def eval_rules(self, ksdata, storage, report_only=False):
""":see: RuleHandler.eval_rules"""
if self._minlen == 0:
# no password restrictions, nothing to be done here
return []
if not ksdata.rootpw.password and self._removed_password is None:
# root password was not set
# password length enforcement is not suported in the Anaconda yet
msg = _("make sure to create password with minimal length of %d "
"characters" % self._minlen)
return [RuleMessage(common.MESSAGE_TYPE_WARNING, msg)]
else:
# root password set
if ksdata.rootpw.isCrypted:
msg = _(
"cannot check root password length (password is crypted)")
return [RuleMessage(common.MESSAGE_TYPE_WARNING, msg)]
elif len(ksdata.rootpw.password) < self._minlen or \
self._removed_password is not None:
# too short or already removed
msg = _("root password was too short, a longer one with at "
"least %d characters will be required" % self._minlen)
if not report_only and self._removed_password is None:
# remove the password and reset the seen flag no to confuse Anaconda
self._removed_password = ksdata.rootpw.password
ksdata.rootpw.password = ""
ksdata.rootpw.seen = False
return [RuleMessage(common.MESSAGE_TYPE_WARNING, msg)]
else:
return []
def eval_rules(self, ksdata, storage, report_only=False):
""":see: RuleHandler.eval_rules"""
if self._minlen == 0:
# no password restrictions, nothing to be done here
return []
ret = []
users_proxy = USERS.get_proxy()
if not users_proxy.IsRootPasswordSet:
# root password was not set
msg = _("make sure to create password with minimal length of %d "
"characters") % self._minlen
ret = [
RuleMessage(self.__class__, common.MESSAGE_TYPE_WARNING, msg)
]
else:
# root password set
if users_proxy.IsRootPasswordCrypted:
msg = _(
"cannot check root password length (password is crypted)")
log.warning(
"cannot check root password length (password is crypted)")
return [
RuleMessage(self.__class__, common.MESSAGE_TYPE_WARNING,
msg)
]
elif len(users_proxy.RootPassword) < self._minlen:
# too short
msg = _("root password is too short, a longer one with at "
"least %d characters is required") % self._minlen
ret = [
RuleMessage(self.__class__, common.MESSAGE_TYPE_FATAL, msg)
]
else:
ret = []
if report_only:
return ret
# set the policy in any case (so that a weaker password is not entered)
pw_policy = ksdata.anaconda.pwpolicy.get_policy("root")
if pw_policy is None:
pw_policy = F22_PwPolicyData()
log.info("OSCAP addon: setting password policy %s" % pw_policy)
ksdata.anaconda.pwpolicy.policyList.append(pw_policy)
log.info("OSCAP addon: password policy list: %s" %
ksdata.anaconda.pwpolicy.policyList)
self._created_policy = True
self._orig_minlen = pw_policy.minlen
self._orig_strict = pw_policy.strict
pw_policy.minlen = self._minlen
pw_policy.strict = True
return ret
def eval_rules(self, ksdata, storage, report_only=False):
""":see: RuleHandler.eval_rules"""
device_tree = STORAGE.get_proxy(DEVICE_TREE)
mount_points = device_tree.GetMountPoints()
messages = []
if self._mount_point not in mount_points:
msg = _("{0} must be on a separate partition or logical "
"volume and has to be created in the "
"partitioning layout before installation can occur "
"with a security profile").format(self._mount_point)
messages.append(
RuleMessage(self.__class__, common.MESSAGE_TYPE_FATAL, msg))
# mount point doesn't exist, nothing more can be found here
return messages
# template for the message
msg_tmpl = _("mount option '%(mount_option)s' added for "
"the mount point %(mount_point)s")
# add message for every option already added
for opt in self._added_mount_options:
msg = msg_tmpl % {
"mount_option": opt,
"mount_point": self._mount_point
}
messages.append(
RuleMessage(self.__class__, common.MESSAGE_TYPE_INFO, msg))
# mount point to be created during installation
target_name = mount_points[self._mount_point]
mount_options = device_tree.GetDeviceMountOptions(target_name)
# generator for the new options that should be added
new_opts = (opt for opt in self._mount_options
if opt not in mount_options.split(","))
# add message for every mount option added
for opt in new_opts:
msg = msg_tmpl % {
"mount_option": opt,
"mount_point": self._mount_point
}
# add message for the mount option in any case
messages.append(
