Python writeFileの例

コード例 #1

ファイル: DisableGUILogon.py プロジェクト: 5l1v3r1/stonix

    def fixLockdownX(self):
        success = True
        if self.sh.disableService("xfs", _="_"):
            self.iditerator += 1
            myid = iterate(self.iditerator, self.rulenumber)
            event = {"eventtype":   "servicehelper",
                     "servicename": "xfs",
                     "startstate":  "enabled",
                     "endstate":    "disabled"}
            self.statechglogger.recordchgevent(myid, event)
        else:
            success = False
            self.detailedresults += "STONIX was unable to disable the " + \
                "xfs service\n"

        if not self.xservSecure:
            serverrcString = "exec X :0 -nolisten tcp $@"
            if not os.path.exists(self.serverrc):
                createFile(self.serverrc, self.logger)
                self.iditerator += 1
                myid = iterate(self.iditerator, self.rulenumber)
                event = {"eventtype": "creation",
                         "filepath": self.serverrc}
                self.statechglogger.recordchgevent(myid, event)
                writeFile(self.serverrc, serverrcString, self.logger)
            else:
                open(self.serverrc, "a").write(serverrcString)
        return success

コード例 #2

ファイル: PasswordExpiration.py プロジェクト: 5l1v3r1/stonix

    def fixShadow(self):
        success = True
        if not os.path.exists(self.shadowfile):
            self.detailedresults += self.shadowfile + "does not exist. \
Will not perform fix on shadow file\n"
            return False
        if self.fixusers:
            contents = readFile(self.shadowfile, self.logger)

            if self.ph.manager == "apt-get":
                perms = [0, 42, 0o640]
            else:
                perms = [0, 0, 0o400]
            if not checkPerms(self.shadowfile, perms, self.logger) and \
               not checkPerms(self.shadowfile, [0, 0, 0], self.logger):
                self.iditerator += 1
                myid = iterate(self.iditerator, self.rulenumber)
                setPerms(self.shadowfile, perms, self.logger,
                         self.statechglogger, myid)

            tmpdate = strftime("%Y%m%d")
            tmpdate = list(tmpdate)
            date = tmpdate[0] + tmpdate[1] + tmpdate[2] + tmpdate[3] + "-" + \
                tmpdate[4] + tmpdate[5] + "-" + tmpdate[6] + tmpdate[7]
            for user in self.fixusers:
                cmd = ["chage", "-d", date, "-m", "1", "-M", "180", "-W", "28",
                       "-I", "35", user]
                self.ch.executeCommand(cmd)

            # We have to do some gymnastics here, because chage writes directly
            # to /etc/shadow, but statechglogger expects the new contents to
            # be in a temp file.
            newContents = readFile(self.shadowfile, self.logger)
            shadowTmp = "/tmp/shadow.stonixtmp"
            createFile(shadowTmp, self.logger)
            writeFile(shadowTmp, "".join(newContents) + "\n", self.logger)
            writeFile(self.shadowfile, "".join(contents) + "\n", self.logger)
            self.iditerator += 1
            myid = iterate(self.iditerator, self.rulenumber)
            event = {'eventtype': 'conf',
                     'filepath': self.shadowfile}
            self.statechglogger.recordchgevent(myid, event)
            self.statechglogger.recordfilechange(self.shadowfile, shadowTmp,
                                                 myid)
            shutil.move(shadowTmp, self.shadowfile)
            os.chmod(self.shadowfile, perms[2])
            os.chown(self.shadowfile, perms[0], perms[1])
            resetsecon(self.shadowfile)
        return success

コード例 #3

ファイル: PreventXListen.py プロジェクト: 5l1v3r1/stonix

 def writeConfig(self, filepath, myid, regex, mult):
     tempfile = filepath + ".tmp"
     tempstring = ""
     contents = readFile(filepath, self.logger)
     if not contents:
         debug = filepath + " contents are blank\n"
         self.logger.log(LogPriority.DEBUG, debug)
         return False
     if mult:
         for line in contents:
             if re.match("^#", line) or re.match("^\s*$", line):
                 tempstring += line
             elif not re.search(regex, line):
                 tempstring += line.strip() + " -nolisten tcp\n"
     else:
         for line in contents:
             tempstring += line
         tempstring += regex + "\n"
     if not writeFile(tempfile, tempstring, self.logger):
         return False
     event = {"eventtype": "conf", "filepath": filepath}
     self.statechglogger.recordchgevent(myid, event)
     self.statechglogger.recordfilechange(filepath, tempfile, myid)
     os.rename(tempfile, filepath)
     return True

コード例 #4

    def setaccountlockout(self, regex):
        """
        configure the account lockout time in pam

        :param regex: string; regular expression
        :return: success
        :rtype: bool
        """

        success = True
        pamfiles = []
        if self.ph.manager in ("yum", "dnf"):
            pamfiles.append(self.pamauthfile)
            pamfiles.append(self.pampassfile)
            writecontents = self.auth + "\n" + self.acct + "\n" + \
                        self.password + "\n" + self.session
        else:
            pamfiles.append(self.pamauthfile)
            writecontents = self.auth
        for pamfile in pamfiles:
            if not os.path.exists(pamfile):
                self.detailedresults += pamfile + " doesn't exist.\n" + \
                    "Stonix will not attempt to create this file " + \
                    "and the fix for the this rule will not continue\n"
                return False
        # """Check permissions on pam file(s)"""
        for pamfile in pamfiles:
            if not checkPerms(pamfile, [0, 0, 0o644], self.logger):
                self.iditerator += 1
                myid = iterate(self.iditerator, self.rulenumber)
                if not setPerms(pamfile, [0, 0, 0o644], self.logger, self.statechglogger, myid):
                    success = False
                    self.detailedresults += "Unable to set " + \
                        "correct permissions on " + pamfile + "\n"
            contents = readFile(pamfile, self.logger)
            found = False
            for line in contents:
                if re.search(regex, line.strip()):
                    found = True
            if not found:
                tmpfile = pamfile + ".stonixtmp"
                if writeFile(tmpfile, writecontents, self.logger):
                    self.iditerator += 1
                    myid = iterate(self.iditerator, self.rulenumber)
                    event = {'eventtype': 'conf',
                             'filepath': pamfile}
                    self.statechglogger.recordchgevent(myid, event)
                    self.statechglogger.recordfilechange(pamfile, tmpfile, myid)
                    os.rename(tmpfile, pamfile)
                    os.chown(pamfile, 0, 0)
                    os.chmod(pamfile, 0o644)
                    resetsecon(pamfile)
                else:
                    self.detailedresults += "Unable to write to " + pamfile + "\n"
                    success = False
        return success

コード例 #5

ファイル: DisableSerialLoginPrompts.py プロジェクト: 5l1v3r1/stonix

    def fix(self):
        try:
            if not self.ci.getcurrvalue():
                return
            success = True
            self.detailedresults = ""
            self.iditerator = 0
            eventlist = self.statechglogger.findrulechanges(self.rulenumber)
            for event in eventlist:
                self.statechglogger.deleteentry(event)

            if os.path.exists(self.path):
                sttyText = readFile(self.path, self.logger)
                newSttyText = []
                for line in sttyText:
                    # Check for both serial connections and the old style of
                    # virtual connections
                    if re.search(self.serialRE, line) or \
                       re.search(r"^vc/\d", line):
                        line = "#" + line
                    newSttyText.append(line)
                newSttyString = "".join(newSttyText)
                tmpfile = self.path + ".tmp"
                if writeFile(tmpfile, newSttyString, self.logger):
                    self.iditerator += 1
                    myid = iterate(self.iditerator, self.rulenumber)
                    event = {"eventtype": "conf", "filepath": self.path}
                    self.statechglogger.recordchgevent(myid, event)
                    self.statechglogger.recordfilechange(
                        self.path, tmpfile, myid)
                    os.rename(tmpfile, self.path)

                    perms = self.perms
                    setPerms(self.path, perms, self.logger,
                             self.statechglogger, myid)

                    resetsecon(self.path)
                else:
                    success = False
                    self.detailedresults += "Problem writing new " + \
                                            "contents to temporary file"
            self.rulesuccess = success
        except (KeyboardInterrupt, SystemExit):
            # User initiated exit
            raise
        except Exception:
            self.rulesuccess = False
            self.detailedresults += "\n" + traceback.format_exc()
            self.logdispatch.log(LogPriority.ERROR, self.detailedresults)
        self.formatDetailedResults("fix", self.rulesuccess,
                                   self.detailedresults)
        self.logdispatch.log(LogPriority.INFO, self.detailedresults)
        return self.rulesuccess

コード例 #6

ファイル: KVAConf.py プロジェクト: inscriptionweb/stonix

 def commit(self):
     '''
     Private method that actually writes the configuration file as desired
     including fixables and removing desireables.  This method is called
     in the calling class that instantiated the object after the update
     methods have been called.
     @author: dwalker
     @return: Bool
     '''
     for line in self.contents:
         self.tempstring += line
     success = writeFile(self.tmpPath, self.tempstring, self.logger)
     return success

コード例 #7

ファイル: KVAConf.py プロジェクト: amrset/stonix

 def commit(self):
     '''
     Private method that actually writes the configuration file as desired
     including fixables and removing desireables.  This method is called 
     in the calling class that instantiated the object after the update
     methods have been called.
     @author: dwalker
     @return: Bool
     '''
     for line in self.contents:
         self.tempstring += line
     success = writeFile(self.tmpPath, self.tempstring, self.logger)
     return success

コード例 #8

ファイル: DisableAdminLoginOverride.py プロジェクト: 5l1v3r1/stonix

    def fix(self):
        try:
            if not self.ci.getcurrvalue():
                return
            success = True
            self.detailedresults = ""
            self.iditerator = 0
            eventlist = self.statechglogger.findrulechanges(self.rulenumber)
            for event in eventlist:
                self.statechglogger.deleteentry(event)

            if os.path.exists(self.path):
                adminAllowed = "group=admin,wheel fail_safe"
                adminDisabled = "group=wheel fail_safe"
                ssText = "".join(readFile(self.path, self.logger))
                if re.search(adminAllowed, ssText):
                    ssText = re.sub(adminAllowed, adminDisabled, ssText)
                    tmpfile = self.path + ".tmp"
                    if writeFile(tmpfile, ssText, self.logger):
                        self.iditerator += 1
                        myid = iterate(self.iditerator, self.rulenumber)
                        event = {"eventtype": "conf", "filepath": self.path}
                        self.statechglogger.recordchgevent(myid, event)
                        self.statechglogger.recordfilechange(
                            self.path, tmpfile, myid)
                        os.rename(tmpfile, self.path)
                        resetsecon(self.path)
                    else:
                        success = False
                        self.detailedresults += "Problem writing new " + \
                                                "contents to temporary file"
            else:
                success = False
                self.detailedresults += self.path + ''' does not exist. STONIX \
will not attempt to create this file. If you are using OS X 10.9 or later, \
this is most likely a bug, and should be reported. Earlier versions of OS X \
are not currently supported by STONIX.'''

            self.rulesuccess = success
        except (KeyboardInterrupt, SystemExit):
            # User initiated exit
            raise
        except Exception:
            self.rulesuccess = False
            self.detailedresults += "\n" + traceback.format_exc()
            self.logdispatch.log(LogPriority.ERROR, self.detailedresults)
        self.formatDetailedResults("fix", self.rulesuccess,
                                   self.detailedresults)
        self.logdispatch.log(LogPriority.INFO, self.detailedresults)
        return self.rulesuccess

コード例 #9

    def fixgnome(self):
        '''Configure GNOME 3 for automatic logout.
        @author: d.kennel


        '''

        if self.environ.geteuid() != 0:
            debug = "Configuring gnome requires root privileges"
            self.logger.log(LogPriority.DEBUG, debug)
            self.detailedresults += "Configuring gnome requires root " + \
                "privileges\n"
            return False
        success = True
        createddir = False
        debug = ""
        if os.path.exists("/usr/bin/gsettings"):
            if not os.path.exists('/etc/dconf/db/local.d'):
                if not os.makedirs('/etc/dconf/db/local.d/'):
                    success = False
                    debug = "Unable to create the /etc/dconf/db/local.d/ directory"
                    self.detailedresults += "Unable to create the /etc/dconf/db/local.d/ directory"
                    self.logger.log(LogPriority.DEBUG, debug)
                else:
                    createddir = True
                    self.iditerator += 1
                    myid = iterate(self.iditerator, self.rulenumber)
                    event = {
                        "eventtype": "creation",
                        "filepath": "/etc/dconf/db/local.d"
                    }
                    self.statechglogger.recordchgevent(myid, event)
            if os.path.exists('/etc/dconf/db/local.d'):
                created1, created2 = False, False
                self.logdispatch.log(LogPriority.DEBUG, [
                    'ForceIdleLogout.__fixgnome3', 'Working GNOME with dconf'
                ])

                try:
                    seconds = self.timeoutci.getcurrvalue() * 60
                except (TypeError):
                    self.detailedresults += "FORCEIDLELOGOUTTIMEOUT value is " + \
                        "not valid!\n"
                    self.rulesuccess = False
                    return False
                if not os.path.exists(self.gnomesettingpath):
                    if not createFile(self.gnomesettingpath, self.logger):
                        success = False
                        self.detailedresults += "Unable to create " + self.gnomesettingpath + " file\n"
                    else:
                        created1 = True
                        if not createddir:
                            self.iditerator += 1
                            myid = iterate(self.iditerator, self.rulenumber)
                            event = {
                                "eventtype": "creation",
                                "filepath": self.gnomesettingpath
                            }
                            self.statechglogger.recordchgevent(myid, event)
                if os.path.exists(self.gnomesettingpath):
                    gdirectives = {
                        "org.gnome.settings-daemon.plugins.power": {
                            "sleep-inactive-ac-type": "'logout'",
                            'sleep-inactive-ac-timeout': str(seconds)
                        }
                    }
                    geditor = KVEditorStonix(self.statechglogger, self.logger,
                                             "tagconf", self.gnomesettingpath,
                                             self.gnomesettingpath + '.tmp',
                                             gdirectives, "present",
                                             "closedeq")
                    geditor.report()
                    if geditor.fixables:
                        if geditor.fix():
                            self.iditerator += 1
                            myid = iterate(self.iditerator, self.rulenumber)
                            geditor.setEventID(myid)
                            if geditor.commit():
                                debug = self.gnomesettingpath + "'s contents have been " + \
                                    "corrected\n"
                                self.logger.log(LogPriority.DEBUG, debug)
                                os.chown(self.gnomesettingpath, 0, 0)
                                os.chmod(self.gnomesettingpath, 0o644)
                                resetsecon(self.gnomesettingpath)

                            else:
                                debug = "kveditor commit not successful\n"
                                self.logger.log(LogPriority.DEBUG, debug)
                                self.detailedresults += self.gnomesettingpath + \
                                    " properties could not be set\n"
                                succeess = False
                        else:
                            debug = "kveditor fix not successful\n"
                            self.logger.log(LogPriority.DEBUG, debug)
                            self.detailedresults += self.gnomesettingpath + \
                                                    " properties could not be set\n"
                            succeess = False
                    if not checkPerms(self.gnomesettingpath, [0, 0, 0o644],
                                      self.logger):
                        if not created1:
                            self.iditerator += 1
                            myid = iterate(self.iditerator, self.rulenumber)
                            if not setPerms(self.gnomesettingpath,
                                            [0, 0, 0o644], self.logger,
                                            self.statechglogger, myid):
                                self.detailedresults += "Unable to set permissions on " + \
                                    self.gnomesettingpath + " file\n"
                                success = False
                        else:
                            if not setPerms(self.gnomesettingpath,
                                            [0, 0, 0o644], self.logger):
                                self.detailedresults += "Unable to set permissions on " + \
                                                        self.gnomesettingpath + " file\n"
                                success = False
                havetimeoutlock = False
                havelogoutlock = False
                lockdata = []
                if not os.path.exists(self.gnomelockpath):
                    if not createFile(self.gnomelockpath, self.logger):
                        success = False
                        self.detailedresults += "Unable to create " + self.gnomelockpath + " file\n"
                    else:

