def fixLockdownX(self): success = True if self.sh.disableService("xfs", _="_"): self.iditerator += 1 myid = iterate(self.iditerator, self.rulenumber) event = {"eventtype": "servicehelper", "servicename": "xfs", "startstate": "enabled", "endstate": "disabled"} self.statechglogger.recordchgevent(myid, event) else: success = False self.detailedresults += "STONIX was unable to disable the " + \ "xfs service\n" if not self.xservSecure: serverrcString = "exec X :0 -nolisten tcp $@" if not os.path.exists(self.serverrc): createFile(self.serverrc, self.logger) self.iditerator += 1 myid = iterate(self.iditerator, self.rulenumber) event = {"eventtype": "creation", "filepath": self.serverrc} self.statechglogger.recordchgevent(myid, event) writeFile(self.serverrc, serverrcString, self.logger) else: open(self.serverrc, "a").write(serverrcString) return success
def fixShadow(self): success = True if not os.path.exists(self.shadowfile): self.detailedresults += self.shadowfile + "does not exist. \ Will not perform fix on shadow file\n" return False if self.fixusers: contents = readFile(self.shadowfile, self.logger) if self.ph.manager == "apt-get": perms = [0, 42, 0o640] else: perms = [0, 0, 0o400] if not checkPerms(self.shadowfile, perms, self.logger) and \ not checkPerms(self.shadowfile, [0, 0, 0], self.logger): self.iditerator += 1 myid = iterate(self.iditerator, self.rulenumber) setPerms(self.shadowfile, perms, self.logger, self.statechglogger, myid) tmpdate = strftime("%Y%m%d") tmpdate = list(tmpdate) date = tmpdate[0] + tmpdate[1] + tmpdate[2] + tmpdate[3] + "-" + \ tmpdate[4] + tmpdate[5] + "-" + tmpdate[6] + tmpdate[7] for user in self.fixusers: cmd = ["chage", "-d", date, "-m", "1", "-M", "180", "-W", "28", "-I", "35", user] self.ch.executeCommand(cmd) # We have to do some gymnastics here, because chage writes directly # to /etc/shadow, but statechglogger expects the new contents to # be in a temp file. newContents = readFile(self.shadowfile, self.logger) shadowTmp = "/tmp/shadow.stonixtmp" createFile(shadowTmp, self.logger) writeFile(shadowTmp, "".join(newContents) + "\n", self.logger) writeFile(self.shadowfile, "".join(contents) + "\n", self.logger) self.iditerator += 1 myid = iterate(self.iditerator, self.rulenumber) event = {'eventtype': 'conf', 'filepath': self.shadowfile} self.statechglogger.recordchgevent(myid, event) self.statechglogger.recordfilechange(self.shadowfile, shadowTmp, myid) shutil.move(shadowTmp, self.shadowfile) os.chmod(self.shadowfile, perms[2]) os.chown(self.shadowfile, perms[0], perms[1]) resetsecon(self.shadowfile) return success
def writeConfig(self, filepath, myid, regex, mult): tempfile = filepath + ".tmp" tempstring = "" contents = readFile(filepath, self.logger) if not contents: debug = filepath + " contents are blank\n" self.logger.log(LogPriority.DEBUG, debug) return False if mult: for line in contents: if re.match("^#", line) or re.match("^\s*$", line): tempstring += line elif not re.search(regex, line): tempstring += line.strip() + " -nolisten tcp\n" else: for line in contents: tempstring += line tempstring += regex + "\n" if not writeFile(tempfile, tempstring, self.logger): return False event = {"eventtype": "conf", "filepath": filepath} self.statechglogger.recordchgevent(myid, event) self.statechglogger.recordfilechange(filepath, tempfile, myid) os.rename(tempfile, filepath) return True
def setaccountlockout(self, regex): """ configure the account lockout time in pam :param regex: string; regular expression :return: success :rtype: bool """ success = True pamfiles = [] if self.ph.manager in ("yum", "dnf"): pamfiles.append(self.pamauthfile) pamfiles.append(self.pampassfile) writecontents = self.auth + "\n" + self.acct + "\n" + \ self.password + "\n" + self.session else: pamfiles.append(self.pamauthfile) writecontents = self.auth for pamfile in pamfiles: if not os.path.exists(pamfile): self.detailedresults += pamfile + " doesn't exist.\n" + \ "Stonix will not attempt to create this file " + \ "and the fix for the this rule will not continue\n" return False # """Check permissions on pam file(s)""" for pamfile in pamfiles: if not checkPerms(pamfile, [0, 0, 0o644], self.logger): self.iditerator += 1 myid = iterate(self.iditerator, self.rulenumber) if not setPerms(pamfile, [0, 0, 0o644], self.logger, self.statechglogger, myid): success = False self.detailedresults += "Unable to set " + \ "correct permissions on " + pamfile + "\n" contents = readFile(pamfile, self.logger) found = False for line in contents: if re.search(regex, line.strip()): found = True if not found: tmpfile = pamfile + ".stonixtmp" if writeFile(tmpfile, writecontents, self.logger): self.iditerator += 1 myid = iterate(self.iditerator, self.rulenumber) event = {'eventtype': 'conf', 'filepath': pamfile} self.statechglogger.recordchgevent(myid, event) self.statechglogger.recordfilechange(pamfile, tmpfile, myid) os.rename(tmpfile, pamfile) os.chown(pamfile, 0, 0) os.chmod(pamfile, 0o644) resetsecon(pamfile) else: self.detailedresults += "Unable to write to " + pamfile + "\n" success = False return success
def fix(self): try: if not self.ci.getcurrvalue(): return success = True self.detailedresults = "" self.iditerator = 0 eventlist = self.statechglogger.findrulechanges(self.rulenumber) for event in eventlist: self.statechglogger.deleteentry(event) if os.path.exists(self.path): sttyText = readFile(self.path, self.logger) newSttyText = [] for line in sttyText: # Check for both serial connections and the old style of # virtual connections if re.search(self.serialRE, line) or \ re.search(r"^vc/\d", line): line = "#" + line newSttyText.append(line) newSttyString = "".join(newSttyText) tmpfile = self.path + ".tmp" if writeFile(tmpfile, newSttyString, self.logger): self.iditerator += 1 myid = iterate(self.iditerator, self.rulenumber) event = {"eventtype": "conf", "filepath": self.path} self.statechglogger.recordchgevent(myid, event) self.statechglogger.recordfilechange( self.path, tmpfile, myid) os.rename(tmpfile, self.path) perms = self.perms setPerms(self.path, perms, self.logger, self.statechglogger, myid) resetsecon(self.path) else: success = False self.detailedresults += "Problem writing new " + \ "contents to temporary file" self.rulesuccess = success except (KeyboardInterrupt, SystemExit): # User initiated exit raise except Exception: self.rulesuccess = False self.detailedresults += "\n" + traceback.format_exc() self.logdispatch.log(LogPriority.ERROR, self.detailedresults) self.formatDetailedResults("fix", self.rulesuccess, self.detailedresults) self.logdispatch.log(LogPriority.INFO, self.detailedresults) return self.rulesuccess
def commit(self): ''' Private method that actually writes the configuration file as desired including fixables and removing desireables. This method is called in the calling class that instantiated the object after the update methods have been called. @author: dwalker @return: Bool ''' for line in self.contents: self.tempstring += line success = writeFile(self.tmpPath, self.tempstring, self.logger) return success
def fix(self): try: if not self.ci.getcurrvalue(): return success = True self.detailedresults = "" self.iditerator = 0 eventlist = self.statechglogger.findrulechanges(self.rulenumber) for event in eventlist: self.statechglogger.deleteentry(event) if os.path.exists(self.path): adminAllowed = "group=admin,wheel fail_safe" adminDisabled = "group=wheel fail_safe" ssText = "".join(readFile(self.path, self.logger)) if re.search(adminAllowed, ssText): ssText = re.sub(adminAllowed, adminDisabled, ssText) tmpfile = self.path + ".tmp" if writeFile(tmpfile, ssText, self.logger): self.iditerator += 1 myid = iterate(self.iditerator, self.rulenumber) event = {"eventtype": "conf", "filepath": self.path} self.statechglogger.recordchgevent(myid, event) self.statechglogger.recordfilechange( self.path, tmpfile, myid) os.rename(tmpfile, self.path) resetsecon(self.path) else: success = False self.detailedresults += "Problem writing new " + \ "contents to temporary file" else: success = False self.detailedresults += self.path + ''' does not exist. STONIX \ will not attempt to create this file. If you are using OS X 10.9 or later, \ this is most likely a bug, and should be reported. Earlier versions of OS X \ are not currently supported by STONIX.''' self.rulesuccess = success except (KeyboardInterrupt, SystemExit): # User initiated exit raise except Exception: self.rulesuccess = False self.detailedresults += "\n" + traceback.format_exc() self.logdispatch.log(LogPriority.ERROR, self.detailedresults) self.formatDetailedResults("fix", self.rulesuccess, self.detailedresults) self.logdispatch.log(LogPriority.INFO, self.detailedresults) return self.rulesuccess
def fixgnome(self): '''Configure GNOME 3 for automatic logout. @author: d.kennel ''' if self.environ.geteuid() != 0: debug = "Configuring gnome requires root privileges" self.logger.log(LogPriority.DEBUG, debug) self.detailedresults += "Configuring gnome requires root " + \ "privileges\n" return False success = True createddir = False debug = "" if os.path.exists("/usr/bin/gsettings"): if not os.path.exists('/etc/dconf/db/local.d'): if not os.makedirs('/etc/dconf/db/local.d/'): success = False debug = "Unable to create the /etc/dconf/db/local.d/ directory" self.detailedresults += "Unable to create the /etc/dconf/db/local.d/ directory" self.logger.log(LogPriority.DEBUG, debug) else: createddir = True self.iditerator += 1 myid = iterate(self.iditerator, self.rulenumber) event = { "eventtype": "creation", "filepath": "/etc/dconf/db/local.d" } self.statechglogger.recordchgevent(myid, event) if os.path.exists('/etc/dconf/db/local.d'): created1, created2 = False, False self.logdispatch.log(LogPriority.DEBUG, [ 'ForceIdleLogout.__fixgnome3', 'Working GNOME with dconf' ]) try: seconds = self.timeoutci.getcurrvalue() * 60 except (TypeError): self.detailedresults += "FORCEIDLELOGOUTTIMEOUT value is " + \ "not valid!\n" self.rulesuccess = False return False if not os.path.exists(self.gnomesettingpath): if not createFile(self.gnomesettingpath, self.logger): success = False self.detailedresults += "Unable to create " + self.gnomesettingpath + " file\n" else: created1 = True if not createddir: self.iditerator += 1 myid = iterate(self.iditerator, self.rulenumber) event = { "eventtype": "creation", "filepath": self.gnomesettingpath } self.statechglogger.recordchgevent(myid, event) if os.path.exists(self.gnomesettingpath): gdirectives = { "org.gnome.settings-daemon.plugins.power": { "sleep-inactive-ac-type": "'logout'", 'sleep-inactive-ac-timeout': str(seconds) } } geditor = KVEditorStonix(self.statechglogger, self.logger, "tagconf", self.gnomesettingpath, self.gnomesettingpath + '.tmp', gdirectives, "present", "closedeq") geditor.report() if geditor.fixables: if geditor.fix(): self.iditerator += 1 myid = iterate(self.iditerator, self.rulenumber) geditor.setEventID(myid) if geditor.commit(): debug = self.gnomesettingpath + "'s contents have been " + \ "corrected\n" self.logger.log(LogPriority.DEBUG, debug) os.chown(self.gnomesettingpath, 0, 0) os.chmod(self.gnomesettingpath, 0o644) resetsecon(self.gnomesettingpath) else: debug = "kveditor commit not successful\n" self.logger.log(LogPriority.DEBUG, debug) self.detailedresults += self.gnomesettingpath + \ " properties could not be set\n" succeess = False else: debug = "kveditor fix not successful\n" self.logger.log(LogPriority.DEBUG, debug) self.detailedresults += self.gnomesettingpath + \ " properties could not be set\n" succeess = False if not checkPerms(self.gnomesettingpath, [0, 0, 0o644], self.logger): if not created1: self.iditerator += 1 myid = iterate(self.iditerator, self.rulenumber) if not setPerms(self.gnomesettingpath, [0, 0, 0o644], self.logger, self.statechglogger, myid): self.detailedresults += "Unable to set permissions on " + \ self.gnomesettingpath + " file\n" success = False else: if not setPerms(self.gnomesettingpath, [0, 0, 0o644], self.logger): self.detailedresults += "Unable to set permissions on " + \ self.gnomesettingpath + " file\n" success = False havetimeoutlock = False havelogoutlock = False lockdata = [] if not os.path.exists(self.gnomelockpath): if not createFile(self.gnomelockpath, self.logger): success = False self.detailedresults += "Unable to create " + self.gnomelockpath + " file\n" else: created2 = True if not createddir: self.iditerator += 1 myid = iterate(self.iditerator, self.rulenumber) event = { "eventtype": "creation", "filepath": self.gnomelockpath } self.statechglogger.recordchgevent(myid, event) if os.path.exists(self.gnomelockpath): contents = readFile(self.gnomelockpath, self.logger) for line in contents: if re.search( '/org/gnome/settings-daemon/plugins/power/sleep-inactive-ac-timeout', line): havetimeoutlock = True if re.search( "/org/gnome/settings-daemon/plugins/power/sleep-inactive-ac-type", line): havelogoutlock = True if not havetimeoutlock: lockdata.append( '/org/gnome/settings-daemon/plugins/power/sleep-inactive-ac-timeout\n' ) if not havelogoutlock: lockdata.append( "/org/gnome/settings-daemon/plugins/power/sleep-inactive-ac-type\n" ) tempfile = self.gnomelockpath + ".tmp" if writeFile(tempfile, lockdata, self.logger): self.iditerator += 1 myid = iterate(self.iditerator, self.rulenumber) event = { "eventtype": "conf", "filepath": self.gnomelockpath } self.statechglogger.recordchgevent(myid, event) self.statechglogger.recordfilechange( self.gnomelockpath, tempfile, myid) os.rename(tempfile, self.gnomelockpath) os.chown(self.gnomelockpath, 0, 0) os.chmod(self.gnomelockpath, 0o644) resetsecon(self.gnomelockpath) else: self.detailedresults += "Unable to write contents to " + \ self.gnomelockpath success = False if not checkPerms(self.gnomelockpath, [0, 0, 0o644], self.logger): if not created2: self.iditerator += 1 myid = iterate(self.iditerator, self.rulenumber) if not setPerms(self.gnomelockpath, [0, 0, 0o644], self.logger, self.statechglogger, myid): self.detailedresults += "Unable to set permissions on " + \ self.gnomelockpath + " file\n" success = False else: if not setPerms(self.gnomelockpath, [0, 0, 0o644], self.logger): self.detailedresults += "Unable to set permissions on " + \ self.gnomelockpath + " file\n" success = False if self.ph.check(self.gconf): self.logdispatch.log( LogPriority.DEBUG, ['ForceIdleLogout.