def scan(self, option=None):
messages = {'messages': []}
retval = True
# leave quickly if we are N/A due to architecture.
test_arch = platform.machine()
if test_arch == 's390x':
msg = "GRand Unified Bootloader (GRUB) not used on S390 hardware"
self.logger.notice(self.module_name, "Not Applicable: " + msg)
raise tcs_utils.ScanNotApplicable('%s %s' %
(self.module_name, msg))
elif sb_utils.os.info.is_solaris() == True and sb_utils.os.info.is_x86(
) == False:
msg = "GRand Unified Bootloader (GRUB) not used on SPARC hardware"
self.logger.notice(self.module_name, "Not Applicable: " + msg)
raise tcs_utils.ScanNotApplicable('%s %s' %
(self.module_name, msg))
# Ok, quickly test the permissions on the grub file. It should be owned by root and perms no greater than 0600:
# This module won't fix the problems, but so only indicate any issues with a warning. Permission problems do not
# Constitute a failure case, as the 'System Configuration File Permissions' module will fix (if that module is enabled).
msg = "Checking access controls on %s" % self.__target_file
self.logger.info(self.module_name, 'Scan: ' + msg)
try:
statinfo = os.stat(self.__target_file)
except OSError, err:
msg = "Unable to stat %s: %s" % (self.__target_file, err)
self.logger.error(self.module_name, 'Scan Error: ' + msg)
raise tcs_utils.ScanError('%s %s' % (self.module_name, msg))
def scan(self, option=None):
messages = {}
messages['messages'] = []
results = sb_utils.os.software.is_installed(pkgname=self.__pkgname)
if results == False:
msg = "%s package is not installed on the system" % self.__pkgname
self.logger.info(self.module_name, 'Not Applicable: ' + msg)
raise tcs_utils.ScanNotApplicable('%s %s' %
(self.module_name, msg))
if not os.path.isfile(self.__target_file):
msg = "%s package is installed but %s is missing" % self.__target_file
self.logger.error(self.module_name, 'Scan Error: ' + msg)
raise tcs_utils.ScanError('%s %s' % (self.module_name, msg))
try:
in_obj = open(self.__target_file, 'r')
except (OSError, IOError), err:
msg = "Unable to read %s: %s" % (self.__target_file, err)
self.logger.error(self.module_name, 'Scan Error: ' + msg)
raise tcs_utils.ScanNotApplicable('%s %s' %
(self.module_name, msg))
def scan(self, option=None):
"""
Examine /etc/php.ini for missing or invalid values
"""
if option != None:
option = None
results = sb_utils.os.software.is_installed(pkgname=self.__pkgname)
if results == False:
msg = "'%s' is not installed on the system" % self.__pkgname
self.logger.warn(self.module_name, 'Not Applicable: ' + msg)
raise tcs_utils.ScanNotApplicable('%s %s' %
(self.module_name, msg))
if not os.path.isfile(self.__php_ini):
msg = "%s not found. Is PHP installed?" % self.__php_ini
self.logger.warn(self.module_name, 'Not Applicable: ' + msg)
raise tcs_utils.ScanNotApplicable('%s %s' %
(self.module_name, msg))
self.logger.info(self.module_name, 'Checking %s' % self.__php_ini)
try:
in_obj = open(self.__php_ini, 'r')
except IOError, err:
msg = "Unable to read %s (%s)" % (self.__php_ini, err)
self.logger.info(self.module_name, 'Scan Failed: ' + msg)
return 'Fail', msg
def scan(self, option=None):
if option != None:
option = None
messages = {'messages': []}
results = sb_utils.os.software.is_installed(pkgname=self.__pkgname)
if results == False:
msg = "'%s' package is not installed" % self.__pkgname
self.logger.notice(self.module_name, 'Not Applicable: ' + msg)
raise tcs_utils.ScanNotApplicable('%s %s' %
(self.module_name, msg))
else:
msg = "'%s' package is installed" % self.__pkgname
self.logger.info(self.module_name, 'Not Applicable: ' + msg)
messages['messages'].append(msg)
if not os.path.isfile(self.__php_ini):
msg = "%s not found. Is PHP installed?" % self.__php_ini
self.logger.warn(self.module_name, 'Not Applicable: ' + msg)
raise tcs_utils.ScanNotApplicable('%s %s' %
(self.module_name, msg))
msg = "Checking %s" % (self.__php_ini)
messages['messages'].append(msg)
self.logger.info(self.module_name, msg)
try:
in_obj = open(self.__php_ini, 'r')
except IOError, err:
msg = "Unable to read %s (%s)" % (self.__newfile, err)
self.logger.error(self.module_name, 'Scan Failed: ' + msg)
raise tcs_utils.ScanError('%s %s' % (self.module_name, msg))
def scan(self, option=None):
messages = {'messages': []}
results = sb_utils.os.software.is_installed(pkgname=self.__pkgname)
if results == None:
msg = "Unable to determine if %s installed." % self.__pkgname
self.logger.error(self.module_name, 'Scan Error: ' + msg)
raise tcs_utils.ScanError('%s %s' % (self.module_name, msg))
if results == False:
msg = "Samba (%s) is not installed on the system" % self.__pkgname
self.logger.warn(self.module_name, 'Not Applicable: ' + msg)
raise tcs_utils.ScanNotApplicable('%s %s' %
(self.module_name, msg))
else:
msg = "Samba (%s) package is installed" % self.__pkgname
messages['messages'].append(msg)
found = False
if not os.path.isfile(self.__conf_file):
msg = "%s does not exist" % self.__conf_file
self.logger.warn(self.module_name, 'Not Applicable: ' + msg)
raise tcs_utils.ScanNotApplicable('%s %s' %
(self.module_name, msg))
else:
msg = "Checking %s for 'smb guest' parameter" % self.__conf_file
messages['messages'].append(msg)
try:
in_obj = open(self.__conf_file, 'r')
except IOError, err:
msg = "Unable to open %s: %s " % (self.__conf_file, err)
self.logger.error(self.module_name, 'Scan Error: ' + msg)
raise tcs_utils.ScanError('%s %s' % (self.module_name, msg))
def checkStatus(self, optionDict={}):
# assume true, and we'll set to false if needed
status = True
# Step 1: Check to see if NTP package(s) are installed.
for pkg in self.__pkgnames:
if sb_utils.os.software.is_installed(pkgname=pkg) == False:
status = False
msg = "'%s' package is not installed on the system" % self.__pkgname
if optionDict['required'] == False:
self.logger.info(self.module_name, 'Not Applicable: ' + msg)
raise tcs_utils.ScanNotApplicable('%s %s' %
(self.module_name, msg))
else:
self.logger.warning(self.module_name, 'Scan failed: ' + msg)
# Step 2: Check to see if the NTP Service daemon is enabled.
if sb_utils.os.service.is_enabled(svcname=self.__svcname) == False:
status = False
msg = "'%s' service is off. It is not configured to start "\
"during system startup." % self.__svcname
self.logger.notice(self.module_name, 'Scan failed: ' + msg)
# Step 3: Check to see if service is running.
if sb_utils.os.service.status(svcname=self.__svcname) == False:
status = False
msg = "'%s' service is not running" % self.__svcname
self.logger.notice(self.module_name, 'Scan failed: ' + msg)
if optionDict['Required'] == True and not status:
self.logger.info(self.module_name, 'Not Applicable: ' + msg)
raise tcs_utils.ScanNotApplicable('%s %s' %
(self.module_name, msg))
def scan(self, option=None):
"""
Examine /etc/samba/smb.conf for missing or invalid values
"""
if option != None:
option = None
messages = {'messages':[]}
results = sb_utils.os.software.is_installed(pkgname=self.__pkgname)
if results == False:
msg = "%s package is not installed" % self.__pkgname
