def checklogindefs(self): '''report method for various distros of linux and solaris''' compliant = True debug = "" if not os.path.exists(self.logdeffile): compliant = False self.detailedresults += self.logdeffile + " file does not exist\n" elif not checkPerms(self.logdeffile, [0, 0, 0o644], self.logger): compliant = False self.detailedresults += self.logdeffile + " does not have " + \ "the correct permissions. Expected 644, found " + \ str(getOctalPerms(self.logdeffile)) + ".\n" tmpfile = self.logdeffile + ".tmp" self.editor1 = KVEditorStonix(self.statechglogger, self.logger, "conf", self.logdeffile, tmpfile, self.specs, "present", "space") if not self.editor1.report(): self.detailedresults += self.logdeffile + " does not " + \ "contain the correct contents\n" debug = self.logdeffile + " doesn't contain the correct " + \ "contents\n" self.logger.log(LogPriority.DEBUG, debug) compliant = False return compliant
def checklogindefs(self): """ Method to check the password hash algorithm settings in login.defs :return: compliant :rtype: bool """ compliant = True if os.path.exists(self.logindefs): if not checkPerms(self.logindefs, [0, 0, 0o644], self.logger): self.detailedresults += "Permissions incorrect for " + \ self.logindefs + " file\n" compliant = False data = {"MD5_CRYPT_ENAB": "no", "ENCRYPT_METHOD": "SHA512", "PASS_MAX_DAYS": "180", "PASS_MIN_DAYS": "1", "PASS_WARN_AGE": "7", "FAIL_DELAY": "4"} tmppath = self.logindefs + ".stonixtmp" self.editor2 = KVEditorStonix(self.statechglogger, self.logger, "conf", self.logindefs, tmppath, data, "present", "space") if not self.editor2.report(): debug = self.logindefs + " doesn't contain the correct " + \ "contents\n" self.detailedresults += self.logindefs + " doesn't contain " + \ "the correct contents\n" self.logger.log(LogPriority.DEBUG, debug) compliant = False return compliant
def report(self): '''The report method examines the current configuration and determines whether or not it is correct. If the config is correct then the self.compliant, self.detailedresults and self.currstate properties are updated to reflect the system status. self.rulesuccess will be updated if the rule does not succeed. Perform a check to see if PROMPT has been set to 'no' or not :returns: bool @author bemalmbe @change: dwalker ''' try: self.detailedresults = "" compliant = True self.perms = [0, 0, 420] self.helper = Pkghelper(self.logger, self.environ) if self.helper.manager == "portage": self.filepath = "/etc/conf.d/rc" keyval = {"RC_INTERACTIVE": "no"} elif self.helper.manager == "zypper": self.filepath = "/etc/sysconfig/boot" keyval = {"PROMPT_FOR_CONFIRM": "no"} elif self.helper.manager == "apt-get": self.filepath = "/etc/default/grub" keyval = {"GRUB_DISABLE_RECOVERY": '"true"'} self.restart = "/usr/sbin/update-grub" elif self.helper.manager == "yum" or self.helper.manager == "dnf": self.filepath = "/etc/sysconfig/init" keyval = {"PROMPT": "no"} tmpPath = self.filepath + ".tmp" if not os.path.exists(self.filepath): if createFile(self.filepath, self.logger): self.created = True if not checkPerms(self.filepath, self.perms, self.logger): compliant = False self.detailedresults += "Permissions are not correct on " + \ self.filepath + "\n" self.editor = KVEditorStonix(self.statechglogger, self.logger, "conf", self.filepath, tmpPath, keyval, "present", "closedeq") if os.path.exists(self.filepath): if not self.editor.report(): self.detailedresults += "Configuration for " + \ self.filepath + " is incorrect via kveditor report\n" compliant = False self.compliant = compliant except (KeyboardInterrupt, SystemExit): raise except Exception: self.rulesuccess = False self.detailedresults += "\n" + traceback.format_exc() self.logdispatch.log(LogPriority.ERROR, self.detailedresults) self.formatDetailedResults("report", self.compliant, self.detailedresults) self.logdispatch.log(LogPriority.INFO, self.detailedresults) return self.compliant
def _report_conf(self): """ :return: configured :rtype: bool """ configured = True self.time_conf_dict = { "driftfile": "/var/lib/chrony/drift", "makestep": "1.0 3", "rtcsync": "", "logdir": "/var/log/chrony", "cmddeny": "all", "server": [] } for ts in self.time_servers: self.time_conf_dict["server"].append(ts) tmpfile = self.time_conf_file + ".stonixtmp" self.time_conf_editor = KVEditorStonix(self.statechglogger, self.logger, "conf", self.time_conf_file, tmpfile, self.time_conf_dict, "present", "space") if not self.time_conf_editor.report(): configured = False self.detailedresults += "\nThe following configuration options are incorrect in " + str( self.time_conf_file) + ":\n" + "\n".join( self.time_conf_editor.fixables) return configured
