def apply(self, optionDict=None):
"""Create and replace the audit rules configuration."""
action_record = []
result, reason = self.scan(optionDict)
if result == 'Pass':
return 0, action_record
option = xml.sax.saxutils.unescape(optionDict['auditRules'])
if option[-1] != '\n':
option = option + '\n'
if os.path.exists(self.__target_file):
# Protect file
tcs_utils.protect_file(self.__target_file)
try:
out_obj = open(self.__target_file + '.new', 'w')
except IOError, err:
msg = "Unable to create temporary file (%s)." % str(err)
self.logger.error(self.module_name, 'Apply Error: ' + msg)
raise tcs_utils.ActionError('%s %s' % (self.module_name, msg))
out_obj.write(option)
out_obj.close()
action_record.append(
tcs_utils.generate_diff_record(self.__target_file + '.new',
self.__target_file))
try:
shutil.copymode(self.__target_file,
self.__target_file + '.new')
shutil.copy2(self.__target_file + '.new', self.__target_file)
sb_utils.SELinux.restoreSecurityContext(self.__target_file)
os.unlink(self.__target_file + '.new')
except (IOError, OSError), err:
msg = "Unable to replace %s with new version: %s" % (
self.__target_file, err)
self.logger.error(self.module_name, 'Apply Error: ' + msg)
raise tcs_utils.ActionError('%s %s' % (self.module_name, msg))
self.logger.error(self.module_name, 'Apply Error: ' + msg)
raise tcs_utils.ActionError('%s %s' % (self.module_name, msg))
for line_nr, line in enumerate(in_obj.xreadlines()):
if line.strip().split("=")[0] == 'SYSLOGD_OPTIONS' and \
'-r' in line.strip().split("=")[1]:
out_obj.write(line.replace('-r', ''))
msg = "Removing '-r' from SYSLOGD_OPTIONS at line %d" % line_nr
self.logger.notice(self.module_name, 'Apply Performed: ' + msg)
else:
out_obj.write(line)
in_obj.close()
out_obj.close()
action_record = tcs_utils.generate_diff_record(
self.__target_file + '.new', self.__target_file)
try:
shutil.copymode(self.__target_file, self.__target_file + '.new')
shutil.copy2(self.__target_file + '.new', self.__target_file)
sb_utils.SELinux.restoreSecurityContext(self.__target_file)
os.unlink(self.__target_file + '.new')
except OSError:
msg = "Unable to replace %s with new version" % self.__target_file
self.logger.error(self.module_name, 'Apply Error: ' + msg)
raise tcs_utils.ActionError('%s %s' % (self.module_name, msg))
msg = 'Remote rsyslog disabled.'
self.logger.notice(self.module_name, 'Apply Performed: ' + msg)
return 1, action_record
shutil.copymode(self.__target_file3, self.__target_file3 + '.new')
except (OSError, IOError), err:
msg = "Unable to create temporary %s.new file" % self.__target_file3
self.logger.error(self.module_name, 'Apply Error: ' + msg)
raise tcs_utils.ActionError('%s %s' % (self.module_name, msg))
msg = "Removing any lines beginning with '+' from %s" % self.__target_file3
self.logger.info(self.module_name, msg)
for line in in_obj:
if not line.startswith('+'):
out_obj.write(line)
in_obj.close()
out_obj.close()
action_record = tcs_utils.generate_diff_record(
self.__target_file1 + '.new', self.__target_file1)
action_record += '\n'
action_record += tcs_utils.generate_diff_record(
self.__target_file2 + '.new', self.__target_file2)
action_record += '\n'
action_record += tcs_utils.generate_diff_record(
self.__target_file3 + '.new', self.__target_file3)
try:
shutil.copymode(self.__target_file1, self.__target_file1 + '.new')
shutil.copy2(self.__target_file1 + '.new', self.__target_file1)
sb_utils.SELinux.restoreSecurityContext(self.__target_file1)
os.unlink(self.__target_file1 + '.new')
except (IOError, OSError):
# diff record to be used to restore it during an undo
tcs_utils.protect_file(self.__target_file)
newfile = self.__target_file + '.new'
oldfile = self.__target_file
try:
out_obj = open(newfile, 'w')
out_obj.write(new_lines)
out_obj.close()
except IOError, err:
msg = "Unable to create temporary file: %s" % str(err)
self.logger.error(self.module_name, 'Apply Error: ' + msg)
raise tcs_utils.ActionError('%s %s' % (self.module_name, msg))
action_record = tcs_utils.generate_diff_record(newfile, oldfile)
try:
shutil.copymode(oldfile, newfile)
shutil.copy2(newfile, oldfile)
sb_utils.SELinux.restoreSecurityContext(newfile)
os.unlink(newfile)
except (OSError, IOError), err:
msg = "Unable to replace %s with new version: %s" % (newfile,
str(err))
self.logger.error(self.module_name, 'Apply Error: ' + msg)
raise tcs_utils.ActionError('%s %s' % (self.module_name, msg))
msg = '%s configuration file created' % self.__target_file
self.logger.notice(self.module_name, 'Apply Performed: ' + msg)
return 1, action_record
made_change = False
for line in lines:
if auth.search(line) and not made_change:
# Insert the new line
out_obj.write(new_line)
made_change = True
else:
out_obj.write(line)
if made_change == False:
out_obj.write('\n# Added by OS Lockdown\n')
out_obj.write(new_line)
out_obj.close()
action_record = tcs_utils.generate_diff_record(
'/tmp/.default_login.new', '/etc/default/login')
try:
shutil.copymode('/etc/default/login', '/tmp/.default_login.new')
shutil.copy2('/tmp/.default_login.new', '/etc/default/login')
os.unlink('/tmp/.default_login.new')
except OSError:
msg = "Unable to replace /etc/default/login with new version."