__fixgnome3', 'Working GNOME with gconf']) undocmd = "" undoprefix = '/usr/bin/gconftool-2 --direct --config-source ' + \ 'xml:readwrite:/etc/gconf/gconf.xml.mandatory ' setprefix = '/usr/bin/gconftool-2 --direct --config-source ' + \ 'xml:readwrite:/etc/gconf/gconf.xml.mandatory --set ' settime = setprefix + \ '--type integer /desktop/gnome/session/max_idle_time ' + \ str(self.timeoutci.getcurrvalue()) setlogout = setprefix + \ '--type string /desktop/gnome/session/' + \ 'max_idle_action forced-logout' if self.timeoutwrong: self.cmdhelper.executeCommand(settime) retcode = self.cmdhelper.getReturnCode() if retcode != 0: errstr = self.cmdhelper.getErrorString() self.logger.log(LogPriority.DEBUG, errstr) self.detailedresults += 'Failed to configure idle time limit option.\n' success = False else: if self.undotimeout == "unset": undocmd = undoprefix + '--unset /desktop/gnome/session/max_idle_time' else: undocmd = setprefix + '--type integer /desktop/gnome/session/max_idle_time ' + \ self.undotimeout self.iditerator += 1 myid = iterate(self.iditerator, self.rulenumber) event = {"eventtype": "command", "command": undocmd} self.statechglogger.recordchgevent(myid, event) self.detailedresults += 'Maximum idle time limit configured successfully.\n' if self.logoutwrong: self.cmdhelper.executeCommand(setlogout) retcode = self.cmdhelper.getReturnCode() if retcode != 0: errstr = self.cmdhelper.getErrorString() self.logger.log(LogPriority.DEBUG, errstr) self.detailedresults += 'Failed to configure idle forced-logout option.\n' success = False else: if self.undoforcelogout == "unset": undocmd = undoprefix + '--unset /desktop/gnome/session/max_idle_action' else: undocmd = setprefix + '--type integer /desktop/gnome/session/max_idle_action ' + \ self.undoforcelogout self.iditerator += 1 myid = iterate(self.iditerator, self.rulenumber) event = {"eventtype": "command", "command": undocmd} self.statechglogger.recordchgevent(myid, event) self.detailedresults += 'Idle forced-logout option configured successfully.\n' return success
def fix(self): ''' ''' try: if not self.ci.getcurrvalue(): return self.detailedresults = "" success = True created = False self.iditerator = 0 eventlist = self.statechglogger.findrulechanges(self.rulenumber) for event in eventlist: self.statechglogger.deleteentry(event) if self.installed: if not os.path.exists(self.squidfile): if not createFile(self.squidfile, self.logger): success = False else: created = True self.iditerator += 1 myid = iterate(self.iditerator, self.rulenumber) event = {"eventtype": "creation", "filepath": self.squidfile} self.statechglogger.recordchgevent(myid, event) if not checkPerms(self.squidfile, [0, 0, 420], self.logger): if not created: self.iditerator += 1 myid = iterate(self.iditerator, self.rulenumber) if not setPerms(self.squidfile, [0, 0, 420], self.logger, self.statechglogger, myid): success = False else: if not setPerms(self.squidfile, [0, 0, 420], self.logger): success = False tempstring = "" contents = readFile(self.squidfile, self.logger) newcontents = [] if contents: '''Remove any undesired acl lines''' for line in contents: if re.match('^#', line) or re.match(r'^\s*$', line): newcontents.append(line) elif re.search("^acl Safe_ports port ", line.strip()): m = re.search("acl Safe_ports port ([0-9]+).*", line) if m.group(1): item = "acl Safe_ports port " + m.group(1) if item in self.denied: continue else: newcontents.append(line) else: newcontents.append(line) '''removeables list holds key vals we find in the file that we can remove from self.data''' removeables = [] '''deleteables list holds key vals we can delete from newcontents list if it's incorrect.''' deleteables = {} for key in self.data1: found = False for line in reversed(newcontents): if re.match('^#', line) or re.match(r'^\s*$', line): continue elif re.search("^" + key + " ", line) or re.search("^" + key, line): temp = line.strip() temp = re.sub("\s+", " ", temp) temp = temp.split(" ") if len(temp) >= 3: joinlist = [temp[1], temp[2]] joinstring = " ".join(joinlist) if self.data1[key] == joinstring: '''We already found this line and value No need for duplicates''' if found: newcontents.remove(line) continue removeables.append(key) found = True else: try: deleteables[line] = "" except Exception: continue continue elif len(temp) == 2: if self.data1[key] == temp[1]: '''We already found this line and value No need for duplicates''' if found: newcontents.remove(line) continue removeables.append(key) found = True else: try: deleteables[line] = "" except Exception: continue continue elif len(temp) == 1: try: deleteables[line] = "" except Exception: continue continue if deleteables: for item in deleteables: newcontents.remove(item) '''anything in removeables we found in the file so we will remove from the self.data1 dictionary''' if removeables: for item in removeables: del(self.data1[item]) '''now check if there is anything left over in self.data1 if there is we need to add that to newcontents list''' if self.data1: for item in self.data1: line = item + " " + self.data1[item] + "\n" newcontents.append(line) for line in newcontents: found = False if re.search("^http_access", line.strip()): temp = line.strip() temp = re.sub("\s+", " ", temp) temp = re.sub("http_access\s+", "", temp) if re.search("^deny to_localhost", temp): found = True break if not found: newcontents.append("http_access deny to_localhost\n") for item in newcontents: tempstring += item tmpfile = self.squidfile + ".tmp" if not writeFile(tmpfile, tempstring, self.logger): success = False else: if not created: self.iditerator += 1 myid = iterate(self.iditerator, self.rulenumber) event = {"eventtype": "conf", "filepath": self.squidfile} self.statechglogger.recordchgevent(myid, event) self.statechglogger.recordfilechange(self.squidfile, tmpfile, myid) os.rename(tmpfile, self.squidfile) os.chown(self.squidfile, 0, 0) os.chmod(self.squidfile, 420) resetsecon(self.squidfile) else: tempstring = "" for item in self.data1: tempstring += item + " " + self.data1[item] + "\n" for item in self.data2: tempstring += item + " " + self.data2[item] + "\n" tmpfile = self.squidfile + ".tmp" if not writeFile(tmpfile, tempstring, self.logger): success = False else: if not created: self.iditerator += 1 myid = iterate(self.iditerator, self.rulenumber) event = {"eventtype": "conf", "filepath": self.squidfile} self.statechglogger.recordchgevent(myid, event) self.statechglogger.recordfilechange(self.squidfile, tmpfile, myid) os.rename(tmpfile, self.squidfile) os.chown(self.squidfile, 0, 0) os.chmod(self.squidfile, 420) resetsecon(self.squidfile) self.rulesuccess = success except (KeyboardInterrupt, SystemExit): # User initiated exit raise except Exception as err: self.rulesuccess = False self.detailedresults = self.detailedresults + "\n" + str(err) + \ " - " + str(traceback.format_exc()) self.logdispatch.log(LogPriority.ERROR, self.detailedresults) self.formatDetailedResults("fix", self.rulesuccess, self.detailedresults) self.logdispatch.log(LogPriority.INFO, self.detailedresults) return self.rulesuccess
def fix(self): ''' ''' self.detailedresults = "" self.iditerator = 0 self.rulesuccess = True success = True consoleaccess = self.consoleCi.getcurrvalue() autofs = self.autofsCi.getcurrvalue() gnomeautomount = self.gnomeCi.getcurrvalue() mylist = [consoleaccess, autofs, gnomeautomount] try: # if none of the CIs are enabled, skip fix if not any(mylist): self.detailedresults += "\nNone of the CI's were enabled. Nothing was done." self.formatDetailedResults("fix", self.rulesuccess, self.detailedresults) self.logdispatch.log(LogPriority.INFO, self.detailedresults) return self.rulesuccess # clear event list data eventlist = self.statechglogger.findrulechanges(self.rulenumber) for event in eventlist: self.statechglogger.deleteentry(event) # if restrict console access CI is enabled, restrict console access if self.consoleCi.getcurrvalue(): if os.path.exists(self.sec_console_perms1): tmpfile = self.sec_console_perms1 + ".stonixtmp" defaultPerms = open(self.sec_console_perms1, "r").read() defaultPerms = re.sub("(<[x]?console>)", r"#\1", defaultPerms) if writeFile(tmpfile, defaultPerms, self.logger): self.iditerator += 1 myid = iterate(self.iditerator, self.rulenumber) event = {"eventtype": "conf", "filepath": self.sec_console_perms1} self.statechglogger.recordchgevent(myid, event) self.statechglogger.recordfilechange(self.sec_console_perms1, tmpfile, myid) os.rename(tmpfile, self.sec_console_perms1) resetsecon(self.sec_console_perms1) else: success = False self.detailedresults += "Problem writing new contents to " + \ "temporary file" if os.path.exists(self.sec_console_perms2): self.editor = KVEditorStonix(self.statechglogger, self.logger, "conf", self.sec_console_perms2, self.console_perms_temppath, self.data, "present", "closedeq") self.editor.report() if self.editor.fixables: if self.editor.fix(): self.iditerator += 1 myid = iterate(self.iditerator, self.rulenumber) self.editor.setEventID(myid) if self.editor.commit(): debug = self.sec_console_perms2 + "'s contents have been " \ + "corrected\n" self.logger.log(LogPriority.DEBUG, debug) resetsecon(self.sec_console_perms2) else: debug = "kveditor commit not successful\n" self.logger.log(LogPriority.DEBUG, debug) success = False self.detailedresults += self.sec_console_perms2 + \ " properties could not be set\n" else: debug = "kveditor fix not successful\n" self.logger.log(LogPriority.DEBUG, debug) success = False self.detailedresults += self.sec_console_perms2 + \ " properties could not be set\n" # if autofs CI is enabled, disable autofs if self.autofsCi.getcurrvalue(): if self.ph.check(self.autofspkg) and \ self.sh.auditService(self.autofssvc, _="_"): if self.sh.disableService(self.autofssvc, _="_"): debug = "autofs service successfully disabled\n" self.logger.log(LogPriority.DEBUG, debug) self.iditerator += 1 myid = iterate(self.iditerator, self.rulenumber) event = {"eventtype": "servicehelper", "servicename": self.autofssvc, "startstate": "enabled", "endstate": "disabled"} self.statechglogger.recordchgevent(myid, event) else: success = False debug = "Unable to disable autofs service\n" self.logger.log(LogPriority.DEBUG, debug) returnCode = 0 if self.gnomeCi.getcurrvalue(): if os.path.exists(self.gsettings): # gsettings requires a D-Bus session bus in order to make # any changes. This is because the dconf daemon must be # activated using D-Bus. if not os.path.exists(self.dbuslaunch): self.ph.install("dbus-x11") if os.path.exists(self.dbuslaunch): if not self.automountOff: cmd = [self.dbuslaunch, self.gsettings, "set", "org.gnome.desktop.media-handling", "automount", "false"] self.ch.executeCommand(cmd) returnCode = self.ch.getReturnCode() if not returnCode: self.iditerator += 1 myid = iterate(self.iditerator, self.rulenumber) event = {"eventtype": "comm", "command": ["dbus-launch", "gsettings", "set", "org.gnome.desktop.media-handling", "automount", "true"]} self.statechglogger.recordchgevent(myid, event) if not self.autorunNever: cmd = [self.dbuslaunch, "gsettings", "set", "org.gnome.desktop.media-handling", "autorun-never", "true"] self.ch.executeCommand(cmd) returnCode += self.ch.getReturnCode() if not self.ch.getReturnCode(): self.iditerator += 1 myid = iterate(self.iditerator, self.rulenumber) event = {"eventtype": "comm", "command": [self.dbuslaunch, self.gsettings, "set", "org.gnome.desktop.media-handling", "autorun-never", "false"]} self.statechglogger.recordchgevent(myid, event) else: success = False debug = "Unable to disable GNOME automounting: " + \ "dbus-x11 is not installed" self.logger.log(LogPriority.DEBUG, debug) if os.path.exists(self.gconftool): if self.automountMedia: cmd = [self.gconftool, "--direct", "--config-source", "xml:readwrite:/etc/gconf/gconf.xml.mandatory", "--type", "bool", "--set", "/desktop/gnome/volume_manager/automount_media", "false"] self.ch.executeCommand(cmd) returnCode = self.ch.getReturnCode() if not returnCode: self.iditerator += 1 myid = iterate(self.iditerator, self.rulenumber) event = {"eventtype": "comm", "command": [self.gconftool, "--direct", "--config-source", "xml:readwrite:" + "/etc/gconf/gconf.xml.mandatory", "--type", "bool", "--set", "/desktop/gnome/volume_manager/" + "automount_media", "true"]} self.statechglogger.recordchgevent(myid, event) if self.automountDrives: cmd = [self.gconftool, "--direct", "--config-source", "xml:readwrite:/etc/gconf/gconf.xml.mandatory", "--type", "bool", "--set", "/desktop/gnome/volume_manager/automount_drives", "false"] self.ch.executeCommand(cmd) returnCode += self.ch.getReturnCode() if not self.ch.getReturnCode(): self.iditerator += 1 myid = iterate(self.iditerator, self.rulenumber) event = {"eventtype": "comm", "command": [self.gconftool, "--direct", "--config-source", "xml:readwrite:" + "/etc/gconf/gconf.xml.mandatory", "--type", "bool", "--set", "/desktop/gnome/volume_manager/" + "automount_drives", "true"]} self.statechglogger.recordchgevent(myid, event) if returnCode: success = False self.detailedresults += "Fix failed to disable GNOME automounting\n" # reset these directories to be owned by their respective users dirs = '' if os.path.exists('/run/user'): dirs = os.listdir('/run/user') if dirs: for d in dirs: # check if the directory is an integer representing a uid if re.search('^([+-]?[1-9]\d*|0)$', d, re.IGNORECASE): self.logger.log(LogPriority.DEBUG, "Found UID directory") try: os.chown('/run/user/' + d + '/dconf/user', int(d), int(d)) except Exception as errmsg: self.logger.log(LogPriority.DEBUG, str(errmsg)) continue else: self.logger.log(LogPriority.DEBUG, "no directories in /run/user") self.rulesuccess = success except (KeyboardInterrupt, SystemExit): raise except Exception: self.rulesuccess = False self.detailedresults += "\n" + traceback.format_exc() self.logdispatch.log(LogPriority.ERROR, self.detailedresults) self.formatDetailedResults("fix", self.rulesuccess, self.detailedresults) self.logdispatch.log(LogPriority.INFO, self.detailedresults) return self.rulesuccess