def reportFreebsd1(self): '''Freebsd specific report method1 that ensures the items in the file exist in /etc/sysctl.conf. Sets self.compliant to True if all items exist in the file. Returns True if successful in updating the file :returns: bool ''' compliant = True if not os.path.exists(self.path): self.detailedresults += self.path + " does not exist\n" compliant = False else: ffc = {"net.inet.icmp.bmcastecho": "0", "net.inet.ip.redirect": "0", "net.inet.icmp.maskrepl": "0", "net.inet.ip.sourceroute": "0", "net.inet.ip.accept_sourceroute": "0", "net.inet.tcp.syncookies": "1"} kvtype = "conf" intent = "present" self.editor = KVEditorStonix(self.statechglogger, self.logger, kvtype, self.path, self.tmpPath, ffc, intent, "openeq") if not self.editor.report(): compliant = False if not checkPerms(self.path, [0, 0, 0o644], self.logger): self.detailedresults += "Permissions are incorrect on " + \ self.path + ": Expected 644, found " + \ str(getOctalPerms(self.path)) + "\n" compliant = False return compliant
def reportFreebsd2(self): '''Freebsd specific report method1 that ensures the items in fileContents exist in /etc/sysctl.conf. Sets self.compliant to True if all items exist in the file. Returns True if successful in updating the file :returns: bool ''' compliant = True if not os.path.exists(self.path): self.detailedresults += self.path + " does not exist\n" compliant = False else: ffc = {"net.inet.ip.forwarding": "0", "net.inet.ip.fastforwarding": "0"} if not self.networkTuning1.getcurrvalue(): kvtype = "conf" intent = "present" self.editor = KVEditorStonix(self.statechglogger, self.logger, kvtype, self.path, self.tmpPath, ffc, intent, "closedeq") else: self.editor.setData(ffc) if not self.editor.report(): compliant = False if not checkPerms(self.path, [0, 0, 0o644], self.logger): self.detailedresults += "Permissions are incorrect on " + \ self.path + ": Expected 644, found " + \ str(getOctalPerms(self.path)) + "\n" compliant = False return compliant
def reportUbuntu(self): compliant = True results = "" ldmover = "/etc/init/lightdm.override" grub = "/etc/default/grub" if os.path.exists(ldmover): lightdmText = readFile(ldmover, self.logger) if not re.search("manual", lightdmText[0], re.IGNORECASE): compliant = False results += ldmover + ' exists, but does not contain text ' + \ '"manual". GUI logon is still enabled\n' else: compliant = False results += ldmover + " does not exist; GUI logon is enabled\n" if os.path.exists(grub): tmppath = grub + ".tmp" data = {"GRUB_CMDLINE_LINUX_DEFAULT": '"quiet"'} editor = KVEditorStonix(self.statechglogger, self.logger, "conf", grub, tmppath, data, "present", "closedeq") if not editor.report(): compliant = False results += grub + " does not contain the correct values: " + \ str(data) else: compliant = False results += "Cannot find file " + grub if not compliant: results += "/etc/init does not contain proper override file " + \ "for lightdm; GUI logon is enabled\n" return compliant, results
def reportcommon(self): '''run report functionality which is common to all platforms :returns: retval :rtype: boolean @author: Breen Malmberg ''' compliant = True if not os.path.exists(self.sshdfile): self.detailedresults += "Required configuration file " + self.ssdhfile + \ " does not exist.\n" return False contents = readFile(self.sshdfile, self.logger) self.commoneditor = KVEditorStonix(self.statechglogger, self.logger, "conf", self.sshdfile, self.sshdfile + ".tmp", self.sshbannerdict, "present", "space") if not self.commoneditor.report(): compliant = False self.detailedresults += self.sshdfile + " doesn't contain correct contents\n" return compliant
def report_aide_conf(self): """ :return: compliant :rtype: bool """ compliant = True aide_conf_dict = { "/boot": "R", "/etc": "R", "/lib": "R", "/lib64": "R", "/sbin$": "R" } tmppath = self.aide_conf_file + ".stonixtmp" self.aide_conf_editor = KVEditorStonix(self.statechglogger, self.logger, "conf", self.aide_conf_file, tmppath, aide_conf_dict, "present", "space") if not self.aide_conf_editor.report(): compliant = False self.detailedresults += "\nThe following aide conf file options are incorrect:\n" + "\n".join( self.aide_conf_editor.fixables) return compliant
