def scan(self, option=None): zonename = sb_utils.os.solaris.zonename() if zonename != 'global': msg = "module not applicable in non-global Solaris zones" self.logger.notice(self.module_name, 'Not Applicable: ' + msg) raise tcs_utils.ZoneNotApplicable('%s %s' % (self.module_name, msg)) results = sb_utils.os.software.is_installed(pkgname=self.__pkgname) if results == None: msg = "Unable to determine if %s installed." % self.__pkgname self.logger.error(self.module_name, 'Scan Error: ' + msg) if results == False: msg = "%s (%s) is not installed on the system" % \ (self.__svcdesc, self.__pkgname) self.logger.warn(self.module_name, 'Not Applicable: ' + msg) raise tcs_utils.ScanNotApplicable('%s %s' % (self.module_name, msg)) results = sb_utils.os.service.is_enabled(svcname=self.__svcname) if results == True: msg = "svcprop reports %s is on" % self.__svcdesc self.logger.info(self.module_name, 'Scan Failed: ' + msg) return 'Fail', msg return 'Pass', ''
def apply(self, option=None): result, msg, messages = self.scan(option) if result == True: msg = "dtspcd port tcp/6112 is already marked as privileged" return False, '', msg messages = {'messages': []} zonename = sb_utils.os.solaris.zonename() if zonename != 'global': msg = "Unable to perform module apply or undo action to a "\ "non-global Solaris zone (%s)" % zonename self.logger.notice(self.module_name, 'Apply Failed: ' + msg) raise tcs_utils.ZoneNotApplicable('%s %s' % (self.module_name, msg)) action_record = [] try: out_obj = open(self.__ndd_file, 'a') out_obj.write("tcp_extra_priv_ports_add=6112\n") out_obj.close() action_record.append('applied') msg = "Appended 'tcp_extra_priv_ports_add=6112' to %s" % self.__ndd_file self.logger.notice(self.module_name, 'Apply Performed: ' + msg) messages['messages'].append(msg) except IOError, err: msg = "Unable to append 'tcp_extra_priv_ports_add=6112' to %s" % self.__ndd_file self.logger.error(self.module_name, 'Error: ' + msg) messages['messages'].append("Error: %s" % msg)
def scan(self, option=None): zonename = sb_utils.os.solaris.zonename() if zonename != 'global': msg = "Non-global Solaris zone (%s): Unable to set %s" % ( zonename, self.__param) self.logger.notice(self.module_name, 'Scan: ' + msg) raise tcs_utils.ZoneNotApplicable('%s %s' % (self.module_name, msg)) paramlist = sb_utils.os.config.get_list(configfile=self.__target_file, delim='=') if paramlist == None: msg = 'Unable to determine parameter setting' self.logger.error(self.module_name, 'Scan Error: ' + msg) raise tcs_utils.ScanError('%s %s' % (self.module_name, msg)) if not paramlist.has_key(self.__param): reason = "%s option is NOT set in %s" % (self.__param, self.__target_file) self.logger.info(self.module_name, 'Scan Failed: ' + reason) return 'Fail', reason value = paramlist[self.__param] if int(value) != 2: reason = "%s is set to '%s' instead of 2 in %s" % ( self.__param, value, self.__target_file) self.logger.info(self.module_name, 'Scan Failed: ' + reason) return 'Fail', reason else: return 'Pass', ''
def scan(self, option=None): zonename = sb_utils.os.solaris.zonename() if zonename != 'global': msg = "Non-global Solaris zone (%s): SVM services unavailable" % ( zonename) self.logger.notice(self.module_name, 'Scan: ' + msg) raise tcs_utils.ZoneNotApplicable('%s %s' % (self.module_name, msg)) if sb_utils.os.software.is_installed(pkgname=self.__pkgname) != True: msg = "%s (%s) package is not installed" % (self.__svcdesc, self.__pkgname) self.logger.notice(self.module_name, 'Not Applicable: ' + msg) raise tcs_utils.ScanNotApplicable('%s %s' % (self.module_name, msg)) self.do_metastat() fail_flag = False for chksvc in self.__svcname: results = sb_utils.os.service.is_enabled(svcname=chksvc) if results == True: msg = "svcprop reports %s is on" % chksvc self.logger.notice(self.module_name, 'Scan Failed: ' + msg) fail_flag = True if fail_flag == True: return 'Fail', msg return 'Pass', ''