self.logger.warn(self.module_name, 'Not Applicable: ' + msg)
raise tcs_utils.ScanNotApplicable('%s %s' % (self.module_name, msg))
if not os.path.isfile(self.__smb_ini):
msg = "Missing %s but samba is installed" % self.__smb_ini
self.logger.notice(self.module_name, 'Not Applicable: ' + msg)
raise tcs_utils.ScanNotApplicable('%s %s' % (self.module_name, msg))
try:
in_obj = open(self.__smb_ini, 'r')
except (IOError, OSError), err:
msg = "Unable to read %s: %s" % (self.__smb_ini, err)
self.logger.error(self.module_name, 'Scan Error: ' + msg)
raise tcs_utils.ScanError('%s %s' % (self.module_name, msg))
def scan(self, option=None):
"""
Examine /etc/php.ini for missing or invalid values
"""
messages = {'messages':[]}
if option != None:
option = None
results = sb_utils.os.software.is_installed(pkgname=self.__pkgname)
if results == False:
msg = "'%s' is not installed on the system" % self.__pkgname
self.logger.warn(self.module_name, 'Not Applicable: ' + msg)
raise tcs_utils.ScanNotApplicable('%s %s' % (self.module_name, msg))
if not os.path.isfile(self.__php_ini):
msg = "%s not found." % self.__php_ini
self.logger.warn(self.module_name, 'Not Applicable: ' + msg)
raise tcs_utils.ScanNotApplicable('%s %s' % (self.module_name, msg))
msg = 'Analyzing %s' % self.__php_ini
self.logger.debug(self.module_name, 'Scan: ' + msg)
self.logger.info(self.module_name, 'Checking %s' % self.__php_ini)
try:
in_obj = open(self.__php_ini, 'r')
except IOError, err:
msg = "Unable to read %s (%s)" % (self.__newfile, err)
messages['messages'].append(msg)
self.logger.error(self.module_name, 'Scan Error: ' + msg)
raise tcs_utils.ScanError('%s %s' % (self.module_name, msg))
def scan(self, option=None):
if self.__IA32 == True:
msg = "An Intel CPU (Family < 6) is installed"
raise tcs_utils.ScanNotApplicable('%s %s' % (self.module_name, msg))
if not os.path.exists('/etc/init.d/microcode.ctl'):
msg = "The 'microcode_ctl' service does not seem to be present"
raise tcs_utils.ScanNotApplicable('%s %s' % (self.module_name, msg))
return Enable_Disable_Any_Service.scan(self.module_name, enable=False)
def scan(self, option=None):
"""Check for rpm and file permissions"""
if option != None:
option = None
# For Linux look for the package name to see if it is installed
if sb_utils.os.info.is_solaris() == False:
results1 = sb_utils.os.software.is_installed(pkgname='gaim')
results2 = sb_utils.os.software.is_installed(pkgname='pidgin')
if results1 == False and results2 == False:
msg = "Neither gaim or pidgin is installed on the system"
self.logger.warn(self.module_name, 'Not Applicable: ' + msg)
raise tcs_utils.ScanNotApplicable('%s %s' %
(self.module_name, msg))
# Check gaim
gaim_reason = self._scan_for_file(self._gaim_path)
# Now check pidgin
pidgin_reason = self._scan_for_file(self._pidgin_path)
if gaim_reason != "" or pidgin_reason != "":
return 'Fail', 'Either gaim or pidgin is not owned by root, with perms 000'
else:
return 'Pass', ''
def scan(self, option=None):
results_flag = True
messages = {}
messages['messages'] = []
msg_string = ''
results = sb_utils.os.software.is_installed(pkgname=self._pkgname)
if results != True:
msg = "'%s' package is not installed on the system" % self._pkgname
self.logger.warning(self.module_name, 'Not Applicable: ' + msg)
raise tcs_utils.ScanNotApplicable('%s %s' % (self.module_name, msg))
else:
msg = "'%s' package is installed." % (self._pkgname)
messages['messages'].append(msg)
self.logger.info(self.module_name, msg)
