
    """Neither an empty pattern nor an empty daemon list matches a daemon."""
    for tokens in ([''], []):
        facts = TcpWrappersFacts(daemon_lists=[DaemonList(value=tokens)])
        assert lib.config_applies_to_daemon(facts, 'vsftpd') is False
def test_config_applies_to_daemon_with_host():
    """A 'daemon@host' pattern still matches the bare daemon name."""
    facts = TcpWrappersFacts(daemon_lists=[
        DaemonList(value=['vsftpd@localhost', 'sendmail']),
        DaemonList(value=['postfix']),
    ])

    for daemon, expected in (
            ('vsftpd', True),    # matched through the host-qualified entry
            ('sendmail', True),
            ('postfix', True),   # found in the second daemon list
            ('foo', False)):
        assert lib.config_applies_to_daemon(facts, daemon) is expected
def test_config_applies_to_daemon_question_mark_wildcard():
    """'?' stands for exactly one character of the daemon name."""
    cases = (
        ('vs?tpd', True),    # one wildcard in place of the 'f'
        ('vsf?tpd', False),  # pattern is one character longer than the name
        ('?', False),        # a single character cannot cover 'vsftpd'
        ('??????', True),    # six wildcards for a six-character name
    )
    for pattern, expected in cases:
        facts = TcpWrappersFacts(daemon_lists=[DaemonList(value=[pattern])])
        assert lib.config_applies_to_daemon(facts, 'vsftpd') is expected
def test_config_applies_to_daemon_asterisk_wildcard():
    """'*' matches any run of characters, so '*' alone covers every daemon."""
    cases = (
        ('*ftp*', True),
        ('************', True),  # repeated asterisks behave like a single one
        ('*', True),
        ('*foo*', False),        # 'foo' does not occur in 'vsftpd'
    )
    for pattern, expected in cases:
        facts = TcpWrappersFacts(daemon_lists=[DaemonList(value=[pattern])])
        assert lib.config_applies_to_daemon(facts, 'vsftpd') is expected
def config_affects_daemons(tcp_wrappers_facts, packages_list, daemons):
    """
    Return the installed packages whose daemons are covered by the
    tcp_wrappers configuration.

    :param tcp_wrappers_facts: Facts provided by the TcpWrappersFacts
    :param packages_list: List of packages provided by InstalledRedHatSignedRPM
    :param daemons: Iterable of (package, keywords) pairs, where keywords is
                    the list of daemon names / keywords that package reacts to,
                    e.g. [("package-name", ["daemon1", "daemon2", ...]), ...]
    :return: set of package names with at least one matching daemon keyword
    """
    affected = set()
    for pkg_name, daemon_keywords in daemons:
        # Only installed packages are of interest; the rest cannot be affected.
        if pkg_name in packages_list:
            # A package may ship several daemons, or one daemon that reacts
            # to several keywords, so every keyword is checked.
            for keyword in daemon_keywords:
                if config_applies_to_daemon(tcp_wrappers_facts, keyword):
                    # Reporting is per package, not per individual daemon.
                    affected.add(pkg_name)
    return affected
def process(self):
    """Inhibit the upgrade when tcp_wrappers rules cover sendmail, else plan the config migration.

    Does nothing when the sendmail package is not installed. When the
    tcp_wrappers configuration applies to sendmail, a high-severity inhibitor
    report is raised and processing stops. Otherwise the sendmail
    configuration is checked for compressed IPv6 addresses and a
    SendmailMigrationDecision is produced for the files that need migrating.
    """
    if not has_package(InstalledRedHatSignedRPM, 'sendmail'):
        return

    # NOTE(review): next() raises StopIteration when no TcpWrappersFacts
    # message is available - confirm a producer always runs before this actor.
    tcp_wrappers_facts = next(self.consume(TcpWrappersFacts))
    if config_applies_to_daemon(tcp_wrappers_facts, 'sendmail'):
        # Access rules in /etc/hosts.allow or /etc/hosts.deny mention sendmail,
        # so the upgrade is blocked until the administrator migrates them.
        report_with_remediation(
            title='TCP wrappers support removed in the next major version',
            summary='TCP wrappers are legacy host-based ACL (Access Control List) system '
                    'which has been removed in the next major version of RHEL.',
            remediation='Please migrate from TCP wrappers to some other access control mechanism and delete '
                        'sendmail from the /etc/hosts.[allow|deny].',
            severity='high',
            flags=['inhibitor'])
        return

    files_to_migrate = library.check_files_for_compressed_ipv6()
    if not files_to_migrate:
        self.log.info(
            'The sendmail configuration seems compatible - it won\'t be migrated.')
        return

    report_generic(
        title='sendmail configuration will be migrated',
        summary='IPv6 addresses will be uncompressed, check all IPv6 addresses in all sendmail '
                'configuration files for correctness.',
        severity='low')
    self.produce(SendmailMigrationDecision(migrate_files=files_to_migrate))
def test_config_applies_to_daemon_all_wildcard():
    """The ALL keyword matches any daemon, in any letter case, but only as a whole word."""
    cases = (
        ('all', True),
        ('aLl', True),     # the keyword is case-insensitive
        ('al', False),     # a truncated keyword is just a non-matching name
        ('ll', False),
        ('valld', False),  # 'all' embedded in another word is not the keyword
    )
    for token, expected in cases:
        facts = TcpWrappersFacts(daemon_lists=[DaemonList(value=[token])])
        assert lib.config_applies_to_daemon(facts, 'vsftpd') is expected
def check_config_supported(tcpwrap_facts, vsftpd_facts):
    """Raise an inhibitor report when vsftpd relies on tcp_wrappers.

    The report is created only when both conditions hold: at least one vsftpd
    configuration file enables the tcp_wrappers option, and the tcp_wrappers
    configuration applies to the 'vsftpd' daemon. Nothing is reported, and
    nothing is returned, otherwise.

    :param tcpwrap_facts: facts passed on to config_applies_to_daemon()
    :param vsftpd_facts: object whose ``configs`` items expose ``path`` and
                         ``tcp_wrappers``
    """
    offending_paths = []
    for config in vsftpd_facts.configs:
        if config.tcp_wrappers:
            offending_paths.append(config.path)

    if not offending_paths:
        return
    if not config_applies_to_daemon(tcpwrap_facts, 'vsftpd'):
        return

    list_separator_fmt = '\n - '
    summary_template = (
        'tcp_wrappers support has been removed in RHEL-8. '
        'Some configuration files set the tcp_wrappers option to true and '
        'there is some vsftpd-related configuration in /etc/hosts.deny '
        'or /etc/hosts.allow. Please migrate it manually. '
        'The list of problematic configuration files:{}{}')
    # The separator is emitted once up front so the first path is bulleted too.
    summary_text = summary_template.format(
        list_separator_fmt, list_separator_fmt.join(offending_paths))

    report_with_links(
        title='Unsupported vsftpd configuration',
        summary=summary_text,
        links=[{
            'title': 'Replacing TCP Wrappers in RHEL 8',
            'href': 'https://access.redhat.com/solutions/3906701'
        }],
        severity='high',
        flags=['inhibitor'])
def process(self):
    """Inhibit the upgrade when tcp_wrappers rules cover sendmail, else plan the config migration.

    Does nothing when the sendmail package is not installed. When the
    tcp_wrappers configuration applies to sendmail, a high-severity inhibitor
    report is created and processing stops. Otherwise the sendmail
    configuration is checked for compressed IPv6 addresses and a
    SendmailMigrationDecision is produced for the files that need migrating.
    """
    if not has_package(InstalledRedHatSignedRPM, 'sendmail'):
        return

    # NOTE(review): next() raises StopIteration when no TcpWrappersFacts
    # message is available - confirm a producer always runs before this actor.
    tcp_wrappers_facts = next(self.consume(TcpWrappersFacts))
    if config_applies_to_daemon(tcp_wrappers_facts, 'sendmail'):
        # Access rules in /etc/hosts.allow or /etc/hosts.deny mention sendmail,
        # so the upgrade is blocked until the administrator migrates them.
        inhibitor_entries = [
            reporting.Title(
                'TCP wrappers support removed in the next major version'),
            reporting.Summary(
                'TCP wrappers are legacy host-based ACL (Access Control List) system '
                'which has been removed in the next major version of RHEL.'),
            reporting.Remediation(
                hint='Please migrate from TCP wrappers to some other access control mechanism and delete '
                     'sendmail from the /etc/hosts.[allow|deny].'),
            reporting.Severity(reporting.Severity.HIGH),
            reporting.Tags(COMMON_REPORT_TAGS + [reporting.Tags.NETWORK]),
            reporting.Flags([reporting.Flags.INHIBITOR]),
        ]
        create_report(inhibitor_entries + related)
        return

    files_to_migrate = checksendmail.check_files_for_compressed_ipv6()
    if not files_to_migrate:
        self.log.info(
            'The sendmail configuration seems compatible - it won\'t be migrated.')
        return

    migration_entries = [
        reporting.Title('sendmail configuration will be migrated'),
        reporting.Summary(
            'IPv6 addresses will be uncompressed, check all IPv6 addresses in all sendmail '
            'configuration files for correctness.'),
        reporting.Severity(reporting.Severity.LOW),
        reporting.Tags(COMMON_REPORT_TAGS),
    ]
    create_report(migration_entries + related)
    self.produce(SendmailMigrationDecision(migrate_files=files_to_migrate))
def check_config_supported(tcpwrap_facts, vsftpd_facts):
    """Create an inhibitor report when vsftpd relies on tcp_wrappers.

    The report is created only when both conditions hold: at least one vsftpd
    configuration file enables the tcp_wrappers option, and the tcp_wrappers
    configuration applies to the 'vsftpd' daemon. Nothing is reported, and
    nothing is returned, otherwise.

    :param tcpwrap_facts: facts passed on to config_applies_to_daemon()
    :param vsftpd_facts: object whose ``configs`` items expose ``path`` and
                         ``tcp_wrappers``
    """
    offending_paths = []
    for config in vsftpd_facts.configs:
        if config.tcp_wrappers:
            offending_paths.append(config.path)

    if not offending_paths:
        return
    if not config_applies_to_daemon(tcpwrap_facts, 'vsftpd'):
        return

    list_separator_fmt = '\n - '
    summary_template = (
        'tcp_wrappers support has been removed in RHEL-8. '
        'Some configuration files set the tcp_wrappers option to true and '
        'there is some vsftpd-related configuration in /etc/hosts.deny '
        'or /etc/hosts.allow. Please migrate it manually. '
        'The list of problematic configuration files:{}{}')
    # The separator is emitted once up front so the first path is bulleted too.
    summary_text = summary_template.format(
        list_separator_fmt, list_separator_fmt.join(offending_paths))

    report_entries = [
        reporting.Title('Unsupported vsftpd configuration'),
        reporting.Summary(summary_text),
        reporting.Severity(reporting.Severity.HIGH),
        reporting.Tags([reporting.Tags.SERVICES, reporting.Tags.NETWORK]),
        reporting.Flags([reporting.Flags.INHIBITOR]),
        reporting.ExternalLink(
            title='Replacing TCP Wrappers in RHEL 8',
            url='https://access.redhat.com/solutions/3906701'),
        reporting.RelatedResource('package', 'tcp_wrappers'),
        reporting.RelatedResource('package', 'vsftpd'),
    ]
    # Every offending configuration file is attached as a related resource.
    file_resources = [
        reporting.RelatedResource('file', str(path)) for path in offending_paths
    ]
    create_report(report_entries + file_resources)
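def test_config_applies_to_daemon_with_host_except():
    """Pin how host-qualified patterns ('daemon@host') interact with EXCEPT.

    The asserted results show that a host-qualified pattern on the excluding
    side of an EXCEPT never removes the daemon from the match, while on the
    including side it matches the bare daemon name. The original comment gives
    simplicity as the reason; presumably the host part is not evaluated, so
    the check errs towards reporting the daemon as affected.
    """
    # A plain daemon name after EXCEPT does exclude the daemon.
    daemon_list = DaemonList(value=['vsftpd@localhost', 'except', 'vsftpd'])
    facts = TcpWrappersFacts(daemon_lists=[daemon_list])
    assert lib.config_applies_to_daemon(facts, 'vsftpd') is False

    # It works like this for simplicity.
    daemon_list = DaemonList(
        value=['vsftpd@localhost', 'except', 'vsftpd@localhost'])
    facts = TcpWrappersFacts(daemon_lists=[daemon_list])
    assert lib.config_applies_to_daemon(facts, 'vsftpd') is True

    daemon_list = DaemonList(value=['vsftpd@localhost'])
    facts = TcpWrappersFacts(daemon_lists=[daemon_list])
    assert lib.config_applies_to_daemon(facts, 'vsftpd') is True

    # One to four nested 'all except' levels ending in a host-qualified
    # pattern: the daemon is reported as matched at every depth.
    daemon_list = DaemonList(value=['all', 'except', 'vsftpd@localhost'])
    facts = TcpWrappersFacts(daemon_lists=[daemon_list])
    assert lib.config_applies_to_daemon(facts, 'vsftpd') is True

    daemon_list = DaemonList(
        value=['all', 'except', 'all', 'except', 'vsftpd@localhost'])
    facts = TcpWrappersFacts(daemon_lists=[daemon_list])
    assert lib.config_applies_to_daemon(facts, 'vsftpd') is True

    # Fixed: a missing comma made Python join 'except' 'vsftpd@localhost'
    # into the single token 'exceptvsftpd@localhost', so the three-level case
    # was never exercised. The expected result stays True, in line with the
    # neighbouring host-qualified cases.
    daemon_list = DaemonList(value=[
        'all', 'except', 'all', 'except', 'all', 'except',
        'vsftpd@localhost'
    ])
    facts = TcpWrappersFacts(daemon_lists=[daemon_list])
    assert lib.config_applies_to_daemon(facts, 'vsftpd') is True

    daemon_list = DaemonList(value=[
        'all', 'except', 'all', 'except', 'all', 'except', 'all', 'except',
        'vsftpd@localhost'
    ])
    facts = TcpWrappersFacts(daemon_lists=[daemon_list])
    assert lib.config_applies_to_daemon(facts, 'vsftpd') is True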
def test_config_applies_to_daemon_except_empty():
    """A trailing EXCEPT with nothing after it excludes nothing; 'all' still matches."""
    facts = TcpWrappersFacts(
        daemon_lists=[DaemonList(value=['all', 'except'])])
    result = lib.config_applies_to_daemon(facts, 'vsftpd')
    assert result is True
def test_config_applies_to_daemon_whole_word():
    """A pattern must match the whole daemon name: 'ftp' does not cover 'vsftpd'."""
    facts = TcpWrappersFacts(daemon_lists=[DaemonList(value=['ftp'])])
    result = lib.config_applies_to_daemon(facts, 'vsftpd')
    assert result is False