def apply(self, optionDict=None): result, msg, messages = self.scan(optionDict) if result == True: msg = "%s is already set correctly" % (self.__desc) return False, '', msg option = optionDict['arpCleanupInterval'] messages = {'messages': []} zonename = sb_utils.os.solaris.zonename() if zonename != 'global': msg = "Unable to perform module apply or undo action to a "\ "non-global Solaris zone (%s)" % zonename self.logger.notice(self.module_name, 'Apply Failed: ' + msg) raise tcs_utils.ZoneNotApplicable('%s %s' % (self.module_name, msg)) action_record = [] for xparam in self.__param.keys(): results = sb_utils.os.config.setparam( \ configfile=self.__ndd_file, \ param=xparam, value=str(self.__param[xparam]), delim='=') if results == False: msg = "Unable to set %s in %s" % (xparam, self.__ndd_file) self.logger.error(self.module_name, 'Apply Error: ' + msg) raise tcs_utils.ActionError('%s %s' % (self.module_name, msg)) else: action_record.append(xparam + '=' + results + '\n') msg = "%s set to '%d' in %s" % (xparam, self.__param[xparam], self.__ndd_file) self.logger.notice(self.module_name, "Apply Performed: %s" % msg) messages['messages'].append(msg) # Set in memory settings ... if xparam.startswith('ip'): thedrvr = 'ip' if xparam.startswith('icmp'): thedrvr = 'icmp' if xparam.startswith('tcp'): thedrvr = 'tcp' if xparam.startswith('udp'): thedrvr = 'udp' if xparam.startswith('arp'): thedrvr = 'arp' results = sb_utils.os.solaris.ndd_set(param=xparam, paramValue=str(self.__param[xparam]), driver=thedrvr) if results == False: msg = "Unable to set %s to %s in current running kernel" % (xparam, str(self.__param[xparam])) self.logger.error(self.module_name, 'Apply Error: ' + msg) messages['messages'].append("Error: %s" % msg) else: msg = "Set %s to %s in current running kernel" % (xparam, str(self.__param[xparam])) messages['messages'].append(msg) return True, ''.join(action_record), messages
def apply(self, option=None): result, reason, messages = self.scan() if result == True: return False, '', {} action_record = [] zonename = sb_utils.os.solaris.zonename() if zonename != 'global': msg = "Non-global Solaris zone (%s): Unable to use the pmadm command" % ( zonename) self.logger.notice(self.module_name, 'Scan: ' + msg) raise tcs_utils.ZoneNotApplicable('%s %s' % (self.module_name, msg)) if not os.path.isfile('/usr/sbin/pmadm'): msg = "Unable to find /usr/sbin/pmadm command" self.logger.error(self.module_name, 'Apply Error: ' + msg) raise tcs_utils.ActionError('%s %s' % (self.module_name, msg)) failure_flag = False cmd = "/usr/sbin/pmadm -L -p zsmon" results = tcs_utils.tcs_run_cmd(cmd, True) if results[0] != 0: msg = "Unable to execute: %s (%s)" % (cmd, results[2]) self.logger.notice(self.module_name, 'Apply Failed: ' + msg) return False, '', {} for line in results[1].split('\n'): fields = line.split(':') if len(fields) == 1: continue if len(fields) < 4: msg = "Ignoring malformed line: %s" % line self.logger.debug(self.module_name, msg) continue test = fields[3].find('x') if test < 0: cmd = "/usr/sbin/pmadm -d -p zsmon -s %s" % str(fields[2]) results = tcs_utils.tcs_run_cmd(cmd, True) if results[0] != 0: msg = "Unable to disable %s: %s" % ( fields[2], str(results[2]).rstrip()) self.logger.notice(self.module_name, "Apply Failed: " + msg) else: msg = "Disabled %s" % (fields[2]) self.logger.notice(self.module_name, "Apply Performed: " + msg) action_record.append(fields[2]) return True, ' '.join(action_record), {}
def undo(self, change_record=None): """Undo the previous action.""" zonename = sb_utils.os.solaris.zonename() if zonename != 'global': msg = "module not applicable in non-global Solaris zones" self.logger.notice(self.module_name, 'Not Applicable: ' + msg) raise tcs_utils.ZoneNotApplicable('%s %s' % (self.module_name, msg)) if not change_record: msg = "Unable to perform undo operation without change record." self.logger.error(self.module_name, 'Undo Error: ' + msg) raise tcs_utils.ActionError('%s %s' % (self.module_name, msg)) failure_flag = False for xparam in change_record.split('\n'): if not xparam: continue if '=' not in xparam: msg = 'Malformed change record: %s' % (xparam) self.logger.error(self.module_name, 'Undo Error: ' + msg) raise tcs_utils.ActionError('%s %s' % (self.module_name, msg)) param_key = xparam.split('=')[0] param_val = xparam.split('=')[1] if not param_val: results = sb_utils.os.config.unsetparam( param=param_key, configfile=self.__target_file) msg = 'Removing %s from %s' % (param_key, self.__target_file) self.logger.notice(self.module_name, 'Undo Performed: ' + msg) else: results = sb_utils.os.config.setparam( param=param_key, delim='=', value=param_val, configfile=self.__target_file) msg = 'Resetting %s to %s from %s' % \ (param_key, param_val, self.__target_file) self.logger.notice(self.module_name, 'Undo Performed: ' + msg) if results == False: msg = "Unable to restore settings in %s" % (self.__target_file) self.logger.error(self.module_name, 'Undo Failed: ' + msg) failure_flag = True if failure_flag == True: return 0 else: return 1