results = sb_utils.os.service.is_enabled(svcname=self._svcname)
if results == False:
msg = "Fail: '%s' service is disabled" % (self._svcname)
messages['messages'].append(msg)
self.logger.notice(self.module_name, 'Scan Failed: ' + msg)
results_flag = False
msg_string = msg
else:
msg = "'%s' service is enabled" % (self._svcname)
messages['messages'].append(msg)
self.logger.notice(self.module_name, 'Scan Passed: ' + msg)
results_flag = True
return results_flag, msg_string, messages
def scan(self, option=None):
if sb_utils.os.info.is_solaris() == True:
results = sb_utils.os.software.is_installed(pkgname='SUNWsndmr')
else:
results = sb_utils.os.software.is_installed(pkgname='sendmail')
if results == False:
msg = "sendmail does not appear to be installed on the system"
self.logger.warn(self.module_name, 'Not Applicable: ' + msg)
raise tcs_utils.ScanNotApplicable('%s %s' %
(self.module_name, msg))
if not os.path.isfile(self.__file):
msg = "sendmail is installed but %s is missing" % self.__file
self.logger.error(self.module_name, 'Scan Error: ' + msg)
raise tcs_utils.ScanError('%s %s' % (self.module_name, msg))
paramlist = sb_utils.os.config.get_list(
configfile='/etc/mail/sendmail.cf', delim='=')
if paramlist == None:
msg = 'Unable to determine Sendmail Help is enabled'
self.logger.error(self.module_name, 'Scan Error: ' + msg)
raise tcs_utils.ScanError('%s %s' % (self.module_name, msg))
if paramlist.has_key('O HelpFile'):
reason = "Sendmail Help is enabled; found 'O HelpFile' configured "\
"in %s" % (self.__file)
self.logger.notice(self.module_name, 'Scan Failed: ' + reason)
return 'Fail', reason
return 'Pass', ''
def scan(self, option=None):
messages = {}
messages['messages'] = []
pkg = "sendmail"
if sb_utils.os.info.is_solaris() == True:
pkg = "SUNWsndmr"
results = sb_utils.os.software.is_installed(pkgname = pkg)
if results == False:
msg = "sendmail does not appear to be installed on the system"
self.logger.notice(self.module_name, 'Not Applicable: ' + msg)
raise tcs_utils.ScanNotApplicable('%s %s' % (self.module_name, msg))
msg = "%s package is installed" % pkg
self.logger.info(self.module_name, msg)
messages['messages'].append(msg)
if not os.path.isfile(self.__file):
msg = "%s is installed but %s is missing" % (pkg, self.__file)
self.logger.error(self.module_name, 'Scan Error: ' + msg)
raise tcs_utils.ScanError('%s %s' % (self.module_name, msg))
try:
in_obj = open(self.__file, 'r')
except (OSError, IOError), err:
msg = "Unable to read file %s: %s" % (self.__file, err)
self.logger.error(self.module_name, 'Scan Error: ' + msg)
raise tcs_utils.ScanError('%s %s' % (self.module_name, msg))
def scan(self, option=None):
"""Check for rpm and for -s mode"""
if option != None:
option = None
messages = {'messages': []}
flagIndex = None
dirIndex = None
dirName = None
results = sb_utils.os.software.is_installed(pkgname=self.rpm_name)
if results != True:
msg = "'%s' package is not installed" % self.rpm_name
self.logger.notice(self.module_name, 'Not Applicable: ' + msg)
raise tcs_utils.ScanNotApplicable('%s %s' %
(self.module_name, msg))
else:
msg = "'%s' package is installed" % self.rpm_name
self.logger.info(self.module_name, msg)
messages['messages'].append(msg)
try:
myfile = open('/etc/xinetd.d/tftp', 'r')
except IOError, err:
msg = "Unable to open /etc/xinetd.d/tftp: %s" % str(err)
self.logger.error(self.module_name, 'Scan Error: ' + msg)
raise tcs_utils.ScanError('%s %s' % (self.module_name, msg))
def scan(self, option=None):
boot_pat = re.compile('-s /tftpboot')