RuleMessage(self.__class__, common.MESSAGE_TYPE_INFO, msg))
# add new options to the target mount point if not reporting only
if not report_only:
mount_options += ",%s" % opt
self._added_mount_options.append(opt)
if new_opts and not report_only:
device_tree.SetDeviceMountOptions(target_name, mount_options)
return messages
def eval_rules(self, ksdata, storage, report_only=False):
""":see: RuleHandler.eval_rules"""
if self._minlen == 0:
# no password restrictions, nothing to be done here
return []
ret = []
users_proxy = USERS.get_proxy()
if not users_proxy.IsRootPasswordSet:
# root password was not set
msg = _("make sure to create password with minimal length of %d "
"characters") % self._minlen
ret = [
RuleMessage(self.__class__, common.MESSAGE_TYPE_WARNING, msg)
]
else:
# root password set
if users_proxy.IsRootPasswordCrypted:
msg = _(
"cannot check root password length (password is crypted)")
log.warning(
"OSCAP Addon: cannot check root password length (password is crypted)"
)
return [
RuleMessage(self.__class__, common.MESSAGE_TYPE_WARNING,
msg)
]
elif len(users_proxy.RootPassword) < self._minlen:
# too short
msg = _("root password is too short, a longer one with at "
"least %d characters is required") % self._minlen
ret = [
RuleMessage(self.__class__, common.MESSAGE_TYPE_FATAL, msg)
]
else:
ret = []
if report_only:
return ret
# set the policy in any case (so that a weaker password is not entered)
policies = self._get_password_policies()
policy = policies[PASSWORD_POLICY_ROOT]
self._orig_minlen = policy.min_length
self._orig_strict = policy.is_strict
policy.min_length = self._minlen
policy.is_strict = True
self._set_password_policies(policies)
return ret
def eval_rules(self, ksdata, storage, report_only=False):
""":see: RuleHandler.eval_rules"""
messages = []
# add messages for the already added packages
for pkg in self._added_pkgs:
msg = _(
"package '%s' has been added to the list of to be installed "
"packages" % pkg)
messages.append(
RuleMessage(self.__class__, common.MESSAGE_TYPE_INFO, msg))
# packages, that should be added
packages_to_add = (pkg for pkg in self._add_pkgs
if pkg not in ksdata.packages.packageList)
for pkg in packages_to_add:
# add the package unless already added
if not report_only:
self._added_pkgs.add(pkg)
ksdata.packages.packageList.append(pkg)
msg = _(
"package '%s' has been added to the list of to be installed "
"packages" % pkg)
messages.append(
RuleMessage(self.__class__, common.MESSAGE_TYPE_INFO, msg))
# now do the same for the packages that should be excluded
# add messages for the already excluded packages
for pkg in self._removed_pkgs:
msg = _("package '%s' has been added to the list of excluded "
"packages" % pkg)
messages.append(
RuleMessage(self.__class__, common.MESSAGE_TYPE_INFO, msg))
# packages, that should be added
packages_to_remove = (pkg for pkg in self._remove_pkgs
if pkg not in ksdata.packages.excludedList)
for pkg in packages_to_remove:
# exclude the package unless already excluded
if not report_only:
self._removed_pkgs.add(pkg)
ksdata.packages.excludedList.append(pkg)
msg = _("package '%s' has been added to the list of excluded "
"packages" % pkg)
messages.append(
RuleMessage(self.__class__, common.MESSAGE_TYPE_INFO, msg))
return messages
def eval_rules(self, ksdata, storage, report_only=False):
""":see: RuleHandler.eval_rules"""
messages = []
if self._mount_point not in storage.mountpoints:
msg = _("%s must be on a separate partition or logical "
"volume" % self._mount_point)
messages.append(
RuleMessage(self.__class__, common.MESSAGE_TYPE_FATAL, msg))
# mount point doesn't exist, nothing more can be found here
return messages
# template for the message
msg_tmpl = _("mount option '%(mount_option)s' added for "
"the mount point %(mount_point)s")
# add message for every option already added
for opt in self._added_mount_options:
msg = msg_tmpl % {
"mount_option": opt,
"mount_point": self._mount_point
}
messages.append(
RuleMessage(self.__class__, common.MESSAGE_TYPE_INFO, msg))
# mount point to be created during installation
target_mount_point = storage.mountpoints[self._mount_point]
# generator for the new options that should be added
new_opts = (opt for opt in self._mount_options