                        created2 = True
                        if not createddir:
                            self.iditerator += 1
                            myid = iterate(self.iditerator, self.rulenumber)
                            event = {
                                "eventtype": "creation",
                                "filepath": self.gnomelockpath
                            }
                            self.statechglogger.recordchgevent(myid, event)
                if os.path.exists(self.gnomelockpath):
                    contents = readFile(self.gnomelockpath, self.logger)
                    for line in contents:
                        if re.search(
                                '/org/gnome/settings-daemon/plugins/power/sleep-inactive-ac-timeout',
                                line):
                            havetimeoutlock = True
                        if re.search(
                                "/org/gnome/settings-daemon/plugins/power/sleep-inactive-ac-type",
                                line):
                            havelogoutlock = True
                    if not havetimeoutlock:
                        lockdata.append(
                            '/org/gnome/settings-daemon/plugins/power/sleep-inactive-ac-timeout\n'
                        )
                    if not havelogoutlock:
                        lockdata.append(
                            "/org/gnome/settings-daemon/plugins/power/sleep-inactive-ac-type\n"
                        )
                    tempfile = self.gnomelockpath + ".tmp"
                    if writeFile(tempfile, lockdata, self.logger):
                        self.iditerator += 1
                        myid = iterate(self.iditerator, self.rulenumber)
                        event = {
                            "eventtype": "conf",
                            "filepath": self.gnomelockpath
                        }
                        self.statechglogger.recordchgevent(myid, event)
                        self.statechglogger.recordfilechange(
                            self.gnomelockpath, tempfile, myid)
                        os.rename(tempfile, self.gnomelockpath)
                        os.chown(self.gnomelockpath, 0, 0)
                        os.chmod(self.gnomelockpath, 0o644)
                        resetsecon(self.gnomelockpath)
                    else:
                        self.detailedresults += "Unable to write contents to " + \
                            self.gnomelockpath
                        success = False
                    if not checkPerms(self.gnomelockpath, [0, 0, 0o644],
                                      self.logger):
                        if not created2:
                            self.iditerator += 1
                            myid = iterate(self.iditerator, self.rulenumber)
                            if not setPerms(self.gnomelockpath, [0, 0, 0o644],
                                            self.logger, self.statechglogger,
                                            myid):
                                self.detailedresults += "Unable to set permissions on " + \
                                    self.gnomelockpath + " file\n"
                                success = False
                        else:
                            if not setPerms(self.gnomelockpath, [0, 0, 0o644],
                                            self.logger):
                                self.detailedresults += "Unable to set permissions on " + \
                                                        self.gnomelockpath + " file\n"
                                success = False

        if self.ph.check(self.gconf):
            self.logdispatch.log(
                LogPriority.DEBUG,
                ['ForceIdleLogout.__fixgnome3', 'Working GNOME with gconf'])
            undocmd = ""
            undoprefix = '/usr/bin/gconftool-2 --direct --config-source ' + \
                'xml:readwrite:/etc/gconf/gconf.xml.mandatory '
            setprefix = '/usr/bin/gconftool-2 --direct --config-source ' + \
                'xml:readwrite:/etc/gconf/gconf.xml.mandatory --set '
            settime = setprefix + \
                '--type integer /desktop/gnome/session/max_idle_time ' + \
                str(self.timeoutci.getcurrvalue())
            setlogout = setprefix + \
                '--type string /desktop/gnome/session/' + \
                'max_idle_action forced-logout'
            if self.timeoutwrong:
                self.cmdhelper.executeCommand(settime)
                retcode = self.cmdhelper.getReturnCode()
                if retcode != 0:
                    errstr = self.cmdhelper.getErrorString()
                    self.logger.log(LogPriority.DEBUG, errstr)
                    self.detailedresults += 'Failed to configure idle time limit option.\n'
                    success = False
                else:
                    if self.undotimeout == "unset":
                        undocmd = undoprefix + '--unset /desktop/gnome/session/max_idle_time'
                    else:
                        undocmd = setprefix + '--type integer /desktop/gnome/session/max_idle_time ' + \
                            self.undotimeout
                    self.iditerator += 1
                    myid = iterate(self.iditerator, self.rulenumber)
                    event = {"eventtype": "command", "command": undocmd}
                    self.statechglogger.recordchgevent(myid, event)
                    self.detailedresults += 'Maximum idle time limit configured successfully.\n'
            if self.logoutwrong:
                self.cmdhelper.executeCommand(setlogout)
                retcode = self.cmdhelper.getReturnCode()
                if retcode != 0:
                    errstr = self.cmdhelper.getErrorString()
                    self.logger.log(LogPriority.DEBUG, errstr)
                    self.detailedresults += 'Failed to configure idle forced-logout option.\n'
                    success = False
                else:
                    if self.undoforcelogout == "unset":
                        undocmd = undoprefix + '--unset /desktop/gnome/session/max_idle_action'
                    else:
                        undocmd = setprefix + '--type integer /desktop/gnome/session/max_idle_action ' + \
                            self.undoforcelogout
                    self.iditerator += 1
                    myid = iterate(self.iditerator, self.rulenumber)
                    event = {"eventtype": "command", "command": undocmd}
                    self.statechglogger.recordchgevent(myid, event)
                    self.detailedresults += 'Idle forced-logout option configured successfully.\n'
        return success

コード例 #10

ファイル: SecureSquidProxy.py プロジェクト: 5l1v3r1/stonix

    def fix(self):
        ''' '''
        try:
            if not self.ci.getcurrvalue():
                return
            self.detailedresults = ""
            success = True
            created = False
            self.iditerator = 0
            eventlist = self.statechglogger.findrulechanges(self.rulenumber)
            for event in eventlist:
                self.statechglogger.deleteentry(event)

            if self.installed:
                if not os.path.exists(self.squidfile):
                    if not createFile(self.squidfile, self.logger):
                        success = False
                    else:
                        created = True
                        self.iditerator += 1
                        myid = iterate(self.iditerator, self.rulenumber)
                        event = {"eventtype": "creation",
                                 "filepath": self.squidfile}
                        self.statechglogger.recordchgevent(myid, event)
                if not checkPerms(self.squidfile, [0, 0, 420], self.logger):
                    if not created:
                        self.iditerator += 1
                        myid = iterate(self.iditerator, self.rulenumber)
                        if not setPerms(self.squidfile, [0, 0, 420], self.logger,
                                        self.statechglogger, myid):
                            success = False
                    else:
                        if not setPerms(self.squidfile, [0, 0, 420], self.logger):
                            success = False
                tempstring = ""
                contents = readFile(self.squidfile, self.logger)
                newcontents = []
                if contents:
                    '''Remove any undesired acl lines'''
                    for line in contents:
                        if re.match('^#', line) or re.match(r'^\s*$', line):
                            newcontents.append(line)
                        elif re.search("^acl Safe_ports port ", line.strip()):
                            m = re.search("acl Safe_ports port ([0-9]+).*", line)
                            if m.group(1):
                                item = "acl Safe_ports port " + m.group(1)
                                if item in self.denied:
                                    continue
                                else:
                                    newcontents.append(line)
                        else:
                            newcontents.append(line)
                    '''removeables list holds key vals we find in the file
                    that we can remove from self.data'''
                    removeables = []
                    '''deleteables list holds key vals we can delete from 
                    newcontents list if it's incorrect.'''
                    deleteables = {}
                    for key in self.data1:
                        found = False
                        for line in reversed(newcontents):
                            if re.match('^#', line) or re.match(r'^\s*$', line):
                                continue
                            elif re.search("^" + key + " ", line) or re.search("^" + key, line):
                                temp = line.strip()
                                temp = re.sub("\s+", " ", temp)
                                temp = temp.split(" ")
                                if len(temp) >= 3:
                                    joinlist = [temp[1], temp[2]]
                                    joinstring = " ".join(joinlist)
                                    if self.data1[key] == joinstring:
                                        '''We already found this line and value
                                        No need for duplicates'''
                                        if found:
                                            newcontents.remove(line)
                                            continue
                                        removeables.append(key)
                                        found = True
                                    else:
                                        try:
                                            deleteables[line] = ""
                                        except Exception:
                                            continue
                                        continue
                                elif len(temp) == 2:
                                    if self.data1[key] == temp[1]:
                                        '''We already found this line and value
                                        No need for duplicates'''
                                        if found:
                                            newcontents.remove(line)
                                            continue
                                        removeables.append(key)
                                        found = True
                                    else:
                                        try:
                                            deleteables[line] = ""
                                        except Exception:
                                            continue
                                        continue
                                elif len(temp) == 1:
                                    try:
                                        deleteables[line] = ""
                                    except Exception:
                                        continue
                                    continue
                    if deleteables:
                        for item in deleteables:
                            newcontents.remove(item)
                    '''anything in removeables we found in the file so
                    we will remove from the self.data1 dictionary'''
                    if removeables:
                        for item in removeables:
                            del(self.data1[item])
                    '''now check if there is anything left over in self.data1
                    if there is we need to add that to newcontents list'''
                    if self.data1:
                        for item in self.data1:
                            line = item + " " + self.data1[item] + "\n"
                            newcontents.append(line)
                    for line in newcontents:
                        found = False
                        if re.search("^http_access", line.strip()):
                            temp = line.strip()
                            temp = re.sub("\s+", " ", temp)
                            temp = re.sub("http_access\s+", "", temp)
                            if re.search("^deny to_localhost", temp):
                                found = True
                                break
                    if not found:
                        newcontents.append("http_access deny to_localhost\n")
                    for item in newcontents:
                        tempstring += item
                    tmpfile = self.squidfile + ".tmp"
                    if not writeFile(tmpfile, tempstring, self.logger):
                        success = False
                    else:
                        if not created:
                            self.iditerator += 1
                            myid = iterate(self.iditerator, self.rulenumber)
                            event = {"eventtype": "conf",
                                     "filepath": self.squidfile}
                            self.statechglogger.recordchgevent(myid, event)
                            self.statechglogger.recordfilechange(self.squidfile,
                                                                 tmpfile, myid)
                            os.rename(tmpfile, self.squidfile)
                            os.chown(self.squidfile, 0, 0)
                            os.chmod(self.squidfile, 420)
                            resetsecon(self.squidfile)
                else:
                    tempstring = ""
                    for item in self.data1:
                        tempstring += item + " " + self.data1[item] + "\n"
                    for item in self.data2:
                        tempstring += item + " " + self.data2[item] + "\n"
                    tmpfile = self.squidfile + ".tmp"
                    if not writeFile(tmpfile, tempstring, self.logger):
                        success = False
                    else:
                        if not created:
                            self.iditerator += 1
                            myid = iterate(self.iditerator, self.rulenumber)
                            event = {"eventtype": "conf",
                                     "filepath": self.squidfile}
                            self.statechglogger.recordchgevent(myid, event)
                            self.statechglogger.recordfilechange(self.squidfile,
                                                                 tmpfile, myid)
                        os.rename(tmpfile, self.squidfile)
                        os.chown(self.squidfile, 0, 0)
                        os.chmod(self.squidfile, 420)
                        resetsecon(self.squidfile)
                self.rulesuccess = success
        except (KeyboardInterrupt, SystemExit):
            # User initiated exit
            raise
        except Exception as err:
            self.rulesuccess = False
            self.detailedresults = self.detailedresults + "\n" + str(err) + \
                " - " + str(traceback.format_exc())
            self.logdispatch.log(LogPriority.ERROR, self.detailedresults)
        self.formatDetailedResults("fix", self.rulesuccess,
                                   self.detailedresults)
        self.logdispatch.log(LogPriority.INFO, self.detailedresults)
        return self.rulesuccess 

コード例 #11

ファイル: RestrictMounting.py プロジェクト: 5l1v3r1/stonix

    def fix(self):
        ''' '''

        self.detailedresults = ""
        self.iditerator = 0
        self.rulesuccess = True
        success = True
        consoleaccess = self.consoleCi.getcurrvalue()
        autofs = self.autofsCi.getcurrvalue()
        gnomeautomount = self.gnomeCi.getcurrvalue()
        mylist = [consoleaccess, autofs, gnomeautomount]

        try:

            # if none of the CIs are enabled, skip fix
            if not any(mylist):
                self.detailedresults += "\nNone of the CI's were enabled. Nothing was done."
                self.formatDetailedResults("fix", self.rulesuccess, self.detailedresults)
                self.logdispatch.log(LogPriority.INFO, self.detailedresults)
                return self.rulesuccess

            # clear event list data
            eventlist = self.statechglogger.findrulechanges(self.rulenumber)
            for event in eventlist:
                self.statechglogger.deleteentry(event)

            # if restrict console access CI is enabled, restrict console access
            if self.consoleCi.getcurrvalue():
                if os.path.exists(self.sec_console_perms1):
                    tmpfile = self.sec_console_perms1 + ".stonixtmp"
                    defaultPerms = open(self.sec_console_perms1, "r").read()
                    defaultPerms = re.sub("(<[x]?console>)", r"#\1", defaultPerms)
                    if writeFile(tmpfile, defaultPerms, self.logger):
                        self.iditerator += 1
                        myid = iterate(self.iditerator, self.rulenumber)
                        event = {"eventtype": "conf", "filepath": self.sec_console_perms1}
                        self.statechglogger.recordchgevent(myid, event)
                        self.statechglogger.recordfilechange(self.sec_console_perms1, tmpfile, myid)
                        os.rename(tmpfile, self.sec_console_perms1)
                        resetsecon(self.sec_console_perms1)
                    else:
                        success = False
                        self.detailedresults += "Problem writing new contents to " + \
                                   "temporary file"
                if os.path.exists(self.sec_console_perms2):
                    self.editor = KVEditorStonix(self.statechglogger, self.logger, "conf", self.sec_console_perms2, self.console_perms_temppath, self.data, "present", "closedeq")
                    self.editor.report()
                    if self.editor.fixables:
                        if self.editor.fix():
                            self.iditerator += 1
                            myid = iterate(self.iditerator, self.rulenumber)
                            self.editor.setEventID(myid)
                            if self.editor.commit():
                                debug = self.sec_console_perms2 + "'s contents have been " \
                                    + "corrected\n"
                                self.logger.log(LogPriority.DEBUG, debug)
                                resetsecon(self.sec_console_perms2)
                            else:
                                debug = "kveditor commit not successful\n"
                                self.logger.log(LogPriority.DEBUG, debug)
                                success = False
                                self.detailedresults += self.sec_console_perms2 + \
                                    " properties could not be set\n"
                        else:
                            debug = "kveditor fix not successful\n"
                            self.logger.log(LogPriority.DEBUG, debug)
                            success = False
                            self.detailedresults += self.sec_console_perms2 + \
                                " properties could not be set\n"

            # if autofs CI is enabled, disable autofs
            if self.autofsCi.getcurrvalue():
                if self.ph.check(self.autofspkg) and \
                   self.sh.auditService(self.autofssvc, _="_"):
                    if self.sh.disableService(self.autofssvc, _="_"):
                        debug = "autofs service successfully disabled\n"
                        self.logger.log(LogPriority.DEBUG, debug)
                        self.iditerator += 1
                        myid = iterate(self.iditerator, self.rulenumber)
                        event = {"eventtype": "servicehelper", "servicename":
                                 self.autofssvc, "startstate": "enabled",
                                 "endstate": "disabled"}
                        self.statechglogger.recordchgevent(myid, event)
                    else:
                        success = False
                        debug = "Unable to disable autofs service\n"
                        self.logger.log(LogPriority.DEBUG, debug)

            returnCode = 0
            if self.gnomeCi.getcurrvalue():
                if os.path.exists(self.gsettings):
                    # gsettings requires a D-Bus session bus in order to make
                    # any changes. This is because the dconf daemon must be
                    # activated using D-Bus.
                    if not os.path.exists(self.dbuslaunch):
                        self.ph.install("dbus-x11")
                    
                    if os.path.exists(self.dbuslaunch):
                        if not self.automountOff:
                            cmd = [self.dbuslaunch, self.gsettings, "set",
                                   "org.gnome.desktop.media-handling",
                                   "automount", "false"]
                            self.ch.executeCommand(cmd)
                            returnCode = self.ch.getReturnCode()

                            if not returnCode:
                                self.iditerator += 1
                                myid = iterate(self.iditerator, 
                                               self.rulenumber)
                                event = {"eventtype": "comm", "command":
                                        ["dbus-launch", "gsettings", "set",
                                         "org.gnome.desktop.media-handling",
                                         "automount", "true"]}
                                self.statechglogger.recordchgevent(myid, event)

                        if not self.autorunNever:
                            cmd = [self.dbuslaunch, "gsettings", "set",
                                   "org.gnome.desktop.media-handling",
                                   "autorun-never", "true"]
                            self.ch.executeCommand(cmd)
                            returnCode += self.ch.getReturnCode()

                            if not self.ch.getReturnCode():
                                self.iditerator += 1
                                myid = iterate(self.iditerator, self.rulenumber)
                                event = {"eventtype": "comm", "command":
                                        [self.dbuslaunch, self.gsettings, "set",
                                         "org.gnome.desktop.media-handling",
                                         "autorun-never", "false"]}
                                self.statechglogger.recordchgevent(myid, event)
                    else:
                        success = False
                        debug = "Unable to disable GNOME automounting: " + \
                                "dbus-x11 is not installed"
                        self.logger.log(LogPriority.DEBUG, debug)

                if os.path.exists(self.gconftool):
                    if self.automountMedia:
                        cmd = [self.gconftool, "--direct", "--config-source",
                               "xml:readwrite:/etc/gconf/gconf.xml.mandatory",
                               "--type", "bool", "--set",
                               "/desktop/gnome/volume_manager/automount_media",
                               "false"]
                        self.ch.executeCommand(cmd)
                        returnCode = self.ch.getReturnCode()

                        if not returnCode:
                            self.iditerator += 1
                            myid = iterate(self.iditerator, self.rulenumber)
                            event = {"eventtype": "comm", "command":
                                     [self.gconftool, "--direct",
                                      "--config-source", "xml:readwrite:" +
                                      "/etc/gconf/gconf.xml.mandatory",
                                      "--type", "bool", "--set",
                                      "/desktop/gnome/volume_manager/" +
                                      "automount_media", "true"]}
                            self.statechglogger.recordchgevent(myid, event)

                    if self.automountDrives:
                        cmd = [self.gconftool, "--direct", "--config-source",
                               "xml:readwrite:/etc/gconf/gconf.xml.mandatory",
                               "--type", "bool", "--set",
                               "/desktop/gnome/volume_manager/automount_drives",
                               "false"]
                        self.ch.executeCommand(cmd)
                        returnCode += self.ch.getReturnCode()

                        if not self.ch.getReturnCode():
                            self.iditerator += 1
                            myid = iterate(self.iditerator, self.rulenumber)
                            event = {"eventtype": "comm", "command":
                                     [self.gconftool, "--direct",
                                      "--config-source", "xml:readwrite:" +
                                      "/etc/gconf/gconf.xml.mandatory",
                                      "--type", "bool", "--set",
                                      "/desktop/gnome/volume_manager/" +
                                      "automount_drives",
                                      "true"]}
                            self.statechglogger.recordchgevent(myid, event)

                if returnCode:
                    success = False
                    self.detailedresults += "Fix failed to disable GNOME automounting\n"

