def checklogindefs(self):
'''report method for various distros of linux and solaris'''
compliant = True
debug = ""
if not os.path.exists(self.logdeffile):
compliant = False
self.detailedresults += self.logdeffile + " file does not exist\n"
elif not checkPerms(self.logdeffile, [0, 0, 0o644], self.logger):
compliant = False
self.detailedresults += self.logdeffile + " does not have " + \
"the correct permissions. Expected 644, found " + \
str(getOctalPerms(self.logdeffile)) + ".\n"
tmpfile = self.logdeffile + ".tmp"
self.editor1 = KVEditorStonix(self.statechglogger, self.logger,
"conf", self.logdeffile, tmpfile,
self.specs, "present", "space")
if not self.editor1.report():
self.detailedresults += self.logdeffile + " does not " + \
"contain the correct contents\n"
debug = self.logdeffile + " doesn't contain the correct " + \
"contents\n"
self.logger.log(LogPriority.DEBUG, debug)
compliant = False
return compliant
def checklogindefs(self):
"""
Method to check the password hash algorithm settings in
login.defs
:return: compliant
:rtype: bool
"""
compliant = True
if os.path.exists(self.logindefs):
if not checkPerms(self.logindefs, [0, 0, 0o644], self.logger):
self.detailedresults += "Permissions incorrect for " + \
self.logindefs + " file\n"
compliant = False
data = {"MD5_CRYPT_ENAB": "no",
"ENCRYPT_METHOD": "SHA512",
"PASS_MAX_DAYS": "180",
"PASS_MIN_DAYS": "1",
"PASS_WARN_AGE": "7",
"FAIL_DELAY": "4"}
tmppath = self.logindefs + ".stonixtmp"
self.editor2 = KVEditorStonix(self.statechglogger, self.logger,
"conf", self.logindefs, tmppath,
data, "present", "space")
if not self.editor2.report():
debug = self.logindefs + " doesn't contain the correct " + \
"contents\n"
self.detailedresults += self.logindefs + " doesn't contain " + \
"the correct contents\n"
self.logger.log(LogPriority.DEBUG, debug)
compliant = False
return compliant
def report(self):
'''The report method examines the current configuration and determines
whether or not it is correct. If the config is correct then the
self.compliant, self.detailedresults and self.currstate properties are
updated to reflect the system status. self.rulesuccess will be updated
if the rule does not succeed.
Perform a check to see if PROMPT has been set to 'no' or not
:returns: bool
@author bemalmbe
@change: dwalker
'''
try:
self.detailedresults = ""
compliant = True
self.perms = [0, 0, 420]
self.helper = Pkghelper(self.logger, self.environ)
if self.helper.manager == "portage":
self.filepath = "/etc/conf.d/rc"
keyval = {"RC_INTERACTIVE": "no"}
elif self.helper.manager == "zypper":
self.filepath = "/etc/sysconfig/boot"
keyval = {"PROMPT_FOR_CONFIRM": "no"}
elif self.helper.manager == "apt-get":
self.filepath = "/etc/default/grub"
keyval = {"GRUB_DISABLE_RECOVERY": '"true"'}
self.restart = "/usr/sbin/update-grub"
elif self.helper.manager == "yum" or self.helper.manager == "dnf":
self.filepath = "/etc/sysconfig/init"
keyval = {"PROMPT": "no"}
tmpPath = self.filepath + ".tmp"
if not os.path.exists(self.filepath):
if createFile(self.filepath, self.logger):
self.created = True
if not checkPerms(self.filepath, self.perms, self.logger):
compliant = False
self.detailedresults += "Permissions are not correct on " + \
self.filepath + "\n"
self.editor = KVEditorStonix(self.statechglogger, self.logger,
"conf", self.filepath, tmpPath,
keyval, "present", "closedeq")
if os.path.exists(self.filepath):
if not self.editor.report():
self.detailedresults += "Configuration for " + \
self.filepath + " is incorrect via kveditor report\n"
compliant = False
self.compliant = compliant
except (KeyboardInterrupt, SystemExit):
raise
except Exception:
self.rulesuccess = False
self.detailedresults += "\n" + traceback.format_exc()
self.logdispatch.log(LogPriority.ERROR, self.detailedresults)
self.formatDetailedResults("report", self.compliant,
self.detailedresults)
self.logdispatch.log(LogPriority.INFO, self.detailedresults)
return self.compliant
def _report_conf(self):
"""
:return: configured
:rtype: bool
"""
configured = True
self.time_conf_dict = {
"driftfile": "/var/lib/chrony/drift",
"makestep": "1.0 3",
"rtcsync": "",
"logdir": "/var/log/chrony",
"cmddeny": "all",
"server": []
}
for ts in self.time_servers:
self.time_conf_dict["server"].append(ts)
tmpfile = self.time_conf_file + ".stonixtmp"
self.time_conf_editor = KVEditorStonix(self.statechglogger,
self.logger, "conf",
self.time_conf_file, tmpfile,
self.time_conf_dict, "present",
"space")
if not self.time_conf_editor.report():