if opt not in target_mount_point.format.options.split(","))
# add message for every mount option added
for opt in new_opts:
msg = msg_tmpl % {
"mount_option": opt,
"mount_point": self._mount_point
}
# add message for the mount option in any case
messages.append(
RuleMessage(self.__class__, common.MESSAGE_TYPE_INFO, msg))
# add new options to the target mount point if not reporting only
if not report_only:
target_mount_point.format.options += ",%s" % opt
self._added_mount_options.append(opt)
return messages
def eval_rules(self, ksdata, storage, report_only=False):
""":see: RuleHandler.eval_rules"""
messages = []
if self._kdump_enabled is None:
return []
elif self._kdump_enabled is False:
msg = _("Kdump will be disabled on startup")
elif self._kdump_enabled is True:
msg = _("Kdump will be enabled on startup")
messages.append(
RuleMessage(self.__class__, common.MESSAGE_TYPE_INFO, msg))
if not report_only:
try:
if self._kdump_default_enabled is None:
# Kdump addon default startup setting
self._kdump_default_enabled = ksdata.addons.com_redhat_kdump.enabled
ksdata.addons.com_redhat_kdump.enabled = self._kdump_enabled
except AttributeError:
log.warning("com_redhat_kdump is not installed. "
"Skipping kdump configuration")
return messages
def eval_rules(self, ksdata, storage, report_only=False):
""":see: RuleHandler.eval_rules"""
messages = []
if self._kdump_enabled is None:
return []
elif self._kdump_enabled is False:
msg = _("Kdump will be disabled on startup")
elif self._kdump_enabled is True:
msg = _("Kdump will be enabled on startup")
messages.append(
RuleMessage(self.__class__, common.MESSAGE_TYPE_INFO, msg))
if not report_only:
if is_module_available(KDUMP):
kdump_proxy = KDUMP.get_proxy()
if self._kdump_default_enabled is None:
# Kdump addon default startup setting
self._kdump_default_enabled = kdump_proxy.KdumpEnabled
kdump_proxy.KdumpEnabled = self._kdump_enabled
else:
log.warning("OSCAP Addon: com_redhat_kdump is not installed. "
"Skipping kdump configuration")
return messages
def eval_rules(self, ksdata, storage, report_only=False):
""":see: RuleHandler.eval_rules"""
if self._require_password and not storage.bootloader.password:
# Anaconda doesn't provide a way to set bootloader password, so
# users cannot do much about that --> we shouldn't stop the
# installation, should we?
return [
RuleMessage(common.MESSAGE_TYPE_WARNING,
"boot loader password not set up")
]
else:
return []
def eval_rules(self, ksdata, storage, report_only=False):
""":see: RuleHandler.eval_rules"""
bootloader_proxy = STORAGE.get_proxy(BOOTLOADER)
if self._require_password and not bootloader_proxy.IsPasswordSet:
# TODO: Anaconda provides a way to set bootloader password:
# bootloader_proxy.SetEncryptedPassword(...)
# We don't support setting the bootloader password yet,
# but we shouldn't stop the installation, just because of that.
return [
RuleMessage(self.__class__, common.MESSAGE_TYPE_WARNING,
"boot loader password not set up")
]
else:
return []
def eval_rules(self, ksdata, storage, report_only=False):
""":see: RuleHandler.eval_rules"""
firewall_proxy = NETWORK.get_proxy(FIREWALL)
messages = []
if self._firewall_default_state is None:
# firewall default startup setting
self._firewall_default_state = firewall_proxy.FirewallMode
if self._firewall_enabled is False:
msg = _("Firewall will be disabled on startup")
messages.append(
RuleMessage(self.__class__, common.MESSAGE_TYPE_INFO, msg))
if not report_only:
firewall_proxy.SetFirewallMode(FIREWALL_DISABLED)
elif self._firewall_enabled is True:
msg = _("Firewall will be enabled on startup")
messages.append(
RuleMessage(self.__class__, common.MESSAGE_TYPE_INFO, msg))
if not report_only:
firewall_proxy.SetFirewallMode(FIREWALL_ENABLED)
# add messages for the already added services
for svc in self._added_svcs:
msg = _(
"service '%s' has been added to the list of services to be "
"added to the firewall" % svc)
messages.append(
RuleMessage(self.__class__, common.MESSAGE_TYPE_INFO, msg))
# add messages for the already added ports
for port in self._added_ports:
msg = _("port '%s' has been added to the list of ports to be "
"added to the firewall" % port)
messages.append(
RuleMessage(self.__class__, common.MESSAGE_TYPE_INFO, msg))