# Is TFTP server package installed?
if sb_utils.os.software.is_installed(pkgname='SUNWtftp') != True:
msg = "TFTP Server (SUNWtftp) package is not installed"
self.logger.notice(self.module_name, 'Not Applicable: ' + msg)
raise tcs_utils.ScanNotApplicable('%s %s' %
(self.module_name, msg))
prop = sb_utils.os.service.getprop(svcname='tftp',
property='inetd_start/exec')
if prop != None:
prop = prop.replace('\\', '')
if not boot_pat.search(prop):
msg = "Tftp service 'inetd_start/exec' property (%s) does not "\
"contain '-s /tftpboot'" % prop
self.logger.notice(self.module_name, 'Scan Failed: ' + msg)
return 'Fail', msg
self.logger.debug(self.module_name, 'Checking /etc/inet/inetd.conf')
try:
infile = open('/etc/inet/inetd.conf', 'r')
except IOError, err:
msg = "Unable to read /etc/inet/inetd.conf: %s" % err
self.logger.error(self.module_name, 'Scan Error: ' + msg)
raise tcs_utils.ScanError('%s %s' % (self.module_name, msg))
def apply(self, option=None):
messages = {'messages':[]}
self.validate_input(option)
results = sb_utils.os.software.is_installed(pkgname=self.__pkgname)
if results == False:
msg = "%s package is not installed" % self.__pkgname
self.logger.warn(self.module_name, 'Not Applicable: ' + msg)
raise tcs_utils.ScanNotApplicable('%s %s' % (self.module_name, msg))
already_done = {}
change_record = ""
for subkey in self.__smb_settings.keys():
already_done[subkey] = {}
for subsubkey in self.__smb_settings[subkey].keys():
already_done[subkey][subsubkey] = False
if not os.path.isfile(self.__smb_ini):
msg = "%s does not exist" % self.__smb_ini
self.logger.notice(self.module_name, 'Not Applicable: ' + msg)
return 0, ''
try:
in_obj = open(self.__smb_ini, 'r')
except (OSError, IOError), err:
self.logger.error(self.module_name, 'Apply Error: ' + err)
raise tcs_utils.ActionError('%s %s' % (self.module_name, err))
def scan(self, option=None):
"""
Examine /etc/php.ini for missing or invalid values
"""
if option != None:
option = None
messages = {'messages': []}
if not os.path.isfile(self.__php_ini):
msg = "%s not found." % self.__php_ini
self.logger.warn(self.module_name, 'Not Applicable: ' + msg)
raise tcs_utils.ScanNotApplicable('%s %s' %
(self.module_name, msg))
msg = 'Analyzing %s' % self.__php_ini
messages['messages'].append(msg)
self.logger.debug(self.module_name, 'Scan: ' + msg)
try:
in_obj = open(self.__php_ini, 'r')
except IOError, err:
msg = "Unable to read %s (%s)" % (self.__newfile, err)
self.logger.error(self.module_name, 'Scan Error: ' + msg)
raise tcs_utils.ScanError('%s %s' % (self.module_name, msg))
def scan(self, option=None):
"""
Scan system to see if /etc/logrotate.d/audit is
rotating audit logs daily
"""
results = sb_utils.os.software.is_installed(pkgname='logrotate')
if results != True:
msg = "logrotate is not installed on the system; you should install"\
"this package."
self.logger.warn(self.module_name, 'Not Applicable: ' + msg)
raise tcs_utils.ScanNotApplicable('%s %s' %
(self.module_name, msg))
if not os.path.isfile(self.__target_file):
msg = "%s does not exist" % (self.__target_file)
self.logger.notice(self.module_name, 'Scan Failed: ' + msg)
return 'Fail', msg
try:
in_obj = open(self.__target_file, 'r')
except IOError, err:
msg = "Unable to open %s: %s" % (self.__target_file, str(err))
self.logger.error(self.module_name, 'Scan Error: ' + msg)
raise tcs_utils.ScanError('%s %s' % (self.module_name, msg))
def scan(self, option=None):
foundit = False
for squid in self.__pkgname:
results = sb_utils.os.software.is_installed(pkgname=squid)
if results == None:
msg = "Unable to determine if %s installed." % squid
self.logger.error(self.module_name, 'Scan Error: ' + msg)
if results == False:
msg = "%s (%s) is not installed on the system" % \
(self.__svcdesc, squid)
self.logger.warn(self.module_name, 'Not Applicable: ' + msg)
foundit = True
continue
msg = '%s is installed' % squid
self.logger.info(self.module_name, 'Scan: ' + msg)
results = sb_utils.os.service.is_enabled(
svcname=self.__svcname[squid])
if results == True:
msg = "svcprop reports %s is on" % self.__svcdesc
self.logger.info(self.module_name, 'Scan Failed: ' + msg)
return 'Fail', msg