def scan(self, option=None): paramlist = sb_utils.os.config.get_list(configfile=self.__target_file, delim='=') zonename = sb_utils.os.solaris.zonename() if zonename != 'global' and not os.path.islink('/dev/ip'): msg = "Non-global Solaris zone (%s): /dev/ip is unavailable" % ( zonename) self.logger.notice(self.module_name, 'Scan: ' + msg) raise tcs_utils.ZoneNotApplicable('%s %s' % (self.module_name, msg)) failure_flag = False if paramlist == None: msg = 'Unable to determine parameter setting' self.logger.error(self.module_name, 'Scan Error: ' + msg) raise tcs_utils.ScanError('%s %s' % (self.module_name, msg)) for param in self.__param: curvalue = sb_utils.os.solaris.ndd_get(param=param, driver='ip') if int(curvalue) != 1: reason = "%s is set to '%s' instead of 1" % (param, curvalue) self.logger.notice(self.module_name, 'Scan Failed: ' + reason) failure_flag = True continue if not paramlist.has_key(param): reason = "%s option is NOT set in %s" % (param, self.__target_file) self.logger.notice(self.module_name, 'Scan Failed: ' + reason) failure_flag = True continue value = paramlist[param] if int(value) != 1: reason = "%s is set to '%s' instead of 1" % (param, value) self.logger.notice(self.module_name, 'Scan Failed: ' + reason) failure_flag = True else: msg = "%s is set to 1 in %s" % (param, self.__target_file) self.logger.info(self.module_name, msg) if failure_flag == True: msg = "%s not disabled" % (self.__desc) self.logger.notice(self.module_name, msg) return 'Fail', msg else: return 'Pass', ''
def apply(self, option=None): result, reason = self.scan() if result == 'Pass': return 0, '' zonename = sb_utils.os.solaris.zonename() if zonename != 'global': msg = "Unable to perform module apply or undo action to a "\ "non-global Solaris zone (%s)" % zonename self.logger.notice(self.module_name, 'Apply Failed: ' + msg) raise tcs_utils.ZoneNotApplicable('%s %s' % (self.module_name, msg)) action_record = [] for xparam in self.__param.keys(): results = sb_utils.os.config.setparam( \ configfile=self.__target_file, \ param=xparam, value=str(self.__param[xparam]), delim='=') if results == False: msg = "Unable to set %s in %s" % (xparam, self.__target_file) self.logger.error(self.module_name, 'Apply Error: ' + msg) raise tcs_utils.ActionError('%s %s' % (self.module_name, msg)) else: action_record.append(xparam + '=' + results + '\n') msg = "Apply Performed: %s set to '%d' in %s" % \ (xparam, self.__param[xparam], self.__target_file) self.logger.notice(self.module_name, msg) # Set in memory settings ... if xparam.startswith('ip'): thedrvr = 'ip' if xparam.startswith('icmp'): thedrvr = 'icmp' if xparam.startswith('tcp'): thedrvr = 'tcp' if xparam.startswith('udp'): thedrvr = 'udp' #curvalue = sb_utils.os.solaris.ndd_get(param=xparam, driver=thedriver) results = sb_utils.os.solaris.ndd_set(param=xparam, paramValue=str(self.__param[xparam]), driver=thedrvr) if results == False: msg = "Unable to set %s to %s in current running kernel" % (xparam, str(self.__param[xparam])) self.logger.error(self.module_name, 'Apply Error: ' + msg) return 1, ''.join(action_record)
def scan(self, option=None): zonename = sb_utils.os.solaris.zonename() if zonename != 'global': msg = "Non-global Solaris zone (%s): Unable to use pmadm command" % ( zonename) self.logger.notice(self.module_name, 'Scan: ' + msg) raise tcs_utils.ZoneNotApplicable('%s %s' % (self.module_name, msg)) if not os.path.isfile('/usr/sbin/pmadm'): msg = "Unable to find /usr/sbin/pmadm command" self.logger.error(self.module_name, 'Scan Error: ' + msg) raise tcs_utils.ScanError('%s %s' % (self.module_name, msg)) failure_flag = False cmd = "/usr/sbin/pmadm -L -p zsmon" results = tcs_utils.tcs_run_cmd(cmd, True) if results[0] != 0: msg = "Unable to execute: %s (%s)" % (cmd, results[2]) self.logger.notice(self.module_name, 'Scan Failed: ' + msg) return False, '', {'messages': [msg]} for line in results[1].split('\n'): fields = line.split(':') if len(fields) == 1: continue if len(fields) < 4: msg = "Ignoring malformed line: %s" % line self.logger.debug(self.module_name, msg) continue test = fields[3].find('x') if test < 0: msg = "%s is NOT disabled through port monitor %s" % ( fields[2], fields[0]) self.logger.notice(self.module_name, "Scan Failed: " + msg) failure_flag = True else: msg = "%s is disabled through port monitor %s" % (fields[2], fields[0]) self.logger.info(self.module_name, msg) if failure_flag == True: return False, 'Some services are not disabled through the zsmon port monitor', { 'messages': [msg] } else: return True, '', {}