# add messages for the already added trusts
for trust in self._added_trusts:
msg = _("trust '%s' has been added to the list of trusts to be "
"added to the firewall" % trust)
messages.append(
RuleMessage(self.__class__, common.MESSAGE_TYPE_INFO, msg))
# services, that should be added
self._new_services_to_add = {
svc
for svc in self._add_svcs
if svc not in firewall_proxy.EnabledServices
}
# ports, that should be added
self._new_ports_to_add = {
ports
for ports in self._add_ports
if ports not in firewall_proxy.EnabledPorts
}
# trusts, that should be added
self._new_trusts_to_add = {
trust
for trust in self._add_trusts if trust not in firewall_proxy.Trusts
}
for svc in self._new_services_to_add:
# add the service unless already added
if not report_only:
self._added_svcs.add(svc)
msg = _(
"service '%s' has been added to the list of services to be "
"added to the firewall" % svc)
messages.append(
RuleMessage(self.__class__, common.MESSAGE_TYPE_INFO, msg))
if not report_only:
all_services = list(
self._add_svcs.union(set(firewall_proxy.EnabledServices)))
firewall_proxy.SetEnabledServices(all_services)
for port in self._new_ports_to_add:
# add the port unless already added
if not report_only:
self._added_ports.add(port)
msg = _("port '%s' has been added to the list of ports to be "
"added to the firewall" % port)
messages.append(
RuleMessage(self.__class__, common.MESSAGE_TYPE_INFO, msg))
if not report_only:
all_ports = list(
self._add_ports.union(set(firewall_proxy.EnabledPorts)))
firewall_proxy.SetEnabledPorts(all_ports)
for trust in self._new_trusts_to_add:
# add the trust unless already added
if not report_only:
self._added_trusts.add(trust)
msg = _("trust '%s' has been added to the list of trusts to be "
"added to the firewall" % trust)
messages.append(
RuleMessage(self.__class__, common.MESSAGE_TYPE_INFO, msg))
if not report_only:
all_trusts = list(
self._add_trusts.union(set(firewall_proxy.Trusts)))
firewall_proxy.SetTrusts(all_trusts)
# now do the same for the services that should be excluded
# add messages for the already excluded services
for svc in self._removed_svcs:
msg = _(
"service '%s' has been added to the list of services to be "
"removed from the firewall" % svc)
messages.append(
RuleMessage(self.__class__, common.MESSAGE_TYPE_INFO, msg))
# services, that should be excluded
self._new_services_to_remove = {
svc
for svc in self._remove_svcs
if svc not in firewall_proxy.DisabledServices
}
for svc in self._new_services_to_remove:
# exclude the service unless already excluded
if not report_only:
self._removed_svcs.add(svc)
msg = _(
"service '%s' has been added to the list of services to be "
"removed from the firewall" % svc)
messages.append(
RuleMessage(self.__class__, common.MESSAGE_TYPE_INFO, msg))
if not report_only:
all_services = list(
self._remove_svcs.union(set(firewall_proxy.DisabledServices)))
firewall_proxy.SetDisabledServices(all_services)
return messages
def eval_rules(self, ksdata, storage, report_only=False):
""":see: RuleHandler.eval_rules"""
messages = []
packages_data = get_packages_data()
msg_installed_template = _(
"package '%s' has been added to the list of to be installed packages"
)
# add messages for the already added packages
for pkg in self._added_pkgs:
msg = msg_installed_template % pkg
messages.append(
RuleMessage(self.__class__, common.MESSAGE_TYPE_INFO, msg))
# packages, that should be added
packages_to_add = (pkg for pkg in self._add_pkgs
if pkg not in packages_data.packages)
for pkg in packages_to_add:
# add the package unless already added
if not report_only:
self._added_pkgs.add(pkg)
packages_data.packages.append(pkg)
msg = msg_installed_template % pkg
messages.append(
RuleMessage(self.__class__, common.MESSAGE_TYPE_INFO, msg))
msg_excluded_template = _(
"package '%s' has been added to the list of excluded packages")
# now do the same for the packages that should be excluded
# add messages for the already excluded packages
for pkg in self._removed_pkgs:
if self._package_is_essential(pkg, packages_data):
msg = _(
"package '{package}' has been added to the list "
"of excluded packages, but it can't be removed "
"from the current software selection without breaking the installation."