def fix(self): try: if not self.ci.getcurrvalue(): return True config = "" if os.path.exists(self.path): config = readFile(self.path, self.logger) tmpconfig = self.path + ".tmp" config2 = [] configstring = "" if config: for line in config: splitline = line.split() if len(splitline) >= 1: if search("^\*timeout:", splitline[0]): continue elif search("^\*lockTimeout:", splitline[0]): continue elif search("^\*grabDesktopImages:", splitline[0]): continue elif search("^\*chooseRandomImages:", splitline[0]): continue elif search("^\*lock:", line): continue elif len(splitline) == 1 and splitline[0] not in \ self.badsavers: config2.append(line) elif len(splitline) == 2 and splitline[0] not in \ self.badsavers and splitline[1] not in self.badsavers: config2.append(line) elif len(splitline) > 2 and splitline[0] not in \ self.badsavers and splitline[1] not in \ self.badsavers and splitline[2] not in \ self.badsavers: config2.append(line) else: config2.append(line) else: config2.append(line) for line in config2: configstring += line configstring += "timeout: 0:10:00\nlockTimeout: 0:05:00\n\ grabDesktopImages: False\nchooseRandomImages: True\n\ lock: True\n" if writeFile(tmpconfig, configstring, self.logger): os.rename(tmpconfig, self.path) os.chown(self.path, 0, 0) os.chmod(self.path, 420) resetsecon(self.path) else: self.rulesuccess = False for saver in self.badsavers: for k, v in list(self.paths.items()): try: if os.path.exists(k + saver): os.remove(k + saver) elif os.path.exists(k + saver + v): os.remove(k + saver + v) except (OSError): self.detailedresults += "The following file had " + \ "issues being removed:" + saver + "\n" self.rulesuccess = False for saver in self.badkss: try: if os.path.exists("/usr/bin/" + saver): os.remove("/usr/bin/" + saver) except (OSError): self.detailedresults += "The following file had " + \ "issues being removed" + saver + "\n" self.rulesuccess = False except (KeyboardInterrupt, SystemExit): # User initiated exit raise except Exception: self.rulesuccess = False self.detailedresults += "\n" + traceback.format_exc() self.logdispatch.log(LogPriority.ERROR, self.detailedresults) self.formatDetailedResults("fix", self.rulesuccess, self.detailedresults) self.logdispatch.log(LogPriority.INFO, self.detailedresults) return self.rulesuccess
def fixLogin(self): success = True tempstring = "" debug = "" if not os.path.exists(self.loginfile): self.detailedresults = self.loginfile + "does not exist. \ Will not perform fix on useradd file\n" return False if not checkPerms(self.loginfile, [0, 0, 0o644], self.logger): self.iditerator += 1 myid = iterate(self.iditerator, self.rulenumber) if not setPerms(self.loginfile, [0, 0, 0o644], self.logger, self.statechglogger, myid): success = False contents = readFile(self.loginfile, self.logger) iterator1 = 0 for line in contents: if re.search("^#", line) or re.match('^\s*$', line): iterator1 += 1 elif re.search('^default:\\\\$', line.strip()): contents1 = contents[:iterator1 + 1] temp = contents[iterator1 + 1:] length2 = len(temp) - 1 iterator2 = 0 for line2 in temp: if re.search('^[^:][^:]*:\\\\$', line2): contents3 = temp[iterator2:] contents2 = temp[:iterator2] break elif iterator2 < length2: iterator2 += 1 elif iterator2 == length2: contents2 = temp[:iterator2] break else: iterator1 += 1 if contents2: for key in self.Fspecs: iterator = 0 found = False for line in contents2: if re.search("^#", line) or re.match('^\s*$', line): iterator += 1 continue elif re.search('^:' + key, line.strip()): if re.search('=', line): temp = line.split('=') if re.search(str(self.Fspecs[key]) + '(:\\\\|:|\\\\|\s)', temp[1]): iterator += 1 found = True else: contents2.pop(iterator) else: iterator += 1 if not found: contents2.append('\t' + key + '=' + str(self.Fspecs[key]) + ':\\\\\n') final = [] for line in contents1: final.append(line) for line in contents2: final.append(line) for line in contents3: final.append(line) for line in final: tempstring += line debug += "tempstring to be written to: " + self.loginfile + "\n" self.logger.log(LogPriority.DEBUG, debug) tmpfile = self.loginfile + ".tmp" if writeFile(tmpfile, tempstring, self.logger): self.iditerator += 1 myid = iterate(self.iditerator, self.rulenumber) event = {'eventtype': 'conf', 'filepath': self.loginfile} self.statechglogger.recordchgevent(myid, event) self.statechglogger.recordfilechange(self.loginfile, tmpfile, myid) shutil.move(tmpfile, self.loginfile) os.chown(self.loginfile, 0, 0) os.chmod(self.loginfile, 0o644) resetsecon(self.loginfile) else: success = False return success
def fixLinux(self): ''' @change: dkennel removed extraneous arg from setperms call on 864 ''' universal = "#The following lines were added by stonix\n" debug = "" success = True ifacefile = "" netwrkfile = "" sysctl = "/etc/sysctl.conf" blacklistfile = "/etc/modprobe.d/stonix-blacklist.conf" # STIG portion, correct netconfig file if self.ph.manager == "apt-get": nfspkg = "nfs-common" else: nfspkg = "nfs-utils.x86_64" # if package not installed, no need to configure it if self.ph.check(nfspkg): if os.path.exists("/etc/netconfig"): filestring = "" # we want to make sure the following two lines don't # appear in the netconfig file item1 = "udp6 tpi_clts v inet6 udp - -" item2 = "tcp6 tpi_cots_ord v inet6 tcp - -" contents = readFile("/etc/netconfig", self.logger) for line in contents: templine = re.sub("\s+", " ", line.strip()) # if we find the lines, skip them thus leaving them out of # of the rewrite if re.search(item1, templine) or re.search( item2, templine): continue else: filestring += line tmpfile = "/etc/netconfig.tmp" if not writeFile(tmpfile, filestring, self.logger): success = False else: # record event, rename file, set perms self.iditerator += 1 myid = iterate(self.iditerator, self.rulenumber) event = {"eventtype": "conf", "filepath": "/etc/netconfig"} self.statechglogger.recordchgevent(myid, event) self.statechglogger.recordfilechange( "/etc/netconfig", tmpfile, myid) os.rename(tmpfile, "/etc/netconfig") os.chown("/etc/netconfig", 0, 0) os.chmod("/etc/netconfig", 420) resetsecon("/etc/netconfig") # remove any ipv6 addresses from /etc/hosts file if os.path.exists("/etc/hosts"): contents = readFile("/etc/hosts", self.logger) tempstring = "" tmpfile = "/etc/hosts.tmp" for line in contents: if re.search("^#", line) or re.match("^\s*$", line): tempstring += line continue elif re.search(":", line): tempstring += "#" + line else: tempstring += line if writeFile(tmpfile, tempstring, self.logger): self.iditerator += 1 myid = iterate(self.iditerator, self.rulenumber) event = {"eventtype": "conf", "filepath": "/etc/hosts"} self.statechglogger.recordchgevent(myid, event) self.statechglogger.recordfilechange("/etc/hosts", tmpfile, myid) os.rename(tmpfile, "/etc/hosts") os.chown("/etc/hosts", 0, 0) os.chmod("/etc/hosts", 420) resetsecon("/etc/hosts") else: success = False debug = "Unable to write to file /etc/hosts\n" self.logger.log(LogPriority.DEBUG, debug) # fix sysctl / tuning kernel parameters # manually write key value pairs to /etc/sysctl.conf created = False if not os.path.exists(sysctl): if createFile(sysctl, self.logger): created = True setPerms(sysctl, [0, 0, 0o644], self.logger) self.iditerator += 1 myid = iterate(self.iditerator, self.rulenumber) event = {"eventtype": "creation", "filepath": sysctl} self.statechglogger.recordchgevent(myid, event) else: success = False debug = "Unable to create " + sysctl + "\n" self.logger.log(LogPriority.DEBUG, debug) if os.path.exists(sysctl): if not checkPerms(sysctl, [0, 0, 0o644], self.logger): if not created: self.iditerator += 1 myid = iterate(self.iditerator, self.rulenumber) if not setPerms(sysctl, [0, 0, 0o644], self.logger, self.statechglogger, myid): success = False tmpfile = sysctl + ".tmp" self.editor1 = KVEditorStonix(self.statechglogger, self.logger, "conf", sysctl, tmpfile, self.sysctls, "present", "openeq") if not self.editor1.report(): if self.editor1.fixables: # If we did not create the file, set an event ID for the # KVEditor's undo event if not created: self.iditerator += 1 myid = iterate(self.iditerator, self.rulenumber) self.editor1.setEventID(myid) if not self.editor1.fix(): success = False debug = "Unable to complete kveditor fix method" + \ "for /etc/sysctl.conf file\n" self.logger.log(LogPriority.DEBUG, debug) elif not self.editor1.commit(): success = False debug = "Unable to complete kveditor commit " + \ "method for /etc/sysctl.conf file\n" self.logger.log(LogPriority.DEBUG, debug) if not checkPerms(sysctl, [0, 0, 0o644], self.logger): if not setPerms(self.path, [0, 0, 0o644], self.logger): self.detailedresults += "Could not set permissions on " + \ self.path + "\n" success = False resetsecon(sysctl) # here we also check the output of the sysctl command for each key # to cover all bases for key in self.sysctls: if self.ch.executeCommand("/sbin/sysctl " + key): output = self.ch.getOutputString().strip() errmsg = output + self.ch.getErrorString() if re.search("unknown key", errmsg): continue if not re.search(self.sysctls[key] + "$", output): undovalue = output[-1] self.ch.executeCommand("/sbin/sysctl -q -e -w " + key + "=" + self.sysctls[key]) retcode = self.ch.getReturnCode() if retcode != 0: success = False self.detailedresults += "Failed to set " + key + " = " + self.sysctls[ key] + "\n" errmsg = self.ch.getErrorString() self.logger.log(LogPriority.DEBUG, errmsg) else: self.iditerator += 1 myid = iterate(self.iditerator, self.rulenumber) command = "/sbin/sysctl -q -e -w " + key + "=" + undovalue event = { "eventtype": "commandstring", "command": command } self.statechglogger.recordchgevent(myid, event) else: self.detailedresults += "Unable to get value for " + key + "\n" success = False # at the end do a print and ignore any key errors to ensure # the new values are read into the kernel self.ch.executeCommand("/sbin/sysctl -q -e -p") retcode2 = self.ch.getReturnCode() if retcode2 != 0: success = False self.detailedresults += "Failed to load new sysctl configuration from config file\n" errmsg2 = self.ch.getErrorString() self.logger.log(LogPriority.DEBUG, errmsg2) # We never found the correct contents in any of the modprobe.d files # so we're going to created the stonix-blacklist file # this file is used in other rules if not self.modprobeOK: created = False tmpfile = blacklistfile + ".tmp" modprobekveditor = KVEditorStonix(self.statechglogger, self.logger, "conf", blacklistfile, tmpfile, self.modprobes, "notpresent", "space") if not os.path.exists(blacklistfile): # create the file and record the event as file creation if createFile(blacklistfile, self.logger): created = True self.iditerator += 1 myid = iterate(self.iditerator, self.rulenumber) event = { "eventtype": "creation", "filepath": blacklistfile } self.statechglogger.recordchgevent(myid, event) if os.path.exists(blacklistfile): if not modprobekveditor.report(): if not modprobekveditor.fix(): success = False self.detailedresults += "Unable to correct contents in " + \ blacklistfile + "\n" else: # if the file was created, then we already recorded an event # for that, so this step would get skipped if not created: self.iditerator += 1 myid = iterate(self.iditerator, self.rulenumber) modprobekveditor.setEventID(myid) if not modprobekveditor.commit(): success = False self.detailedresults += "Unable to correct contents in " + \ blacklistfile + "\n" # fix ifcfg (interface) files if self.ph.manager == "yum": ifacefile = "/etc/sysconfig/network-scripts/" netwrkfile = "/etc/sysconfig/network" elif self.ph.manager == "zypper": ifacefile = "/etc/sysconfig/network/" if ifacefile: if os.path.exists(ifacefile): dirs = glob.glob(ifacefile + "*") if dirs: for loc in dirs: interface = {"IPV6INIT": "no", "NETWORKING_IPV6": "no"} interface2 = { "IPV6INIT": "no", "NETWORKING_IPV6": "no" } found = False tempstring = "" if re.search('^' + ifacefile + 'ifcfg', loc): filename = loc tmpfile = filename + ".tmp" contents = readFile(filename, self.logger) if not checkPerms(filename, [0, 0, 420], self.logger): self.iditerator += 1 myid = iterate(self.iditerator, self.rulenumber) if not setPerms(filename, [0, 0, 420], self.logger, self.statechglogger, myid): debug = "Unable to set permissions on " + \ filename + "\n" self.logger.log(LogPriority.DEBUG, debug) success = False for key in interface: found = False for line in contents: if re.search("^#", line) or \ re.match("^\s*$", line): continue if re.search("^" + key, line): if re.search("=", line): temp = line.split("=") if temp[1].strip( ) == interface[key]: if found: continue found = True else: contents.remove(line) if found: del interface2[key] for line in contents: tempstring += line tempstring += universal for key in interface2: tempstring += key + "=" + interface2[key] + \ "\n" if not writeFile(tmpfile, tempstring, self.logger): success = False debug = "Unable to write to file " + loc + "\n" self.logger.log(LogPriority.DEBUG, debug) self.iditerator += 1 myid = iterate(self.iditerator, self.rulenumber) event = {'eventtype': 'conf', 'filepath': filename} self.statechglogger.recordchgevent(myid, event) self.statechglogger.recordfilechange( filename, tmpfile, myid) os.rename(tmpfile, filename) os.chown(filename, 0, 0) os.chmod(filename, 420) resetsecon(filename) elif not os.path.exists(ifacefile) and ifacefile != "": # will not attempt to create the interface files debug = "interface directory which holds interface \ files, doesn't exist, stonix will not attempt to make this \ directory or the files contained therein" success = False self.logger.log(LogPriority.DEBUG, debug) # fix network file if it exists if netwrkfile: if not os.path.exists(netwrkfile): if not createFile(netwrkfile, self.logger): debug = "Unable