def auditrclocal(self): """ check whether the rclocal configuration file contains the correct stonixBootSecurity line entry :return: compliant - boolean; True if compliant, False if not """ compliant = True try: tmppath = self.rc_boot_script + ".stonixtmp" data = {"python3": self.rc_boot_script} self.rc_boot_security_editor = KVEditorStonix( self.statechglogger, self.logdispatch, "conf", self.rc_boot_script, tmppath, data, "present", "space") if not self.rc_boot_security_editor.report(): self.detailedresults += "\nThe following config line is missing or incorrect from " + str( self.rc_boot_script) + "\n" + "\n".join( self.rc_boot_security_editor.fixables) compliant = False except: raise return compliant
def reportsolaris(self): '''because solaris has to be different :returns: bool @author bemalmbe ''' # set kve arguments for reportsolaris and fixsolaris compliant = True directive = {'permitrootlogin': '******'} kvpath = '/etc/ssh/sshd_config' kvtype = 'conf' kvtmppath = self.kvpath + '.stonixtmp' kvintent = 'present' kvconftype = 'space' if not checkPerms(kvpath, [0, 3, 420], self.logger): compliant = False self.editor = KVEditorStonix(self.statechglogger, self.logger, kvtype, kvpath, kvtmppath, directive, kvintent, kvconftype) if not self.editor.report(): compliant = False return compliant
def report(self): try: self.detailedresults = "" self.ph = Pkghelper(self.logger, self.environ) self.data1 = { "ddns-update-style": "none;", "deny": ["declines;", "bootp;"] } self.data2 = [ "domain-name", "domain-name-servers", "nis-domain", "nis-servers", "ntp-servers", "routers", "time-offset" ] if self.ph.manager == "zypper": self.path = "/etc/dhcpd.conf" elif self.ph.manager == "yum" or self.ph.manager == "dnf": self.path = "/etc/dhcp/dhcpd.conf" elif self.ph.manager == "apt-get": self.path = "/etc/dhcp/dhcpd.conf" self.tmppath = self.path + ".tmp" compliant = True if os.path.exists(self.path): if not checkPerms(self.path, [0, 0, 0o644], self.logger): self.detailedresults += "The permissions on " + \ self.path + " are incorrect\n" compliant = False self.editor = KVEditorStonix(self.statechglogger, self.logger, "conf", self.path, self.tmppath, self.data1, "present", "space") if not self.editor.report(): self.detailedresults += self.path + " doesn't contain " + \ "the correct contents\n" compliant = False contents = readFile(self.path, self.logger) for line in contents: if re.match('^#', line) or re.match(r'^\s*$', line): continue if re.search("^option", line): linesplit = line.split() if len(linesplit) >= 2: for item in self.data2: if re.search(item, linesplit[1]): compliant = False self.detailedresults += "Unwanted " + \ "option found in " + self.path + \ ": " + line self.compliant = compliant except (KeyboardInterrupt, SystemExit): raise except Exception: self.rulesuccess = False self.detailedresults += "\n" + traceback.format_exc() self.logdispatch.log(LogPriority.ERROR, self.detailedresults) self.formatDetailedResults("report", self.compliant, self.detailedresults) self.logdispatch.log(LogPriority.INFO, self.detailedresults) return self.compliant
def fix(self): """set root's default PATH environment variable to vendor default :return: self.rulesucces - True if fix succeeds; False if not :rtype: bool """ try: self.detailedresults = "" if not self.ci.getcurrvalue(): return success = True if not self.vendorDefault: os.environ['PATH'] = self.defaultPath if re.search("darwin", self.myos): root = "/var/root/" else: root = "/root/" checkFiles = [root + ".profile", root + ".bashrc"] for checkFile in checkFiles: if not os.path.exists(checkFile): open(checkFile, "w") tmppath = checkFile + ".tmp" data = {"PATH": self.defaultPath} self.editor = KVEditorStonix(self.statechglogger, self.logger, "conf", checkFile, tmppath, data, "present", "closedeq") if not self.editor.report(): if self.editor.fix(): if not self.editor.commit(): success = False self.detailedresults += "Failed to commit " + \ "changes to " + checkFile + "\n" else: success = False self.detailedresults += "Error fixing file " + \ checkFile + "\n" self.rulesuccess = success except (KeyboardInterrupt, SystemExit): raise except Exception: self.rulesuccess = False self.detailedresults += "\n" + traceback.format_exc() self.logdispatch.log(LogPriority.ERROR, self.detailedresults) self.formatDetailedResults("fix", self.rulesuccess, self.detailedresults) self.logdispatch.log(LogPriority.INFO, self.detailedresults) return self.rulesuccess