)
msg = msg.format(package=pkg)
messages.append(
RuleMessage(self.__class__, common.MESSAGE_TYPE_FATAL,
msg))
else:
msg = msg_excluded_template % pkg
messages.append(
RuleMessage(self.__class__, common.MESSAGE_TYPE_INFO, msg))
# packages, that should be added
packages_to_remove = (pkg for pkg in self._remove_pkgs
if pkg not in packages_data.excluded_packages)
for pkg in packages_to_remove:
# exclude the package unless already excluded
if not report_only:
self._removed_pkgs.add(pkg)
packages_data.excluded_packages.append(pkg)
msg = msg_excluded_template % pkg
messages.append(
RuleMessage(self.__class__, common.MESSAGE_TYPE_INFO, msg))
if not report_only:
set_packages_data(packages_data)
return messages
def eval_rules(self, ksdata, storage, report_only=False):
""":see: RuleHandler.eval_rules"""
messages = []
if self._firewall_default_enabled is None:
# firewall default startup setting
self._firewall_default_enabled = ksdata.firewall.enabled
if self._firewall_enabled is False:
msg = _("Firewall will be disabled on startup")
messages.append(
RuleMessage(self.__class__, common.MESSAGE_TYPE_INFO, msg))
if not report_only:
ksdata.firewall.enabled = self._firewall_enabled
elif self._firewall_enabled is True:
msg = _("Firewall will be enabled on startup")
messages.append(
RuleMessage(self.__class__, common.MESSAGE_TYPE_INFO, msg))
if not report_only:
ksdata.firewall.enabled = self._firewall_enabled
# add messages for the already added services
for svc in self._added_svcs:
msg = _(
"service '%s' has been added to the list of services to be "
"added to the firewall" % svc)
messages.append(
RuleMessage(self.__class__, common.MESSAGE_TYPE_INFO, msg))
# add messages for the already added ports
for port in self._added_ports:
msg = _("port '%s' has been added to the list of ports to be "
"added to the firewall" % port)
messages.append(
RuleMessage(self.__class__, common.MESSAGE_TYPE_INFO, msg))
# add messages for the already added trusts
for trust in self._added_trusts:
msg = _("trust '%s' has been added to the list of trusts to be "
"added to the firewall" % trust)
messages.append(
RuleMessage(self.__class__, common.MESSAGE_TYPE_INFO, msg))
# services, that should be added
services_to_add = (svc for svc in self._add_svcs
if svc not in ksdata.firewall.services)
# ports, that should be added
ports_to_add = (ports for ports in self._add_ports
if ports not in ksdata.firewall.ports)
# trusts, that should be added
trusts_to_add = (trust for trust in self._add_trusts
if trust not in ksdata.firewall.trusts)
for svc in services_to_add:
# add the service unless already added
if not report_only:
self._added_svcs.add(svc)
ksdata.firewall.services.append(svc)
msg = _(
"service '%s' has been added to the list of services to be "
"added to the firewall" % svc)
messages.append(
RuleMessage(self.__class__, common.MESSAGE_TYPE_INFO, msg))
for port in ports_to_add:
# add the port unless already added
if not report_only:
self._added_ports.add(port)
ksdata.firewall.ports.append(port)
msg = _("port '%s' has been added to the list of ports to be "
"added to the firewall" % port)
messages.append(
RuleMessage(self.__class__, common.MESSAGE_TYPE_INFO, msg))
for trust in trusts_to_add:
# add the trust unless already added
if not report_only:
self._added_trusts.add(trust)
ksdata.firewall.trusts.append(trust)
msg = _("trust '%s' has been added to the list of trusts to be "
"added to the firewall" % trust)
messages.append(
RuleMessage(self.__class__, common.MESSAGE_TYPE_INFO, msg))
# now do the same for the services that should be excluded
# add messages for the already excluded services
for svc in self._removed_svcs:
msg = _(
"service '%s' has been added to the list of services to be "
"removed from the firewall" % svc)
messages.append(
RuleMessage(self.__class__, common.MESSAGE_TYPE_INFO, msg))
# services, that should be added
services_to_remove = (svc for svc in self._remove_svcs
if svc not in ksdata.firewall.remove_services)
for svc in services_to_remove:
# exclude the service unless already excluded
if not report_only:
self._removed_svcs.add(svc)
ksdata.firewall.remove_services.append(svc)
msg = _(
"service '%s' has been added to the list of services to be "
"removed from the firewall" % svc)
messages.append(
RuleMessage(self.__class__, common.MESSAGE_TYPE_INFO, msg))
return messages