if foundit == False:
msg = "%s not installed on the system" % self.__svcdesc
raise tcs_utils.ScanNotApplicable('%s %s' %
(self.module_name, msg))
return 'Pass', ''
def scan(self, option=None):
if sb_utils.os.info.is_solaris() == True:
msg = "'%s' service is not part of the standard Solaris "\
"distribution." % self._svcname
self.logger.notice(self.module_name, 'Not Applicable: ' + msg)
raise tcs_utils.OSNotApplicable('%s %s' % (self.module_name, msg))
results = sb_utils.os.software.is_installed(pkgname=self._pkgname)
if results != True:
msg = "'%s' is not installed on the system" % self._pkgname
self.logger.warn(self.module_name, 'Not Applicable: ' + msg)
raise tcs_utils.ScanNotApplicable('%s %s' % (self.module_name, msg))
msg = "'%s' package is installed." % self._pkgname
self.logger.debug(self.module_name, msg)
results = sb_utils.os.service.is_enabled(svcname=self._svcname)
if results == True:
msg = "'%s' service is on" % self._svcname
self.logger.notice(self.module_name, 'Scan Failed: ' + msg)
return 'Fail', msg
elif not self.serviceExists(self._svcname):
msg = "'%s' service does not exist! Manual action required to fix." % self._svcname
self.logger.notice(self.module_name, 'Scan Failed: ' + msg)
return 'Fail', msg
if results == None:
msg = "'%s' does not appear to be a service in %s %s - nothing to disable, adminstrator should remove '%s' unless this package is required." % (self._svcname,
sb_utils.os.info.getDistroName(), str(sb_utils.os.info.getDistroVersion()) , self._pkgname)
self.logger.warn(self.module_name, 'Not Applicable: ' + msg)
raise tcs_utils.ManualActionReqd('%s %s' % (self.module_name, msg))
return 'Pass', ''
def scan(self, option=None):
zonename = sb_utils.os.solaris.zonename()
if zonename != 'global':
msg = "module not applicable in non-global Solaris zones"
self.logger.notice(self.module_name, 'Not Applicable: ' + msg)
raise tcs_utils.ZoneNotApplicable('%s %s' %
(self.module_name, msg))
results = sb_utils.os.software.is_installed(pkgname=self.__pkgname)
if results == None:
msg = "Unable to determine if %s installed." % self.__pkgname
self.logger.error(self.module_name, 'Scan Error: ' + msg)
if results == False:
msg = "%s (%s) is not installed on the system" % \
(self.__svcdesc, self.__pkgname)
self.logger.warn(self.module_name, 'Not Applicable: ' + msg)
raise tcs_utils.ScanNotApplicable('%s %s' %
(self.module_name, msg))
results = sb_utils.os.service.is_enabled(svcname=self.__svcname)
if results == True:
msg = "svcprop reports %s is on" % self.__svcdesc
self.logger.info(self.module_name, 'Scan Failed: ' + msg)
return 'Fail', msg
return 'Pass', ''
def scan(self, option=None):
packageList = getPackageList(libraryName=self.module_name)
for pkg_item in packageList:
results = sb_utils.os.software.is_installed(pkgname=pkg_item)
if results == False:
msg = "'%s' package is not installed" % pkg_item
raise tcs_utils.ScanNotApplicable('%s %s' % (self.module_name, msg))
# assume the module passes a scan - we'll change this if we fail
retval = True
msg = "Did not find 'active = yes' in %s" % self.pluginName
messages = {'messages':[]}
self._readFile()
problems, changes = self._tryChange('yes', 'no')
if problems:
retval = False
msg = problems
messages['messages'].append(problems)
logger.warning(self.module_name, msg)
else:
logger.notice(self.module_name, msg)
return retval, msg, messages
def scan(self, option=None):
messages = {}
messages['messages'] = []
results = sb_utils.os.software.is_installed(pkgname='finger-server')
if results != True:
msg = "'finger-server' package is not installed."
self.logger.notice(self.module_name, 'Not Applicable: ' + msg)
raise tcs_utils.ScanNotApplicable('%s %s' %
(self.module_name, msg))
else:
msg = "'finger-server' package is installed."
messages['messages'].append(msg)
self.logger.info(self.module_name, msg)
results = sb_utils.os.xinetd.is_enabled(svcname='finger')
if results == None:
msg = "Unable to determine status of the 'finger' service"
self.logger.error(self.module_name, 'Scan Error: ' + msg)
raise tcs_utils.ScanError('%s %s' % (self.module_name, msg))
if results == True:
msg = "'finger' service is enabled."