def reportLinux1(self): '''Linux specific report method that ensures the items in fileContents exist in /etc/sysctl.conf. Sets self.compliant to True if all items exist in the file. Returns True if successful in updating the file :returns: bool ''' compliant = True if not os.path.exists(self.path): self.detailedresults += self.path + " does not exist\n" compliant = False else: lfc = {"net.ipv4.conf.all.secure_redirects": "0", "net.ipv4.conf.all.accept_redirects": "0", "net.ipv4.conf.all.rp_filter": "1", "net.ipv4.conf.all.log_martians": "1", "net.ipv4.conf.all.accept_source_route": "0", "net.ipv4.conf.default.accept_redirects": "0", "net.ipv4.conf.default.secure_redirects": "0", "net.ipv4.conf.default.rp_filter": "1", "net.ipv4.conf.default.accept_source_route": "0", "net.ipv4.tcp_syncookies": "1", "net.ipv4.icmp_echo_ignore_broadcasts": "1", "net.ipv4.tcp_max_syn_backlog": "4096"} editor = KVEditorStonix(self.statechglogger, self.logger, "conf", self.path, self.tmpPath, lfc, "present", "openeq") if not editor.report(): self.detailedresults += self.path + " is not configured " + \ "correctly for configuration item 1\n" compliant = False if not checkPerms(self.path, [0, 0, 0o644], self.logger): self.detailedresults += "Permissions are incorrect on " + \ self.path + "\n" compliant = False for key in lfc: self.ch.executeCommand("/sbin/sysctl " + key) retcode = self.ch.getReturnCode() if retcode != 0: self.detailedresults += "Failed to get value of core dumps configuration with sysctl command\n" errmsg = self.ch.getErrorString() self.logger.log(LogPriority.DEBUG, errmsg) compliant = False else: output = self.ch.getOutputString() if output.strip() != key + " = " + lfc[key]: compliant = False self.detailedresults += "sysctl output has incorrect value: " + \ output + "\n" return compliant
def setpwquality(self): """ :return: """ success = True created = False pwqfile = "/etc/security/pwquality.conf" if not os.path.exists(pwqfile): createFile(pwqfile, self.logger) self.iditerator += 1 myid = iterate(self.iditerator, self.rulenumber) event = {'eventtype': 'creation', 'filepath': pwqfile} self.statechglogger.recordchgevent(myid, event) created = True tmpfile = pwqfile + ".stonixtmp" if self.environ.getsystemfismacat() == "high": data = {"difok": "7", "minlen": "14", "dcredit": "0", "ucredit": "0", "lcredit": "0", "ocredit": "0", "maxrepeat": "3", "minclass": "4"} else: data = {"difok": "7", "minlen": "8", "dcredit": "0", "ucredit": "0", "lcredit": "0", "ocredit": "0", "maxrepeat": "3", "minclass": "3"} self.pwqeditor = KVEditorStonix(self.statechglogger, self.logger, "conf", pwqfile, tmpfile, data, "present", "openeq") self.pwqeditor.report() if self.pwqeditor.fixables: if self.pwqeditor.fix(): if not created: self.iditerator += 1 myid = iterate(self.iditerator, self.rulenumber) self.pwqeditor.setEventID(myid) if not self.pwqeditor.commit(): success = False self.detailedresults += "Unable to correct " + pwqfile + "\n" else: success = False self.detailedresults += "Unable to correct " + pwqfile + "\n" return success
def report(self): try: if self.isDebian: path = "/etc/default/prelink" else: path = "/etc/sysconfig/prelink" self.path = path prelink = "/usr/sbin/prelink" self.compliant = True self.detailedresults = "" if os.path.exists(path): tmppath = path + ".tmp" data = {"PRELINKING": "no"} self.editor = KVEditorStonix(self.statechglogger, self.logger, "conf", path, tmppath, data, "present", "closedeq") if not self.editor.report(): self.compliant = False self.detailedresults += path + " does not have the " + \ "correct settings.\n" else: self.compliant = False self.detailedresults += path + " does not exist.\n" if os.path.exists(prelink): self.ch.executeCommand([prelink, "-p"]) output = self.ch.getOutputString() splitout = output.split() try: if len(splitout) > 0: numPrelinks = int(splitout[0]) # Potential ValueError if numPrelinks > 0: self.compliant = False self.detailedresults += "There are currently " + \ str(numPrelinks) + " prelinked binaries.\n" except ValueError: debug = "Unexpected result from " + prelink + ". This " + \ "does not affect compliance." self.logger.log(LogPriority.DEBUG, debug) self.detailedresults += debug + "\n" except (KeyboardInterrupt, SystemExit): raise except Exception: self.rulesuccess = False self.detailedresults += "\n" + traceback.format_exc() self.logdispatch.log(LogPriority.ERROR, self.detailedresults) self.formatDetailedResults("report", self.compliant, self.detailedresults) self.logdispatch.log(LogPriority.INFO, self.detailedresults) return self.compliant