def undo(self, change_record=None): messages = {'messages': []} zonename = sb_utils.os.solaris.zonename() if zonename != 'global': msg = "Unable to perform module undo or apply action to a "\ "non-global Solaris zone (%s)" % zonename self.logger.notice(self.module_name, 'Apply Failed: ' + msg) raise tcs_utils.ZoneNotApplicable('%s %s' % (self.module_name, msg)) if change_record != 'applied': msg = "Unable to perform undo operation without change record." self.logger.error(self.module_name, 'Undo Error: ' + msg) raise tcs_utils.ActionError('%s %s' % (self.module_name, msg)) ########################## ## Current running Kernel curvalues = sb_utils.os.solaris.ndd_get(param='tcp_extra_priv_ports', driver='tcp').split('\n') port_list = [] for port in curvalues: port_list.append(int(port)) if 6112 in port_list: results = sb_utils.os.solaris.ndd_set( param='tcp_extra_priv_ports_del', paramValue='6112', driver='tcp') if results == False: msg = "Unable to 'tcp_extra_priv_ports_del' 6112 in running kernel" self.logger.error(self.module_name, 'Undo Error: ' + msg) messages['messages'].append("Error: %s" % msg) else: msg = "Executed 'tcp_extra_priv_ports_del' 6112 in running kernel" self.logger.notice(self.module_name, 'Undo Performed: ' + msg) messages['messages'].append(msg) ########################## ## Edit /etc/default/ndd try: in_obj = open(self.__ndd_file, 'r') lines = in_obj.readlines() in_obj.close() except IOError, err: msg = "Unable to read %s" % self.__ndd_file self.logger.error(self.module_name, 'Error: ' + msg) messages['messages'].append("Error: %s" % msg) return False, '', messages
def scan(self, option=None): if option != None: option = None zonename = sb_utils.os.solaris.zonename() if zonename != 'global': msg = "module not applicable in non-global Solaris zones" self.logger.notice(self.module_name, 'Not Applicable: ' + msg) raise tcs_utils.ZoneNotApplicable('%s %s' % (self.module_name, msg)) try: in_obj = open('/etc/system') except IOError, err: msg = 'Unable to read /etc/system (%s)' % err self.logger.error(self.module_name, 'Scan Error: ' + msg) raise tcs_utils.ScanError('%s %s' % (self.module_name, msg))
def scan(self, optionDict=None): zonename = sb_utils.os.solaris.zonename() if zonename != 'global': msg = "Unable to check /etc/system parameters in a non-global zone" self.logger.notice(self.module_name, 'Not Applicable: ' + msg) raise tcs_utils.ZoneNotApplicable('%s %s' % (self.module_name, msg)) msg = "Checking /etc/system for directives to exclude scsa2usb and pcmcia" self.logger.info(self.module_name, msg) try: infile = open('/etc/system', 'r') except IOError, err: msg = "Unable to read /etc/system: %s" % str(err) self.logger.error(self.module_name, 'Scan Error: ' + msg) raise tcs_utils.ScanError('%s %s' % (self.module_name, msg))
def apply(self, option=None): zonename = sb_utils.os.solaris.zonename() if zonename != 'global': msg = "module not applicable in non-global Solaris zones" self.logger.notice(self.module_name, 'Not Applicable: ' + msg) raise tcs_utils.ZoneNotApplicable('%s %s' % (self.module_name, msg)) try: result, reason = self.scan() if result == 'Pass': return 0, '' except tcs_utils.ScanNotApplicable, err: msg = "module is not applicable for this system" self.logger.error(self.module_name, 'Apply Error: ' + msg) return 0, ''