self.logger.notice(self.module_name, 'Scan Failed: ' + msg)
return False, msg, messages
msg = "'finger' service is disabled"
messages['messages'].append(msg)
self.logger.notice(self.module_name, 'Scan Passed: ' + msg)
return True, msg, messages
def scan(self, option=None):
results = sb_utils.os.software.is_installed(pkgname=self.__pkgName)
if results != True:
msg = "'%s' package is not installed." % self.__pkgName
self.logger.info(self.module_name, 'Not Applicable: ' + msg)
raise tcs_utils.ScanNotApplicable('%s %s' %
(self.module_name, msg))
# first, check to see whether the target file exists at all
if not os.path.isfile(self.__target_file):
msg = "File %s does not exist" % self.__target_file
self.logger.info(self.module_name, 'Scan Failed: ' + msg)
return 'Fail', msg
# now check its contents to be sure it contains what we want
if not os.path.isfile(self.__target_file):
msg = "%s does not exist" % self.__target_file
self.logger.notice(self.module_name, 'Scan Failed: ' + msg)
return 'Fail', msg
try:
infile = open(self.__target_file, 'r')
except (OSError, IOError), err:
msg = "Unable to open file %s: %s" % (self.__target_file, err)
self.logger.error(self.module_name, 'Scan Error: ' + msg)
raise tcs_utils.ScanError('%s %s' % (self.module_name, msg))
def scan(self, option=None):
zonename = sb_utils.os.solaris.zonename()
if zonename != 'global':
msg = "Non-global Solaris zone (%s): SVM services unavailable" % (
zonename)
self.logger.notice(self.module_name, 'Scan: ' + msg)
raise tcs_utils.ZoneNotApplicable('%s %s' %
(self.module_name, msg))
if sb_utils.os.software.is_installed(pkgname=self.__pkgname) != True:
msg = "%s (%s) package is not installed" % (self.__svcdesc,
self.__pkgname)
self.logger.notice(self.module_name, 'Not Applicable: ' + msg)
raise tcs_utils.ScanNotApplicable('%s %s' %
(self.module_name, msg))
self.do_metastat()
fail_flag = False
for chksvc in self.__svcname:
results = sb_utils.os.service.is_enabled(svcname=chksvc)
if results == True:
msg = "svcprop reports %s is on" % chksvc
self.logger.notice(self.module_name, 'Scan Failed: ' + msg)
fail_flag = True
if fail_flag == True:
return 'Fail', msg
return 'Pass', ''
def __init__(self, module_name):
self.pluginName = '/etc/audisp/plugins.d/sedispatch.conf'
self.module_name = module_name
if not os.path.exists(self.pluginName):
msg = "'%s' does not exist - nothing to check/modify." % self.pluginName
logger.warning(module_name, 'Not Applicable: ' + msg)
raise tcs_utils.ScanNotApplicable('%s %s' % (module_name, msg))
self.lines = None
def scan(self, option=None):
if sb_utils.os.info.is_LikeSUSE() == False:
return Enable_Disable_Any_Service.scan(self.module_name,
enable=False)
results = sb_utils.os.software.is_installed(
pkgname='nfs-kernel-server')
if results != True:
msg = "'nfs-kernel-server' package is not installed"
self.logger.notice(self.module_name, 'Not Applicable: ' + msg)
raise tcs_utils.ScanNotApplicable('%s %s' %
(self.module_name, msg))
self.logger.notice(self.module_name,
'Not Applicable: ' + self.suse_msg)
raise tcs_utils.ScanNotApplicable('%s %s' %
(self.module_name, self.suse_msg))
def scan(self, option=None):
if sb_utils.os.suse.pam.passwdqc_configured():
msg = "It appears that pam_passwdqc is installed and configured. "\
"Presently, OS Lockdown only supports pam_cracklib."
self.logger.info(self.module_name, msg)
msg2 = "If wish this module to configure 'ocredit', unconfigure " \
"pam_passwdqc."
self.logger.info(self.module_name, msg2)
raise tcs_utils.ScanNotApplicable('%s %s' %
(self.module_name, msg))
results = sb_utils.os.software.is_installed(pkgname='pam-config')
if results != True:
msg = "'pam-config' package is not installed on the system."
self.logger.error(self.module_name, 'Scan Error: ' + msg)
raise tcs_utils.ManualActionReqd('%s %s' % (self.module_name, msg))
results = sb_utils.os.software.is_installed(pkgname='cracklib')
if results != True:
msg = "'cracklib' package is not installed on the system."
self.logger.error(self.module_name, 'Scan Error: ' + msg)
raise tcs_utils.ScanError('%s %s' % (self.module_name, msg))
cracklib_settings = sb_utils.os.suse.pam.config(modName='cracklib')
#------------------------------------------
# If cracklib is not being used, then fail
if len(cracklib_settings) == 0:
msg = "PAM cracklib is not configured."