self.logger.error(self.module_name, 'Apply Error: ' + msg)
raise tcs_utils.ActionError('%s %s' % (self.module_name, msg))
msg = 'RETRIES=3 set in /etc/default/login'
self.logger.notice(self.module_name, 'Apply Performed: ' + msg)
#
# /etc/security/policy.conf needs LOCK_AFTER_RETRIES=YES
break
except IndexError:
msg = "Apply Error: %s: malformed line %d" % \
(self.__target_file, line_count)
self.logger.error(self.module_name, msg)
break
outfile.write(line + '\n')
infile.close()
outfile.close()
action_record = tcs_utils.generate_diff_record(self.__tmp_file,
self.__target_file)
try:
shutil.copymode(self.__target_file, self.__tmp_file)
shutil.copy2(self.__tmp_file, self.__target_file)
os.unlink(self.__tmp_file)
except OSError:
msg = "Unable to replace %s with new version." % self.__target_file
self.logger.info(self.module_name, 'Apply Error: ' + msg)
raise tcs_utils.ActionError('%s %s' % (self.module_name, msg))
return 1, action_record
##########################################################################
def undo(self, change_record=None):
"""Undo previous change application."""
already_done[section][opt] = True
newline = opt + '=' + subkey[opt] + '\n'
msg = 'Apply Performed: Set ' + opt + ' = ' + subkey[
opt]
self.logger.info(self.module_name, msg)
else:
if already_done[section][opt] == True:
continue
already_done[section][opt] = True
out_obj.write(newline)
out_obj.close()
change_record = tcs_utils.generate_diff_record(
newfile, self.__gdm_file)
# Switch old file with new one while preserving permissions
try:
shutil.copymode(self.__gdm_file, newfile)
shutil.copy2(newfile, self.__gdm_file)
os.unlink(newfile)
except OSError, err:
msg = "Unable to replace %s with new version: %s" % \
(self.__gdm_file, err)
self.logger.error(self.module_name, 'Apply Error: ' + msg)
raise tcs_utils.ActionError('%s %s' % (self.module_name, msg))