def report(self): """ ConfigureScreenLocking.report() method to report whether system is configured with a sudoers group. @author: dwalker :param self: essential if you override this definition :returns: bool - True if system is compliant, False if it isn't """ try: self.detailedresults = "" self.compliant = True if not self.sudoers_file: self.detailedresults += "\nCan't find sudoers file!" self.compliant = False elif not os.path.isfile(self.sudoers_file): self.detailedresults += "\nCan't find sudoers file!" self.compliant = False else: self.sudoers_backup = self.sudoers_file + ".stonixbak" tmppath = self.sudoers_file + ".stonixtmp" self.sudoers_editor = KVEditorStonix(self.statechglogger, self.logger, "conf", self.sudoers_file, tmppath, self.sudoers_opts, "present", "space") if not self.sudoers_editor.report(): if self.sudoers_editor.fixables: self.detailedresults += "\nThe following configuration options are missing or incorrect in the sudoers file:\n" + "\n".join( self.sudoers_editor.fixables) self.compliant = False else: self.detailedresults += "\nOne or more configuration options are missing or incorrect in the sudoers file" self.compliant = False except (KeyboardInterrupt, SystemExit): raise except Exception: self.compliant = False self.detailedresults += "\n" + traceback.format_exc() self.logdispatch.log(LogPriority.ERROR, self.detailedresults) self.formatDetailedResults("report", self.compliant, self.detailedresults) self.logdispatch.log(LogPriority.INFO, self.detailedresults) return self.compliant
def chkosx(self): ''' ''' globalprefs = "/Library/Preferences/.GlobalPreferences.plist" globalprefstemp = globalprefs + ".stonixtmp" timeout = self.timeoutci.getcurrvalue() * 60 data = { "com.apple.autologout.AutoLogOutDelay": [str(timeout), "-int " + str(timeout)] } self.editor = KVEditorStonix(self.statechglogger, self.logger, "defaults", globalprefs, globalprefstemp, data, "present") return self.editor.report()
def checklibuser(self): '''Private method to check the password hash algorithm settings in libuser.conf. @author: dwalker :returns: bool ''' compliant = True '''check if libuser is intalled''' if not self.ph.check("libuser"): '''if not, check if available''' if self.ph.checkAvailable("libuser"): self.detailedresults += "libuser available but not installed\n" return False else: '''not available, not a problem''' return True '''create a kveditor for file if it exists, if not, we do it in the setlibuser method inside the fix''' if os.path.exists(self.libuserfile): data = {"userdefaults": {"LU_SHADOWMAX": "", "LU_SHADOWMIN": "", "LU_SHADOWWARNING": "", "LU_UIDNUMBER": "", "LU_SHADOWINACTIVE": "", "LU_SHADOWEXPIRE": ""}} datatype = "tagconf" intent = "notpresent" tmppath = self.libuserfile + ".tmp" self.editor2 = KVEditorStonix(self.statechglogger, self.logger, datatype, self.libuserfile, tmppath, data, intent, "openeq") if not self.editor2.report(): debug = "/etc/libuser.conf doesn't contain the correct " + \ "contents\n" self.detailedresults += "/etc/libuser.conf doesn't " + \ "contain the correct contents\n" self.logger.log(LogPriority.DEBUG, debug) compliant = False if not checkPerms(self.libuserfile, [0, 0, 0o644], self.logger): self.detailedresults += "Permissions are incorrect on " + \ self.libuserfile + "\n" compliant = False else: self.detailedresults += "Libuser installed but libuser " + \ "file doesn't exist\n" compliant = False return compliant
def reportSSHFile(self, sshfile, directives): """ Report configuration options of config files :param: sshfile - filepath string :param: directives - dictionary of desired directives :return: compliant :rtype: bool """ compliant = True debug = "" directives = dict(directives) tpath = sshfile + ".tmp" if os.path.exists(sshfile): if re.search("Ubuntu", self.environ.getostype()): if sshfile == "/etc/ssh/sshd_config": del (directives["GSSAPIAuthentication"]) del (directives["KerberosAuthentication"]) elif sshfile == "/etc/ssh/ssh_config": del (directives["GSSAPIAuthentication"]) elif self.environ.getostype() == "Mac OS X" and self.mac_piv_auth_CI.getcurrvalue(): if sshfile == "/private/etc/ssh/sshd_config": directives["PasswordAuthentication"] = "no" self.server = directives editor = KVEditorStonix(self.statechglogger, self.logger, "conf", sshfile, tpath, directives, "present", "space") if not editor.report(): self.detailedresults += "Did not find the correct " + \ "contents in sshd_config\n" compliant = False # for ubuntu systems we want to make sure the following two # directives don't exist in the server file if re.search("Ubuntu", self.environ.getostype()): if sshfile == "/etc/ssh/sshd_config": directives = {"GSSAPIAuthentication": "", "KerberosAuthentication": ""} elif sshfile == "/etc/ssh/ssh_config": directives = {"GSSAPIAuthentication": ""} editor.setIntent("notpresent") editor.setData(directives) if not editor.report(): self.detailedresults += "didn't find the correct" + \ " contents in sshd_config\n" self.logger.log(LogPriority.DEBUG, debug) compliant = False if not checkPerms(sshfile, [0, 0, 0o644], self.logger): self.detailedresults += "Incorrect permissions for " + \ "file " + self.serverfile + "\n" compliant = False else: self.detailedresults += sshfile + " does not exist\n" compliant = False return compliant
def report(self): '''check for the existence of the AppleCameraInterface driver in the output of kexstat. Report non-compliant if found. Report compliant if not found. :returns: self.compliant :rtype: bool @author: Breen Malmberg @change: dwalker - ??? - ??? @change: Breen Malmberg - 1/19/2017 - minor doc string edit; minor refactor @change: dwalker 10/3/2017 updated to check for a profile value ''' try: self.detailedresults = "" self.compliant = True if not self.camprofile: self.detailedresults += "Could not locate the appropriate camera disablement profile for your system.\n" self.compliant = False self.formatDetailedResults("report", self.compliant, self.detailedresults) self.logdispatch.log(LogPriority.INFO, self.detailedresults) return self.compliant if os.path.exists(self.camprofile): cameradict = {"com.apple.applicationaccess": {"allowCamera": {"val": "0", "type": "bool", "accept": "", "result": False}}} self.cameditor = KVEditorStonix(self.statechglogger, self.logger, "profiles", self.camprofile, "", cameradict, "", "") if not self.cameditor.report(): self.detailedresults += "iSight camera is not disabled\n" self.compliant = False else: self.detailedresults += self.camprofile + " doesn't exist\n" self.compliant = False self.detailedresults += "Due to a Mac OS issue, having multiple camera profiles " + \ "installed with conflicting values may allow any camera, " + \ "internal or external to still function. If a rule is coming " + \ "back compliant but your camera is still working, check your " + \ "installed profiles and remove any other restriction based profiles.\n" except (KeyboardInterrupt, SystemExit): raise except Exception as err: self.rulesuccess = False self.detailedresults = self.detailedresults + "\n" + str(err) + \ " - " + str(traceback.format_exc()) self.logdispatch.log(LogPriority.ERROR, self.detailedresults) self.formatDetailedResults("report", self.compliant, self.detailedresults) self.logdispatch.log(LogPriority.INFO, self.detailedresults) return self.compliant
def _report_configuration(self): """ :return: compliant :rtype: bool """ compliant = True if self.ostype == "Mac OS X": self.conf_file = "" conf_files = ["/etc/rc.conf", "/etc/rc.common"] for cf in conf_files: if os.path.isfile(cf): self.conf_file = cf break tmpfile = self.conf_file + ".stonixtmp" config_data = {"accounting_enable": "YES"} self.conf_editor = KVEditorStonix(self.statechglogger, self.logger, "conf", self.conf_file, tmpfile, config_data, "present", "closedeq") if not self.conf_editor.report(): compliant = False else: if not os.path.isfile(self.sysstat_service_file): compliant = False self.detailedresults += "\nSystem accounting service file is missing" else: f = open(self.sysstat_service_file, "r") contents = f.read() f.close() if self.sysstat_service_file != "/etc/init.d/sysstat": if contents != self.sysstat_service_contents: compliant = False self.detailedresults += "\nSystem accounting service file has incorrect contents" if os.path.isfile("/etc/default/sysstat"): f = open("/etc/default/sysstat", "r") contents = f.read() f.close() if not re.search('ENABLED="true"', contents): compliant = False self.detailedresults += "\n/etc/default/sysstat file has incorrect contents" return compliant