to create " + netwrkfile + "file\n" self.logger.log(LogPriority.DEBUG, debug) success = False else: if not checkPerms(netwrkfile, [0, 0, 420], self.logger): self.iditerator += 1 myid = iterate(self.iditerator, self.rulenumber) if not setPerms(netwrkfile, [0, 0, 420], self.logger, self.statechglogger, myid): debug = "Unable to set permissions on " + \ netwrkfile + "\n" self.logger.log(LogPriority.DEBUG, debug) success = False tmpfile = netwrkfile + ".tmp" self.editor2 = KVEditorStonix(self.statechglogger, self.logger, "conf", netwrkfile, tmpfile, self.interface, "present", "closedeq") if not self.editor2.report(): self.detailedresults += netwrkfile + " doesn't contain \ the correct contents\n" if self.editor2: if self.editor2.fixables: self.iditerator += 1 myid = iterate(self.iditerator, self.rulenumber) self.editor2.setEventID(myid) if not self.editor2.fix(): success = False debug = "Unable to complete kveditor fix method" + \ "for " + netwrkfile + "\n" self.logger.log(LogPriority.DEBUG, debug) elif not self.editor2.commit(): success = False debug = "Unable to complete kveditor commit " + \ "method for " + netwrkfile + "\n" self.logger.log(LogPriority.DEBUG, debug) os.chown(netwrkfile, 0, 0) os.chmod(netwrkfile, 420) resetsecon(netwrkfile) # fix sshd_config file for apt-get systems if ssh is installed if self.ph.manager == "apt-get": if not os.path.exists("/etc/ssh/sshd_config"): msg = "/etc/ssh/ssd_config doesn\'t exist. This could mean ssh \ is not installed or the file has been inadvertantly deleted. Due to the \ complexity of this file stonix will not attempt to create this file" self.logger.log(LogPriority.DEBUG, msg) success = False else: if not checkPerms("/etc/ssh/sshd_config", [0, 0, 420], self.logger): self.iditerator += 1 myid = iterate(self.iditerator, self.rulenumber) if not setPerms("/etc/ssh/sshd_config", [0, 0, 420], self.logger, self.statechglogger, myid): success = False debug = "Unable to set permissions on " + \ "/etc/ssh/sshd_config\n" self.logger.log(LogPriority.DEBUG, debug) if self.editor3: if self.editor3.fixables: self.iditerator += 1 myid = iterate(self.iditerator, self.rulenumber) self.editor3.setEventID(myid) if not self.editor3.fix(): success = False debug = "Unable to complete kveditor fix method" + \ "for /etc/ssh/sshd_config file\n" self.logger.log(LogPriority.DEBUG, debug) elif not self.editor3.commit(): success = False debug = "Unable to complete kveditor commit " + \ "method for /etc/ssh/sshd_config file\n" self.logger.log(LogPriority.DEBUG, debug) os.chown("/etc/ssh/sshd_config", 0, 0) os.chmod("/etc/ssh/sshd_config", 420) resetsecon("/etc/ssh/sshd_config") return success
def fixDebianSys(self): """ :return: success :rtype: bool """ success = True if not checkPerms(self.tftpFile, [0, 0, 420], self.logger): self.iditerator += 1 myid = iterate(self.iditerator, self.rulenumber) if not setPerms(self.tftpFile, [0, 0, 420], self.logger, self.statechglogger, myid): self.detailedresults += "Unable to set " + \ "permissions on " + self.tftpFile + "\n" success = False contents = readFile(self.tftpFile, self.logger) found1 = False found2 = False tempstring = "" for line in contents: if re.search("TFTP_OPTIONS", line): if found1: continue if re.search("=", line): tmp = line.strip() tmp = tmp.split("=") try: #remove beginning and ending spaces of the part #after = if necessary opts = tmp[1].strip() #opts = "\" sdfads \"" #replace actual quotes with nothing opts = re.sub("\"", "", opts) #opts = " sdfads " #once again replace any whitespace with just one space opts = re.sub("/s+", " ", opts.strip()) #split by single whitespace opts = opts.split(" ") if "--secure" not in opts: continue else: tempstring += line found1 = True except IndexError: continue else: continue elif re.search("TFTP_DIRECTORY", line): if found2: continue if re.search("=", line): tmp = line.strip() tmp = tmp.split("=") try: opts = tmp[1].strip() opts = re.sub("\"", "", opts) if not re.search("^/var/lib/tftpboot$", opts): continue else: tempstring += line found2 = True except IndexError: continue else: tempstring += line if not found1: tempstring += "TFTP_OPTIONS=\"--secure\"\n" if not found2: tempstring += "TFTP_DIRECTORY=\"/var/lib/tftpboot\"\n" tmpfile = self.tftpFile + ".tmp" if writeFile(tmpfile, tempstring, self.logger): self.iditerator += 1 myid = iterate(self.iditerator, self.rulenumber) event = {"eventtype": "conf", "filepath": self.tftpFile} self.statechglogger.recordchgevent(myid, event) self.statechglogger.recordfilechange(self.tftpFile, tmpfile, myid) os.rename(tmpfile, self.tftpFile) os.chown(self.tftpFile, 0, 0) os.chmod(self.tftpFile, 420) resetsecon(self.tftpFile) else: self.detailedresults += "Unable to write new contents " + \ "to " + self.tftpFile + " file.\n" success = False return success
def fixBootMode(self): success = True if self.initver == "systemd": cmd = ["/bin/systemctl", "set-default", "multi-user.target"] if not self.ch.executeCommand(cmd): success = False self.detailedresults += '"systemctl set-default ' \ + 'multi-user.target" did not succeed\n' else: self.iditerator += 1 myid = iterate(self.iditerator, self.rulenumber) commandstring = "/bin/systemctl set-default " + \ "graphical.target" event = {"eventtype": "commandstring", "command": commandstring} self.statechglogger.recordchgevent(myid, event) elif self.initver == "debian": dmlist = ["gdm", "gdm3", "lightdm", "xdm", "kdm"] for dm in dmlist: cmd = ["update-rc.d", "-f", dm, "disable"] if not self.ch.executeCommand(cmd): self.detailedresults += "Failed to disable desktop " + \ "manager " + dm else: self.iditerator += 1 myid = iterate(self.iditerator, self.rulenumber) event = {"eventtype": "servicehelper", "servicename": dm, "startstate": "enabled", "endstate": "disabled"} self.statechglogger.recordchgevent(myid, event) elif self.initver == "ubuntu": ldmover = "/etc/init/lightdm.override" tmpfile = ldmover + ".tmp" created = False if not os.path.exists(ldmover): createFile(ldmover, self.logger) self.iditerator += 1 myid = iterate(self.iditerator, self.rulenumber) event = {"eventtype": "creation", "filepath": ldmover} self.statechglogger.recordchgevent(myid, event) created = True writeFile(tmpfile, "manual\n", self.logger) if not created: self.iditerator += 1 myid = iterate(self.iditerator, self.rulenumber) event = {"eventtype": "conf", "filepath": ldmover} self.statechglogger.recordchgevent(myid, event) self.statechglogger.recordfilechange(ldmover, tmpfile, myid) os.rename(tmpfile, ldmover) resetsecon(ldmover) grub = "/etc/default/grub" if not os.path.exists(grub): createFile(grub, self.logger) self.iditerator += 1 myid = iterate(self.iditerator, self.rulenumber) event = {"eventtype": "creation", "filepath": grub} self.statechglogger.recordchgevent(myid, event) tmppath = grub + ".tmp" data = {"GRUB_CMDLINE_LINUX_DEFAULT": '"quiet"'} editor = KVEditorStonix(self.statechglogger, self.logger, "conf", grub, tmppath, data, "present", "closedeq") editor.report() if editor.fixables: if editor.fix(): self.iditerator += 1 myid = iterate(self.iditerator, self.rulenumber) editor.setEventID(myid) debug = "kveditor fix ran successfully\n" self.logger.log(LogPriority.DEBUG, debug) if editor.commit(): debug = "kveditor commit ran successfully\n" self.logger.log(LogPriority.DEBUG, debug) else: error = "kveditor commit did not run " + \ "successfully\n" self.logger.log(LogPriority.ERROR, error) success = False else: error = "kveditor fix did not run successfully\n" self.logger.log(LogPriority.ERROR, error) success = False cmd = "update-grub" self.ch.executeCommand(cmd) else: inittab = "/etc/inittab" tmpfile = inittab + ".tmp" if os.path.exists(inittab): initText = open(inittab, "r").read() initre = r"id:\d:initdefault:" if re.search(initre, initText): initText = re.sub(initre, "id:3:initdefault:", initText) writeFile(tmpfile, initText, self.logger) self.iditerator += 1 myid = iterate(self.iditerator, self.rulenumber) event = {"eventtype": "conf", "filepath": inittab} self.statechglogger.recordchgevent(myid, event) self.statechglogger.recordfilechange(inittab, tmpfile, myid) os.rename(tmpfile, inittab) resetsecon(inittab) else: initText += "\nid:3:initdefault:\n" writeFile(tmpfile, initText, self.logger) self.iditerator += 1 myid = iterate(self.iditerator, self.rulenumber) event = {"eventtype": "conf", "filepath": inittab} self.statechglogger.recordchgevent(myid, event) self.statechglogger.recordfilechange(inittab, tmpfile, myid) os.rename(tmpfile, inittab) resetsecon(inittab) else: self.detailedresults += inittab + " not found, no other " + \ "init system found. If you are using a supported " + \ "Linux OS, please report this as a bug\n" return success
def setpasswordsetup(self, regex1, pkglist = None): """ configure password requirements in pam, install necessary packages :param regex1: string; regular expression :param pkglist: list; string names of packages to install :return: success :rtype: bool """ regex2 = "^password[ \t]+sufficient[ \t]+pam_unix.so sha512 shadow " + \ "try_first_pass use_authtok remember=10" success = True pamfiles = [] installed = False if pkglist: for pkg in pkglist: if self.ph.check(pkg): installed = True break else: installed = True if not installed: for pkg in pkglist: if self.ph.checkAvailable(pkg): if not self.ph.install(pkg): self.detailedresults += "Unable to install pkg " + pkg + "\n" return False else: installed = True if self.usingpwquality: self.iditerator += 1 myid = iterate(self.iditerator, self.rulenumber) comm = self.ph.getRemove() + pkg event = {"eventtype": "commandstring", "command": comm} self.statechglogger.recordchgevent(myid, event) pwqfile = "/etc/security/pwquality.conf" tmpfile = pwqfile + ".stonixtmp" if self.environ.getsystemfismacat() == "high": data = {"difok": "7", "minlen": "14", "dcredit": "0", "ucredit": "0", "lcredit": "0", "ocredit": "0", "maxrepeat": "3", "minclass": "4"} else: data = {"difok": "7", "minlen": "8", "dcredit": "0", "ucredit": "0", "lcredit": "0", "ocredit": "0", "maxrepeat": "3", "minclass": "3"} self.pwqeditor = KVEditorStonix(self.statechglogger, self.logger, "conf", pwqfile, tmpfile, data, "present", "openeq") self.pwqeditor.report() break if not installed: self.detailedresults += "No password checking program available\n" return False if self.usingpwquality: if not self.setpwquality(): success = False if self.ph.manager in ("yum", "dnf"): writecontents = self.auth + "\n" + self.acct + "\n" + \ self.password + "\n" + self.session pamfiles.append(self.pamauthfile) pamfiles.append(self.pampassfile) else: writecontents = self.password pamfiles.append(self.pampassfile) for pamfile in pamfiles: if not os.path.exists(pamfile): self.detailedresults += pamfile + " doesn't exist.\n" + \ "Stonix will not attempt to create this file " + \ "and the fix for the this rule will not continue\n" return False # """Check permissions on pam file(s)""" for pamfile in pamfiles: if not checkPerms(pamfile, [0, 0, 0o644], self.logger): self.iditerator += 1 myid = iterate(self.iditerator, self.rulenumber) if not setPerms(pamfile, [0, 0, 0o644], self.logger, self.statechglogger, myid): success = False self.detailedresults += "Unable to set correct permissions on " + pamfile + "\n" contents = readFile(pamfile, self.logger) found1, found2 = False, False for line in contents: if re.search(regex1, line.strip()): found1 = True if re.search(regex2, line.strip()): found2 = True if not found1 or not found2: tmpfile = pamfile + ".stonixtmp" if writeFile(tmpfile, writecontents, self.logger): self.iditerator += 1 myid = iterate(self.iditerator, self.rulenumber) event = {'eventtype': 'conf', 'filepath': pamfile} self.statechglogger.recordchgevent(myid, event) self.statechglogger.recordfilechange(pamfile, tmpfile, myid) os.rename(tmpfile, pamfile) os.chown(pamfile, 0, 0) os.chmod(pamfile, 0o644) resetsecon(pamfile) else: self.detailedresults += "Unable to write to " + pamfile + "\n" success = False return success