#
# X11-Server - tcp_listen property should be set to false.
#
orig_line = regex3a.sub('=', orig_line)
orig_line = regex4.sub('\"', orig_line)
orig_line = regex5.sub('=\"', orig_line)
msg = "Removed . and :: from PATH in %s" \
% rc_script
self.logger.notice(self.module_name,
'Apply Performed: ' + msg)
out_obj.write(orig_line)
in_obj.close()
out_obj.close()
change_record += tcs_utils.generate_diff_record(tmpfile, rc_script)
try:
shutil.copymode(rc_script, tmpfile)
shutil.copy2(tmpfile, rc_script)
sb_utils.SELinux.restoreSecurityContext(rc_script)
os.unlink(tmpfile)
except (OSError, IOError), err:
msg = "Unable to replace %s with new version" % (rc_script, err)
self.logger.error(self.module_name, 'Apply Error: ' + msg)
if change_record == "":
return 0, ""
else:
return 1, change_record
if int(parval) != int(option):
out_obj.write('%s: %d\n' % (param, int(option)))
continue
out_obj.write(orig_line)
if found_it1 == False:
out_obj.write('dtsession*saverTimeout: %d\n' % int(option))
if found_it2 == False:
out_obj.write('dtsession*lockTimeout: %d\n' % int(option))
in_obj.close()
out_obj.close()
action_record.append(tcs_utils.generate_diff_record(conf_file + '.new',
conf_file) + '\n')
try:
shutil.copymode(conf_file, conf_file+ '.new')
shutil.copy2(conf_file + '.new', conf_file)
os.unlink(conf_file + '.new')
except OSError:
msg = "Unable to replace %s with new version." % conf_file
self.logger.error(self.module_name, 'Apply Error: ' + msg)
failure_flag = True
if failure_flag == True:
msg = 'Unable to set CDE screen saver options'
self.logger.error(self.module_name, 'Apply Failed: ' + msg)
return 0, ''
made_changes = False
for line in infile.readlines():
if pattern.search(line.strip()):
found_it = True
outfile.write(line)
if found_it == False:
made_changes = True
outfile.write('mount * hsfs udfs ufs -o nosuid\n')
infile.close()
outfile.close()
if made_changes == True:
action_record.append(tcs_utils.generate_diff_record(\
'/etc/rmmount.conf.new', '/etc/rmmount.conf'))
action_record.append('\n')
try:
shutil.copy2('/etc/rmmount.conf.new', '/etc/rmmount.conf')
os.unlink('/etc/rmmount.conf.new')
except OSError, err:
msg = 'Unable to update /etc/rmmount.conf: %s' % err
self.logger.info(self.module_name, 'Apply Error: ' + msg)
raise tcs_utils.ActionError('%s %s' % (self.module_name, msg))
msg = "Updated /etc/rmmount.conf"
self.logger.info(self.module_name, 'Apply Performed: ' + msg)
else:
try:
os.unlink('/etc/rmmount.conf.new')
out_obj.write(orig_line)
if found_it1 == False:
out_obj.write('*lock: true\n')
if found_it2 == False:
out_obj.write('*lockTimeout: 0:00:00\n')
if found_it3 == False:
out_obj.write('*timeout: 0:%02d:00\n' % int(option))
in_obj.close()
out_obj.close()
action_record.append(
tcs_utils.generate_diff_record(conf_file + '.new', conf_file) +
'\n')
try:
shutil.copymode(conf_file, conf_file + '.new')
shutil.copy2(conf_file + '.new', conf_file)
os.unlink(conf_file + '.new')
except OSError:
msg = "Unable to replace %s with new version." % conf_file
self.logger.error(self.module_name, 'Apply Error: ' + msg)
failure_flag = True
if failure_flag == True:
msg = 'Unable to set CDE screen saver options'
self.logger.error(self.module_name, 'Apply Failed: ' + msg)
return 0, ''
# file
##########################################################################
def generate_patch_entry(self, filename, newlines):
try:
tmpfile = open(self.__tmp_file, 'w')
except IOError, err:
msg = "Unable to create scratch file %s holding changes for %s: %s" % (
self.__tmp_file, filename, err)
self.logger.error(self.module_name, 'Apply Failed: ' + msg)
raise tcs_utils.ActionError('%s %s' % (self.module_name, msg))
tmpfile.writelines(newlines)
tmpfile.close()
change_record = tcs_utils.generate_diff_record(self.__tmp_file,
filename)
try:
shutil.copymode(filename, self.__tmp_file)
shutil.copy2(self.__tmp_file, filename)
sb_utils.SELinux.restoreSecurityContext(filename)
os.unlink(self.__tmp_file)
except (IOError), err:
msg = 'Apply Error: ' + str(err)
self.logger.error(self.module_name, msg)
raise tcs_utils.ActionError('%s %s' % (self.module_name, msg))
return change_record
##########################################################################
def apply(self, option=None):
self.logger.notice(self.module_name, "Apply Performed: " + msg)
messages['messages'].append(msg)
if key_count[key] > 1:
line = 'discard'
if line != 'discard':
out_obj.write(line+'\n')
for key in self.__opts.keys():
if key_count[key] == 0:
line = 'user_pref("' + key + '", ' + self.__opts[key] + ');'