            # reset these directories to be owned by their respective users
            dirs = ''
            if os.path.exists('/run/user'):
                dirs = os.listdir('/run/user')

            if dirs:
                for d in dirs:
                    # check if the directory is an integer representing a uid
                    if re.search('^([+-]?[1-9]\d*|0)$', d, re.IGNORECASE):
                        self.logger.log(LogPriority.DEBUG, "Found UID directory")
                        try:
                            os.chown('/run/user/' + d + '/dconf/user', int(d), int(d))
                        except Exception as errmsg:
                            self.logger.log(LogPriority.DEBUG, str(errmsg))
                            continue
            else:
                self.logger.log(LogPriority.DEBUG, "no directories in /run/user")

            self.rulesuccess = success

        except (KeyboardInterrupt, SystemExit):
            raise
        except Exception:
            self.rulesuccess = False
            self.detailedresults += "\n" + traceback.format_exc()
            self.logdispatch.log(LogPriority.ERROR, self.detailedresults)
        self.formatDetailedResults("fix", self.rulesuccess, self.detailedresults)
        self.logdispatch.log(LogPriority.INFO, self.detailedresults)
        return self.rulesuccess

コード例 #12

ファイル: DisableScreenSavers.py プロジェクト: 5l1v3r1/stonix

    def fix(self):
        try:
            if not self.ci.getcurrvalue():
                return True
            config = ""
            if os.path.exists(self.path):
                config = readFile(self.path, self.logger)
            tmpconfig = self.path + ".tmp"
            config2 = []
            configstring = ""
            if config:
                for line in config:
                    splitline = line.split()
                    if len(splitline) >= 1:
                        if search("^\*timeout:", splitline[0]):
                            continue
                        elif search("^\*lockTimeout:", splitline[0]):
                            continue
                        elif search("^\*grabDesktopImages:", splitline[0]):
                            continue
                        elif search("^\*chooseRandomImages:", splitline[0]):
                            continue
                        elif search("^\*lock:", line):
                            continue
                        elif len(splitline) == 1 and splitline[0] not in \
                             self.badsavers:
                            config2.append(line)
                        elif len(splitline) == 2 and splitline[0] not in \
                             self.badsavers and splitline[1] not in self.badsavers:
                            config2.append(line)
                        elif len(splitline) > 2 and splitline[0] not in \
                             self.badsavers and splitline[1] not in \
                             self.badsavers and splitline[2] not in \
                             self.badsavers:
                            config2.append(line)
                        else:
                            config2.append(line)
                    else:
                        config2.append(line)
                for line in config2:
                    configstring += line
                configstring += "timeout:    0:10:00\nlockTimeout:    0:05:00\n\
                grabDesktopImages:    False\nchooseRandomImages:    True\n\
                lock:    True\n"

                if writeFile(tmpconfig, configstring, self.logger):
                    os.rename(tmpconfig, self.path)
                    os.chown(self.path, 0, 0)
                    os.chmod(self.path, 420)
                    resetsecon(self.path)
                else:
                    self.rulesuccess = False
            for saver in self.badsavers:
                for k, v in list(self.paths.items()):
                    try:
                        if os.path.exists(k + saver):
                            os.remove(k + saver)
                        elif os.path.exists(k + saver + v):
                            os.remove(k + saver + v)
                    except (OSError):
                        self.detailedresults += "The following file had " + \
                            "issues being removed:" + saver + "\n"
                        self.rulesuccess = False

            for saver in self.badkss:
                try:
                    if os.path.exists("/usr/bin/" + saver):
                        os.remove("/usr/bin/" + saver)
                except (OSError):
                    self.detailedresults += "The following file had " + \
                        "issues being removed" + saver + "\n"
                    self.rulesuccess = False
        except (KeyboardInterrupt, SystemExit):
            # User initiated exit
            raise
        except Exception:
            self.rulesuccess = False
            self.detailedresults += "\n" + traceback.format_exc()
            self.logdispatch.log(LogPriority.ERROR, self.detailedresults)
        self.formatDetailedResults("fix", self.rulesuccess,
                                   self.detailedresults)
        self.logdispatch.log(LogPriority.INFO, self.detailedresults)
        return self.rulesuccess

コード例 #13

ファイル: PasswordExpiration.py プロジェクト: 5l1v3r1/stonix

    def fixLogin(self):
        success = True
        tempstring = ""
        debug = ""
        if not os.path.exists(self.loginfile):
            self.detailedresults = self.loginfile + "does not exist. \
Will not perform fix on useradd file\n"
            return False
        if not checkPerms(self.loginfile, [0, 0, 0o644], self.logger):
            self.iditerator += 1
            myid = iterate(self.iditerator, self.rulenumber)
            if not setPerms(self.loginfile, [0, 0, 0o644], self.logger,
                            self.statechglogger, myid):
                success = False
        contents = readFile(self.loginfile, self.logger)
        iterator1 = 0
        for line in contents:
            if re.search("^#", line) or re.match('^\s*$', line):
                iterator1 += 1
            elif re.search('^default:\\\\$', line.strip()):
                contents1 = contents[:iterator1 + 1]
                temp = contents[iterator1 + 1:]
                length2 = len(temp) - 1
                iterator2 = 0
                for line2 in temp:
                    if re.search('^[^:][^:]*:\\\\$', line2):
                        contents3 = temp[iterator2:]
                        contents2 = temp[:iterator2]
                        break
                    elif iterator2 < length2:
                        iterator2 += 1
                    elif iterator2 == length2:
                        contents2 = temp[:iterator2]
                break
            else:
                iterator1 += 1
        if contents2:
            for key in self.Fspecs:
                iterator = 0
                found = False
                for line in contents2:
                    if re.search("^#", line) or re.match('^\s*$', line):
                        iterator += 1
                        continue
                    elif re.search('^:' + key, line.strip()):
                        if re.search('=', line):
                            temp = line.split('=')
                            if re.search(str(self.Fspecs[key]) +
                                         '(:\\\\|:|\\\\|\s)',
                                         temp[1]):
                                iterator += 1
                                found = True
                            else:
                                contents2.pop(iterator)
                    else:
                        iterator += 1
                if not found:
                    contents2.append('\t' + key + '=' + str(self.Fspecs[key]) +
                                     ':\\\\\n')
        final = []
        for line in contents1:
            final.append(line)
        for line in contents2:
            final.append(line)
        for line in contents3:
            final.append(line)
        for line in final:
            tempstring += line
        debug += "tempstring to be written to: " + self.loginfile + "\n"
        self.logger.log(LogPriority.DEBUG, debug)
        tmpfile = self.loginfile + ".tmp"
        if writeFile(tmpfile, tempstring, self.logger):
            self.iditerator += 1
            myid = iterate(self.iditerator, self.rulenumber)
            event = {'eventtype': 'conf',
                     'filepath': self.loginfile}
            self.statechglogger.recordchgevent(myid, event)
            self.statechglogger.recordfilechange(self.loginfile, tmpfile, myid)
            shutil.move(tmpfile, self.loginfile)
            os.chown(self.loginfile, 0, 0)
            os.chmod(self.loginfile, 0o644)
            resetsecon(self.loginfile)
        else:
            success = False
        return success

コード例 #14

    def fixLinux(self):
        '''
        @change: dkennel removed extraneous arg from setperms call on 864
        '''
        universal = "#The following lines were added by stonix\n"
        debug = ""
        success = True
        ifacefile = ""
        netwrkfile = ""
        sysctl = "/etc/sysctl.conf"
        blacklistfile = "/etc/modprobe.d/stonix-blacklist.conf"

        # STIG portion, correct netconfig file
        if self.ph.manager == "apt-get":
            nfspkg = "nfs-common"
        else:
            nfspkg = "nfs-utils.x86_64"
        # if package not installed, no need to configure it
        if self.ph.check(nfspkg):
            if os.path.exists("/etc/netconfig"):
                filestring = ""
                # we want to make sure the following two lines don't
                # appear in the netconfig file
                item1 = "udp6 tpi_clts v inet6 udp - -"
                item2 = "tcp6 tpi_cots_ord v inet6 tcp - -"
                contents = readFile("/etc/netconfig", self.logger)
                for line in contents:
                    templine = re.sub("\s+", " ", line.strip())
                    # if we find the lines, skip them thus leaving them out of
                    # of the rewrite
                    if re.search(item1, templine) or re.search(
                            item2, templine):
                        continue
                    else:
                        filestring += line
                tmpfile = "/etc/netconfig.tmp"
                if not writeFile(tmpfile, filestring, self.logger):
                    success = False
                else:
                    # record event, rename file, set perms
                    self.iditerator += 1
                    myid = iterate(self.iditerator, self.rulenumber)
                    event = {"eventtype": "conf", "filepath": "/etc/netconfig"}
                    self.statechglogger.recordchgevent(myid, event)
                    self.statechglogger.recordfilechange(
                        "/etc/netconfig", tmpfile, myid)
                    os.rename(tmpfile, "/etc/netconfig")
                    os.chown("/etc/netconfig", 0, 0)
                    os.chmod("/etc/netconfig", 420)
                    resetsecon("/etc/netconfig")

        # remove any ipv6 addresses from /etc/hosts file
        if os.path.exists("/etc/hosts"):
            contents = readFile("/etc/hosts", self.logger)
            tempstring = ""
            tmpfile = "/etc/hosts.tmp"
            for line in contents:
                if re.search("^#", line) or re.match("^\s*$", line):
                    tempstring += line
                    continue
                elif re.search(":", line):
                    tempstring += "#" + line
                else:
                    tempstring += line
            if writeFile(tmpfile, tempstring, self.logger):
                self.iditerator += 1
                myid = iterate(self.iditerator, self.rulenumber)
                event = {"eventtype": "conf", "filepath": "/etc/hosts"}
                self.statechglogger.recordchgevent(myid, event)
                self.statechglogger.recordfilechange("/etc/hosts", tmpfile,
                                                     myid)
                os.rename(tmpfile, "/etc/hosts")
                os.chown("/etc/hosts", 0, 0)
                os.chmod("/etc/hosts", 420)
                resetsecon("/etc/hosts")
            else:
                success = False
                debug = "Unable to write to file /etc/hosts\n"
                self.logger.log(LogPriority.DEBUG, debug)

        # fix sysctl / tuning kernel parameters
        # manually write key value pairs to /etc/sysctl.conf
        created = False
        if not os.path.exists(sysctl):
            if createFile(sysctl, self.logger):
                created = True
                setPerms(sysctl, [0, 0, 0o644], self.logger)
                self.iditerator += 1
                myid = iterate(self.iditerator, self.rulenumber)
                event = {"eventtype": "creation", "filepath": sysctl}
                self.statechglogger.recordchgevent(myid, event)
            else:
                success = False
                debug = "Unable to create " + sysctl + "\n"
                self.logger.log(LogPriority.DEBUG, debug)
        if os.path.exists(sysctl):
            if not checkPerms(sysctl, [0, 0, 0o644], self.logger):
                if not created:
                    self.iditerator += 1
                    myid = iterate(self.iditerator, self.rulenumber)
                    if not setPerms(sysctl, [0, 0, 0o644], self.logger,
                                    self.statechglogger, myid):
                        success = False

            tmpfile = sysctl + ".tmp"
            self.editor1 = KVEditorStonix(self.statechglogger, self.logger,
                                          "conf", sysctl, tmpfile,
                                          self.sysctls, "present", "openeq")
            if not self.editor1.report():
                if self.editor1.fixables:
                    # If we did not create the file, set an event ID for the
                    # KVEditor's undo event
                    if not created:
                        self.iditerator += 1
                        myid = iterate(self.iditerator, self.rulenumber)
                        self.editor1.setEventID(myid)
                    if not self.editor1.fix():
                        success = False
                        debug = "Unable to complete kveditor fix method" + \
                            "for /etc/sysctl.conf file\n"
                        self.logger.log(LogPriority.DEBUG, debug)
                    elif not self.editor1.commit():
                        success = False
                        debug = "Unable to complete kveditor commit " + \
                            "method for /etc/sysctl.conf file\n"
                        self.logger.log(LogPriority.DEBUG, debug)
                    if not checkPerms(sysctl, [0, 0, 0o644], self.logger):
                        if not setPerms(self.path, [0, 0, 0o644], self.logger):
                            self.detailedresults += "Could not set permissions on " + \
                                                    self.path + "\n"
                            success = False
                    resetsecon(sysctl)

        # here we also check the output of the sysctl command for each key
        # to cover all bases
        for key in self.sysctls:
            if self.ch.executeCommand("/sbin/sysctl " + key):
                output = self.ch.getOutputString().strip()
                errmsg = output + self.ch.getErrorString()
                if re.search("unknown key", errmsg):
                    continue
                if not re.search(self.sysctls[key] + "$", output):
                    undovalue = output[-1]
                    self.ch.executeCommand("/sbin/sysctl -q -e -w " + key +
                                           "=" + self.sysctls[key])
                    retcode = self.ch.getReturnCode()
                    if retcode != 0:
                        success = False
                        self.detailedresults += "Failed to set " + key + " = " + self.sysctls[
                            key] + "\n"
                        errmsg = self.ch.getErrorString()
                        self.logger.log(LogPriority.DEBUG, errmsg)
                    else:
                        self.iditerator += 1
                        myid = iterate(self.iditerator, self.rulenumber)
                        command = "/sbin/sysctl -q -e -w " + key + "=" + undovalue
                        event = {
                            "eventtype": "commandstring",
                            "command": command
                        }
                        self.statechglogger.recordchgevent(myid, event)
            else:
                self.detailedresults += "Unable to get value for " + key + "\n"
                success = False
        # at the end do a print and ignore any key errors to ensure
        # the new values are read into the kernel
        self.ch.executeCommand("/sbin/sysctl -q -e -p")
        retcode2 = self.ch.getReturnCode()
        if retcode2 != 0:
            success = False
            self.detailedresults += "Failed to load new sysctl configuration from config file\n"
            errmsg2 = self.ch.getErrorString()
            self.logger.log(LogPriority.DEBUG, errmsg2)

        # We never found the correct contents in any of the modprobe.d files
        # so we're going to created the stonix-blacklist file
        # this file is used in other rules
        if not self.modprobeOK:
            created = False
            tmpfile = blacklistfile + ".tmp"
            modprobekveditor = KVEditorStonix(self.statechglogger, self.logger,
                                              "conf", blacklistfile, tmpfile,
                                              self.modprobes, "notpresent",
                                              "space")
            if not os.path.exists(blacklistfile):
                # create the file and record the event as file creation
                if createFile(blacklistfile, self.logger):
                    created = True
                    self.iditerator += 1
                    myid = iterate(self.iditerator, self.rulenumber)
                    event = {
                        "eventtype": "creation",
                        "filepath": blacklistfile
                    }
                    self.statechglogger.recordchgevent(myid, event)
            if os.path.exists(blacklistfile):
                if not modprobekveditor.report():
                    if not modprobekveditor.fix():
                        success = False
                        self.detailedresults += "Unable to correct contents in " + \
                                                blacklistfile + "\n"
                    else:
                        # if the file was created, then we already recorded an event
                        # for that, so this step would get skipped
                        if not created:
                            self.iditerator += 1
                            myid = iterate(self.iditerator, self.rulenumber)
                            modprobekveditor.setEventID(myid)
                        if not modprobekveditor.commit():
                            success = False
                            self.detailedresults += "Unable to correct contents in " + \
                                                blacklistfile + "\n"

        # fix ifcfg (interface) files
        if self.ph.manager == "yum":
            ifacefile = "/etc/sysconfig/network-scripts/"
            netwrkfile = "/etc/sysconfig/network"
        elif self.ph.manager == "zypper":
            ifacefile = "/etc/sysconfig/network/"
        if ifacefile:
            if os.path.exists(ifacefile):
                dirs = glob.glob(ifacefile + "*")
                if dirs:
                    for loc in dirs:
                        interface = {"IPV6INIT": "no", "NETWORKING_IPV6": "no"}
                        interface2 = {
                            "IPV6INIT": "no",
                            "NETWORKING_IPV6": "no"
                        }
                        found = False
                        tempstring = ""
                        if re.search('^' + ifacefile + 'ifcfg', loc):
                            filename = loc
                            tmpfile = filename + ".tmp"
                            contents = readFile(filename, self.logger)
                            if not checkPerms(filename, [0, 0, 420],
                                              self.logger):
                                self.iditerator += 1
                                myid = iterate(self.iditerator,
                                               self.rulenumber)
                                if not setPerms(filename, [0, 0, 420],
                                                self.logger,
                                                self.statechglogger, myid):
                                    debug = "Unable to set permissions on " + \
                                        filename + "\n"
                                    self.logger.log(LogPriority.DEBUG, debug)
                                    success = False
                            for key in interface:
                                found = False
                                for line in contents:
                                    if re.search("^#", line) or \
                                       re.match("^\s*$", line):
                                        continue
                                    if re.search("^" + key, line):
                                        if re.search("=", line):
                                            temp = line.split("=")
                                            if temp[1].strip(
                                            ) == interface[key]:
                                                if found:
                                                    continue
                                                found = True
                                            else:
                                                contents.remove(line)
                                if found:
                                    del interface2[key]
                            for line in contents:
                                tempstring += line
                            tempstring += universal
                            for key in interface2:
                                tempstring += key + "=" + interface2[key] + \
                                    "\n"
                            if not writeFile(tmpfile, tempstring, self.logger):
                                success = False
                                debug = "Unable to write to file " + loc + "\n"
                                self.logger.log(LogPriority.DEBUG, debug)
                            self.iditerator += 1
                            myid = iterate(self.iditerator, self.rulenumber)
                            event = {'eventtype': 'conf', 'filepath': filename}
                            self.statechglogger.recordchgevent(myid, event)
                            self.statechglogger.recordfilechange(
                                filename, tmpfile, myid)
                            os.rename(tmpfile, filename)
                            os.chown(filename, 0, 0)
                            os.chmod(filename, 420)
                            resetsecon(filename)
            elif not os.path.exists(ifacefile) and ifacefile != "":
                # will not attempt to create the interface files
                debug = "interface directory which holds interface \
                files, doesn't exist, stonix will not attempt to make this \
                directory or the files contained therein"

                success = False
                self.logger.log(LogPriority.DEBUG, debug)