def apply(self, option=None): results, reason = self.scan(option) if results == 'Pass': return 0, '' zonename = sb_utils.os.solaris.zonename() if zonename != 'global': msg = "Non-global Solaris zone (%s): SVM services unavailable" % ( zonename) self.logger.notice(self.module_name, 'Scan: ' + msg) raise tcs_utils.ZoneNotApplicable('%s %s' % (self.module_name, msg)) action_record = [] if sb_utils.os.software.is_installed(pkgname=self.__pkgname) != True: msg = "%s (%s) package is not installed" % (self.__svcdesc, self.__pkgname) self.logger.notice(self.module_name, 'Not Applicable: ' + msg) return 0, '' if self.using_metadevice() == True: msg = "There are mounted filesystems on SVM metadevices; this " \ "module will NOT perform an apply." self.logger.error(self.module_name, 'Apply Error: ' + msg) raise tcs_utils.ActionError('%s %s' % (self.module_name, msg)) for chksvc in self.__svcname: results = sb_utils.os.service.is_enabled(svcname=chksvc) if results == True: action_record.append("on|%s\n" % chksvc) results = sb_utils.os.service.disable(svcname=chksvc) if results != True: msg = 'Failed to disable %s' % chksvc self.logger.error(self.module_name, 'Apply Error: ' + msg) raise tcs_utils.ActionError('%s %s' % (self.module_name, msg)) else: msg = '%s (%s) disabled' % (self.__svcdesc, chksvc) self.logger.notice(self.module_name, 'Apply Performed: ' + msg) return 1, ''.join(action_record)
def undo(self, change_record=None): """Undo the previous action.""" zonename = sb_utils.os.solaris.zonename() if zonename != 'global': msg = "module not applicable in non-global Solaris zones" self.logger.notice(self.module_name, 'Not Applicable: ' + msg) raise tcs_utils.ZoneNotApplicable('%s %s' % (self.module_name, msg)) results = sb_utils.os.software.is_installed(pkgname=self.__pkgname) if results != True: msg = "%s is not installed on the system" % self.__svcname self.logger.notice(self.module_name, 'Skipping undo: ' + msg) return 0 if not change_record: msg = "Skipping Undo: No change record in state file." self.logger.notice(self.module_name, 'Skipping undo: ' + msg) return 0 if change_record not in ['off', 'on']: msg = "Skipping Undo: Uknown change record in state file: '%s'" % change_record self.logger.notice(self.module_name, 'Skipping undo: ' + msg) return 0 if change_record == 'on': results = sb_utils.os.service.enable(svcname=self.__svcname) if change_record == 'off': results = sb_utils.os.service.disable(svcname=self.__svcname) if results != True: msg = "Unable to set %s (%s) service to '%s' " % ( self.__svcdesc, self.__svcname, change_record) self.logger.error(self.module_name, 'Undo Error: ' + msg) raise tcs_utils.ActionError('%s %s' % (self.module_name, msg)) msg = "%s (%s) service set to '%s' " % (self.__svcdesc, self.__svcname, change_record) self.logger.notice(self.module_name, 'Undo Performed: ' + msg) return 1
def undo(self, change_record=None): """Undo the previous action.""" if sb_utils.os.software.is_installed(pkgname=self.__pkgname) != True: msg = "%s (%s) package is not installed" % (self.__svcdesc, self.__pkgname) self.logger.notice(self.module_name, 'Not Applicable: ' + msg) return 0 zonename = sb_utils.os.solaris.zonename() if zonename != 'global': msg = "Non-global Solaris zone (%s): SVM services unavailable" % ( zonename) self.logger.notice(self.module_name, 'Scan: ' + msg) raise tcs_utils.ZoneNotApplicable('%s %s' % (self.module_name, msg)) if change_record == None: msg = 'No change record provided; unable to perform undo.' self.logger.error(self.module_name, 'Undo Error: ' + msg) return 0 for chksvc in change_record.split('\n'): if chksvc == "": continue fields = chksvc.split('|') if len(fields) != 2: msg = "Malformed change record: \"%s\"" % chksvc self.logger.error(self.module_name, 'Undo Error: ' + msg) continue if fields[0] == 'on': results = sb_utils.os.service.enable(svcname=fields[1]) if results != True: msg = 'Failed to enable %s' % fields[1] self.logger.error(self.module_name, 'Undo Error: ' + msg) raise tcs_utils.ActionError('%s %s' % (self.module_name, msg)) else: msg = '%s (%s) enabled' % (self.__svcdesc, fields[1]) self.logger.notice(self.module_name, 'Undo Performed: ' + msg) return 1
def apply(self, optionDict=None): zonename = sb_utils.os.solaris.zonename() if zonename != 'global': msg = "Unable to change /etc/system parameters in a non-global zone" self.logger.notice(self.module_name, 'Not Applicable: ' + msg) raise tcs_utils.ZoneNotApplicable('%s %s' % (self.module_name, msg)) action_record = [] tcs_utils.protect_file('/etc/system') failure_flag = False try: infile = open('/etc/system', 'r') outfile = open('/etc/system.new', 'w') except IOError, err: msg = str(err) self.logger.error(self.module_name, 'Apply Error: ' + msg) raise tcs_utils.ActionError('%s %s' % (self.module_name, msg))