def reportMac(self): '''Mac specific report method1 that ensures the items in fileContents exist in /etc/sysctl.conf. Sets self.compliant to True if all items exist in the file. :returns: compliant :rtype: bool @author: dwalker @change: Breen Malmberg - 1/10/2017 - minor doc string adjustments; fixed permissions on file /etc/sysctl.conf (needs to be 0o600; was 0o644); try/except ''' compliant = True try: self.editor = None if not os.path.exists(self.path): self.detailedresults += self.path + " does not exist\n" compliant = False else: mfc = {"net.inet.ip.forwarding": "0", "net.inet.ip.redirect": "0"} kvtype = "conf" intent = "present" self.editor = KVEditorStonix(self.statechglogger, self.logger, kvtype, self.path, self.tmpPath, mfc, intent, "closedeq") if not self.editor.report(): self.detailedresults += self.path + " is not " + \ "configured correctly\n" compliant = False else: self.detailedresults += self.path + " is " + \ "configured correctly\n" if not checkPerms(self.path, [0, 0, 0o600], self.logger): self.detailedresults += "Permissions are incorrect on " + \ self.path + ": Expected 644, found " + \ str(getOctalPerms(self.path)) + "\n" compliant = False except Exception: raise return compliant
def report_yum(self): """ :return: """ compliant = True tmppath = self.yum_conf_file + ".stonixtmp" self.yum_conf_editor = KVEditorStonix(self.statechglogger, self.logger, "conf", self.yum_conf_file, tmppath, self.yum_conf_dict, "present", "closedeq") if not self.yum_conf_editor.report(): compliant = False self.detailedresults += "\nThe following configuration options are incorrect in " + str(self.yum_conf_file) + ":\n" + "\n".join(self.yum_conf_editor.fixables) return compliant
def report(self): try: results = "" compliant = True path1 = "/private/etc/sshd_config" path2 = "/private/etc/ssh/sshd_config" if self.usesSip(): if os.path.exists(path2): self.path = path2 elif os.path.exists(path1): self.path = path1 else: compliant = False results += "Could not find path to sshd_config file\n" else: if os.path.exists(path1): self.path = path1 elif os.path.exists(path2): self.path = path2 else: compliant = False results += "Could not find path to sshd_config file\n" self.tmppath = self.path + ".tmp" if os.path.exists(self.path): self.editor = KVEditorStonix(self.statechglogger, self.logger, "conf", self.path, self.tmppath, self.ssh, "present", "space") if not self.editor.report(): compliant = False results += "Settings in " + self.path + " are not " + \ "correct\n" if not checkPerms(self.path, [0, 0, 0o644], self.logger): compliant = False results += self.path + " permissions are incorrect\n" self.detailedresults = results self.compliant = compliant except (KeyboardInterrupt, SystemExit): # User initiated exit raise except Exception: self.rulesuccess = False self.detailedresults += "\n" + traceback.format_exc() self.logdispatch.log(LogPriority.ERROR, self.detailedresults) self.formatDetailedResults("report", self.compliant, self.detailedresults) self.logdispatch.log(LogPriority.INFO, self.detailedresults) return self.compliant
def fixLogDef(self, specs): success = True debug = "" if not os.path.exists(self.logdeffile): if createFile(self.logdeffile, self.logger): self.logindefcreate = True setPerms(self.logdeffile, [0, 0, 0o644], self.logger) tmpfile = self.logdeffile + ".tmp" self.editor1 = KVEditorStonix(self.statechglogger, self.logger, "conf", self.logdeffile, tmpfile, specs, "present", "space") else: self.detailedresults += "Was not able to create " + \ self.logdeffile + " file\n" success = False if self.logindefcreate: self.iditerator += 1 myid = iterate(self.iditerator, self.rulenumber) event = {"eventtype": "creation", "filepath": self.logdeffile} self.statechglogger.recordchgevent(myid, event) elif not checkPerms(self.logdeffile, [0, 0, 0o644], self.logger): self.iditerator += 1 myid = iterate(self.iditerator, self.rulenumber) if not setPerms(self.logdeffile, [0, 0, 0o644], self.logger, self.statechglogger, myid): debug += "permissions not correct on: " + \ self.logdeffile + "\n" success = False if self.editor1.fixables or self.editor1.removeables: if not self.logindefcreate: self.iditerator += 1 myid = iterate(self.iditerator, self.rulenumber) self.editor1.setEventID(myid) if not self.editor1.fix(): debug += "fixLogDef editor.fix did not complete successfully\n" success = False elif not self.editor1.commit(): debug += "fixLogDef editor.commit did not complete successfully\n" success = False os.chown(self.logdeffile, 0, 0) os.chmod(self.logdeffile, 0o644) resetsecon(self.logdeffile) if debug: self.logger.log(LogPriority.DEBUG, debug) return success