        # fix network file if it exists
        if netwrkfile:
            if not os.path.exists(netwrkfile):
                if not createFile(netwrkfile, self.logger):
                    debug = "Unable to create " + netwrkfile + "file\n"
                    self.logger.log(LogPriority.DEBUG, debug)
                    success = False
                else:
                    if not checkPerms(netwrkfile, [0, 0, 420], self.logger):
                        self.iditerator += 1
                        myid = iterate(self.iditerator, self.rulenumber)
                        if not setPerms(netwrkfile, [0, 0, 420], self.logger,
                                        self.statechglogger, myid):
                            debug = "Unable to set permissions on " + \
                                    netwrkfile + "\n"
                            self.logger.log(LogPriority.DEBUG, debug)
                            success = False
                    tmpfile = netwrkfile + ".tmp"
                    self.editor2 = KVEditorStonix(self.statechglogger,
                                                  self.logger, "conf",
                                                  netwrkfile, tmpfile,
                                                  self.interface, "present",
                                                  "closedeq")
                    if not self.editor2.report():
                        self.detailedresults += netwrkfile + " doesn't contain \
the correct contents\n"

            if self.editor2:
                if self.editor2.fixables:
                    self.iditerator += 1
                    myid = iterate(self.iditerator, self.rulenumber)
                    self.editor2.setEventID(myid)
                    if not self.editor2.fix():
                        success = False
                        debug = "Unable to complete kveditor fix method" + \
                            "for " + netwrkfile + "\n"
                        self.logger.log(LogPriority.DEBUG, debug)
                    elif not self.editor2.commit():
                        success = False
                        debug = "Unable to complete kveditor commit " + \
                            "method for " + netwrkfile + "\n"
                        self.logger.log(LogPriority.DEBUG, debug)
                    os.chown(netwrkfile, 0, 0)
                    os.chmod(netwrkfile, 420)
                    resetsecon(netwrkfile)

        # fix sshd_config file for apt-get systems if ssh is installed
        if self.ph.manager == "apt-get":
            if not os.path.exists("/etc/ssh/sshd_config"):
                msg = "/etc/ssh/ssd_config doesn\'t exist.  This could mean ssh \
    is not installed or the file has been inadvertantly deleted.  Due to the \
    complexity of this file stonix will not attempt to create this file"

                self.logger.log(LogPriority.DEBUG, msg)
                success = False
            else:
                if not checkPerms("/etc/ssh/sshd_config", [0, 0, 420],
                                  self.logger):
                    self.iditerator += 1
                    myid = iterate(self.iditerator, self.rulenumber)
                    if not setPerms("/etc/ssh/sshd_config", [0, 0, 420],
                                    self.logger, self.statechglogger, myid):
                        success = False
                        debug = "Unable to set permissions on " + \
                            "/etc/ssh/sshd_config\n"
                        self.logger.log(LogPriority.DEBUG, debug)
                if self.editor3:
                    if self.editor3.fixables:
                        self.iditerator += 1
                        myid = iterate(self.iditerator, self.rulenumber)
                        self.editor3.setEventID(myid)
                        if not self.editor3.fix():
                            success = False
                            debug = "Unable to complete kveditor fix method" + \
                                "for /etc/ssh/sshd_config file\n"
                            self.logger.log(LogPriority.DEBUG, debug)
                        elif not self.editor3.commit():
                            success = False
                            debug = "Unable to complete kveditor commit " + \
                                "method for /etc/ssh/sshd_config file\n"
                            self.logger.log(LogPriority.DEBUG, debug)
                        os.chown("/etc/ssh/sshd_config", 0, 0)
                        os.chmod("/etc/ssh/sshd_config", 420)
                        resetsecon("/etc/ssh/sshd_config")
        return success

コード例 #15

ファイル: SetTFTPDSecureMode.py プロジェクト: 5l1v3r1/stonix

    def fixDebianSys(self):
        """

        :return: success
        :rtype: bool
        """

        success = True
        if not checkPerms(self.tftpFile, [0, 0, 420], self.logger):
            self.iditerator += 1
            myid = iterate(self.iditerator, self.rulenumber)
            if not setPerms(self.tftpFile, [0, 0, 420], self.logger,
                            self.statechglogger, myid):
                self.detailedresults += "Unable to set " + \
                    "permissions on " +  self.tftpFile + "\n"
                success = False
        contents = readFile(self.tftpFile, self.logger)
        found1 = False
        found2 = False
        tempstring = ""
        for line in contents:
            if re.search("TFTP_OPTIONS", line):
                if found1:
                    continue
                if re.search("=", line):
                    tmp = line.strip()
                    tmp = tmp.split("=")
                    try:
                        #remove beginning and ending spaces of the part
                        #after = if necessary
                        opts = tmp[1].strip()
                        #opts = "\" sdfads \""
                        #replace actual quotes with nothing
                        opts = re.sub("\"", "", opts)
                        #opts = " sdfads "
                        #once again replace any whitespace with just one space
                        opts = re.sub("/s+", " ", opts.strip())
                        #split by single whitespace
                        opts = opts.split(" ")
                        if "--secure" not in opts:
                            continue
                        else:
                            tempstring += line
                            found1 = True
                    except IndexError:
                        continue
                else:
                    continue
            elif re.search("TFTP_DIRECTORY", line):
                if found2:
                    continue

                if re.search("=", line):
                    tmp = line.strip()
                    tmp = tmp.split("=")
                    try:
                        opts = tmp[1].strip()
                        opts = re.sub("\"", "", opts)
                        if not re.search("^/var/lib/tftpboot$", opts):
                            continue
                        else:
                            tempstring += line
                            found2 = True
                    except IndexError:
                        continue
            else:
                tempstring += line
        if not found1:
            tempstring += "TFTP_OPTIONS=\"--secure\"\n"
        if not found2:
            tempstring += "TFTP_DIRECTORY=\"/var/lib/tftpboot\"\n"
        tmpfile = self.tftpFile + ".tmp"
        if writeFile(tmpfile, tempstring, self.logger):
            self.iditerator += 1
            myid = iterate(self.iditerator, self.rulenumber)
            event = {"eventtype": "conf", "filepath": self.tftpFile}
            self.statechglogger.recordchgevent(myid, event)
            self.statechglogger.recordfilechange(self.tftpFile, tmpfile, myid)
            os.rename(tmpfile, self.tftpFile)
            os.chown(self.tftpFile, 0, 0)
            os.chmod(self.tftpFile, 420)
            resetsecon(self.tftpFile)
        else:
            self.detailedresults += "Unable to write new contents " + \
                "to " + self.tftpFile + " file.\n"
            success = False
        return success

コード例 #16

ファイル: DisableGUILogon.py プロジェクト: 5l1v3r1/stonix

    def fixBootMode(self):
        success = True
        if self.initver == "systemd":
            cmd = ["/bin/systemctl", "set-default",
                   "multi-user.target"]
            if not self.ch.executeCommand(cmd):
                success = False
                self.detailedresults += '"systemctl set-default ' \
                    + 'multi-user.target" did not succeed\n'
            else:
                self.iditerator += 1
                myid = iterate(self.iditerator, self.rulenumber)
                commandstring = "/bin/systemctl set-default " + \
                                "graphical.target"
                event = {"eventtype": "commandstring",
                         "command": commandstring}
                self.statechglogger.recordchgevent(myid, event)

        elif self.initver == "debian":
            dmlist = ["gdm", "gdm3", "lightdm", "xdm", "kdm"]
            for dm in dmlist:
                cmd = ["update-rc.d", "-f", dm, "disable"]
                if not self.ch.executeCommand(cmd):
                    self.detailedresults += "Failed to disable desktop " + \
                        "manager " + dm
                else:
                    self.iditerator += 1
                    myid = iterate(self.iditerator, self.rulenumber)
                    event = {"eventtype": "servicehelper",
                             "servicename": dm,
                             "startstate": "enabled",
                             "endstate": "disabled"}
                    self.statechglogger.recordchgevent(myid, event)

        elif self.initver == "ubuntu":
            ldmover = "/etc/init/lightdm.override"
            tmpfile = ldmover + ".tmp"
            created = False
            if not os.path.exists(ldmover):
                createFile(ldmover, self.logger)
                self.iditerator += 1
                myid = iterate(self.iditerator, self.rulenumber)
                event = {"eventtype": "creation", "filepath": ldmover}
                self.statechglogger.recordchgevent(myid, event)
                created = True
            writeFile(tmpfile, "manual\n", self.logger)
            if not created:
                self.iditerator += 1
                myid = iterate(self.iditerator, self.rulenumber)
                event = {"eventtype": "conf", "filepath": ldmover}
                self.statechglogger.recordchgevent(myid, event)
                self.statechglogger.recordfilechange(ldmover, tmpfile, myid)
            os.rename(tmpfile, ldmover)
            resetsecon(ldmover)

            grub = "/etc/default/grub"
            if not os.path.exists(grub):
                createFile(grub, self.logger)
                self.iditerator += 1
                myid = iterate(self.iditerator, self.rulenumber)
                event = {"eventtype": "creation", "filepath": grub}
                self.statechglogger.recordchgevent(myid, event)
            tmppath = grub + ".tmp"
            data = {"GRUB_CMDLINE_LINUX_DEFAULT": '"quiet"'}
            editor = KVEditorStonix(self.statechglogger, self.logger,
                                    "conf", grub, tmppath, data,
                                    "present", "closedeq")
            editor.report()
            if editor.fixables:
                if editor.fix():
                    self.iditerator += 1
                    myid = iterate(self.iditerator, self.rulenumber)
                    editor.setEventID(myid)
                    debug = "kveditor fix ran successfully\n"
                    self.logger.log(LogPriority.DEBUG, debug)
                    if editor.commit():
                        debug = "kveditor commit ran successfully\n"
                        self.logger.log(LogPriority.DEBUG, debug)
                    else:
                        error = "kveditor commit did not run " + \
                                "successfully\n"
                        self.logger.log(LogPriority.ERROR, error)
                        success = False
                else:
                    error = "kveditor fix did not run successfully\n"
                    self.logger.log(LogPriority.ERROR, error)
                    success = False
            cmd = "update-grub"
            self.ch.executeCommand(cmd)

        else:
            inittab = "/etc/inittab"
            tmpfile = inittab + ".tmp"
            if os.path.exists(inittab):
                initText = open(inittab, "r").read()
                initre = r"id:\d:initdefault:"
                if re.search(initre, initText):
                    initText = re.sub(initre, "id:3:initdefault:",
                                      initText)
                    writeFile(tmpfile, initText, self.logger)
                    self.iditerator += 1
                    myid = iterate(self.iditerator, self.rulenumber)
                    event = {"eventtype": "conf", "filepath": inittab}
                    self.statechglogger.recordchgevent(myid, event)
                    self.statechglogger.recordfilechange(inittab,
                                                         tmpfile, myid)
                    os.rename(tmpfile, inittab)
                    resetsecon(inittab)
                else:
                    initText += "\nid:3:initdefault:\n"
                    writeFile(tmpfile, initText, self.logger)
                    self.iditerator += 1
                    myid = iterate(self.iditerator, self.rulenumber)
                    event = {"eventtype": "conf", "filepath": inittab}
                    self.statechglogger.recordchgevent(myid, event)
                    self.statechglogger.recordfilechange(inittab,
                                                         tmpfile, myid)
                    os.rename(tmpfile, inittab)
                    resetsecon(inittab)
            else:
                self.detailedresults += inittab + " not found, no other " + \
                    "init system found. If you are using a supported " + \
                    "Linux OS, please report this as a bug\n"
        return success

コード例 #17

    def setpasswordsetup(self, regex1, pkglist = None):
        """
        configure password requirements in pam, install necessary packages

        :param regex1: string; regular expression
        :param pkglist: list; string names of packages to install
        :return: success
        :rtype: bool
        """

        regex2 = "^password[ \t]+sufficient[ \t]+pam_unix.so sha512 shadow " + \
            "try_first_pass use_authtok remember=10"
        success = True
        pamfiles = []
        installed = False
        if pkglist:
            for pkg in pkglist:
                if self.ph.check(pkg):
                    installed = True
                    break
        else:
            installed = True
        if not installed:
            for pkg in pkglist:
                if self.ph.checkAvailable(pkg):
                    if not self.ph.install(pkg):
                        self.detailedresults += "Unable to install pkg " + pkg + "\n"
                        return False
                    else:
                        installed = True
                        if self.usingpwquality:
                            self.iditerator += 1
                            myid = iterate(self.iditerator, self.rulenumber)
                            comm = self.ph.getRemove() + pkg
                            event = {"eventtype": "commandstring",
                                     "command": comm}
                            self.statechglogger.recordchgevent(myid, event)
                            pwqfile = "/etc/security/pwquality.conf"
                            tmpfile = pwqfile + ".stonixtmp"
                            if self.environ.getsystemfismacat() == "high":
                                data = {"difok": "7",
                                        "minlen": "14",
                                        "dcredit": "0",
                                        "ucredit": "0",
                                        "lcredit": "0",
                                        "ocredit": "0",
                                        "maxrepeat": "3",
                                        "minclass": "4"}
                            else:
                                data = {"difok": "7",
                                        "minlen": "8",
                                        "dcredit": "0",
                                        "ucredit": "0",
                                        "lcredit": "0",
                                        "ocredit": "0",
                                        "maxrepeat": "3",
                                        "minclass": "3"}
                            self.pwqeditor = KVEditorStonix(self.statechglogger,
                                                            self.logger, "conf",
                                                            pwqfile, tmpfile, data,
                                                            "present", "openeq")
                            self.pwqeditor.report()
                            break
        if not installed:
            self.detailedresults += "No password checking program available\n"
            return False
        if self.usingpwquality:
            if not self.setpwquality():
                success = False
        if self.ph.manager in ("yum", "dnf"):
            writecontents = self.auth + "\n" + self.acct + "\n" + \
                self.password + "\n" + self.session
            pamfiles.append(self.pamauthfile)
            pamfiles.append(self.pampassfile)
        else:
            writecontents = self.password
            pamfiles.append(self.pampassfile)
        for pamfile in pamfiles:
            if not os.path.exists(pamfile):
                self.detailedresults += pamfile + " doesn't exist.\n" + \
                    "Stonix will not attempt to create this file " + \
                    "and the fix for the this rule will not continue\n"
                return False
        # """Check permissions on pam file(s)"""
        for pamfile in pamfiles:
            if not checkPerms(pamfile, [0, 0, 0o644], self.logger):
                self.iditerator += 1
                myid = iterate(self.iditerator, self.rulenumber)
                if not setPerms(pamfile, [0, 0, 0o644], self.logger, self.statechglogger, myid):
                    success = False
                    self.detailedresults += "Unable to set correct permissions on " + pamfile + "\n"
            contents = readFile(pamfile, self.logger)
            found1, found2 = False, False
            for line in contents:
                if re.search(regex1, line.strip()):
                    found1 = True
                if re.search(regex2, line.strip()):
                    found2 = True
            if not found1 or not found2:
                tmpfile = pamfile + ".stonixtmp"
                if writeFile(tmpfile, writecontents, self.logger):
                    self.iditerator += 1
                    myid = iterate(self.iditerator, self.rulenumber)
                    event = {'eventtype': 'conf',
                             'filepath': pamfile}
                    self.statechglogger.recordchgevent(myid, event)
                    self.statechglogger.recordfilechange(pamfile, tmpfile, myid)
                    os.rename(tmpfile, pamfile)
                    os.chown(pamfile, 0, 0)
                    os.chmod(pamfile, 0o644)
                    resetsecon(pamfile)
                else:
                    self.detailedresults += "Unable to write to " + pamfile + "\n"
                    success = False
        return success

コード例 #18

ファイル: ConfigureLinuxFirewall.py プロジェクト: 5l1v3r1/stonix

    def fix(self):
        '''Enable the firewall services and establish basic rules if needed.