def undo(self, change_record=None): """Undo the previous action.""" zonename = sb_utils.os.solaris.zonename() if zonename != 'global': msg = "module not applicable in non-global Solaris zones" self.logger.notice(self.module_name, 'Not Applicable: ' + msg) raise tcs_utils.ZoneNotApplicable('%s %s' % (self.module_name, msg)) if not change_record or change_record != 'enabled': msg = "unable to undo without valid change record" self.logger.error(self.module_name, 'Undo Error: ' + msg) return 0 try: result, reason = self.scan() if result == 'Fail': return 0 except tcs_utils.ScanNotApplicable, err: msg = 'module is not applicable for this system.' self.logger.error(self.module_name, 'Undo Error: ' + msg) return 0
def undo(self, change_record=None): """Undo the previous action.""" zonename = sb_utils.os.solaris.zonename() if zonename != 'global': msg = "Unable to change /etc/system parameters in a non-global zone" self.logger.notice(self.module_name, 'Not Applicable: ' + msg) raise tcs_utils.ZoneNotApplicable('%s %s' % (self.module_name, msg)) if not change_record: msg = "Unable to perform undo operation without change record." self.logger.error(self.module_name, 'Undo Error: ' + msg) raise tcs_utils.ActionError('%s %s' % (self.module_name, msg)) try: infile = open('/etc/system', 'r') lines = infile.readlines() infile.close() except IOError, err: msg = str(err) self.logger.error(self.module_name, 'Undo Error: ' + msg) raise tcs_utils.ActionError('%s %s' % (self.module_name, msg))
def undo(self, change_record=None): zonename = sb_utils.os.solaris.zonename() if zonename != 'global': msg = "Unable to perform module undo or apply action to a "\ "non-global Solaris zone (%s)" % zonename self.logger.notice(self.module_name, 'Apply Failed: ' + msg) raise tcs_utils.ZoneNotApplicable('%s %s' % (self.module_name, msg)) if not change_record: msg = "Unable to perform undo operation without change record." self.logger.error(self.module_name, 'Undo Error: ' + msg) raise tcs_utils.ActionError('%s %s' % (self.module_name, msg)) failure_flag = False for xparam in change_record.split('\n'): if not xparam: continue if '=' not in xparam: msg = 'Malformed change record: %s' % (xparam) self.logger.error(self.module_name, 'Undo Error: ' + msg) raise tcs_utils.ActionError('%s %s' % (self.module_name, msg)) param_key = xparam.split('=')[0] param_val = xparam.split('=')[1] if not param_val: results = sb_utils.os.config.unsetparam( param=param_key, configfile=self.__target_file) msg = 'Removing %s from %s' % (param_key, self.__target_file) self.logger.notice(self.module_name, 'Undo Performed: ' + msg) else: results = sb_utils.os.config.setparam( param=param_key, delim='=', value=param_val, configfile=self.__target_file) msg = 'Resetting %s to %s from %s' % \ (param_key, param_val, self.__target_file) self.logger.notice(self.module_name, 'Undo Performed: ' + msg) if results == False: msg = "Unable to restore %s in %s" % (param_key, self.__target_file) self.logger.error(self.module_name, 'Undo Failed: ' + msg) failure_flag = True # Set in memory settings ... if param_key.startswith('ip'): thedrvr = 'ip' if param_key.startswith('icmp'): thedrvr = 'icmp' if param_key.startswith('tcp'): thedrvr = 'tcp' if param_key.startswith('udp'): thedrvr = 'udp' results = sb_utils.os.solaris.ndd_set(param=param_key, paramValue=param_val, driver=thedrvr) if results == False: msg = "Unable to set %s to %s in current running kernel" % ( param_key, param_key) self.logger.error(self.module_name, 'Undo Error: ' + msg) failure_flag = True if failure_flag == True: return 0 else: return 1
def apply(self, optionDict=None): result, reason = self.scan(optionDict) if result == 'Pass': return 0, '' zonename = sb_utils.os.solaris.zonename() if zonename != 'global': msg = "Unable to perform module apply or undo action to a "\ "non-global Solaris zone (%s)" % zonename self.logger.notice(self.module_name, msg) raise tcs_utils.ZoneNotApplicable('%s %s' % (self.module_name, msg)) action_record = [] if optionDict != None and 'tcpMaxSynBacklog' in optionDict: option = optionDict['tcpMaxSynBacklog'] option = int(option) if option < 1024: msg = "Specified option value %d < 1024 is not recommended "\ "for tcp_conn_req_max_q0 therefore, using 4096 instead." \ % (option) self.logger.warn(self.module_name, msg) option = 4096 self._param['tcp_conn_req_max_q0'] = 4096 if option > 4096: msg = "Specified option %d > 4096; not recommended for "\ "tcp_conn_req_max_q0 however, still using value" % (option) self.logger.warn(self.module_name, msg) else: msg = "No specified option value for tcp_conn_req_max_q0 "\ "therefore, defaulting to 4096" self.logger.warn(self.module_name, msg) option = 1024 self._param['tcp_conn_req_max_q0'] = 4096 for xparam in self._param.keys(): results = sb_utils.os.config.setparam( \ configfile=self.