def fix(self): '''Enable the firewall services and establish basic rules if needed. @author: D. Kennel ''' try: if not self.clfci.getcurrvalue(): return self.iditerator = 0 self.detailedresults = "" success = True # delete past state change records from previous fix eventlist = self.statechglogger.findrulechanges(self.rulenumber) for event in eventlist: self.statechglogger.deleteentry(event) #firewall-cmd portion if self.checkFirewalld(): if self.servicehelper.enableService('firewalld.service', serviceTarget=self.serviceTarget): self.iditerator += 1 myid = iterate(self.iditerator, self.rulenumber) cmd = "/usr/bin/systemctl disable firewalld.service" event = {"eventtype": "commandstring", "command": cmd} self.statechglogger.recordchgevent(myid, event) self.detailedresults += "Firewall configured.\n " else: success = False self.detailedresults += "Unable to enable firewall\n" debug = "Unable to enable firewall\n" self.logger.log(LogPriority.DEBUG, debug) #ufw command portion elif self.checkUFW(): self.logger.log(LogPriority.DEBUG, "System uses ufw. Running ufw commands...") cmdufw = '/usr/sbin/ufw status' if not self.cmdhelper.executeCommand(cmdufw): self.detailedresults += "Unable to run " + \ "ufw status command\n" success = False else: outputufw = self.cmdhelper.getOutputString() if re.search('Status: inactive', outputufw): ufwcmd = '/usr/sbin/ufw --force enable' if not self.cmdhelper.executeCommand(ufwcmd): self.detailedresults += "Unable to run " + \ "ufw enable command\n" success = False else: self.iditerator += 1 myid = iterate(self.iditerator, self.rulenumber) undocmd = "/usr/sbin/ufw --force disable" event = {"eventtype": "commandstring", "command": undocmd} self.statechglogger.recordchgevent(myid, event) cmdufw = "/usr/sbin/ufw status verbose" if not self.cmdhelper.executeCommand(cmdufw): self.detailedresults += "Unable to retrieve firewall rules\n" success = False else: outputfw = self.cmdhelper.getOutputString() if not re.search("Default\:\ deny\ \(incoming\)", outputfw): ufwcmd = "/usr/sbin/ufw default deny incoming" if not self.cmdhelper.executeCommand(ufwcmd): self.detailedresults += "Unable to set default " + \ "rule for incoming unspecified packets\n" success = False else: self.iditerator += 1 myid = iterate(self.iditerator, self.rulenumber) undocmd = "/usr/sbin/ufw default allow incoming" event = {"eventtype": "commandstring", "command": undocmd} self.statechglogger.recordchgevent(myid, event) elif re.search('Status: active', outputufw): cmdufw = "/usr/sbin/ufw status verbose" if not self.cmdhelper.executeCommand(cmdufw): self.detailedresults += "Cannot retrieve firewall rules\n" success = False else: outputufw = self.cmdhelper.getOutputString() if not re.search("Default\:\ deny\ \(incoming\)", outputufw): ufwcmd = "/usr/sbin/ufw default deny incoming" if not self.cmdhelper.executeCommand(ufwcmd): self.detailedresults += "Unable to set default " + \ "rule for incoming unspecified packets\n" success = False else: self.iditerator += 1 myid = iterate(self.iditerator, self.rulenumber) undocmd = "/usr/sbin/ufw default allow incoming" event = {"eventtype": "commandstring", "command": undocmd} self.statechglogger.recordchgevent(myid, event) else: #following portion is mainly for debian and opensuse systems only if os.path.exists("/etc/network/if-pre-up.d"): self.iptScriptPath = "/etc/network/if-pre-up.d/iptables" self.scriptType = "debian" servicename = "networking" elif os.path.exists("/etc/sysconfig/scripts"): self.iptScriptPath = "/etc/sysconfig/scripts/SuSEfirewall2-custom" self.scriptType = "suse" servicename = "network" #this script will ensure that iptables gets configured #each time the network restarts iptables = self.getScriptValues("iptables") ip6tables = self.getScriptValues("ip6tables") iptScript = "" created = False if self.iptScriptPath: if self.scriptType == "debian": if self.iprestore and self.ip6restore: iptScript = '#!/bin/bash\n' + self.iprestore + \ ' <<< "' + iptables + '"\n' + self.ip6restore + \ ' <<< "' + ip6tables + '"' else: iptScript = self.getScriptValues("iptscript") if iptScript: if not os.path.exists(self.iptScriptPath): if not createFile(self.iptScriptPath, self.logger): success = False self.detailedresults += "Unable to create file " + self.iptScriptPath + "\n" else: created = True self.iditerator += 1 myid = iterate(self.iditerator, self.rulenumber) event = {"eventtype": "creation", "filepath": self.iptScriptPath} self.statechglogger.recordchgevent(myid, event) if os.path.exists(self.iptScriptPath): if not checkPerms(self.iptScriptPath, [0, 0, 0o755], self.logger): if not created: self.iditerator += 1 myid = iterate(self.iditerator, self.rulenumber) if not setPerms(self.iptScriptPath, [0, 0, 0o755], self.logger, self.statechglogger, myid): success = False self.detailedresults += "Unable to set permissions on " + self.iptScriptPath + "\n" contents = readFile(self.iptScriptPath, self.logger) if contents != iptScript: tempfile = self.iptScriptPath + ".tmp" if not writeFile(tempfile, iptScript, self.logger): success = False self.detailedresults += "Unable to write contents to " + self.iptScriptPath + "\n" else: if not created: self.iditerator += 1 myid = iterate(self.iditerator, self.rulenumber) event = {"eventtype": "conf", "filepath": self.iptScriptPath} self.statechglogger.recordchgevent(myid, event) self.statechglogger.recordfilechange(self.iptScriptPath, tempfile, myid) os.rename(tempfile, self.iptScriptPath) os.chown(self.iptScriptPath, 0, 0) os.chmod(self.iptScriptPath, 0o755) resetsecon(self.iptScriptPath) stonixfilepath = "/var/db/stonix/" savecmd = "/sbin/iptables-save > " + stonixfilepath + "user-firewall-pre-stonix" if not self.cmdhelper.executeCommand(savecmd): success = False self.detailedresults += "Unable to save current ipv4 " + \ "firewall rules for revert\n" debug = "Unable to save current ipv4 " + \ "firewall rules for revert\n" self.logger.log(LogPriority.DEBUG, debug) save6cmd = "/sbin/ip6tables-save > " + stonixfilepath + "user-firewall6-pre-stonix" if not self.cmdhelper.executeCommand(save6cmd): success = False self.detailedresults += "Unable to save current ipv6 " + \ "firewall rules for revert\n" debug = "Unable to save current ipv6 " + \ "firewall rules for revert\n" self.logger.log(LogPriority.DEBUG, debug) self.servicehelper.stopService(servicename) if not self.servicehelper.startService(servicename): success = False self.detailedresults += "Unable to restart networking\n" debug = "Unable to restart networking\n" self.logger.log(LogPriority.DEBUG, debug) else: self.iditerator += 1 myid = iterate(self.iditerator, self.rulenumber) cmd = "/sbin/iptables-restore < " + stonixfilepath + "user-firewall-pre-stonix" event = {"eventtype": "commandstring", "command": cmd} self.statechglogger.recordchgevent(myid, event) self.iditerator += 1 myid = iterate(self.iditerator, self.rulenumber) cmd = "/sbin/ip6tables-restore < " + stonixfilepath + "user-firewall6-pre-stonix" event = {"eventtype": "commandstring", "command": cmd} self.statechglogger.recordchgevent(myid, event) else: success = False self.detailedresults += "There is no iptables startup script\n" debug = "There is no iptables startup script\n" self.logger.log(LogPriority.DEBUG, debug) #this portion mostly applies to RHEL6 and Centos6 if os.path.exists('/usr/bin/system-config-firewall') or \ os.path.exists('/usr/bin/system-config-firewall-tui'): systemconfigfirewall = self.getScriptValues("systemconfigfirewall") sysconfigiptables = self.getScriptValues("sysconfigiptables") sysconfigip6tables = self.getScriptValues("sysconfigip6tables") fwpath = '/etc/sysconfig/system-config-firewall' iptpath = '/etc/sysconfig/iptables' ip6tpath = '/etc/sysconfig/ip6tables' #portion to handle the system-config-firewall file created = False if not os.path.exists(fwpath): if not createFile(fwpath, self.logger): success = False self.detailedresults += "Unable to create file " + fwpath + "\n" else: created = True self.iditerator += 1 myid = iterate(self.iditerator, self.rulenumber) event = {"eventtype": "creation", "filepath": fwpath} self.statechglogger.recordchgevent(myid, event) if os.path.exists(fwpath): if not checkPerms(fwpath, [0, 0, 0o600], self.logger): if not created: self.iditerator += 1 myid = iterate(self.iditerator, self.rulenumber) if not setPerms(fwpath, [0, 0, 0o600], self.logger, self.statechglogger, myid): success = False self.detailedresults += "Unable to set permissions on " + fwpath + "\n" contents = readFile(fwpath, self.logger) if contents != systemconfigfirewall: print("contents don't equal systemconfigurefirewall contents\n") tempfile = fwpath + ".tmp" if not writeFile(tempfile, systemconfigfirewall, self.logger): success = False self.detailedresults += "Unable to write contents to " + fwpath + "\n" else: if not created: self.iditerator += 1 myid = iterate(self.iditerator, self.rulenumber) event = {"eventtype": "conf", "filepath": fwpath} self.statechglogger.recordchgevent(myid, event) self.statechglogger.recordfilechange(fwpath, tempfile, myid) os.rename(tempfile, fwpath) os.chown(fwpath, 0, 0) os.chmod(fwpath, 0o600) resetsecon(fwpath) created = False #portion to handle the iptables rules file if not os.path.exists(iptpath): if not createFile(iptpath, self.logger): success = False self.detailedresults += "Unable to create file " + iptpath + "\n" else: created = True self.iditerator += 1 myid = iterate(self.iditerator, self.rulenumber) event = {"eventtype": "creation", "filepath": iptpath} self.statechglogger.recordchgevent(myid, event) if os.path.exists(iptpath): if not checkPerms(iptpath, [0, 0, 0o644], self.logger): if not created: self.iditerator += 1 myid = iterate(self.iditerator, self.rulenumber) if not setPerms(iptpath, [0, 0, 0o644], self.logger, self.statechglogger, myid): success = False self.detailedresults += "Unable to set permissions on " + iptpath + "\n" contents = readFile(iptpath, self.logger) if contents != sysconfigiptables: tempfile = iptpath + ".tmp" if not writeFile(tempfile, sysconfigiptables, self.logger): success = False self.detailedresults += "Unable to write contents to " + iptpath + "\n" else: if not created: self.iditerator += 1 myid = iterate(self.iditerator, self.rulenumber) event = {"eventtype": "conf", "filepath": iptpath} self.statechglogger.recordchgevent(myid, event) self.statechglogger.recordfilechange(iptpath, tempfile, myid) os.rename(tempfile, iptpath) os.chown(iptpath, 0, 0) os.chmod(iptpath, 0o644) resetsecon(iptpath) created = False #portion to handle ip6tables rules file if not os.path.exists(ip6tpath): if not createFile(ip6tpath, self.logger): success = False self.detailedresults += "Unable to create file " + ip6tpath + "\n" else: created = True self.iditerator += 1 myid = iterate(self.iditerator, self.rulenumber) event = {"eventtype": "creation", "filepath": ip6tpath} self.statechglogger.recordchgevent(myid, event) if os.path.exists(ip6tpath): if not checkPerms(ip6tpath, [0, 0, 0o644], self.logger): if not created: self.iditerator += 1 myid = iterate(self.iditerator, self.rulenumber) if not setPerms(ip6tpath, [0, 0, 0o644], self.logger, self.statechglogger, myid): success = False self.detailedresults += "Unable to set permissions on " + ip6tpath + "\n" contents = readFile(ip6tpath, self.logger) if contents != sysconfigip6tables: tempfile = ip6tpath + ".tmp" if not writeFile(tempfile, sysconfigip6tables, self.logger): success = False self.detailedresults += "Unable to write contents to " + ip6tpath + "\n" else: if not created: self.iditerator += 1 myid = iterate(self.iditerator, self.rulenumber) event = {"eventtype": "conf", "filepath": ip6tpath} self.statechglogger.recordchgevent(myid, event) self.statechglogger.recordfilechange(ip6tpath, tempfile, myid) os.rename(tempfile, ip6tpath) os.chown(ip6tpath, 0, 0) os.chmod(ip6tpath, 0o644) resetsecon(ip6tpath) # check if iptables is enabled to run at start if not self.servicehelper.auditService('iptables'): # enable service to run at start if not if not self.servicehelper.enableService('iptables'): self.detailedresults += "Unable to enable iptables service\n" debug = "Unable to enable iptables service\n" self.logger.log(LogPriority.DEBUG, debug) success = False else: # record event if successful self.iditerator += 1 myid = iterate(self.iditerator, self.rulenumber) cmd = self.servicehelper.getDisableCommand('iptables') event = {"eventtype": "commandstring", "command": cmd} self.statechglogger.recordchgevent(myid, event) self.servicehelper.stopService('iptables') # start iptables if not if not self.servicehelper.startService('iptables'): self.detailedresults += "Unable to start iptables service\n" debug = "Unable to start iptables service\n" self.logger.log(LogPriority.DEBUG, debug) success = False else: stonixfilepath = "/var/db/stonix/" savecmd = "/sbin/iptables-save > " + stonixfilepath + "user-firewall-pre-stonix" if not self.cmdhelper.executeCommand(savecmd): success = False self.detailedresults += "Unable to save current ipv4 " + \ "firewall rules for revert\n" debug = "Unable to save current ipv4 " + \ "firewall rules for revert\n" self.logger.log(LogPriority.DEBUG, debug) else: self.iditerator += 1 myid = iterate(self.iditerator, self.rulenumber) cmd = "/sbin/iptables-restore < " + stonixfilepath + "user-firewall-pre-stonix" event = {"eventtype": "commandstring", "command": cmd} self.statechglogger.recordchgevent(myid, event) savecmd = "/sbin/ip6tables-save > " + stonixfilepath + "user-firewall6-pre-stonix" if not self.cmdhelper.executeCommand(savecmd): success = False self.detailedresults += "Unable to save current ipv6 " + \ "firewall rules for revert\n" debug = "Unable to save current ipv6 " + \ "firewall rules for revert\n" self.logger.log(LogPriority.DEBUG, debug) else: self.iditerator += 1 myid = iterate(self.iditerator, self.rulenumber) cmd = "/sbin/ip6tables-restore < " + stonixfilepath + "user-firewall6-pre-stonix" event = {"eventtype": "commandstring", "command": cmd} self.statechglogger.recordchgevent(myid, event) # check if ip6tables is enabled to run at start if not self.servicehelper.auditService('ip6tables'): # enable service to run at start if not if not self.servicehelper.enableService('ip6tables'): self.detailedresults += "Unable to enable ip6tables service\n" debug = "Unable to enable ip6tables service\n" self.logger.log(LogPriority.DEBUG, debug) success = False else: # record event if successful self.iditerator += 1 myid = iterate(self.iditerator, self.rulenumber) cmd = self.servicehelper.getDisableCommand('ip6tables') event = {"eventtype": "commandstring", "command": cmd} self.statechglogger.recordchgevent(myid, event) self.servicehelper.stopService('ip6tables') # start ip6tables if not if not self.servicehelper.startService('ip6tables'): self.detailedresults += "Unable to start ip6tables service\n" debug = "Unable to start ip6tables service\n" self.logger.log(LogPriority.DEBUG, debug) success = False # Sleep for a bit to let the restarts occur time.sleep(10) self.rulesuccess = success except (KeyboardInterrupt, SystemExit): # User initiated exit raise except Exception: self.rulesuccess = False self.detailedresults += "\n" + traceback.format_exc() self.logdispatch.log(LogPriority.ERROR, self.detailedresults) self.formatDetailedResults("fix", self.rulesuccess, self.detailedresults) self.logdispatch.log(LogPriority.INFO, self.detailedresults) return self.rulesuccess