def report(self): """ :return: self.compliant :rtype: bool """ self.detailedresults = "" self.compliant = True basedir = "/etc/gdm/" try: # if there is no gdm folder then there is likely no reason to configure it if not os.path.isdir(basedir): self.logger.log(LogPriority.DEBUG, "Rule does not apply to this system in its current state") return self.compliant kvtype = "tagconf" path = basedir + "custom.conf" tmppath = path + ".stonixtmp" data = {"daemon": {"AutomaticLoginEnable": "False", "TimedLoginEnable": "False"}} intent = "present" delimiter = "closedeq" self.gdm_editor = KVEditorStonix(self.statechglogger, self.logger, kvtype, path, tmppath, data, intent, delimiter) if not self.gdm_editor.report(): self.compliant = False try: self.detailedresults += "\nThe following config options in " + str(path) + " are incorrect:\n" + "\n".join(self.gdm_editor.fixables) except: self.detailedresults += "\nOne or more config options in " + str(path) + " are incorrect" except (KeyboardInterrupt, SystemExit): raise except Exception: self.compliant = False self.detailedresults += "\n" + traceback.format_exc() self.logdispatch.log(LogPriority.ERROR, self.detailedresults) self.formatDetailedResults("report", self.compliant, self.detailedresults) self.logdispatch.log(LogPriority.INFO, self.detailedresults) return self.compliant
def check_showfailed_logins(self): """ config file: /etc/pam.d/postlogin-ac config option: session required pam_lastlog.so showfailed :return: """ configured = True search_line = {"session": "required pam_lastlog.so showfailed"} config_file = "/etc/pam.d/postlogin-ac" tmpfile = config_file + ".stonixtmp" self.lastlog_editor = KVEditorStonix(self.statechglogger, self.logger, "conf", config_file, tmpfile, search_line, "present", "space") if not self.lastlog_editor.report(): configured = False self.detailedresults += "\nShow failed logins option is not configured correctly in PAM" return configured
def checklibuser(self): """ Private method to check the password hash algorithm settings in libuser.conf @author: Derek Walker :return: compliant :rtype: bool """ compliant = True # """check if libuser is intalled""" if not self.ph.check("libuser"): # """if not, check if available""" if self.ph.checkAvailable("libuser"): self.detailedresults += "libuser available but not installed\n" return False else: # """not available, not a problem""" return True # """create a kveditor for file if it exists, if not, we do it in # the setlibuser method inside the fix""" if os.path.exists(self.libuserfile): data = {"defaults": {"crypt_style": "sha512"}} datatype = "tagconf" intent = "present" tmppath = self.libuserfile + ".stonixtmp" self.editor1 = KVEditorStonix(self.statechglogger, self.logger, datatype, self.libuserfile, tmppath, data, intent, "openeq") if not self.editor1.report(): debug = "/etc/libuser.conf doesn't contain the correct contents\n" self.detailedresults += "/etc/libuser.conf doesn't contain the correct contents\n" self.logger.log(LogPriority.DEBUG, debug) compliant = False if not checkPerms(self.libuserfile, [0, 0, 0o644], self.logger): self.detailedresults += "Permissions are incorrect on " + self.libuserfile + "\n" compliant = False else: self.detailedresults += "Libuser installed but libuser file doesn't exist\n" compliant = False return compliant
def report(self): '''DisableNobodyAccess.report() method to report on whether system is compliant or not. If the key-value pair ENABLE_NOBODY_KEYS=NO is present, the system is compliant, if not, system is not compliant @author: dwalker :param self: essential if you override this definition :returns: bool - False if the method died during execution ''' try: compliant = True keys = {"ENABLE_NOBODY_KEYS": "NO"} if os.path.exists(self.path): tmpPath = self.path + ".tmp" self.editor = KVEditorStonix(self.statechglogger, self.logger, "conf", self.path, tmpPath, keys, "present", "closedeq") if not self.editor.report(): compliant = False if not checkPerms(self.path, [0, 0, 292], self.logger): compliant = False else: self.createFile(self.path) self.created = True tmpPath = self.path + ".tmp" self.editor = KVEditorStonix(self.statechglogger, self.logger, "conf", self.path, tmpPath, keys, "present", "closedeq") self.editor.fixables = keys compliant = False self.compliant = compliant return compliant except (KeyboardInterrupt, SystemExit): # User initiated exit raise except Exception: self.rulesuccess = False self.detailedresults += "\n" + traceback.format_exc() self.logdispatch.log(LogPriority.ERROR, self.detailedresults) self.formatDetailedResults("report", self.compliant, self.detailedresults) self.logdispatch.log(LogPriority.INFO, self.detailedresults) return self.compliant