        @author: D. Kennel


        '''
        try:
            if not self.clfci.getcurrvalue():
                return
            self.iditerator = 0
            self.detailedresults = ""
            success = True
            # delete past state change records from previous fix
            eventlist = self.statechglogger.findrulechanges(self.rulenumber)
            for event in eventlist:
                self.statechglogger.deleteentry(event)
            #firewall-cmd portion
            if self.checkFirewalld():
                if self.servicehelper.enableService('firewalld.service', serviceTarget=self.serviceTarget):
                    self.iditerator += 1
                    myid = iterate(self.iditerator, self.rulenumber)
                    cmd = "/usr/bin/systemctl disable firewalld.service"
                    event = {"eventtype": "commandstring",
                             "command": cmd}
                    self.statechglogger.recordchgevent(myid, event)
                    self.detailedresults += "Firewall configured.\n "
                else:
                    success = False
                    self.detailedresults += "Unable to enable firewall\n"
                    debug = "Unable to enable firewall\n"
                    self.logger.log(LogPriority.DEBUG, debug)

            #ufw command portion
            elif self.checkUFW():
                self.logger.log(LogPriority.DEBUG, "System uses ufw. Running ufw commands...")
                cmdufw = '/usr/sbin/ufw status'
                if not self.cmdhelper.executeCommand(cmdufw):
                    self.detailedresults += "Unable to run " + \
                        "ufw status command\n"
                    success = False
                else:
                    outputufw = self.cmdhelper.getOutputString()
                    if re.search('Status: inactive', outputufw):
                        ufwcmd = '/usr/sbin/ufw --force enable'
                        if not self.cmdhelper.executeCommand(ufwcmd):
                            self.detailedresults += "Unable to run " + \
                                "ufw enable command\n"
                            success = False
                        else:
                            self.iditerator += 1
                            myid = iterate(self.iditerator, self.rulenumber)
                            undocmd = "/usr/sbin/ufw --force disable"
                            event = {"eventtype": "commandstring",
                                     "command": undocmd}
                            self.statechglogger.recordchgevent(myid, event)
                            cmdufw = "/usr/sbin/ufw status verbose"
                            if not self.cmdhelper.executeCommand(cmdufw):
                                self.detailedresults += "Unable to retrieve firewall rules\n"
                                success = False
                            else:
                                outputfw = self.cmdhelper.getOutputString()
                                if not re.search("Default\:\ deny\ \(incoming\)", outputfw):
                                    ufwcmd = "/usr/sbin/ufw default deny incoming"
                                    if not self.cmdhelper.executeCommand(ufwcmd):
                                        self.detailedresults += "Unable to set default " + \
                                            "rule for incoming unspecified packets\n"
                                        success = False
                                    else:
                                        self.iditerator += 1
                                        myid = iterate(self.iditerator, self.rulenumber)
                                        undocmd = "/usr/sbin/ufw default allow incoming"
                                        event = {"eventtype": "commandstring",
                                                 "command": undocmd}
                                        self.statechglogger.recordchgevent(myid, event)
                    elif re.search('Status: active', outputufw):
                        cmdufw = "/usr/sbin/ufw status verbose"
                        if not self.cmdhelper.executeCommand(cmdufw):
                            self.detailedresults += "Cannot retrieve firewall rules\n"
                            success = False
                        else:
                            outputufw = self.cmdhelper.getOutputString()
                            if not re.search("Default\:\ deny\ \(incoming\)", outputufw):
                                ufwcmd = "/usr/sbin/ufw default deny incoming"
                                if not self.cmdhelper.executeCommand(ufwcmd):
                                    self.detailedresults += "Unable to set default " + \
                                        "rule for incoming unspecified packets\n"
                                    success = False
                                else:
                                    self.iditerator += 1
                                    myid = iterate(self.iditerator, self.rulenumber)
                                    undocmd = "/usr/sbin/ufw default allow incoming"
                                    event = {"eventtype": "commandstring",
                                             "command": undocmd}
                                    self.statechglogger.recordchgevent(myid, event)
            else:
                #following portion is mainly for debian and opensuse systems only

                if os.path.exists("/etc/network/if-pre-up.d"):
                    self.iptScriptPath = "/etc/network/if-pre-up.d/iptables"
                    self.scriptType = "debian"
                    servicename = "networking"
                elif os.path.exists("/etc/sysconfig/scripts"):
                    self.iptScriptPath = "/etc/sysconfig/scripts/SuSEfirewall2-custom"
                    self.scriptType = "suse"
                    servicename = "network"
                #this script will ensure that iptables gets configured
                #each time the network restarts
                iptables = self.getScriptValues("iptables")
                ip6tables = self.getScriptValues("ip6tables")
                iptScript = ""
                created = False
                if self.iptScriptPath:
                    if self.scriptType == "debian":
                        if self.iprestore and self.ip6restore:
                            iptScript = '#!/bin/bash\n' + self.iprestore + \
                                        ' <<< "' + iptables + '"\n' + self.ip6restore + \
                                        ' <<< "' + ip6tables + '"'
                    else:
                        iptScript = self.getScriptValues("iptscript")
                    if iptScript:
                        if not os.path.exists(self.iptScriptPath):
                            if not createFile(self.iptScriptPath, self.logger):
                                success = False
                                self.detailedresults += "Unable to create file " + self.iptScriptPath + "\n"
                            else:
                                created = True
                                self.iditerator += 1
                                myid = iterate(self.iditerator, self.rulenumber)
                                event = {"eventtype": "creation",
                                         "filepath": self.iptScriptPath}
                                self.statechglogger.recordchgevent(myid, event)
                        if os.path.exists(self.iptScriptPath):
                            if not checkPerms(self.iptScriptPath, [0, 0, 0o755], self.logger):
                                if not created:
                                    self.iditerator += 1
                                    myid = iterate(self.iditerator, self.rulenumber)
                                    if not setPerms(self.iptScriptPath, [0, 0, 0o755], self.logger, self.statechglogger, myid):
                                        success = False
                                        self.detailedresults += "Unable to set permissions on " + self.iptScriptPath + "\n"
                            contents = readFile(self.iptScriptPath, self.logger)
                            if contents != iptScript:
                                tempfile = self.iptScriptPath + ".tmp"
                                if not writeFile(tempfile, iptScript, self.logger):
                                    success = False
                                    self.detailedresults += "Unable to write contents to " + self.iptScriptPath + "\n"
                                else:
                                    if not created:
                                        self.iditerator += 1
                                        myid = iterate(self.iditerator, self.rulenumber)
                                        event = {"eventtype": "conf",
                                                 "filepath": self.iptScriptPath}
                                        self.statechglogger.recordchgevent(myid, event)
                                        self.statechglogger.recordfilechange(self.iptScriptPath, tempfile, myid)
                                    os.rename(tempfile, self.iptScriptPath)
                                    os.chown(self.iptScriptPath, 0, 0)
                                    os.chmod(self.iptScriptPath, 0o755)
                                    resetsecon(self.iptScriptPath)

                            stonixfilepath = "/var/db/stonix/"
                            savecmd = "/sbin/iptables-save > " + stonixfilepath + "user-firewall-pre-stonix"
                            if not self.cmdhelper.executeCommand(savecmd):
                                success = False
                                self.detailedresults += "Unable to save current ipv4 " + \
                                                        "firewall rules for revert\n"
                                debug = "Unable to save current ipv4 " + \
                                        "firewall rules for revert\n"
                                self.logger.log(LogPriority.DEBUG, debug)
                            save6cmd = "/sbin/ip6tables-save > " + stonixfilepath + "user-firewall6-pre-stonix"
                            if not self.cmdhelper.executeCommand(save6cmd):
                                success = False
                                self.detailedresults += "Unable to save current ipv6 " + \
                                                        "firewall rules for revert\n"
                                debug = "Unable to save current ipv6 " + \
                                        "firewall rules for revert\n"
                                self.logger.log(LogPriority.DEBUG, debug)
                            self.servicehelper.stopService(servicename)

                            if not self.servicehelper.startService(servicename):
                                success = False
                                self.detailedresults += "Unable to restart networking\n"
                                debug = "Unable to restart networking\n"
                                self.logger.log(LogPriority.DEBUG, debug)
                            else:
                                self.iditerator += 1
                                myid = iterate(self.iditerator, self.rulenumber)
                                cmd = "/sbin/iptables-restore < " + stonixfilepath + "user-firewall-pre-stonix"
                                event = {"eventtype": "commandstring",
                                         "command": cmd}
                                self.statechglogger.recordchgevent(myid, event)
                                self.iditerator += 1
                                myid = iterate(self.iditerator, self.rulenumber)
                                cmd = "/sbin/ip6tables-restore < " + stonixfilepath + "user-firewall6-pre-stonix"
                                event = {"eventtype": "commandstring",
                                         "command": cmd}
                                self.statechglogger.recordchgevent(myid, event)

                    else:
                        success = False
                        self.detailedresults += "There is no iptables startup script\n"
                        debug = "There is no iptables startup script\n"
                        self.logger.log(LogPriority.DEBUG, debug)

                #this portion mostly applies to RHEL6 and Centos6
                if os.path.exists('/usr/bin/system-config-firewall') or \
                        os.path.exists('/usr/bin/system-config-firewall-tui'):
                    systemconfigfirewall = self.getScriptValues("systemconfigfirewall")
                    sysconfigiptables = self.getScriptValues("sysconfigiptables")
                    sysconfigip6tables = self.getScriptValues("sysconfigip6tables")

                    fwpath = '/etc/sysconfig/system-config-firewall'
                    iptpath = '/etc/sysconfig/iptables'
                    ip6tpath = '/etc/sysconfig/ip6tables'
                    #portion to handle the system-config-firewall file
                    created = False
                    if not os.path.exists(fwpath):
                        if not createFile(fwpath, self.logger):
                            success = False
                            self.detailedresults += "Unable to create file " + fwpath + "\n"
                        else:
                            created = True
                            self.iditerator += 1
                            myid = iterate(self.iditerator, self.rulenumber)
                            event = {"eventtype": "creation",
                                     "filepath": fwpath}
                            self.statechglogger.recordchgevent(myid, event)
                    if os.path.exists(fwpath):
                        if not checkPerms(fwpath, [0, 0, 0o600], self.logger):
                            if not created:
                                self.iditerator += 1
                                myid = iterate(self.iditerator, self.rulenumber)
                                if not setPerms(fwpath, [0, 0, 0o600], self.logger, self.statechglogger, myid):
                                    success = False
                                    self.detailedresults += "Unable to set permissions on " + fwpath + "\n"
                        contents = readFile(fwpath, self.logger)
                        if contents != systemconfigfirewall:
                            print("contents don't equal systemconfigurefirewall contents\n")
                            tempfile = fwpath + ".tmp"
                            if not writeFile(tempfile, systemconfigfirewall, self.logger):
                                success = False
                                self.detailedresults += "Unable to write contents to " + fwpath + "\n"
                            else:
                                if not created:
                                    self.iditerator += 1
                                    myid = iterate(self.iditerator, self.rulenumber)
                                    event = {"eventtype": "conf",
                                             "filepath": fwpath}
                                    self.statechglogger.recordchgevent(myid, event)
                                    self.statechglogger.recordfilechange(fwpath, tempfile, myid)
                                os.rename(tempfile, fwpath)
                                os.chown(fwpath, 0, 0)
                                os.chmod(fwpath, 0o600)
                                resetsecon(fwpath)
                    created = False
                    #portion to handle the iptables rules file
                    if not os.path.exists(iptpath):
                        if not createFile(iptpath, self.logger):
                            success = False
                            self.detailedresults += "Unable to create file " + iptpath + "\n"
                        else:
                            created = True
                            self.iditerator += 1
                            myid = iterate(self.iditerator, self.rulenumber)
                            event = {"eventtype": "creation",
                                     "filepath": iptpath}
                            self.statechglogger.recordchgevent(myid, event)
                    if os.path.exists(iptpath):
                        if not checkPerms(iptpath, [0, 0, 0o644], self.logger):
                            if not created:
                                self.iditerator += 1
                                myid = iterate(self.iditerator, self.rulenumber)
                                if not setPerms(iptpath, [0, 0, 0o644], self.logger, self.statechglogger, myid):
                                    success = False
                                    self.detailedresults += "Unable to set permissions on " + iptpath + "\n"
                        contents = readFile(iptpath, self.logger)
                        if contents != sysconfigiptables:
                            tempfile = iptpath + ".tmp"
                            if not writeFile(tempfile, sysconfigiptables, self.logger):
                                success = False
                                self.detailedresults += "Unable to write contents to " + iptpath + "\n"
                            else:
                                if not created:
                                    self.iditerator += 1
                                    myid = iterate(self.iditerator, self.rulenumber)
                                    event = {"eventtype": "conf",
                                             "filepath": iptpath}
                                    self.statechglogger.recordchgevent(myid, event)
                                    self.statechglogger.recordfilechange(iptpath, tempfile, myid)
                                os.rename(tempfile, iptpath)
                                os.chown(iptpath, 0, 0)
                                os.chmod(iptpath, 0o644)
                                resetsecon(iptpath)
                    created = False
                    #portion to handle ip6tables rules file
                    if not os.path.exists(ip6tpath):
                        if not createFile(ip6tpath, self.logger):
                            success = False
                            self.detailedresults += "Unable to create file " + ip6tpath + "\n"
                        else:
                            created = True
                            self.iditerator += 1
                            myid = iterate(self.iditerator, self.rulenumber)
                            event = {"eventtype": "creation",
                                     "filepath": ip6tpath}
                            self.statechglogger.recordchgevent(myid, event)
                    if os.path.exists(ip6tpath):
                        if not checkPerms(ip6tpath, [0, 0, 0o644], self.logger):
                            if not created:
                                self.iditerator += 1
                                myid = iterate(self.iditerator, self.rulenumber)
                                if not setPerms(ip6tpath, [0, 0, 0o644], self.logger, self.statechglogger, myid):
                                    success = False
                                    self.detailedresults += "Unable to set permissions on " + ip6tpath + "\n"
                        contents = readFile(ip6tpath, self.logger)
                        if contents != sysconfigip6tables:
                            tempfile = ip6tpath + ".tmp"
                            if not writeFile(tempfile, sysconfigip6tables, self.logger):
                                success = False
                                self.detailedresults += "Unable to write contents to " + ip6tpath + "\n"
                            else:
                                if not created:
                                    self.iditerator += 1
                                    myid = iterate(self.iditerator, self.rulenumber)
                                    event = {"eventtype": "conf",
                                             "filepath": ip6tpath}
                                    self.statechglogger.recordchgevent(myid, event)
                                    self.statechglogger.recordfilechange(ip6tpath, tempfile, myid)
                                os.rename(tempfile, ip6tpath)
                                os.chown(ip6tpath, 0, 0)
                                os.chmod(ip6tpath, 0o644)
                                resetsecon(ip6tpath)
                    # check if iptables is enabled to run at start
                    if not self.servicehelper.auditService('iptables'):
                        # enable service to run at start if not
                        if not self.servicehelper.enableService('iptables'):
                            self.detailedresults += "Unable to enable iptables service\n"
                            debug = "Unable to enable iptables service\n"
                            self.logger.log(LogPriority.DEBUG, debug)
                            success = False
                        else:
                            # record event if successful
                            self.iditerator += 1
                            myid = iterate(self.iditerator, self.rulenumber)
                            cmd = self.servicehelper.getDisableCommand('iptables')
                            event = {"eventtype": "commandstring",
                                     "command": cmd}
                            self.statechglogger.recordchgevent(myid, event)

                    self.servicehelper.stopService('iptables')
                    # start iptables if not
                    if not self.servicehelper.startService('iptables'):
                        self.detailedresults += "Unable to start iptables service\n"
                        debug = "Unable to start iptables service\n"
                        self.logger.log(LogPriority.DEBUG, debug)
                        success = False
                    else:
                        stonixfilepath = "/var/db/stonix/"
                        savecmd = "/sbin/iptables-save > " + stonixfilepath + "user-firewall-pre-stonix"
                        if not self.cmdhelper.executeCommand(savecmd):
                            success = False
                            self.detailedresults += "Unable to save current ipv4 " + \
                                                    "firewall rules for revert\n"
                            debug = "Unable to save current ipv4 " + \
                                    "firewall rules for revert\n"
                            self.logger.log(LogPriority.DEBUG, debug)
                        else:
                            self.iditerator += 1
                            myid = iterate(self.iditerator, self.rulenumber)
                            cmd = "/sbin/iptables-restore < " + stonixfilepath + "user-firewall-pre-stonix"
                            event = {"eventtype": "commandstring",
                                     "command": cmd}
                            self.statechglogger.recordchgevent(myid, event)
                        savecmd = "/sbin/ip6tables-save > " + stonixfilepath + "user-firewall6-pre-stonix"
                        if not self.cmdhelper.executeCommand(savecmd):
                            success = False
                            self.detailedresults += "Unable to save current ipv6 " + \
                                                    "firewall rules for revert\n"
                            debug = "Unable to save current ipv6 " + \
                                    "firewall rules for revert\n"
                            self.logger.log(LogPriority.DEBUG, debug)
                        else:
                            self.iditerator += 1
                            myid = iterate(self.iditerator, self.rulenumber)
                            cmd = "/sbin/ip6tables-restore < " + stonixfilepath + "user-firewall6-pre-stonix"
                            event = {"eventtype": "commandstring",
                                     "command": cmd}
                            self.statechglogger.recordchgevent(myid, event)
                    # check if ip6tables is enabled to run at start
                    if not self.servicehelper.auditService('ip6tables'):
                        # enable service to run at start if not
                        if not self.servicehelper.enableService('ip6tables'):
                            self.detailedresults += "Unable to enable ip6tables service\n"
                            debug = "Unable to enable ip6tables service\n"
                            self.logger.log(LogPriority.DEBUG, debug)
                            success = False
                        else:
                            # record event if successful
                            self.iditerator += 1
                            myid = iterate(self.iditerator, self.rulenumber)
                            cmd = self.servicehelper.getDisableCommand('ip6tables')
                            event = {"eventtype": "commandstring",
                                     "command": cmd}
                            self.statechglogger.recordchgevent(myid, event)

                    self.servicehelper.stopService('ip6tables')
                    # start ip6tables if not
                    if not self.servicehelper.startService('ip6tables'):
                        self.detailedresults += "Unable to start ip6tables service\n"
                        debug = "Unable to start ip6tables service\n"
                        self.logger.log(LogPriority.DEBUG, debug)
                        success = False

                     # Sleep for a bit to let the restarts occur
                    time.sleep(10)
            self.rulesuccess = success
        except (KeyboardInterrupt, SystemExit):
            # User initiated exit
            raise
        except Exception:
            self.rulesuccess = False
            self.detailedresults += "\n" + traceback.format_exc()
            self.logdispatch.log(LogPriority.ERROR, self.detailedresults)
        self.formatDetailedResults("fix", self.rulesuccess,
                                   self.detailedresults)
        self.logdispatch.log(LogPriority.INFO, self.detailedresults)
        return self.rulesuccess

コード例 #19

    def fixLinux(self):
        '''sub method for linux portion of compliance fixing
        @author: dwalker