def fixLinux(self): '''sub method for linux portion of compliance fixing @author: dwalker :returns: success :rtype: boolean ''' success = True created1, created2 = False, False changed = False tempstring = "" grubfilefound = False for grub in self.grubfiles: if os.path.exists(grub): grubfilefound = True if self.grubperms: if not checkPerms(grub, self.grubperms, self.logger): self.iditerator += 1 myid = iterate(self.iditerator, self.rulenumber) if not setPerms(grub, self.grubperms, self.logger, self.statechglogger, myid): success = False contents = readFile(grub, self.logger) kernellinefound = False if contents: for line in contents: if re.search("^kernel", line.strip()) or re.search("^linux", line.strip()) \ or re.search("^linux16", line.strip()): kernellinefound = True if not re.search("\s+nousb\s*", line): changed = True tempstring += line.strip() + " nousb" if not re.search( "\s+usbcore\.authorized_default=0\s+", line): changed = True tempstring += line.strip( ) + " usbcore.authorized_default=0" tempstring += "\n" elif re.search("^set default_kernelopts", line.strip()): # Fedora 31 has changed it's kernel option line format kernellinefound = True kernelline = line.strip() if not re.search("\s+nousb\s*", kernelline): changed = True kernelline = re.sub("\"$", " nousb\"", kernelline) if not re.search( "\s+usbcore\.authorized_default=0\s+", kernelline): changed = True kernelline = re.sub( "\"$", " usbcore.authorized_default=0\"", kernelline) tempstring += kernelline + "\n" else: tempstring += line if not kernellinefound: changed = False self.detailedresults += "The grub file doesn't contain kernel line\n" + \ "Unable to fully implement fixes in this rule\n" success = False if changed: tmpfile = grub + ".tmp" if writeFile(tmpfile, tempstring, self.logger): self.iditerator += 1 myid = iterate(self.iditerator, self.rulenumber) event = {"eventtype": "conf", "filepath": grub} self.statechglogger.recordchgevent(myid, event) self.statechglogger.recordfilechange( grub, tmpfile, myid) os.rename(tmpfile, grub) if not setPerms(grub, self.grubperms, self.logger): success = False self.detailedresults += "Unable to set permissions on " + \ grub + " file\n" else: success = False if not grubfilefound: self.detailedresults += "No grub configuration file found\n" + \ "Unable to fully fix system for this rule\n" success = False blacklistf = "/etc/modprobe.d/stonix-blacklist.conf" tempstring = "" # Check if self.blacklist still contains values, if it # does, then we didn't find all the blacklist values # in report if self.blacklist: # didn't find one or more directives in the files # inside modprobe.d so we now check an alternate file # we create stonixblacklist file if it doesn't # exist and put remaining unfound blacklist # items there if not os.path.exists(blacklistf): created1 = True createFile(blacklistf, self.logger) self.iditerator += 1 myid = iterate(self.iditerator, self.rulenumber) event = {"eventtype": "creation", "filepath": blacklistf} self.statechglogger.recordchgevent(myid, event) # file was already present and we need contents already # inside file to remain in newly written file if not created1: contents = readFile(blacklistf, self.logger) for item in contents: tempstring += item for item in self.blacklist: tempstring += item + "\n" tmpfile = blacklistf + ".tmp" if writeFile(tmpfile, tempstring, self.logger): self.iditerator += 1 myid = iterate(self.iditerator, self.rulenumber) event = {"eventtype": "conf", "filepath": blacklistf} self.statechglogger.recordchgevent(myid, event) self.statechglogger.recordfilechange(blacklistf, tmpfile, myid) os.rename(tmpfile, blacklistf) os.chown(blacklistf, 0, 0) os.chmod(blacklistf, 420) resetsecon(blacklistf) if not checkPerms(blacklistf, [0, 0, 420], self.logger): self.iditerator += 1 myid = iterate(self.iditerator, self.rulenumber) if not setPerms(blacklistf, [0, 0, 420], self.logger, self.statechglogger, myid): success = False if self.ph.manager == "apt-get": cmd = ["/usr/sbin/update-initramfs", "-u"] if not self.ch.executeCommand(cmd): success = False self.detailedresults += "Unable to run update-initramfs command\n" for item in self.pcmcialist: if self.ph.check(item): self.ph.remove(item) self.pkgremovedlist.append(item) if not os.path.exists(self.udevfile): if not createFile(self.udevfile, self.logger): self.detailedresults += "Unable to create " + \ self.udevfile + " file\n" success = False else: created2 = True if os.path.exists(self.udevfile): if not checkPerms(self.udevfile, [0, 0, 0o644], self.logger): if created2: if not setPerms(self.udevfile, [0, 0, 0o644], self.logger): success = False self.detailedresults += "Unable to set " + \ "permissions on " + self.udevfile + "\n" else: self.iditerator += 1 myid = iterate(self.iditerator, self.rulenumber) if not setPerms(self.udevfile, [0, 0, 0o644], self.logger, self.statechglogger, myid): success = False self.detailedresults += "Unable to set " + \ "permissions on " + self.udevfile + "\n" found = False contents = readFile(self.udevfile, self.logger) tempstring = "" for line in contents: if re.search( "ACTION==\"add\"\, SUBSYSTEMS==\"usb\"\, RUN+=\"/bin/sh -c \'for host in /sys/bus/usb/devices/usb\*\; do echo 0 > \$host/authorized_default; done\'\"", line.strip()): found = True tempstring += line if not found: tempstring += "ACTION==\"add\", SUBSYSTEMS==\"usb\", RUN+=\"/bin/sh -c \'for host in /sys/bus/usb/devices/usb*; do echo 0 > $host/authorized_default; done\'\"" tmpfile = self.udevfile + ".tmp" if writeFile(tmpfile, tempstring, self.logger): if not created2: self.iditerator += 1 myid = iterate(self.iditerator, self.rulenumber) event = { "eventtype": "conf", "filepath": self.udevfile } self.statechglogger.recordchgevent(myid, event) self.statechglogger.recordfilechange( self.udevfile, tmpfile, myid) os.rename(tmpfile, self.udevfile) os.chown(self.udevfile, 0, 0) os.chmod(self.udevfile, 0o644) resetsecon(self.udevfile) else: success = False self.detailedresults += "Unable to write changes " + \ "to " + self.udevfile + "\n" return success
def fix(self): try: if not self.ci.getcurrvalue(): return success = True # Clean out old undo events self.iditerator = 0 eventlist = self.statechglogger.findrulechanges(self.rulenumber) for event in eventlist: self.statechglogger.deleteentry(event) self.detailedresults = "" if not os.path.exists(self.path): createFile(self.path, self.logger) self.created = True self.iditerator += 1 myid = iterate(self.iditerator, self.rulenumber) event = {"eventtype": "creation", "filepath": self.path} self.statechglogger.recordchgevent(myid, event) self.editor = KVEditorStonix(self.statechglogger, self.logger, "conf", self.path, self.tmppath, self.data1, "present", "space") self.editor.report() tempstring = "" tmpfile = self.path + ".tmp" contents = readFile(self.path, self.logger) changes = False for line in contents: found = False if re.match('^#', line) or re.match(r'^\s*$', line): tempstring += line continue if re.search("^option", line): temp = line.split() if len(temp) >= 2: for item in self.data2: if re.search(item, temp[1]): found = True changes = True break if found: continue else: tempstring += line else: tempstring += line if changes: debug = "Writing changes to " + tmpfile self.logger.log(LogPriority.DEBUG, debug) if not writeFile(tmpfile, tempstring, self.logger): debug = "Unable to write changes to " + tmpfile self.detailedresults += debug self.logger.log(LogPriority.DEBUG, debug) success = False else: self.iditerator += 1 myid = iterate(self.iditerator, self.rulenumber) event = {"eventtype": "conf", "filepath": self.path} self.statechglogger.recordchgevent(myid, event) self.statechglogger.recordfilechange( self.path, tmpfile, myid) os.rename(tmpfile, self.path) self.iditerator += 1 myid = iterate(self.iditerator, self.rulenumber) setPerms(self.path, [0, 0, 0o644], self.logger, self.statechglogger, myid) resetsecon(self.path) if self.editor.fixables: if not self.created: if not checkPerms(self.path, [0, 0, 0o644], self.logger): self.iditerator += 1 myid = iterate(self.iditerator, self.rulenumber) if not setPerms(self.path, [0, 0, 0o644], self.logger, self.statechglogger, myid): success = False self.iditerator += 1 myid = iterate(self.iditerator, self.rulenumber) self.editor.setEventID(myid) if self.editor.fix(): if self.editor.commit(): debug = self.path + "'s contents have been " + \ "corrected\n" self.logger.log(LogPriority.DEBUG, debug) os.chown(self.path, 0, 0) os.chmod(self.path, 0o644) resetsecon(self.path) else: debug = "kveditor commit not successful\n" self.logger.log(LogPriority.DEBUG, debug) success = False else: debug = "kveditor fix not successful\n" self.logger.log(LogPriority.DEBUG, debug) success = False self.rulesuccess = success except (KeyboardInterrupt, SystemExit): # User initiated exit raise except Exception: self.rulesuccess = False self.detailedresults += "\n" + traceback.format_exc() self.logdispatch.log(LogPriority.ERROR, self.detailedresults) self.formatDetailedResults("fix", self.rulesuccess, self.detailedresults) self.logdispatch.log(LogPriority.INFO, self.detailedresults) return self.rulesuccess
def fix(self): '''The report method examines the current configuration and determines whether or not it is correct. If the config is correct then the self.compliant, self.detailedresults and self.currstate properties are updated to reflect the system status. self.rulesuccess will be updated if the rule does not succeed. :returns: self.rulesuccess :rtype: bool @author bgonz12 ''' try: self.iditerator = 0 self.detailedresults = "" if not self.ci.getcurrvalue(): return success = True if not os.path.exists(self.securettypath): if not createFile(self.securettypath, self.logger): success = False self.detailedresults += "Unable to create " + \ self.securettypath + "\n" else: self.iditerator += 1 myid = iterate(self.iditerator, self.rulenumber) event = {"eventtype": "creation", "filepath": self.securettypath} self.statechglogger.recordchgevent(myid, event) if not setPerms(self.securettypath, [0, 0, 0o600], self.logger): success = False self.detailedresults += "Unable to correct permissions on " + \ self.securettypath + "\n" elif not self.isblank: tempfile = self.securettypath + ".tmp" if not checkPerms(self.securettypath, [0, 0, 0o600], self.logger): self.iditerator += 1 myid = iterate(self.iditerator, self.rulenumber) if not setPerms(self.securettypath, [0, 0, 0o600], self.logger, self.statechglogger, myid): success = False self.detailedresults += "Unable to correct permissions on " + \ self.securettypath + "\n" if not writeFile(tempfile, "", self.logger): success = False self.detailedresults += "Unable to write blank contents " + \ "to " + self.securettypath + "\n" else: self.iditerator += 1 myid = iterate(self.iditerator, self.rulenumber) event = {"eventtype": "conf", "filepath": self.securettypath} self.statechglogger.recordchgevent(myid, event) self.statechglogger.recordfilechange(self.securettypath, tempfile, myid) os.rename(tempfile, self.securettypath) os.chmod(self.securettypath, 0o600) os.chown(self.securettypath, 0, 0) resetsecon(self.securettypath) else: if not checkPerms(self.securettypath, [0, 0, 0o600], self.logger): self.iditerator += 1 myid = iterate(self.iditerator, self.rulenumber) if not setPerms(self.securettypath, [0, 0, 0o600], self.logger, self.statechglogger, myid): success = False self.detailedresults += "Unable to correct permissions on " + \ self.securettypath + "\n" self.rulesuccess = success except (KeyboardInterrupt, SystemExit): # User initiated exit raise except Exception: self.rulesuccess = False self.detailedresults += "\n" + traceback.format_exc() self.logdispatch.log(LogPriority.ERROR, self.detailedresults) self.formatDetailedResults("fix", self.rulesuccess, self.detailedresults) self.logdispatch.log(LogPriority.INFO, self.detailedresults) return self.rulesuccess
def fix(self): try: if not self.ci.getcurrvalue(): self.detailedresults += "CI not enabled\n" else: success = True self.detailedresults = "" self.iditerator = 0 eventlist = self.statechglogger.findrulechanges(self.rulenumber) for event in eventlist: self.statechglogger.deleteentry(event) if not os.path.exists(self.path1): createFile(self.path1, self.logger) self.created = True self.iditerator += 1 myid = iterate(self.iditerator, self.rulenumber) event = {"eventtype": "creation", "filepath": self.path1} self.statechglogger.recordchgevent(myid, event) self.tmppath = self.path1 + ".tmp" self.editor1 = KVEditorStonix(self.statechglogger, self.logger, "conf", self.path1, self.tmppath, self.data1, "present", "closedeq") self.editor1.report() self.editor2 = KVEditorStonix(self.statechglogger, self.logger, "conf", self.path1, self.tmppath, self.data2, "present", "space") self.editor2.report() if self.editor1.fixables or self.editor2.fixables: if self.editor1.fix(): self.iditerator += 1 myid = iterate(self.iditerator, self.rulenumber) self.editor1.setEventID(myid) if self.editor1.commit(): debug = self.path1 + "'s contents have been " + \ "corrected\n" self.logger.log(LogPriority.DEBUG, debug) resetsecon(self.path1) else: debug = "kveditor commit not successful\n" self.logger.log(LogPriority.DEBUG, debug) success = False self.detailedresults += self.path1 + \ " properties could not be set\n" else: debug = "kveditor fix not successful\n" self.logger.log(LogPriority.DEBUG, debug) success = False self.detailedresults += self.path1 + \ " properties could not be set\n" if self.editor2.fix(): self.iditerator += 1 myid = iterate(self.iditerator, self.rulenumber) self.editor2.setEventID(myid) if self.editor2.commit(): debug = self.path1 + "'s contents have been " + \ "corrected\n" self.logger.log(LogPriority.DEBUG, debug) resetsecon(self.path1) else: debug = "kveditor commit not successful\n" self.logger.log(LogPriority.DEBUG, debug) success = False self.detailedresults += self.path1 + \ " properties could not be set\n" else: debug = "kveditor fix not successful\n" self.logger.log(LogPriority.DEBUG, debug) success = False self.detailedresults += self.path1 + \ " properties could not be set\n" if not checkPerms(self.path1, [0, 0, 0o755], self.logger) and \ not checkPerms(self.path1, [0, 0, 0o644], self.logger): self.iditerator += 1 myid = iterate(self.iditerator, self.rulenumber) if not setPerms(self.path1, [0, 0, 0o644], self.logger, self.statechglogger, myid): success = False self.detailedresults += "Could not set permissions " + \ "for " + self.path1 + "\n" if not os.path.exists(self.path2): createFile(self.path2, self.logger) self.created = True self.iditerator += 1 myid = iterate(self.iditerator, self.rulenumber) event = {"eventtype": "creation", "filepath": self.path2} self.statechglogger.recordchgevent(myid, event) writeFile(self.path2, self.cshData, self.logger) if not checkPerms(self.path2, [0, 0, 0o755], self.logger) and \ not checkPerms(self.path2, [0, 0, 0o644], self.logger): self.iditerator += 1 myid = iterate(self.iditerator, self.rulenumber) if not setPerms(self.path2, [0, 0, 0o644], self.logger, self.statechglogger, myid): success = False self.detailedresults += "Could not set permissions " + \ "for " + self.path2 + "\n" self.rulesuccess = success except (KeyboardInterrupt, SystemExit): # User initiated exit raise except Exception: self.rulesuccess = False self.detailedresults += "\n" + traceback.format_exc() self.logdispatch.log(LogPriority.ERROR, self.detailedresults) self.formatDetailedResults("fix", self.rulesuccess, self.detailedresults) self.logdispatch.log(LogPriority.INFO, self.detailedresults) return self.rulesuccess