__target_file, \ param=xparam, value=str(self._param[xparam]), delim='=') if results == False: msg = "Unable to set %s in %s" % (xparam, self.__target_file) self.logger.error(self.module_name, 'Apply Error: ' + msg) raise tcs_utils.ActionError('%s %s' % (self.module_name, msg)) else: action_record.append(xparam + '=' + results + '\n') msg = "Apply Performed: %s set to '%d' in %s" % \ (xparam, self._param[xparam], self.__target_file) self.logger.notice(self.module_name, msg) # Set in memory settings ... if xparam.startswith('ip'): thedrvr = 'ip' if xparam.startswith('icmp'): thedrvr = 'icmp' if xparam.startswith('tcp'): thedrvr = 'tcp' if xparam.startswith('udp'): thedrvr = 'udp' results = sb_utils.os.solaris.ndd_set(param=xparam, paramValue=str( self._param[xparam]), driver=thedrvr) if results == False: msg = "Unable to set %s to %s in current running kernel" % ( xparam, str(self._param[xparam])) self.logger.error(self.module_name, 'Apply Error: ' + msg) return 1, ''.join(action_record)
def scan(self, option=None): paramlist = sb_utils.os.config.get_list(configfile=self.__target_file, delim='=') zonename = sb_utils.os.solaris.zonename() if zonename != 'global' and not os.path.islink('/dev/ip'): msg = "Non-global Solaris zone (%s): /dev/ip is unavailable" % (zonename) self.logger.notice(self.module_name, 'Scan: ' + msg) raise tcs_utils.ZoneNotApplicable('%s %s' % (self.module_name, msg)) failure_flag = False if paramlist == None: msg = 'Scan Error: Unable to determine parameter setting' self.logger.error(self.module_name, msg) raise tcs_utils.ScanError('%s %s' % (self.module_name, msg)) for param in self.__param.keys(): if param.startswith('ip'): thedriver = 'ip' if param.startswith('icmp'): thedriver = 'icmp' if param.startswith('tcp'): thedriver = 'tcp' if param.startswith('udp'): thedriver = 'udp' curvalue = sb_utils.os.solaris.ndd_get(param=param, driver=thedriver) if int(curvalue) != int(self.__param[param]): reason = "Scan Failed: %s is set to '%s' instead of %d" % \ (param, curvalue, self.__param[param]) self.logger.notice(self.module_name, reason) failure_flag = True continue # Module ONLY applies to global Solaris zones if zonename != 'global': msg = "Non-global Solaris zone (%s): Skipping check of "\ "/etc/default/ndd" % (zonename) self.logger.debug(self.module_name, 'Scan: ' + msg) continue # Is parameter implicility set in /etc/default/ndd? if not paramlist.has_key(param): msg = "Scan Failed: %s option is NOT set in %s" % \ (param, self.__target_file) self.logger.notice(self.module_name, msg) failure_flag = True continue # If parameter is set, does it match desired value? value = paramlist[param] if int(value) != int(self.__param[param]): msg = "Scan Failed: %s is set to '%s' instead of %d" % \ (param, value, self.__param[param]) self.logger.notice(self.module_name, msg) failure_flag = True else: msg = "%s is set to '%d' in %s" % \ (param, self.__param[param], self.__target_file) self.logger.info(self.module_name, msg) if failure_flag == True: msg = "%s not disabled" % (self.__desc) self.logger.notice(self.module_name, msg) return 'Fail', msg else: return 'Pass', ''
def scan(self, optionDict=None): messages = {'messages': [] } paramlist = sb_utils.os.config.get_list(configfile=self.__ndd_file, delim='=') zonename = sb_utils.os.solaris.zonename() if zonename != 'global' and not os.path.islink('/dev/arp'): msg = "Non-global Solaris zone (%s): /dev/arp is unavailable" % (zonename) self.logger.notice(self.module_name, 'Scan: ' + msg) raise tcs_utils.ZoneNotApplicable('%s %s' % (self.module_name, msg)) if optionDict != None and 'arpCleanupInterval' in optionDict: option = optionDict['arpCleanupInterval'] option = int(option) if option < 100: msg = "Specified option value %d < 100ms is not recommended "\ "for arp_clean_interval therefore, using default 60000ms instead." % (option) self.logger.warn(self.module_name, msg) messages['messages'].append(msg) else: self.