        :returns: success

        :rtype: boolean

        '''
        success = True
        created1, created2 = False, False
        changed = False
        tempstring = ""
        grubfilefound = False

        for grub in self.grubfiles:
            if os.path.exists(grub):
                grubfilefound = True
                if self.grubperms:
                    if not checkPerms(grub, self.grubperms, self.logger):
                        self.iditerator += 1
                        myid = iterate(self.iditerator, self.rulenumber)
                        if not setPerms(grub, self.grubperms, self.logger,
                                        self.statechglogger, myid):
                            success = False
                contents = readFile(grub, self.logger)
                kernellinefound = False
                if contents:
                    for line in contents:
                        if re.search("^kernel", line.strip()) or re.search("^linux", line.strip()) \
                                or re.search("^linux16", line.strip()):
                            kernellinefound = True
                            if not re.search("\s+nousb\s*", line):
                                changed = True
                                tempstring += line.strip() + " nousb"
                            if not re.search(
                                    "\s+usbcore\.authorized_default=0\s+",
                                    line):
                                changed = True
                                tempstring += line.strip(
                                ) + " usbcore.authorized_default=0"
                            tempstring += "\n"
                        elif re.search("^set default_kernelopts",
                                       line.strip()):
                            # Fedora 31 has changed it's kernel option line format
                            kernellinefound = True
                            kernelline = line.strip()
                            if not re.search("\s+nousb\s*", kernelline):
                                changed = True
                                kernelline = re.sub("\"$", " nousb\"",
                                                    kernelline)
                            if not re.search(
                                    "\s+usbcore\.authorized_default=0\s+",
                                    kernelline):
                                changed = True
                                kernelline = re.sub(
                                    "\"$", " usbcore.authorized_default=0\"",
                                    kernelline)
                            tempstring += kernelline + "\n"
                        else:
                            tempstring += line
                if not kernellinefound:
                    changed = False
                    self.detailedresults += "The grub file doesn't contain kernel line\n" + \
                                            "Unable to fully implement fixes in this rule\n"
                    success = False
                if changed:
                    tmpfile = grub + ".tmp"
                    if writeFile(tmpfile, tempstring, self.logger):
                        self.iditerator += 1
                        myid = iterate(self.iditerator, self.rulenumber)
                        event = {"eventtype": "conf", "filepath": grub}
                        self.statechglogger.recordchgevent(myid, event)
                        self.statechglogger.recordfilechange(
                            grub, tmpfile, myid)
                        os.rename(tmpfile, grub)
                        if not setPerms(grub, self.grubperms, self.logger):
                            success = False
                            self.detailedresults += "Unable to set permissions on " + \
                                                    grub + " file\n"
                    else:
                        success = False
        if not grubfilefound:
            self.detailedresults += "No grub configuration file found\n" + \
                                    "Unable to fully fix system for this rule\n"
            success = False
        blacklistf = "/etc/modprobe.d/stonix-blacklist.conf"
        tempstring = ""
        # Check if self.blacklist still contains values, if it
        # does, then we didn't find all the blacklist values
        # in report
        if self.blacklist:
            # didn't find one or more directives in the files
            # inside modprobe.d so we now check an alternate file
            # we create stonixblacklist file if it doesn't
            # exist and put remaining unfound blacklist
            # items there
            if not os.path.exists(blacklistf):
                created1 = True
                createFile(blacklistf, self.logger)
                self.iditerator += 1
                myid = iterate(self.iditerator, self.rulenumber)
                event = {"eventtype": "creation", "filepath": blacklistf}
                self.statechglogger.recordchgevent(myid, event)
            # file was already present and we need contents already
            # inside file to remain in newly written file
            if not created1:
                contents = readFile(blacklistf, self.logger)
                for item in contents:
                    tempstring += item
            for item in self.blacklist:
                tempstring += item + "\n"
            tmpfile = blacklistf + ".tmp"
            if writeFile(tmpfile, tempstring, self.logger):
                self.iditerator += 1
                myid = iterate(self.iditerator, self.rulenumber)
                event = {"eventtype": "conf", "filepath": blacklistf}
                self.statechglogger.recordchgevent(myid, event)
                self.statechglogger.recordfilechange(blacklistf, tmpfile, myid)
                os.rename(tmpfile, blacklistf)
                os.chown(blacklistf, 0, 0)
                os.chmod(blacklistf, 420)
                resetsecon(blacklistf)
            if not checkPerms(blacklistf, [0, 0, 420], self.logger):
                self.iditerator += 1
                myid = iterate(self.iditerator, self.rulenumber)
                if not setPerms(blacklistf, [0, 0, 420], self.logger,
                                self.statechglogger, myid):
                    success = False
            if self.ph.manager == "apt-get":
                cmd = ["/usr/sbin/update-initramfs", "-u"]
                if not self.ch.executeCommand(cmd):
                    success = False
                    self.detailedresults += "Unable to run update-initramfs command\n"
        for item in self.pcmcialist:
            if self.ph.check(item):
                self.ph.remove(item)
                self.pkgremovedlist.append(item)
        if not os.path.exists(self.udevfile):
            if not createFile(self.udevfile, self.logger):
                self.detailedresults += "Unable to create " + \
                                        self.udevfile + " file\n"
                success = False
            else:
                created2 = True
        if os.path.exists(self.udevfile):
            if not checkPerms(self.udevfile, [0, 0, 0o644], self.logger):
                if created2:
                    if not setPerms(self.udevfile, [0, 0, 0o644], self.logger):
                        success = False
                        self.detailedresults += "Unable to set " + \
                                                "permissions on " + self.udevfile + "\n"
                else:
                    self.iditerator += 1
                    myid = iterate(self.iditerator, self.rulenumber)
                    if not setPerms(self.udevfile, [0, 0, 0o644], self.logger,
                                    self.statechglogger, myid):
                        success = False
                        self.detailedresults += "Unable to set " + \
                                                "permissions on " + self.udevfile + "\n"
            found = False
            contents = readFile(self.udevfile, self.logger)
            tempstring = ""
            for line in contents:
                if re.search(
                        "ACTION==\"add\"\, SUBSYSTEMS==\"usb\"\, RUN+=\"/bin/sh -c \'for host in /sys/bus/usb/devices/usb\*\; do echo 0 > \$host/authorized_default; done\'\"",
                        line.strip()):
                    found = True
                tempstring += line
            if not found:
                tempstring += "ACTION==\"add\", SUBSYSTEMS==\"usb\", RUN+=\"/bin/sh -c \'for host in /sys/bus/usb/devices/usb*; do echo 0 > $host/authorized_default; done\'\""
                tmpfile = self.udevfile + ".tmp"
                if writeFile(tmpfile, tempstring, self.logger):
                    if not created2:
                        self.iditerator += 1
                        myid = iterate(self.iditerator, self.rulenumber)
                        event = {
                            "eventtype": "conf",
                            "filepath": self.udevfile
                        }
                        self.statechglogger.recordchgevent(myid, event)
                        self.statechglogger.recordfilechange(
                            self.udevfile, tmpfile, myid)
                    os.rename(tmpfile, self.udevfile)
                    os.chown(self.udevfile, 0, 0)
                    os.chmod(self.udevfile, 0o644)
                    resetsecon(self.udevfile)
                else:
                    success = False
                    self.detailedresults += "Unable to write changes " + \
                                            "to " + self.udevfile + "\n"
        return success

コード例 #20

ファイル: SecureDHCPServer.py プロジェクト: 5l1v3r1/stonix

    def fix(self):
        try:
            if not self.ci.getcurrvalue():
                return
            success = True
            # Clean out old undo events
            self.iditerator = 0
            eventlist = self.statechglogger.findrulechanges(self.rulenumber)
            for event in eventlist:
                self.statechglogger.deleteentry(event)

            self.detailedresults = ""
            if not os.path.exists(self.path):
                createFile(self.path, self.logger)
                self.created = True
                self.iditerator += 1
                myid = iterate(self.iditerator, self.rulenumber)
                event = {"eventtype": "creation", "filepath": self.path}
                self.statechglogger.recordchgevent(myid, event)
                self.editor = KVEditorStonix(self.statechglogger, self.logger,
                                             "conf", self.path, self.tmppath,
                                             self.data1, "present", "space")
                self.editor.report()
            tempstring = ""
            tmpfile = self.path + ".tmp"
            contents = readFile(self.path, self.logger)
            changes = False
            for line in contents:
                found = False
                if re.match('^#', line) or re.match(r'^\s*$', line):
                    tempstring += line
                    continue
                if re.search("^option", line):
                    temp = line.split()
                    if len(temp) >= 2:
                        for item in self.data2:
                            if re.search(item, temp[1]):
                                found = True
                                changes = True
                                break
                        if found:
                            continue
                        else:
                            tempstring += line
                else:
                    tempstring += line
            if changes:
                debug = "Writing changes to " + tmpfile
                self.logger.log(LogPriority.DEBUG, debug)
                if not writeFile(tmpfile, tempstring, self.logger):
                    debug = "Unable to write changes to " + tmpfile
                    self.detailedresults += debug
                    self.logger.log(LogPriority.DEBUG, debug)
                    success = False
                else:
                    self.iditerator += 1
                    myid = iterate(self.iditerator, self.rulenumber)
                    event = {"eventtype": "conf", "filepath": self.path}
                    self.statechglogger.recordchgevent(myid, event)
                    self.statechglogger.recordfilechange(
                        self.path, tmpfile, myid)
                    os.rename(tmpfile, self.path)
                    self.iditerator += 1
                    myid = iterate(self.iditerator, self.rulenumber)
                    setPerms(self.path, [0, 0, 0o644], self.logger,
                             self.statechglogger, myid)
                    resetsecon(self.path)
            if self.editor.fixables:
                if not self.created:
                    if not checkPerms(self.path, [0, 0, 0o644], self.logger):
                        self.iditerator += 1
                        myid = iterate(self.iditerator, self.rulenumber)
                        if not setPerms(self.path, [0, 0, 0o644], self.logger,
                                        self.statechglogger, myid):
                            success = False
                    self.iditerator += 1
                    myid = iterate(self.iditerator, self.rulenumber)
                    self.editor.setEventID(myid)
                if self.editor.fix():
                    if self.editor.commit():
                        debug = self.path + "'s contents have been " + \
                            "corrected\n"
                        self.logger.log(LogPriority.DEBUG, debug)
                        os.chown(self.path, 0, 0)
                        os.chmod(self.path, 0o644)
                        resetsecon(self.path)
                    else:
                        debug = "kveditor commit not successful\n"
                        self.logger.log(LogPriority.DEBUG, debug)
                        success = False
                else:
                    debug = "kveditor fix not successful\n"
                    self.logger.log(LogPriority.DEBUG, debug)
                    success = False
            self.rulesuccess = success
        except (KeyboardInterrupt, SystemExit):
            # User initiated exit
            raise
        except Exception:
            self.rulesuccess = False
            self.detailedresults += "\n" + traceback.format_exc()
            self.logdispatch.log(LogPriority.ERROR, self.detailedresults)
        self.formatDetailedResults("fix", self.rulesuccess,
                                   self.detailedresults)
        self.logdispatch.log(LogPriority.INFO, self.detailedresults)
        return self.rulesuccess

コード例 #21

ファイル: NoDirectRootLogin.py プロジェクト: 5l1v3r1/stonix

    def fix(self):
        '''The report method examines the current configuration and determines
        whether or not it is correct. If the config is correct then the
        self.compliant, self.detailedresults and self.currstate properties are
        updated to reflect the system status. self.rulesuccess will be updated
        if the rule does not succeed.


        :returns: self.rulesuccess

        :rtype: bool
@author bgonz12

        '''
        try:
            self.iditerator = 0
            self.detailedresults = ""
            if not self.ci.getcurrvalue():
                return
            success = True
            if not os.path.exists(self.securettypath):
                if not createFile(self.securettypath, self.logger):
                    success = False
                    self.detailedresults += "Unable to create " + \
                                            self.securettypath + "\n"
                else:
                    self.iditerator += 1
                    myid = iterate(self.iditerator, self.rulenumber)
                    event = {"eventtype": "creation",
                             "filepath": self.securettypath}
                    self.statechglogger.recordchgevent(myid, event)
                    if not setPerms(self.securettypath, [0, 0, 0o600], self.logger):
                        success = False
                        self.detailedresults += "Unable to correct permissions on " + \
                                                self.securettypath + "\n"
            elif not self.isblank:
                tempfile = self.securettypath + ".tmp"
                if not checkPerms(self.securettypath, [0, 0, 0o600], self.logger):
                    self.iditerator += 1
                    myid = iterate(self.iditerator, self.rulenumber)
                    if not setPerms(self.securettypath, [0, 0, 0o600], self.logger,
                                    self.statechglogger, myid):
                        success = False
                        self.detailedresults += "Unable to correct permissions on " + \
                            self.securettypath + "\n"
                if not writeFile(tempfile, "", self.logger):
                    success = False
                    self.detailedresults += "Unable to write blank contents " + \
                        "to " + self.securettypath + "\n"
                else:
                    self.iditerator += 1
                    myid = iterate(self.iditerator, self.rulenumber)
                    event = {"eventtype": "conf",
                             "filepath": self.securettypath}
                    self.statechglogger.recordchgevent(myid, event)
                    self.statechglogger.recordfilechange(self.securettypath, tempfile, myid)
                    os.rename(tempfile, self.securettypath)
                    os.chmod(self.securettypath, 0o600)
                    os.chown(self.securettypath, 0, 0)
                    resetsecon(self.securettypath)
            else:
                if not checkPerms(self.securettypath, [0, 0, 0o600], self.logger):
                    self.iditerator += 1
                    myid = iterate(self.iditerator, self.rulenumber)
                    if not setPerms(self.securettypath, [0, 0, 0o600], self.logger,
                                    self.statechglogger, myid):
                        success = False
                        self.detailedresults += "Unable to correct permissions on " + \
                                                self.securettypath + "\n"
            self.rulesuccess = success
        except (KeyboardInterrupt, SystemExit):
            # User initiated exit
            raise
        except Exception:
            self.rulesuccess = False
            self.detailedresults += "\n" + traceback.format_exc()
            self.logdispatch.log(LogPriority.ERROR, self.detailedresults)
        self.formatDetailedResults("fix", self.rulesuccess,
                                   self.detailedresults)
        self.logdispatch.log(LogPriority.INFO, self.detailedresults)
        return self.rulesuccess

コード例 #22

    def fix(self):
        try:
            if not self.ci.getcurrvalue():
                self.detailedresults += "CI not enabled\n"
            else:
                success = True
                self.detailedresults = ""
                self.iditerator = 0
                eventlist = self.statechglogger.findrulechanges(self.rulenumber)
                for event in eventlist:
                    self.statechglogger.deleteentry(event)

                if not os.path.exists(self.path1):
                    createFile(self.path1, self.logger)
                    self.created = True
                    self.iditerator += 1
                    myid = iterate(self.iditerator, self.rulenumber)
                    event = {"eventtype": "creation",
                             "filepath": self.path1}
                    self.statechglogger.recordchgevent(myid, event)

                self.tmppath = self.path1 + ".tmp"
                self.editor1 = KVEditorStonix(self.statechglogger, self.logger,
                                              "conf", self.path1, self.tmppath,
                                              self.data1, "present",
                                              "closedeq")
                self.editor1.report()
                self.editor2 = KVEditorStonix(self.statechglogger, self.logger,
                                              "conf", self.path1, self.tmppath,
                                              self.data2, "present", "space")
                self.editor2.report()

                if self.editor1.fixables or self.editor2.fixables:
                    if self.editor1.fix():
                        self.iditerator += 1
                        myid = iterate(self.iditerator, self.rulenumber)
                        self.editor1.setEventID(myid)
                        if self.editor1.commit():
                            debug = self.path1 + "'s contents have been " + \
                                "corrected\n"
                            self.logger.log(LogPriority.DEBUG, debug)
                            resetsecon(self.path1)
                        else:
                            debug = "kveditor commit not successful\n"
                            self.logger.log(LogPriority.DEBUG, debug)
                            success = False
                            self.detailedresults += self.path1 + \
                                " properties could not be set\n"
                    else:
                        debug = "kveditor fix not successful\n"
                        self.logger.log(LogPriority.DEBUG, debug)
                        success = False
                        self.detailedresults += self.path1 + \
                            " properties could not be set\n"
                    if self.editor2.fix():
                        self.iditerator += 1
                        myid = iterate(self.iditerator, self.rulenumber)
                        self.editor2.setEventID(myid)
                        if self.editor2.commit():
                            debug = self.path1 + "'s contents have been " + \
                                "corrected\n"
                            self.logger.log(LogPriority.DEBUG, debug)
                            resetsecon(self.path1)
                        else:
                            debug = "kveditor commit not successful\n"
                            self.logger.log(LogPriority.DEBUG, debug)
                            success = False
                            self.detailedresults += self.path1 + \
                                " properties could not be set\n"
                    else:
                        debug = "kveditor fix not successful\n"
                        self.logger.log(LogPriority.DEBUG, debug)
                        success = False
                        self.detailedresults += self.path1 + \
                            " properties could not be set\n"
                if not checkPerms(self.path1, [0, 0, 0o755], self.logger) and \
                   not checkPerms(self.path1, [0, 0, 0o644], self.logger):
                    self.iditerator += 1
                    myid = iterate(self.iditerator, self.rulenumber)
                    if not setPerms(self.path1, [0, 0, 0o644], self.logger,
                                    self.statechglogger, myid):
                        success = False
                        self.detailedresults += "Could not set permissions " + \
                            "for " + self.path1 + "\n"

                if not os.path.exists(self.path2):
                    createFile(self.path2, self.logger)
                    self.created = True
                    self.iditerator += 1
                    myid = iterate(self.iditerator, self.rulenumber)
                    event = {"eventtype": "creation",
                             "filepath": self.path2}
                    self.statechglogger.recordchgevent(myid, event)
                writeFile(self.path2, self.cshData, self.logger)
                if not checkPerms(self.path2, [0, 0, 0o755], self.logger) and \
                   not checkPerms(self.path2, [0, 0, 0o644], self.logger):
                    self.iditerator += 1
                    myid = iterate(self.iditerator, self.rulenumber)
                    if not setPerms(self.path2, [0, 0, 0o644],
                                    self.logger, self.statechglogger, myid):
                        success = False
                        self.detailedresults += "Could not set permissions " + \
                            "for " + self.path2 + "\n"

                self.rulesuccess = success
        except (KeyboardInterrupt, SystemExit):
            # User initiated exit
            raise
        except Exception:
            self.rulesuccess = False
            self.detailedresults += "\n" + traceback.format_exc()
            self.logdispatch.log(LogPriority.ERROR, self.detailedresults)
        self.formatDetailedResults("fix", self.rulesuccess,
                                   self.detailedresults)
        self.logdispatch.log(LogPriority.INFO, self.detailedresults)
        return self.rulesuccess