self.logger.notice(self.module_name, 'Scan Failed: ' + msg)
return 'Fail', msg
#------------------------------------------
# Check cracklib settings
if not cracklib_settings.has_key('password'):
msg = "PAM cracklib is not configured for 'password'"
self.logger.notice(self.module_name, 'Scan Failed: ' + msg)
return 'Fail', msg
for pw_opt in cracklib_settings['password']:
try:
(pw_key, pw_val) = pw_opt.split('=')
except (ValueError, IndexError):
continue
if pw_key == 'ocredit':
msg = "PAM cracklib 'ocredit' option set to '%s' " % (pw_val)
self.logger.info(self.module_name, msg)
if int(pw_val) != -2:
msg = "PAM cracklib 'ocredit' option is not set to '-2'"
self.logger.notice(self.module_name, 'Scan Failed: ' + msg)
return 'Fail', msg
else:
return 'Pass', ''
return 'Fail', 'ocredit parameter not set'
def scan(self, option=None):
"""
Determine if the audit service is installed on the system and enabled.
If the audit is not installed tcs_utils.ScanNotApplicable exception is
raised.
"""
if option != None:
option = None
results = sb_utils.os.software.is_installed(pkgname='audit')
if results != True:
msg = "audit is not installed on the system"
self.logger.warn(self.module_name, 'Not Applicable: ' + msg)
raise tcs_utils.ScanNotApplicable('%s %s' %
(self.module_name, msg))
## *ALSO* verify that the /sbin/auditd command exists - early RH4 doesn't have audid as a daemon
if not os.path.exists('/sbin/auditd'):
msg = "Required command '/sbin/auditd' does not exist!"
self.logger.warn(self.module_name, 'Not Applicable: ' + msg)
raise tcs_utils.ScanNotApplicable('%s %s' %
(self.module_name, msg))
## *ALSO* verify that the /sbin/auditd command exists - early RH4 doesn't have audid as a daemon
if not os.path.exists('/etc/init.d/auditd'):
msg = "Required service '/etc/init.d/auditd' does not exist! Is service installed?"
self.logger.warn(self.module_name, 'Not Applicable: ' + msg)
raise tcs_utils.ScanNotApplicable('%s %s' %
(self.module_name, msg))
results = sb_utils.os.service.is_enabled(svcname='auditd')
if results == None:
msg = "Unable to determine status of the 'auditd' service"
self.logger.error(self.module_name, 'Scan Error: ' + msg)
raise tcs_utils.ScanError('%s %s' % (self.module_name, msg))
if results == False:
msg = "'auditd' service is disabled."
self.logger.notice(self.module_name, 'Scan Failed: ' + msg)
return 'Fail', msg
return 'Pass', ''
def check_file(self, pkgname, filename, targetValue):
"""
Check the lines in looking for the 'PRELINKING=' line. If the value of 'PRELINKING=' isn't targetValue, then make it so. While
no explicit checks are being done, targetValue should be 'yes' or 'no'.
"""
changeRec = {}
lines = None
msg = None
results = sb_utils.os.software.is_installed(pkgname)
if results != True:
msg = "'%s' package is not installed on the system" % pkgname
self.logger.warn(self.module_name, 'Not Applicable: ' + msg)
raise tcs_utils.ScanNotApplicable('%s %s' %
(self.module_name, msg))
elif not os.path.isfile(filename):
msg = "No such file '%s'" % filename
self.logger.warning(self.module_name, 'Not Applicable: ' + msg)
raise tcs_utils.ScanNotApplicable('%s %s' %
(self.module_name, msg))
else:
lines = open(filename).readlines()
for ln in range(len(lines)):
line = lines[ln].strip()
if not line.startswith('PRELINKING='):
continue
value = line.split('=', 1)[1]
if value == targetValue:
self.logger.info(self.module_name,
"Found '%s' in '%s'" % (line, filename))
else:
msg = "Found '%s' in '%s', expected 'PRELINKING=%s'" % (
line, filename, targetValue)
self.logger.warning(self.module_name, msg)
lines[ln] = line.split('=')[0] + '=' + targetValue + '\n'
changeRec = value
break
return lines, changeRec, msg