def fix(self): try: if not self.ci.getcurrvalue(): return success = True path = self.path tmppath = path + ".tmp" prelinkCache = "/etc/prelink.cache" self.detailedresults = "" self.iditerator = 0 eventlist = self.statechglogger.findrulechanges(self.rulenumber) for event in eventlist: self.statechglogger.deleteentry(event) if not os.path.exists(path): if createFile(path, self.logger): self.iditerator += 1 myid = iterate(self.iditerator, self.rulenumber) event = {"eventtype": "creation", "filepath": path} self.statechglogger.recordchgevent(myid, event) else: success = False self.detailedresults += "Failed to create file: " + \ path + "\n" if writeFile(tmppath, "PRELINKING=no", self.logger): os.rename(tmppath, path) resetsecon(path) else: success = False self.detailedresults += "Failed to write settings " + \ "to file: " + path + "\n" elif not self.editor.report(): if self.editor.fix(): if self.editor.commit(): self.detailedresults += "Changes successfully " + \ "committed to " + path + "\n" else: success = False self.detailedresults += "Changes could not be " + \ "committed to " + path + "\n" else: success = False self.detailedresults += "Could not fix file " + path + "\n" # Although the guidance and documentation recommends using "prelink # -ua" command, testing has shown this command to be completely # unreliable. Instead, the prelink cache will be removed entirely. if os.path.exists(prelinkCache): self.iditerator += 1 myid = iterate(self.iditerator, self.rulenumber) self.statechglogger.recordfiledelete(prelinkCache, myid) os.remove(prelinkCache) self.rulesuccess = success except (KeyboardInterrupt, SystemExit): # User initiated exit raise except Exception: self.rulesuccess = False self.detailedresults += "\n" + traceback.format_exc() self.logdispatch.log(LogPriority.ERROR, self.detailedresults) self.formatDetailedResults("fix", self.rulesuccess, self.detailedresults) self.logdispatch.log(LogPriority.INFO, self.detailedresults) return self.rulesuccess
def fix(self): '''will check if the shadow, passwd, or group file is present and if so remove the plus(+) account located in the file ''' try: if not self.ci.getcurrvalue(): return self.detailedresults = "" #clear out event history so only the latest fix is recorded self.iditerator = 0 eventlist = self.statechglogger.findrulechanges(self.rulenumber) for event in eventlist: self.statechglogger.deleteentry(event) for path in self.badfiles: path = path.strip() if os.path.exists(path): tempstring = "" contents = readFile(path, self.logger) if not contents: continue for line in contents: if not re.search('^\+', line.strip()): tempstring += line if path == "/etc/master.passwd": if not checkPerms(path, [0, 0, 384], self.logger): self.iditerator += 1 myid = iterate(self.iditerator, self.rulenumber) setPerms(path, [0, 0, 384], self.logger, self.statechglogger, myid) elif path == "/etc/shadow": #put in code to handle apt-get systems /etc/shadow file later #for this file, the owner is root, but the group is shadow #by default this group is 42 but may not always be that if self.ph.manager == "apt-get": retval = getUserGroupName("/etc/shadow") if retval[0] != "root" or retval[1] != "shadow": uid = pwd.getpwnam("root").pw_uid gid = grp.getgrnam("shadow").gr_gid self.iditerator += 1 myid = iterate(self.iditerator, self.rulenumber) setPerms(path, [uid, gid, 420], self.logger, self.statechglogger, myid) else: if not checkPerms(path, [0, 0, 256], self.logger) and \ not checkPerms(path, [0, 0, 0], self.logger): self.iditerator += 1 myid = iterate(self.iditerator, self.rulenumber) setPerms(path, [0, 0, 256], self.logger, self.statechglogger, myid) else: if not checkPerms(path, [0, 0, 420], self.logger): self.iditerator += 1 myid = iterate(self.iditerator, self.rulenumber) setPerms(path, [0, 0, 420], self.logger, self.statechglogger, myid) tmpfile = path + ".tmp" if not writeFile(tmpfile, tempstring, self.logger): self.rulesuccess = False return self.iditerator += 1 myid = iterate(self.iditerator, self.rulenumber) event = {'eventtype': 'conf', 'filepath': path} self.statechglogger.recordchgevent(myid, event) self.statechglogger.recordfilechange(path, tmpfile, myid) os.rename(tmpfile, path) if path == "/etc/master.passwd": os.chown(path, 0, 0) os.chmod(path, 384) elif path == "/etc/shadow": if self.ph.manager == "apt-get": os.chown(path, uid, gid) os.chmod(path, 420) else: os.chown(path, 0, 0) os.chmod(path, 256) else: os.chmod(path, 420) resetsecon(path) except (KeyboardInterrupt, SystemExit): # User initiated exit raise except Exception: self.rulesuccess = False self.detailedresults += "\n" + traceback.format_exc() self.logdispatch.log(LogPriority.ERROR, self.detailedresults) self.formatDetailedResults("fix", self.rulesuccess, self.detailedresults) self.logdispatch.log(LogPriority.INFO, self.detailedresults) return self.rulesuccess
def fixOtherSys(self): """ :return: success :rtype: bool """ success = True if not checkPerms(self.tftpFile, [0, 0, 420], self.logger): self.iditerator += 1 myid = iterate(self.iditerator, self.rulenumber) if not setPerms(self.tftpFile, [0, 0, 420], self.logger, self.statechglogger, myid): self.detailedresults += "Unable to set " + \ "permissions on " + self.tftpFile + "\n" success = False try: contents2 = [] contents = readFile(self.tftpFile, self.logger) found = False tempstring = "" i = 0 tftplinefound = False for line in contents: if re.search("service tftp", line.strip()): tempstring += line tftplinefound = True contents2 = contents[i + 1:] break else: tempstring += line i += 1 if not tftplinefound: self.detailedresults += "tftp file doesn't contain " + \ "\"service tftp\" line. Stonix will not attempt to " + \ "fix this. This will require a manual fix\n" return False if contents2: if contents2[0].strip() == "{": tempstring += contents2[0] del (contents2[0]) if contents2: for line in contents2: if re.search("server_args", line): found = True if re.search("=", line): tmp = line.split("=") val = re.sub("/s+", " ", tmp[1].strip()) if re.search("-s", val) or re.search( "--secure", val): if not re.search( "-s /var/lib/tftpboot", val ) and not re.search( "--secure /var/lib/tftpboot", val): val = re.sub( "-s\s{0,1}/{0,1}.*\s{0,1}", "-s /var/lib/tftpboot", tmp[1]) tempstring += "\tserver_args \t\t= " + val + "\n" else: tempstring += line else: tempstring += line + " -s /var/lib/tftpboot\n" else: tempstring += "\tserver_args\t\t= -s /var/lib/tftpboot\n" elif re.search("}", line.strip()): if not found: tempstring += "\tserver_args\t\t= -s /var/lib/tftpboot\n" tempstring += "}" break else: tempstring = "" break else: tempstring += line except IndexError: self.detailedresults += "The tftp file is in bad format\n " + \ "Will not attempt to correct this file. Exiting\n" return False if not tempstring: return True tmpfile = self.tftpFile + ".tmp" if writeFile(tmpfile, tempstring, self.logger): self.iditerator += 1 myid = iterate(self.iditerator, self.rulenumber) event = {"eventtype": "conf", "filepath": self.tftpFile} self.statechglogger.recordchgevent(myid, event) self.statechglogger.recordfilechange(self.tftpFile, tmpfile, myid) os.rename(tmpfile, self.tftpFile) os.chown(self.tftpFile, 0, 0) os.chmod(self.tftpFile, 420) resetsecon(self.tftpFile) else: self.detailedresults += "Unable to write new contents " + \ "to " + self.tftpFile + " file.\n" success = False return success
def fix(self): '''The fix method will apply the required settings to the system. self.rulesuccess will be updated if the rule does not succeed. @author bemalmbe ''' try: if not self.ci.getcurrvalue(): return success = True self.detailedresults = "" debug = "" # clear out event history so only the latest fix is recorded self.iditerator = 0 eventlist = self.statechglogger.findrulechanges(self.rulenumber) for event in eventlist: self.statechglogger.deleteentry(event) if os.path.exists(self.grp): if not self.wheel: ch = CommandHelper(self.logger) if self.ph.manager == "apt-get": cmd = ["/usr/sbin/groupadd", "sudo"] else: cmd = ["/usr/sbin/groupadd", "wheel"] ch.executeCommand(cmd) if ch.getReturnCode() != 0: debug += "unable to create the wheel group, \ unable to continue with the rest of the rule\n" self.logger.log(LogPriority.DEBUG, debug) return False else: if not checkPerms(self.grp, [0, 0, 420], self.logger): self.iditerator += 1 myid = iterate(self.iditerator, self.rulenumber) if not setPerms(self.grp, [0, 0, 420], self.logger, self.statechglogger, myid): success = False else: self.detailedresults += "/etc/group file doesn\'t exist! \ Stonix will not attempt to create this file and will skip to next stage \ of the fix method\n" self.logger.log(LogPriority.DEBUG, self.detailedresults) success = False if not self.pamwheel: if os.path.exists(self.pam): if not checkPerms(self.pam, [0, 0, 420], self.logger): self.iditerator += 1 myid = iterate(self.iditerator, self.rulenumber) if not setPerms(self.pam, [0, 0, 420], self.logger, self.statechglogger, myid): success = False tempstring = "" contents = readFile(self.pam, self.logger) for line in contents: if re.search("pam_wheel.so", line): continue else: tempstring += line if self.ph.manager == "apt-get": tempstring += "auth required " + \ "pam_wheel.so group=sudo\n" else: tempstring += "auth required " + \ "pam_wheel.so use_uid\n" tmpfile = self.pam + ".tmp" if writeFile(tmpfile, tempstring, self.logger): self.iditerator += 1 myid = iterate(self.iditerator, self.rulenumber) event = {"eventtype": "conf", "filepath": self.pam} self.statechglogger.recordchgevent(myid, event) self.statechglogger.recordfilechange( self.pam, tmpfile, myid) os.rename(tmpfile, self.pam) os.chown(self.pam, 0, 0) os.chmod(self.pam, 420) resetsecon(self.pam) else: success = False self.rulessuccess = success except (KeyboardInterrupt, SystemExit): # User initiated exit raise except Exception: self.rulesuccess = False self.detailedresults += "\n" + traceback.format_exc() self.logdispatch.log(LogPriority.ERROR, self.detailedresults) self.formatDetailedResults("fix", self.rulesuccess, self.detailedresults) self.logdispatch.log(LogPriority.INFO, self.detailedresults) return self.rulesuccess
def fixGnome(self): """ensures gnome is configured to automatically screen lock after 15 minutes of inactivity, if gnome is installed @author: dwalker :param self: essential if you override this definition :returns: bool - True if gnome is successfully configured, False if it isn't """ info = "" success = True gconf = "/usr/bin/gconftool-2" gsettings = "/usr/bin/gsettings" if os.path.exists(gconf): #variable self.setcmds still has items left in its dictionary #which was set in the reportGnome method, meaning some values #either were incorrect or didn't have values. Go through and #set each remaining value that isn't correct cmd = "" if self.setcmds: for item in self.setcmds: if item == "/apps/gnome-screensaver/idle_activation_enabled": cmd = gconf + " --type bool --set /apps/gnome-screensaver/idle_activation_enabled true" elif item == "/apps/gnome-screensaver/lock_enabled": cmd = gconf + " --type bool --set /apps/gnome-screensaver/lock_enabled true" elif item == "/apps/gnome-screensaver/mode": cmd = gconf + ' --type string --set /apps/gnome-screensaver/mode "blank-only"' elif item == "/desktop/gnome/session/idle_delay": if self.gconfidletime: cmd = gconf + " --type int --set /desktop/gnome/session/idle_delay " + \ self.gconfidletime else: cmd = gconf + " --type int --set /desktop/gnome/session/idle_delay 15" if self.cmdhelper.executeCommand(cmd): if self.cmdhelper.getReturnCode() != 0: info += "Unable to set value for " + cmd + "\n" success = False else: info += "Unable to set value for " + cmd + "\n" success = False if os.path.exists(gsettings): setcmds = [ "org.gnome.desktop.screensaver idle-activation-enabled true", "org.gnome.desktop.screensaver lock-enabled true", "org.gnome.desktop.screensaver lock-delay 0", "org.gnome.desktop.screensaver picture-opacity 100", "org.gnome.desktop.screensaver picture-uri ''", "org.gnome.desktop.session idle-delay 900" ] # " set org.gnome.desktop.session idle-delay " + self.gsettingsidletime] for cmd in setcmds: cmd2 = gsettings + " set " + cmd self.cmdhelper.executeCommand(cmd2) if self.cmdhelper.getReturnCode() != 0: success = False info += "Unable to set value for " + cmd + \ " using gsettings\n" # Set gsettings with dconf # Unlock dconf settings # Create dconf settings lock file if self.environ.geteuid() == 0: if not os.path.exists(self.dconfsettingslock): if not createFile(self.dconfsettingslock, self.logger): self.rulesuccess = False self.detailedresults += "Unable to create stonix-settings file\n" self.formatDetailedResults("fix", self.rulesuccess, self.detailedresults) return False #write correct contents to dconf lock file if os.path.exists(self.dconfsettingslock): # Write to the lock file if self.dconflockdata: contents = "" tmpfile = self.dconfsettingslock + ".tmp" for line in self.dconflockdata: contents += line + "\n" if not writeFile(tmpfile, contents, self.logger): self.rulesuccess = False self.detailedresults += "Unable to write contents to " + \ "stonix-settings file\n" else: os.rename(tmpfile, self.dconfsettingslock) os.chown(self.dconfsettingslock, 