コード例 #23

ファイル: DisablePrelinking.py プロジェクト: 5l1v3r1/stonix

    def fix(self):
        try:
            if not self.ci.getcurrvalue():
                return
            success = True
            path = self.path
            tmppath = path + ".tmp"
            prelinkCache = "/etc/prelink.cache"
            self.detailedresults = ""
            self.iditerator = 0
            eventlist = self.statechglogger.findrulechanges(self.rulenumber)
            for event in eventlist:
                self.statechglogger.deleteentry(event)

            if not os.path.exists(path):
                if createFile(path, self.logger):
                    self.iditerator += 1
                    myid = iterate(self.iditerator, self.rulenumber)
                    event = {"eventtype": "creation", "filepath": path}
                    self.statechglogger.recordchgevent(myid, event)
                else:
                    success = False
                    self.detailedresults += "Failed to create file: " + \
                        path + "\n"

                if writeFile(tmppath, "PRELINKING=no", self.logger):
                    os.rename(tmppath, path)
                    resetsecon(path)
                else:
                    success = False
                    self.detailedresults += "Failed to write settings " + \
                        "to file: " + path + "\n"
            elif not self.editor.report():
                if self.editor.fix():
                    if self.editor.commit():
                        self.detailedresults += "Changes successfully " + \
                            "committed to " + path + "\n"
                    else:
                        success = False
                        self.detailedresults += "Changes could not be " + \
                            "committed to " + path + "\n"
                else:
                    success = False
                    self.detailedresults += "Could not fix file " + path + "\n"

            # Although the guidance and documentation recommends using "prelink
            # -ua" command, testing has shown this command to be completely
            # unreliable. Instead, the prelink cache will be removed entirely.
            if os.path.exists(prelinkCache):
                self.iditerator += 1
                myid = iterate(self.iditerator, self.rulenumber)
                self.statechglogger.recordfiledelete(prelinkCache, myid)
                os.remove(prelinkCache)

            self.rulesuccess = success
        except (KeyboardInterrupt, SystemExit):
            # User initiated exit
            raise
        except Exception:
            self.rulesuccess = False
            self.detailedresults += "\n" + traceback.format_exc()
            self.logdispatch.log(LogPriority.ERROR, self.detailedresults)
        self.formatDetailedResults("fix", self.rulesuccess,
                                   self.detailedresults)
        self.logdispatch.log(LogPriority.INFO, self.detailedresults)
        return self.rulesuccess

コード例 #24

    def fix(self):
        '''will check if the shadow, passwd, or group file is present and
        if so remove the plus(+) account located in the file


        '''

        try:
            if not self.ci.getcurrvalue():
                return
            self.detailedresults = ""
            
            #clear out event history so only the latest fix is recorded
            self.iditerator = 0
            eventlist = self.statechglogger.findrulechanges(self.rulenumber)
            for event in eventlist:
                self.statechglogger.deleteentry(event)
            for path in self.badfiles:
                path = path.strip()
                if os.path.exists(path):
                    tempstring = ""
                    contents = readFile(path, self.logger)
                    if not contents:
                        continue
                    for line in contents:
                        if not re.search('^\+', line.strip()):
                            tempstring += line
                    if path == "/etc/master.passwd":
                        if not checkPerms(path, [0, 0, 384], self.logger):
                            self.iditerator += 1
                            myid = iterate(self.iditerator, self.rulenumber)
                            setPerms(path, [0, 0, 384], self.logger,
                                                     self.statechglogger, myid)
                    elif path == "/etc/shadow":
                        #put in code to handle apt-get systems /etc/shadow file later
                        #for this file, the owner is root, but the group is shadow
                        #by default this group is 42 but may not always be that
                        if self.ph.manager == "apt-get":
                            retval = getUserGroupName("/etc/shadow")
                            if retval[0] != "root" or retval[1] != "shadow":
                                uid = pwd.getpwnam("root").pw_uid
                                gid = grp.getgrnam("shadow").gr_gid
                                self.iditerator += 1
                                myid = iterate(self.iditerator, self.rulenumber)
                                setPerms(path, [uid, gid, 420], self.logger, 
                                                     self.statechglogger, myid)
                        else:
                            if not checkPerms(path, [0, 0, 256], self.logger) and \
                                      not checkPerms(path, [0, 0, 0], self.logger):
                                self.iditerator += 1
                                myid = iterate(self.iditerator, self.rulenumber)
                                setPerms(path, [0, 0, 256], self.logger, 
                                                         self.statechglogger, myid)
                    else:
                        if not checkPerms(path, [0, 0, 420], self.logger):
                            self.iditerator += 1
                            myid = iterate(self.iditerator, self.rulenumber)
                            setPerms(path, [0, 0, 420], self.logger,
                                                     self.statechglogger, myid)
                    tmpfile = path + ".tmp"
                    if not writeFile(tmpfile, tempstring, self.logger):
                        self.rulesuccess = False
                        return
                    self.iditerator += 1
                    myid = iterate(self.iditerator, self.rulenumber)
                    event = {'eventtype': 'conf',
                             'filepath': path}
                    self.statechglogger.recordchgevent(myid, event)
                    self.statechglogger.recordfilechange(path, tmpfile, myid)
                    os.rename(tmpfile, path)
                    if path == "/etc/master.passwd":
                        os.chown(path, 0, 0)
                        os.chmod(path, 384)
                    elif path == "/etc/shadow":
                        if self.ph.manager == "apt-get":
                            os.chown(path, uid, gid)
                            os.chmod(path, 420)
                        else:
                            os.chown(path, 0, 0)
                            os.chmod(path, 256)
                    else:
                        os.chmod(path, 420)
                    resetsecon(path)
        except (KeyboardInterrupt, SystemExit):
            # User initiated exit
            raise
        except Exception:
            self.rulesuccess = False
            self.detailedresults += "\n" + traceback.format_exc()
            self.logdispatch.log(LogPriority.ERROR, self.detailedresults)
        self.formatDetailedResults("fix", self.rulesuccess,
                                   self.detailedresults)
        self.logdispatch.log(LogPriority.INFO, self.detailedresults)
        return self.rulesuccess

コード例 #25

ファイル: SetTFTPDSecureMode.py プロジェクト: 5l1v3r1/stonix

    def fixOtherSys(self):
        """

        :return: success
        :rtype: bool
        """

        success = True
        if not checkPerms(self.tftpFile, [0, 0, 420], self.logger):
            self.iditerator += 1
            myid = iterate(self.iditerator, self.rulenumber)
            if not setPerms(self.tftpFile, [0, 0, 420], self.logger,
                            self.statechglogger, myid):
                self.detailedresults += "Unable to set " + \
                    "permissions on " +  self.tftpFile + "\n"
                success = False
        try:
            contents2 = []
            contents = readFile(self.tftpFile, self.logger)
            found = False
            tempstring = ""
            i = 0
            tftplinefound = False
            for line in contents:
                if re.search("service tftp", line.strip()):
                    tempstring += line
                    tftplinefound = True
                    contents2 = contents[i + 1:]
                    break
                else:
                    tempstring += line
                    i += 1
            if not tftplinefound:
                self.detailedresults += "tftp file doesn't contain " + \
                    "\"service tftp\" line.  Stonix will not attempt to " + \
                    "fix this.  This will require a manual fix\n"
                return False
            if contents2:
                if contents2[0].strip() == "{":
                    tempstring += contents2[0]
                    del (contents2[0])
                    if contents2:
                        for line in contents2:
                            if re.search("server_args", line):
                                found = True
                                if re.search("=", line):
                                    tmp = line.split("=")
                                    val = re.sub("/s+", " ", tmp[1].strip())
                                    if re.search("-s", val) or re.search(
                                            "--secure", val):
                                        if not re.search(
                                                "-s /var/lib/tftpboot", val
                                        ) and not re.search(
                                                "--secure /var/lib/tftpboot",
                                                val):
                                            val = re.sub(
                                                "-s\s{0,1}/{0,1}.*\s{0,1}",
                                                "-s /var/lib/tftpboot", tmp[1])
                                            tempstring += "\tserver_args \t\t= " + val + "\n"
                                        else:
                                            tempstring += line
                                    else:
                                        tempstring += line + " -s /var/lib/tftpboot\n"
                                else:
                                    tempstring += "\tserver_args\t\t= -s /var/lib/tftpboot\n"
                            elif re.search("}", line.strip()):
                                if not found:
                                    tempstring += "\tserver_args\t\t= -s /var/lib/tftpboot\n"
                                    tempstring += "}"
                                    break
                                else:
                                    tempstring = ""
                                    break
                            else:
                                tempstring += line
        except IndexError:
            self.detailedresults += "The tftp file is in bad format\n " + \
                "Will not attempt to correct this file.  Exiting\n"
            return False
        if not tempstring:
            return True
        tmpfile = self.tftpFile + ".tmp"
        if writeFile(tmpfile, tempstring, self.logger):
            self.iditerator += 1
            myid = iterate(self.iditerator, self.rulenumber)
            event = {"eventtype": "conf", "filepath": self.tftpFile}
            self.statechglogger.recordchgevent(myid, event)
            self.statechglogger.recordfilechange(self.tftpFile, tmpfile, myid)
            os.rename(tmpfile, self.tftpFile)
            os.chown(self.tftpFile, 0, 0)
            os.chmod(self.tftpFile, 420)
            resetsecon(self.tftpFile)
        else:
            self.detailedresults += "Unable to write new contents " + \
                "to " + self.tftpFile + " file.\n"
            success = False
        return success

コード例 #26

ファイル: SecureSU.py プロジェクト: 5l1v3r1/stonix

    def fix(self):
        '''The fix method will apply the required settings to the system.
        self.rulesuccess will be updated if the rule does not succeed.
        
        @author bemalmbe


        '''

        try:
            if not self.ci.getcurrvalue():
                return
            success = True
            self.detailedresults = ""
            debug = ""

            # clear out event history so only the latest fix is recorded
            self.iditerator = 0
            eventlist = self.statechglogger.findrulechanges(self.rulenumber)
            for event in eventlist:
                self.statechglogger.deleteentry(event)

            if os.path.exists(self.grp):
                if not self.wheel:
                    ch = CommandHelper(self.logger)
                    if self.ph.manager == "apt-get":
                        cmd = ["/usr/sbin/groupadd", "sudo"]
                    else:
                        cmd = ["/usr/sbin/groupadd", "wheel"]
                    ch.executeCommand(cmd)
                    if ch.getReturnCode() != 0:
                        debug += "unable to create the wheel group, \
unable to continue with the rest of the rule\n"

                        self.logger.log(LogPriority.DEBUG, debug)
                        return False
                else:
                    if not checkPerms(self.grp, [0, 0, 420], self.logger):
                        self.iditerator += 1
                        myid = iterate(self.iditerator, self.rulenumber)
                        if not setPerms(self.grp, [0, 0, 420], self.logger,
                                        self.statechglogger, myid):
                            success = False
            else:
                self.detailedresults += "/etc/group file doesn\'t exist! \
Stonix will not attempt to create this file and will skip to next stage \
of the fix method\n"

                self.logger.log(LogPriority.DEBUG, self.detailedresults)
                success = False

            if not self.pamwheel:
                if os.path.exists(self.pam):
                    if not checkPerms(self.pam, [0, 0, 420], self.logger):
                        self.iditerator += 1
                        myid = iterate(self.iditerator, self.rulenumber)
                        if not setPerms(self.pam, [0, 0, 420], self.logger,
                                        self.statechglogger, myid):
                            success = False
                    tempstring = ""
                    contents = readFile(self.pam, self.logger)
                    for line in contents:
                        if re.search("pam_wheel.so", line):
                            continue
                        else:
                            tempstring += line
                    if self.ph.manager == "apt-get":
                        tempstring += "auth    required    " + \
                            "pam_wheel.so group=sudo\n"
                    else:
                        tempstring += "auth    required    " + \
                            "pam_wheel.so use_uid\n"
                    tmpfile = self.pam + ".tmp"
                    if writeFile(tmpfile, tempstring, self.logger):
                        self.iditerator += 1
                        myid = iterate(self.iditerator, self.rulenumber)
                        event = {"eventtype": "conf", "filepath": self.pam}
                        self.statechglogger.recordchgevent(myid, event)
                        self.statechglogger.recordfilechange(
                            self.pam, tmpfile, myid)
                        os.rename(tmpfile, self.pam)
                        os.chown(self.pam, 0, 0)
                        os.chmod(self.pam, 420)
                        resetsecon(self.pam)
                    else:
                        success = False
                self.rulessuccess = success
        except (KeyboardInterrupt, SystemExit):
            # User initiated exit
            raise
        except Exception:
            self.rulesuccess = False
            self.detailedresults += "\n" + traceback.format_exc()
            self.logdispatch.log(LogPriority.ERROR, self.detailedresults)
        self.formatDetailedResults("fix", self.rulesuccess,
                                   self.detailedresults)
        self.logdispatch.log(LogPriority.INFO, self.detailedresults)
        return self.rulesuccess

コード例 #27

    def fixGnome(self):
        """ensures gnome is configured to automatically screen lock after
        15 minutes of inactivity, if gnome is installed
        @author: dwalker

        :param self: essential if you override this definition
        :returns: bool - True if gnome is successfully configured, False if it
                isn't

        """
        info = ""
        success = True
        gconf = "/usr/bin/gconftool-2"
        gsettings = "/usr/bin/gsettings"
        if os.path.exists(gconf):
            #variable self.setcmds still has items left in its dictionary
            #which was set in the reportGnome method, meaning some values
            #either were incorrect or didn't have values.  Go through and
            #set each remaining value that isn't correct

            cmd = ""

            if self.setcmds:
                for item in self.setcmds:
                    if item == "/apps/gnome-screensaver/idle_activation_enabled":
                        cmd = gconf + " --type bool --set /apps/gnome-screensaver/idle_activation_enabled true"
                    elif item == "/apps/gnome-screensaver/lock_enabled":
                        cmd = gconf + " --type bool --set /apps/gnome-screensaver/lock_enabled true"
                    elif item == "/apps/gnome-screensaver/mode":
                        cmd = gconf + ' --type string --set /apps/gnome-screensaver/mode "blank-only"'
                    elif item == "/desktop/gnome/session/idle_delay":
                        if self.gconfidletime:
                            cmd = gconf + " --type int --set /desktop/gnome/session/idle_delay " + \
                                self.gconfidletime
                        else:
                            cmd = gconf + " --type int --set /desktop/gnome/session/idle_delay 15"
                    if self.cmdhelper.executeCommand(cmd):
                        if self.cmdhelper.getReturnCode() != 0:
                            info += "Unable to set value for " + cmd + "\n"
                            success = False
                    else:
                        info += "Unable to set value for " + cmd + "\n"
                        success = False

        if os.path.exists(gsettings):
            setcmds = [
                "org.gnome.desktop.screensaver idle-activation-enabled true",
                "org.gnome.desktop.screensaver lock-enabled true",
                "org.gnome.desktop.screensaver lock-delay 0",
                "org.gnome.desktop.screensaver picture-opacity 100",
                "org.gnome.desktop.screensaver picture-uri ''",
                "org.gnome.desktop.session idle-delay 900"
            ]
            # " set org.gnome.desktop.session idle-delay " + self.gsettingsidletime]
            for cmd in setcmds:
                cmd2 = gsettings + " set " + cmd
                self.cmdhelper.executeCommand(cmd2)
                if self.cmdhelper.getReturnCode() != 0:
                    success = False
                    info += "Unable to set value for " + cmd + \
                        " using gsettings\n"