out_obj.write(line+'\n')
out_obj.close()
change_record = tcs_utils.generate_diff_record(pref_file + '.new',
pref_file) + '\n'
action_record += change_record
try:
shutil.copymode(pref_file, pref_file + '.new')
shutil.copy2(pref_file + '.new', pref_file)
sb_utils.SELinux.restoreSecurityContext(pref_file)
os.unlink(pref_file + '.new')
except (OSError, IOError), err:
msg = "Unable to replace %s with new version: %s" % (pref_file, err)
self.logger.error(self.module_name, 'Apply Error: ' + msg)
raise tcs_utils.ActionError('%s %s' % (self.module_name, msg))
msg = pref_file + ' updated'
self.logger.notice(self.module_name, 'Apply Performed: ' + msg)
class SetMesgN:
"""
SetMesgN module restricts write access to a terminal to only the owner
"""
##########################################################################
def __init__(self):
self.module_name = "SetMesgN"
self.regex = re.compile(r'^(\s*[^#]?mesg\s+-?)([nNyY])')
self.logger = TCSLogger.TCSLogger.getInstance()
##########################################################################
def validate_input(self, option):
if option and option != 'None':
return 1
return 0
##########################################################################
def _change_one_file(self, action, fileName):
# generate exclusion list *early* to avoid cluttering log
sb_utils.file.exclusion.exlist()
# Protect file
tcs_utils.protect_file(fileName)
action_record = ""
madeChange = False
mesg_found = False
actionName = action[0].upper() + action[1:]
msg = "%s: Examining '%s' " % (actionName, fileName)
self.logger.debug(self.module_name, msg)
lines = []
try:
lines = open(fileName, 'r').readlines()
except Exception, err:
msg = "Unable to open file %s (%s)." % (fileName, str(err))
self.logger.error(self.module_name,
'%s Error: %s' % (actionName, msg))
numLines = len(lines)
for lr in range(numLines):
match = self.regex.search(lines[lr])
if match:
# print >>sys.stderr,"Found match at line %s:%d" % (fileName,lr)
mesg_found = True
newline = self.regex.sub(r'\1n', lines[lr])
mesg_found = True
if newline != lines[lr]:
msg = " found '%s' instead of '%s' at line %d of '%s'" % (
lines[lr].strip(), newline.strip(), lr + 1, fileName)
self.logger.notice(self.module_name,
"Scan Failure: %s" % msg)
madeChange = True
lines[lr] = newline
else:
msg = "%s: found '%s' at line %d of '%s'" % (
actionName, lines[lr].strip(), lr + 1, fileName)
self.logger.debug(self.module_name, msg)
# self.logger.info(self.module_name, 'Read %d lines from %s, mesg_found = %s' % (len(lines), fileName, mesg_found))
if mesg_found != True:
if numLines > 0 and not lines[-1].endswith("\n"):
lines.append("\n")
lines.append("mesg n\n")
madeChange = True
msg = "Error: Did not find any 'mesg' commands in '%s'" % (
fileName)
self.logger.notice(self.module_name, 'Scan Error: %s' % (msg))
if action == 'apply':
msg = "Added 'mesg n' to '%s'" % (fileName)
self.logger.notice(self.module_name, 'Apply: %s' % (msg))
if madeChange:
if action == 'apply':
try:
out_obj = open(fileName + '.new', 'w').writelines(lines)
except Exception, err:
msg = "Unable to create/write to temporary file (%s)." % str(
err)
self.logger.error(self.module_name, 'Apply Error: ' + msg)
raise tcs_utils.ActionError('%s %s' %
(self.module_name, msg))
action_record = tcs_utils.generate_diff_record(
fileName + '.new', fileName)
try:
shutil.copymode(fileName, fileName + '.new')
shutil.copy2(fileName + '.new', fileName)
sb_utils.SELinux.restoreSecurityContext(fileName)
os.unlink(fileName + '.new')
except OSError:
msg = "Unable to replace %s with new version." % fileName
self.logger.error(self.module_name, 'Apply Error: ' + msg)
raise tcs_utils.ActionError('%s %s' %
(self.module_name, msg))
else:
action_record = "Changed"
for line in in_obj:
linelist = line.split()
try:
if search_pattern.search(linelist[2]):
continue
if search_pattern.search(linelist[3]):
continue
except IndexError:
pass
out_obj.write(line)
in_obj.close()
out_obj.close()
action_record += tcs_utils.generate_diff_record(
pamfile + '.new', pamfile)
try:
shutil.copymode(pamfile, pamfile + '.new')
shutil.copy2(pamfile + '.new', pamfile)
sb_utils.SELinux.restoreSecurityContext(pamfile)
os.unlink(pamfile + '.new')
except (IOError, OSError):
msg = "Unable to replace %s with new version" % pamfile
self.logger.error(self.module_name, 'Apply Error: ' + msg)
raise tcs_utils.ActionError('%s %s' % (self.module_name, msg))
msg = 'Disabled rhosts support.'
self.logger.notice(self.module_name, 'Apply Performed: ' + msg)
return 1, action_record