__param['arp_cleanup_interval'] = option else: msg = "No specified option value for arp_cleanup_interval "\ "therefore, defaulting to 60000ms" self.logger.warn(self.module_name, msg) messages['messages'].append(msg) failure_flag = False if paramlist == None: msg = 'Scan Error: Unable to determine parameter setting' self.logger.error(self.module_name, msg) raise tcs_utils.ScanError('%s %s' % (self.module_name, msg)) for param in self.__param.keys(): if param.startswith('ip'): thedriver = 'ip' if param.startswith('icmp'): thedriver = 'icmp' if param.startswith('tcp'): thedriver = 'tcp' if param.startswith('udp'): thedriver = 'udp' if param.startswith('arp'): thedriver = 'arp' curvalue = sb_utils.os.solaris.ndd_get(param=param, driver=thedriver) if int(curvalue) != int(self.__param[param]): msg = "%s is set to '%s' instead of %d" % (param, curvalue, self.__param[param]) self.logger.notice(self.module_name, "Scan Failed: %s" % msg) messages['messages'].append("Fail: %s" % msg) failure_flag = True continue else: msg = "%s is set to '%s' in kernel" % (param, curvalue) messages['messages'].append("Okay: %s" % msg) # Module ONLY applies to global Solaris zones if zonename != 'global': msg = "Non-global Solaris zone (%s): Skipping check of "\ "/etc/default/ndd" % (zonename) self.logger.debug(self.module_name, 'Scan: ' + msg) messages['messages'].append("Fail: %s" % msg) continue # Is parameter implicility set in /etc/default/ndd? if not paramlist.has_key(param): msg = "%s option is NOT set in %s" % (param, self.__ndd_file) self.logger.notice(self.module_name, "Scan Failed: %s" % msg) failure_flag = True messages['messages'].append("Fail: %s" % msg) continue # If parameter is set, does it match desired value? value = paramlist[param] if int(value) != int(self.__param[param]): msg = "%s is set to '%s' instead of %d in %s" % (param, value, self.__param[param], self.__ndd_file) self.logger.notice(self.module_name, "Scan Failed: %s" % msg) messages['messages'].append("Fail: %s" % msg) failure_flag = True else: msg = "%s is set to '%d' in %s" % (param, self.__param[param], self.__ndd_file) self.logger.info(self.module_name, msg) messages['messages'].append("Okay: %s" % msg) if failure_flag == True: msg = "%s is not set correctly" % (self.__desc) self.logger.notice(self.module_name, msg) return False, msg, messages else: msg = "%s is set correctly" % (self.__desc) return True, msg, messages
def scan(self, option=None): messages = {'messages': []} failure_flag = False zonename = sb_utils.os.solaris.zonename() if zonename != 'global' and not os.path.islink('/dev/tcp'): msg = "Non-global Solaris zone (%s): /dev/tcp is unavailable" % ( zonename) self.logger.notice(self.module_name, 'Scan: ' + msg) raise tcs_utils.ZoneNotApplicable('%s %s' % (self.module_name, msg)) ############## ## Check value in running kernel curvalues = sb_utils.os.solaris.ndd_get(param='tcp_extra_priv_ports', driver='tcp').split('\n') port_list = [] for port in curvalues: port_list.append(int(port)) if 6112 not in port_list: msg = "Port tcp/6112 is not a privileged port in the running kernel" self.logger.notice(self.module_name, "Scan Failed: %s" % msg) messages['messages'].append("Fail: %s" % msg) failure_flag = True else: msg = "Port tcp/6112 is a privileged port in the running kernel" messages['messages'].append("Okay: %s" % msg) ################## ## Check the ndd configuration file if zonename != 'global': msg = "Non-global Solaris zone (%s): Skipping check of %s" % ( zonename, self.__ndd_file) self.logger.debug(self.module_name, 'Scan: ' + msg) messages['messages'].append("Fail: %s" % msg) else: foundit = False try: in_obj = open(self.__ndd_file, 'r') for line in in_obj.readlines(): if not line.startswith('tcp_extra_priv_ports_add'): continue else: (keyname, keyvalue) = line.rstrip().split('=') if int(keyvalue) == 6112: foundit = True break in_obj.close() if foundit == False: msg = "Could not find 'tcp_extra_priv_ports_add=6112' in %s" % self.__ndd_file messages['messages'].append("Fail: %s" % msg) failure_flag = True else: msg = "Found 'tcp_extra_priv_ports_add=6112' in %s" % self.__ndd_file messages['messages'].append("Okay: %s" % msg) except (IndexError, IOError), err: msg = 'Unable to read %s: %s' % (self.__ndd_file, err) self.logger.error(self.module_name, msg) messages['messages'].append("Error: %s" % msg)