            # Set gsettings with dconf
            # Unlock dconf settings
            # Create dconf settings lock file
            if self.environ.geteuid() == 0:
                if not os.path.exists(self.dconfsettingslock):
                    if not createFile(self.dconfsettingslock, self.logger):
                        self.rulesuccess = False
                        self.detailedresults += "Unable to create stonix-settings file\n"
                        self.formatDetailedResults("fix", self.rulesuccess,
                                                   self.detailedresults)
                        return False
                #write correct contents to dconf lock file
                if os.path.exists(self.dconfsettingslock):
                    # Write to the lock file
                    if self.dconflockdata:
                        contents = ""
                        tmpfile = self.dconfsettingslock + ".tmp"
                        for line in self.dconflockdata:
                            contents += line + "\n"
                        if not writeFile(tmpfile, contents, self.logger):
                            self.rulesuccess = False
                            self.detailedresults += "Unable to write contents to " + \
                                "stonix-settings file\n"
                        else:
                            os.rename(tmpfile, self.dconfsettingslock)
                            os.chown(self.dconfsettingslock, 0, 0)
                            os.chmod(self.dconfsettingslock, 0o644)
                            resetsecon(self.dconfsettingslock)
                # Create dconf user profile file
                if not os.path.exists(self.dconfuserprofile):
                    if not createFile(self.dconfuserprofile, self.logger):
                        self.rulesuccess = False
                        self.detailedresults += "Unable to create dconf " + \
                                                "user profile file\n"
                        self.formatDetailedResults("fix", self.rulesuccess,
                                                   self.detailedresults)
                        return False
                # Write dconf user profile
                if os.path.exists(self.dconfuserprofile):
                    tmpfile = self.dconfuserprofile + ".tmp"
                    if not writeFile(tmpfile, self.userprofilecontent,
                                     self.logger):
                        self.rulesuccess = False
                        self.detailedresults += "Unabled to write to dconf user" + \
                            " profile file\n"
                        self.formatDetailedResults("fix", self.rulesuccess,
                                                   self.detailedresults)
                        return False
                    else:
                        os.rename(tmpfile, self.dconfuserprofile)
                        os.chown(self.dconfuserprofile, 0, 0)
                        os.chmod(self.dconfuserprofile, 0o644)
                        resetsecon(self.dconfuserprofile)
                # Fix dconf settings
                if not os.path.exists(self.dconfsettings):
                    if not createFile(self.dconfsettings, self.logger):
                        self.rulesuccess = False
                        self.detailedresults += "Unable to create " + self.dconfsettings + " file \n"
                        self.formatDetailedResults("fix", self.rulesuccess,
                                                   self.detailedresults)
                        return False
                    self.dconfdata = {
                        "org/gnome/desktop/screensaver": {
                            "idle-activation-enabled": "true",
                            "lock-enabled": "true",
                            "lock-delay": "0",
                            "picture-opacity": "100",
                            "picture-uri": "\'\'"
                        },
                        "org/gnome/desktop/session": {
                            "idle-delay": "uint32 900"
                        }
                    }
                    self.kveditordconf = KVEditorStonix(
                        self.statechglogger, self.logger, "tagconf",
                        self.dconfsettings, self.dconfsettings + ".tmp",
                        self.dconfdata, "present", "closedeq")
                    self.kveditordconf.report()
                if self.kveditordconf.fixables:
                    if not self.kveditordconf.fix():
                        success = False
                        self.detailedresults += "Unable to put correct settings inside " + \
                            self.dconfsettings + "\n"
                    elif not self.kveditordconf.commit():
                        success = False
                        self.detailedresults += "Unable to put correct settings inside " + \
                            self.dconfsettings + "\n"
                #run dconf update command to make dconf changes take effect
                if os.path.exists("/bin/dconf"):
                    cmd = "/bin/dconf update"
                    self.cmdhelper.executeCommand(cmd)
                elif os.path.exists("/usr/bin/dconf"):
                    cmd = "/usr/bin/dconf update"
                    self.cmdhelper.executeCommand(cmd)
        self.detailedresults += info
        return success

コード例 #28

ファイル: DisableWeakAuthentication.py プロジェクト: 5l1v3r1/stonix

    def fix(self):
        '''DisableWeakAuthentication.fix() Public method to fix any issues
        that were found in the report method.
        @author: dwalker


        :returns: bool - False if the method died during execution

        '''
        try:
            self.detailedresults = ""
            if not self.ci.getcurrvalue():
                return
            success = True
            for item in self.rsh:
                if self.helper.check(item):
                    if not self.helper.remove(item):
                        success = False
            if self.incorrects:
                for item in self.incorrects:
                    tempstring = ""
                    contents = readFile(item, self.logger)
                    if not contents:
                        continue
                    for line in contents:
                        if re.match('^#', line) or re.match(r'^\s*$', line):
                            tempstring += line
                        elif re.search("pam_rhosts", line):
                            continue
                        else:
                            tempstring += line
                    if not checkPerms(item, [0, 0, 420], self.logger):
                        if not setPerms(item, [0, 0, 420], self.logger):
                            success = False
                    tmpfile = item + ".tmp"
                    if writeFile(tmpfile, tempstring, self.logger):
                        os.rename(tmpfile, item)
                        os.chown(item, 0, 0)
                        os.chmod(item, 420)
                        resetsecon(item)
                    else:
                        success = False
            for item in self.pams:
                if os.path.exists(item):
                    if not checkPerms(item, [0, 0, 420], self.logger):
                        if not setPerms(item, [0, 0, 420], self.logger):
                            success = False
            if os.path.exists("/etc/pam.d/"):
                fileItems = glob.glob("/etc/pam.d/*")
                for item in fileItems:
                    if not checkPerms(item, [0, 0, 420], self.logger):
                        if not setPerms(item, [0, 0, 420], self.logger):
                            success = False
            return success
        except (KeyboardInterrupt, SystemExit):
            raise
        except Exception:
            self.rulesuccess = False
            self.detailedresults += "\n" + traceback.format_exc()
            self.logdispatch.log(LogPriority.ERROR, self.detailedresults)
        self.formatDetailedResults("fix", self.rulesuccess,
                                   self.detailedresults)
        self.logdispatch.log(LogPriority.INFO, self.detailedresults)
        return self.rulesuccess

コード例 #29

    def fixLinux(self):
        universal = "#The following lines were added by stonix\n"
        debug = ""
        success = True
        ifacefile = ""
        netwrkfile = ""
        sysctl = "/etc/sysctl.conf"
        interface = {"IPV6_AUTOCONF": "no"}
        interface2 = {"IPV6_PRIVACY": "rfc3041"}
#                     "IPV6_DEFAULTGW": self.gateway,
#                     "IPV6ADDR":self.ipaddr}
        if self.ph.manager == "yum":
            ifacefile = "/etc/sysconfig/network-scripts/"
            netwrkfile = "/etc/sysconfig/network"
        elif self.ph.manager == "zypper":
            ifacefile = "/etc/sysconfig/network/"
        created = False

        # fix sysctl / tuning kernel parameters
        # manually write key value pairs to /etc/sysctl.conf
        if not os.path.exists(sysctl):
            if createFile(sysctl, self.logger):
                created = True
                setPerms(sysctl, [0, 0, 0o644], self.logger)
                self.iditerator += 1
                myid = iterate(self.iditerator, self.rulenumber)
                event = {"eventtype": "creation",
                         "filepath": sysctl}
                self.statechglogger.recordchgevent(myid, event)
            else:
                self.detailedresults += "Could not create file " + sysctl + \
                                        "\n"
                success = False
        if os.path.exists(sysctl):
            if not checkPerms(sysctl, [0, 0, 0o644], self.logger):
                if not created:
                    self.iditerator += 1
                    myid = iterate(self.iditerator, self.rulenumber)
                    if not setPerms(sysctl, [0, 0, 0o644], self.logger,
                                    self.statechglogger, myid):
                        success = False
            tmpfile = sysctl + ".tmp"
            self.editor1 = KVEditorStonix(self.statechglogger, self.logger,
                                          "conf", sysctl, tmpfile, self.sysctls,
                                          "present", "openeq")
            if not self.editor1.report():
                if self.editor1.fixables:
                    # If we did not create the file, set an event ID for the
                    # KVEditor's undo event to record the file write
                    if not created:
                        self.iditerator += 1
                        myid = iterate(self.iditerator, self.rulenumber)
                        self.editor1.setEventID(myid)
                    if not self.editor1.fix():
                        success = False
                        debug = "Unable to complete kveditor fix method" + \
                            "for /etc/sysctl.conf file\n"
                        self.logger.log(LogPriority.DEBUG, debug)
                    elif not self.editor1.commit():
                        success = False
                        debug = "Unable to complete kveditor commit " + \
                            "method for /etc/sysctl.conf file\n"
                        self.logger.log(LogPriority.DEBUG, debug)
                    # permissions on file are incorrect
                    if not checkPerms(sysctl, [0, 0, 0o644], self.logger):
                        if not setPerms(sysctl, [0, 0, 0o644], self.logger):
                            self.detailedresults += "Could not set permissions on " + \
                                                    sysctl + "\n"
                            success = False
                    resetsecon(sysctl)

        # here we also check the output of the sysctl command for each key
        # to cover all bases
        for key in self.sysctls:
            if self.ch.executeCommand("/sbin/sysctl " + key):
                output = self.ch.getOutputString().strip()
                errmsg = output + self.ch.getErrorString()
                if re.search("unknown key", errmsg):
                    continue
                if not re.search(self.sysctls[key] + "$", output):
                    undovalue = output[-1]
                    self.ch.executeCommand("/sbin/sysctl -q -e -w " + key + "=" + self.sysctls[key])
                    retcode = self.ch.getReturnCode()
                    if retcode != 0:
                        success = False
                        self.detailedresults += "Failed to set " + key + " = " + self.sysctls[key] + "\n"
                        errmsg = self.ch.getErrorString()
                        self.logger.log(LogPriority.DEBUG, errmsg)
                    else:
                        self.iditerator += 1
                        myid = iterate(self.iditerator, self.rulenumber)
                        command = "/sbin/sysctl -q -e -w " + key + "=" + undovalue
                        event = {"eventtype": "commandstring",
                                 "command": command}
                        self.statechglogger.recordchgevent(myid, event)
            else:
                self.detailedresults += "Unable to get value for " + key + "\n"
                success = False
        # at the end do a print and ignore any key errors to ensure
        # the new values are read into the kernel
        self.ch.executeCommand("/sbin/sysctl -q -e -p")
        retcode2 = self.ch.getReturnCode()
        if retcode2 != 0:
            success = False
            self.detailedresults += "Failed to load new sysctl configuration from config file\n"
            errmsg2 = self.ch.getErrorString()
            self.logger.log(LogPriority.DEBUG, errmsg2)

        # correct the network file if it exists
        if netwrkfile:
            created = False
            if not os.path.exists(netwrkfile):
                if not createFile(netwrkfile, self.logger):
                    success = False
                    debug = "Unable to create " + netwrkfile + " file\n"
                    self.logger.log(LogPriority.DEBUG, debug)
                else:
                    created = True
                    self.iditerator += 1
                    myid = iterate(self.iditerator, self.rulenumber)
                    event = {"eventtype": "creation",
                             "filepath": netwrkfile}
                    self.statechglogger.recordchgevent(myid, event)
                    tmpfile = netwrkfile + ".tmp"
                    self.editor2 = KVEditorStonix(self.statechglogger, self.logger,
                                                  "conf", netwrkfile, tmpfile,
                                                  self.interface1, "present", "closedeq")
                    self.editor2.report()
            if os.path.exists(netwrkfile):
                if not checkPerms(netwrkfile, [0, 0, 0o644], self.logger):
                    if not created:
                        self.iditerator += 1
                        myid = iterate(self.iditerator, self.rulenumber)
                        if not setPerms(netwrkfile, [0, 0, 0o644], self.logger,
                                        self.statechglogger, myid):
                            success = False
                if self.editor2:
                    if self.editor2.fixables:
                        self.iditerator += 1
                        myid = iterate(self.iditerator, self.rulenumber)
                        self.editor2.setEventID(myid)
                        if not self.editor2.fix():
                            success = False
                        elif not self.editor2.commit():
                            success = False
                        os.chown(netwrkfile, 0, 0)
                        os.chmod(netwrkfile, 0o644)
                        resetsecon(netwrkfile)
        if ifacefile:
            if os.path.exists(ifacefile):
                dirs = glob.glob(ifacefile + "*")
                if dirs:
                    for loc in dirs:
                        interface2 = {"IPV6_PRIVACY": "rfc3041"}
#                                       "IPV6_DEFAULTGW": self.gateway,
#                                       "IPV6ADDR":self.ipaddr}
                        interface3 = {"IPV6_PRIVACY": "rfc3041"}
#                                       "IPV6_DEFAULTGW": self.gateway,
#                                       "IPV6ADDR":self.ipaddr}
                        found = False
                        tempstring = ""
                        if re.search('^' + ifacefile + 'ifcfg', loc):
                            filename = loc
                            tmpfile = filename + ".tmp"
                            contents = readFile(filename, self.logger)
                            if not checkPerms(filename, [0, 0, 0o644],
                                              self.logger):
                                self.iditerator += 1
                                myid = iterate(self.iditerator,
                                               self.rulenumber)
                                if not setPerms(filename, [0, 0, 0o644],
                                                self.logger,
                                                self.statechglogger, myid):
                                    return False
                            for key in interface2:
                                found = False
                                for line in contents:
                                    if re.search("^#", line) or \
                                            re.match("^\s*$", line):
                                        continue
                                    if re.search("^" + key, line):
                                        if re.search("=", line):
                                            temp = line.split("=")
                                            if temp[1].strip() == \
                                                    interface2[key]:
                                                if found:
                                                    continue
                                                found = True
                                            else:
                                                contents.remove(line)
                                if found:
                                    del interface3[key]
                            for line in contents:
                                tempstring += line
                            tempstring += universal
                            for key in interface3:
                                tempstring += key + "=" + interface3[key] + \
                                    "\n"
                            if not writeFile(tmpfile, tempstring, self.logger):
                                return False
                            self.iditerator += 1
                            myid = iterate(self.iditerator, self.rulenumber)
                            event = {'eventtype': 'conf',
                                     'filepath': filename}
                            self.statechglogger.recordchgevent(myid, event)
                            self.statechglogger.recordfilechange(filename,
                                                                 tmpfile, myid)
                            os.rename(tmpfile, filename)
                            os.chown(filename, 0, 0)
                            os.chmod(filename, 0o644)
                            resetsecon(filename)
            elif not os.path.exists(ifacefile) and ifacefile != "":
                # will not attempt to create the interface files
                self.detailedresults += "Interface directory which holds interface \
                files, doesn't exist. Stonix will not attempt to make this \
                directory or the files contained therein."
                success = False
        return success

コード例 #30

    def fix_security_limits(self):
        '''ensure the limits.conf file contains the configuration
        setting * hard core 0


        :returns: succcess

        :rtype: bool
@author: ???

        '''

        success = True
        path1 = "/etc/security/limits.conf"
        lookfor1 = "(^\*)\s+hard\s+core\s+0?"
        created = False
        if not os.path.exists(path1):
            if not createFile(path1, self.logger):
                success = False
                self.detailedresults += "Unable to create " + path1 + " file\n"
            else:
                created = True
                self.iditerator += 1
                myid = iterate(self.iditerator, self.rulenumber)
                event = {"eventtype": "creation", "filepath": "path1"}
                self.statechglogger.recordchgevent(myid, event)
        if os.path.exists(path1):
            if not checkPerms(path1, [0, 0, 0o644], self.logger):
                if not created:
                    self.iditerator += 1
                    myid = iterate(self.iditerator, self.rulenumber)
                    if not setPerms(path1, [0, 0, 0o644], self.logger,
                                    self.statechglogger, myid):
                        success = False
                        self.detailedresults += "Unable to correct permissions on " + path1 + "\n"
            contents = readFile(path1, self.logger)
            found = False
            tempstring = ""
            if contents:
                for line in contents:
                    if re.search(lookfor1, line.strip()):
                        found = True
                    else:
                        tempstring += line
            else:
                found = False
            if not found:
                tempstring += "* hard core 0\n"
                tempfile = path1 + ".stonixtmp"
                if not writeFile(tempfile, tempstring, self.logger):
                    success = False
                    self.detailedresults += "Unable to write contents to " + path1 + "\n"
                else:
                    if not created:
                        self.iditerator += 1
                        myid = iterate(self.iditerator, self.rulenumber)
                        event = {"eventtype": "conf", "filepath": path1}
                        self.statechglogger.recordchgevent(myid, event)
                        self.statechglogger.recordfilechange(
                            path1, tempfile, myid)
                    os.rename(tempfile, path1)
                    setPerms(path1, [0, 0, 0o644], self.logger)
                    resetsecon(path1)
        return success

コード例 #31

ファイル: NoEmptyPasswords.py プロジェクト: 5l1v3r1/stonix

    def fixOther(self):
        config = ""
        success = True
        permswrong = False
        debug = ""
        if not os.path.exists(self.shadow):
            debug += "shadow or master.passwd file not present, \
cannot perform fix"

            self.logger.log(LogPriority.DEBUG, debug)
            return False
        statdata = os.stat(self.shadow)
        owner = statdata.st_uid
        group = statdata.st_gid
        mode = stat.S_IMODE(statdata.st_mode)
        if not checkPerms(self.shadow, [0, 0, 256], self.logger) or \
           not checkPerms(self.shadow, [0, 0, 0], self.logger):
            permswrong = True
            if not setPerms(self.shadow, [0, 0, 256], self.logger):
                success = False
        contents = readFile(self.shadow, self.logger)
        if not contents:
            return False
        if self.empty:
            try:
                for line in contents:
                    for user in self.empty:
                        if re.search(":", line):
                            temp = line.split(':')
                            if temp[0] == user:
                                tempstring = ""
                                if temp[1].strip() == "":
                                    temp[1] = "!"
                                    tempstring = ":".join(temp)
                                    config += tempstring
                                    break
                            else:
                                config += line
                        else:
                            config += line
                            continue
            except IndexError:
                raise
            except Exception:
                self.detailedresults += traceback.format_exc() + "\n"
                self.detailedresults += "Index out of range\n, stonix will \
not continue to complete fix"

                self.logger.log(LogPriority.DEBUG, self.detailedresults)
                return False
            tempfile = self.shadow + ".tmp"
            if not writeFile(tempfile, config, self.logger):
                success = False
            os.rename(tempfile, self.shadow)
            if permswrong:
                os.chown(self.shadow, 0, 0)
                os.chmod(self.shadow, 256)
            else:
                os.chown(self.shadow, owner, group)
                os.chmod(self.shadow, mode)
        return success