0, 0) os.chmod(self.dconfsettingslock, 0o644) resetsecon(self.dconfsettingslock) # Create dconf user profile file if not os.path.exists(self.dconfuserprofile): if not createFile(self.dconfuserprofile, self.logger): self.rulesuccess = False self.detailedresults += "Unable to create dconf " + \ "user profile file\n" self.formatDetailedResults("fix", self.rulesuccess, self.detailedresults) return False # Write dconf user profile if os.path.exists(self.dconfuserprofile): tmpfile = self.dconfuserprofile + ".tmp" if not writeFile(tmpfile, self.userprofilecontent, self.logger): self.rulesuccess = False self.detailedresults += "Unabled to write to dconf user" + \ " profile file\n" self.formatDetailedResults("fix", self.rulesuccess, self.detailedresults) return False else: os.rename(tmpfile, self.dconfuserprofile) os.chown(self.dconfuserprofile, 0, 0) os.chmod(self.dconfuserprofile, 0o644) resetsecon(self.dconfuserprofile) # Fix dconf settings if not os.path.exists(self.dconfsettings): if not createFile(self.dconfsettings, self.logger): self.rulesuccess = False self.detailedresults += "Unable to create " + self.dconfsettings + " file \n" self.formatDetailedResults("fix", self.rulesuccess, self.detailedresults) return False self.dconfdata = { "org/gnome/desktop/screensaver": { "idle-activation-enabled": "true", "lock-enabled": "true", "lock-delay": "0", "picture-opacity": "100", "picture-uri": "\'\'" }, "org/gnome/desktop/session": { "idle-delay": "uint32 900" } } self.kveditordconf = KVEditorStonix( self.statechglogger, self.logger, "tagconf", self.dconfsettings, self.dconfsettings + ".tmp", self.dconfdata, "present", "closedeq") self.kveditordconf.report() if self.kveditordconf.fixables: if not self.kveditordconf.fix(): success = False self.detailedresults += "Unable to put correct settings inside " + \ self.dconfsettings + "\n" elif not self.kveditordconf.commit(): success = False self.detailedresults += "Unable to put correct settings inside " + \ self.dconfsettings + "\n" #run dconf update command to make dconf changes take effect if os.path.exists("/bin/dconf"): cmd = "/bin/dconf update" self.cmdhelper.executeCommand(cmd) elif os.path.exists("/usr/bin/dconf"): cmd = "/usr/bin/dconf update" self.cmdhelper.executeCommand(cmd) self.detailedresults += info return success
def fix(self): '''DisableWeakAuthentication.fix() Public method to fix any issues that were found in the report method. @author: dwalker :returns: bool - False if the method died during execution ''' try: self.detailedresults = "" if not self.ci.getcurrvalue(): return success = True for item in self.rsh: if self.helper.check(item): if not self.helper.remove(item): success = False if self.incorrects: for item in self.incorrects: tempstring = "" contents = readFile(item, self.logger) if not contents: continue for line in contents: if re.match('^#', line) or re.match(r'^\s*$', line): tempstring += line elif re.search("pam_rhosts", line): continue else: tempstring += line if not checkPerms(item, [0, 0, 420], self.logger): if not setPerms(item, [0, 0, 420], self.logger): success = False tmpfile = item + ".tmp" if writeFile(tmpfile, tempstring, self.logger): os.rename(tmpfile, item) os.chown(item, 0, 0) os.chmod(item, 420) resetsecon(item) else: success = False for item in self.pams: if os.path.exists(item): if not checkPerms(item, [0, 0, 420], self.logger): if not setPerms(item, [0, 0, 420], self.logger): success = False if os.path.exists("/etc/pam.d/"): fileItems = glob.glob("/etc/pam.d/*") for item in fileItems: if not checkPerms(item, [0, 0, 420], self.logger): if not setPerms(item, [0, 0, 420], self.logger): success = False return success except (KeyboardInterrupt, SystemExit): raise except Exception: self.rulesuccess = False self.detailedresults += "\n" + traceback.format_exc() self.logdispatch.log(LogPriority.ERROR, self.detailedresults) self.formatDetailedResults("fix", self.rulesuccess, self.detailedresults) self.logdispatch.log(LogPriority.INFO, self.detailedresults) return self.rulesuccess
def fixLinux(self): universal = "#The following lines were added by stonix\n" debug = "" success = True ifacefile = "" netwrkfile = "" sysctl = "/etc/sysctl.conf" interface = {"IPV6_AUTOCONF": "no"} interface2 = {"IPV6_PRIVACY": "rfc3041"} # "IPV6_DEFAULTGW": self.gateway, # "IPV6ADDR":self.ipaddr} if self.ph.manager == "yum": ifacefile = "/etc/sysconfig/network-scripts/" netwrkfile = "/etc/sysconfig/network" elif self.ph.manager == "zypper": ifacefile = "/etc/sysconfig/network/" created = False # fix sysctl / tuning kernel parameters # manually write key value pairs to /etc/sysctl.conf if not os.path.exists(sysctl): if createFile(sysctl, self.logger): created = True setPerms(sysctl, [0, 0, 0o644], self.logger) self.iditerator += 1 myid = iterate(self.iditerator, self.rulenumber) event = {"eventtype": "creation", "filepath": sysctl} self.statechglogger.recordchgevent(myid, event) else: self.detailedresults += "Could not create file " + sysctl + \ "\n" success = False if os.path.exists(sysctl): if not checkPerms(sysctl, [0, 0, 0o644], self.logger): if not created: self.iditerator += 1 myid = iterate(self.iditerator, self.rulenumber) if not setPerms(sysctl, [0, 0, 0o644], self.logger, self.statechglogger, myid): success = False tmpfile = sysctl + ".tmp" self.editor1 = KVEditorStonix(self.statechglogger, self.logger, "conf", sysctl, tmpfile, self.sysctls, "present", "openeq") if not self.editor1.report(): if self.editor1.fixables: # If we did not create the file, set an event ID for the # KVEditor's undo event to record the file write if not created: self.iditerator += 1 myid = iterate(self.iditerator, self.rulenumber) self.editor1.setEventID(myid) if not self.editor1.fix(): success = False debug = "Unable to complete kveditor fix method" + \ "for /etc/sysctl.conf file\n" self.logger.log(LogPriority.DEBUG, debug) elif not self.editor1.commit(): success = False debug = "Unable to complete kveditor commit " + \ "method for /etc/sysctl.conf file\n" self.logger.log(LogPriority.DEBUG, debug) # permissions on file are incorrect if not checkPerms(sysctl, [0, 0, 0o644], self.logger): if not setPerms(sysctl, [0, 0, 0o644], self.logger): self.detailedresults += "Could not set permissions on " + \ sysctl + "\n" success = False resetsecon(sysctl) # here we also check the output of the sysctl command for each key # to cover all bases for key in self.sysctls: if self.ch.executeCommand("/sbin/sysctl " + key): output = self.ch.getOutputString().strip() errmsg = output + self.ch.getErrorString() if re.search("unknown key", errmsg): continue if not re.search(self.sysctls[key] + "$", output): undovalue = output[-1] self.ch.executeCommand("/sbin/sysctl -q -e -w " + key + "=" + self.sysctls[key]) retcode = self.ch.getReturnCode() if retcode != 0: success = False self.detailedresults += "Failed to set " + key + " = " + self.sysctls[key] + "\n" errmsg = self.ch.getErrorString() self.logger.log(LogPriority.DEBUG, errmsg) else: self.iditerator += 1 myid = iterate(self.iditerator, self.rulenumber) command = "/sbin/sysctl -q -e -w " + key + "=" + undovalue event = {"eventtype": "commandstring", "command": command} self.statechglogger.recordchgevent(myid, event) else: self.detailedresults += "Unable to get value for " + key + "\n" success = False # at the end do a print and ignore any key errors to ensure # the new values are read into the kernel self.ch.executeCommand("/sbin/sysctl -q -e -p") retcode2 = self.ch.getReturnCode() if retcode2 != 0: success = False self.detailedresults += "Failed to load new sysctl configuration from config file\n" errmsg2 = self.ch.getErrorString() self.logger.log(LogPriority.DEBUG, errmsg2) # correct the network file if it exists if netwrkfile: created = False if not os.path.exists(netwrkfile): if not createFile(netwrkfile, self.logger): success = False debug = "Unable to create " + netwrkfile + " file\n" self.logger.log(LogPriority.DEBUG, debug) else: created = True self.iditerator += 1 myid = iterate(self.iditerator, self.rulenumber) event = {"eventtype": "creation", "filepath": netwrkfile} self.statechglogger.recordchgevent(myid, event) tmpfile = netwrkfile + ".tmp" self.editor2 = KVEditorStonix(self.statechglogger, self.logger, "conf", netwrkfile, tmpfile, self.interface1, "present", "closedeq") self.editor2.report() if os.path.exists(netwrkfile): if not checkPerms(netwrkfile, [0, 0, 0o644], self.logger): if not created: self.iditerator += 1 myid = iterate(self.iditerator, self.rulenumber) if not setPerms(netwrkfile, [0, 0, 0o644], self.logger, self.statechglogger, myid): success = False if self.editor2: if self.editor2.fixables: self.iditerator += 1 myid = iterate(self.iditerator, self.rulenumber) self.editor2.setEventID(myid) if not self.editor2.fix(): success = False elif not self.editor2.commit(): success = False os.chown(netwrkfile, 0, 0) os.chmod(netwrkfile, 0o644) resetsecon(netwrkfile) if ifacefile: if os.path.exists(ifacefile): dirs = glob.glob(ifacefile + "*") if dirs: for loc in dirs: interface2 = {"IPV6_PRIVACY": "rfc3041"} # "IPV6_DEFAULTGW": self.gateway, # "IPV6ADDR":self.ipaddr} interface3 = {"IPV6_PRIVACY": "rfc3041"} # "IPV6_DEFAULTGW": self.gateway, # "IPV6ADDR":self.ipaddr} found = False tempstring = "" if re.search('^' + ifacefile + 'ifcfg', loc): filename = loc tmpfile = filename + ".tmp" contents = readFile(filename, self.logger) if not checkPerms(filename, [0, 0, 0o644], self.logger): self.iditerator += 1 myid = iterate(self.iditerator, self.rulenumber) if not setPerms(filename, [0, 0, 0o644], self.logger, self.statechglogger, myid): return False for key in interface2: found = False for line in contents: if re.search("^#", line) or \ re.match("^\s*$", line): continue if re.search("^" + key, line): if re.search("=", line): temp = line.split("=") if temp[1].strip() == \ interface2[key]: if found: continue found = True else: contents.remove(line) if found: del interface3[key] for line in contents: tempstring += line tempstring += universal for key in interface3: tempstring += key + "=" + interface3[key] + \ "\n" if not writeFile(tmpfile, tempstring, self.logger): return False self.iditerator += 1 myid = iterate(self.iditerator, self.rulenumber) event = {'eventtype': 'conf', 'filepath': filename} self.statechglogger.recordchgevent(myid, event) self.statechglogger.recordfilechange(filename, tmpfile, myid) os.rename(tmpfile, filename) os.chown(filename, 0, 0) os.chmod(filename, 0o644) resetsecon(filename) elif not os.path.exists(ifacefile) and ifacefile != "": # will not attempt to create the interface files self.detailedresults += "Interface directory which holds interface \ files, doesn't exist. Stonix will not attempt to make this \ directory or the files contained therein." success = False return success
def fix_security_limits(self): '''ensure the limits.conf file contains the configuration setting * hard core 0 :returns: succcess :rtype: bool @author: ??? ''' success = True path1 = "/etc/security/limits.conf" lookfor1 = "(^\*)\s+hard\s+core\s+0?" created = False if not os.path.exists(path1): if not createFile(path1, self.logger): success = False self.detailedresults += "Unable to create " + path1 + " file\n" else: created = True self.iditerator += 1 myid = iterate(self.iditerator, self.rulenumber) event = {"eventtype": "creation", "filepath": "path1"} self.statechglogger.recordchgevent(myid, event) if os.path.exists(path1): if not checkPerms(path1, [0, 0, 0o644], self.logger): if not created: self.iditerator += 1 myid = iterate(self.iditerator, self.rulenumber) if not setPerms(path1, [0, 0, 0o644], self.logger, self.statechglogger, myid): success = False self.detailedresults += "Unable to correct permissions on " + path1 + "\n" contents = readFile(path1, self.logger) found = False tempstring = "" if contents: for line in contents: if re.search(lookfor1, line.strip()): found = True else: tempstring += line else: found = False if not found: tempstring += "* hard core 0\n" tempfile = path1 + ".stonixtmp" if not writeFile(tempfile, tempstring, self.logger): success = False self.detailedresults += "Unable to write contents to " + path1 + "\n" else: if not created: self.iditerator += 1 myid = iterate(self.iditerator, self.rulenumber) event = {"eventtype": "conf", "filepath": path1} self.statechglogger.recordchgevent(myid, event) self.statechglogger.recordfilechange( path1, tempfile, myid) os.rename(tempfile, path1) setPerms(path1, [0, 0, 0o644], self.logger) resetsecon(path1) return success
def fixOther(self): config = "" success = True permswrong = False debug = "" if not os.path.exists(self.shadow): debug += "shadow or master.passwd file not present, \ cannot perform fix" self.logger.log(LogPriority.DEBUG, debug) return False statdata = os.stat(self.shadow) owner = statdata.st_uid group = statdata.st_gid mode = stat.S_IMODE(statdata.st_mode) if not checkPerms(self.shadow, [0, 0, 256], self.logger) or \ not checkPerms(self.shadow, [0, 0, 0], self.logger): permswrong = True if not setPerms(self.shadow, [0, 0, 256], self.logger): success = False contents = readFile(self.shadow, self.logger) if not contents: return False if self.empty: try: for line in contents: for user in self.empty: if re.search(":", line): temp = line.split(':') if temp[0] == user: tempstring = "" if temp[1].strip() == "": temp[1] = "!" tempstring = ":".join(temp) config += tempstring break else: config += line else: config += line continue except IndexError: raise except Exception: self.detailedresults += traceback.format_exc() + "\n" self.detailedresults += "Index out of range\n, stonix will \ not continue to complete fix" self.logger.log(LogPriority.DEBUG, self.detailedresults) return False tempfile = self.shadow + ".tmp" if not writeFile(tempfile, config, self.logger): success = False os.rename(tempfile, self.shadow) if permswrong: os.chown(self.shadow, 0, 0) os.chmod(self.shadow, 256) else: os.chown(self.shadow, owner, group) os.chmod(self.shadow, mode) return success