configured = False
self.detailedresults += "\nThe following configuration options are incorrect in " + str(
self.time_conf_file) + ":\n" + "\n".join(
self.time_conf_editor.fixables)
return configured
def reportFreebsd1(self):
'''Freebsd specific report method1 that ensures the items in the file
exist in /etc/sysctl.conf. Sets self.compliant to True if all items
exist in the file. Returns True if successful in updating the file
:returns: bool
'''
compliant = True
if not os.path.exists(self.path):
self.detailedresults += self.path + " does not exist\n"
compliant = False
else:
ffc = {"net.inet.icmp.bmcastecho": "0",
"net.inet.ip.redirect": "0",
"net.inet.icmp.maskrepl": "0",
"net.inet.ip.sourceroute": "0",
"net.inet.ip.accept_sourceroute": "0",
"net.inet.tcp.syncookies": "1"}
kvtype = "conf"
intent = "present"
self.editor = KVEditorStonix(self.statechglogger, self.logger,
kvtype, self.path, self.tmpPath, ffc,
intent, "openeq")
if not self.editor.report():
compliant = False
if not checkPerms(self.path, [0, 0, 0o644], self.logger):
self.detailedresults += "Permissions are incorrect on " + \
self.path + ": Expected 644, found " + \
str(getOctalPerms(self.path)) + "\n"
compliant = False
return compliant
def reportFreebsd2(self):
'''Freebsd specific report method1 that ensures the items in
fileContents exist in /etc/sysctl.conf. Sets self.compliant to True
if all items exist in the file. Returns True if successful in updating
the file
:returns: bool
'''
compliant = True
if not os.path.exists(self.path):
self.detailedresults += self.path + " does not exist\n"
compliant = False
else:
ffc = {"net.inet.ip.forwarding": "0",
"net.inet.ip.fastforwarding": "0"}
if not self.networkTuning1.getcurrvalue():
kvtype = "conf"
intent = "present"
self.editor = KVEditorStonix(self.statechglogger, self.logger,
kvtype, self.path, self.tmpPath,
ffc, intent, "closedeq")
else:
self.editor.setData(ffc)
if not self.editor.report():
compliant = False
if not checkPerms(self.path, [0, 0, 0o644], self.logger):
self.detailedresults += "Permissions are incorrect on " + \
self.path + ": Expected 644, found " + \
str(getOctalPerms(self.path)) + "\n"
compliant = False
return compliant
def reportUbuntu(self):
compliant = True
results = ""
ldmover = "/etc/init/lightdm.override"
grub = "/etc/default/grub"
if os.path.exists(ldmover):
lightdmText = readFile(ldmover, self.logger)
if not re.search("manual", lightdmText[0], re.IGNORECASE):
compliant = False
results += ldmover + ' exists, but does not contain text ' + \
'"manual". GUI logon is still enabled\n'
else:
compliant = False
results += ldmover + " does not exist; GUI logon is enabled\n"
if os.path.exists(grub):
tmppath = grub + ".tmp"
data = {"GRUB_CMDLINE_LINUX_DEFAULT": '"quiet"'}
editor = KVEditorStonix(self.statechglogger, self.logger, "conf",
grub, tmppath, data, "present", "closedeq")
if not editor.report():
compliant = False
results += grub + " does not contain the correct values: " + \
str(data)
else:
compliant = False
results += "Cannot find file " + grub
if not compliant:
results += "/etc/init does not contain proper override file " + \
"for lightdm; GUI logon is enabled\n"
return compliant, results
def reportcommon(self):
'''run report functionality which is common to all platforms
:returns: retval
:rtype: boolean
@author: Breen Malmberg
'''
compliant = True
if not os.path.exists(self.sshdfile):
self.detailedresults += "Required configuration file " + self.ssdhfile + \
" does not exist.\n"
return False
contents = readFile(self.sshdfile, self.logger)
self.commoneditor = KVEditorStonix(self.statechglogger, self.logger,
"conf", self.sshdfile,
self.sshdfile + ".tmp",
self.sshbannerdict, "present",
"space")
if not self.commoneditor.report():
compliant = False
self.detailedresults += self.sshdfile + " doesn't contain correct contents\n"
return compliant
def report_aide_conf(self):
"""
:return: compliant
:rtype: bool
"""
compliant = True
aide_conf_dict = {
"/boot": "R",
"/etc": "R",
"/lib": "R",
"/lib64": "R",
"/sbin$": "R"
}
tmppath = self.aide_conf_file + ".stonixtmp"
self.aide_conf_editor = KVEditorStonix(self.statechglogger,
self.logger, "conf",
self.aide_conf_file, tmppath,
aide_conf_dict, "present",
"space")
if not self.aide_conf_editor.report():
compliant = False
self.detailedresults += "\nThe following aide conf file options are incorrect:\n" + "\n".join(
self.aide_conf_editor.fixables)
return compliant
def auditrclocal(self):
"""
check whether the rclocal configuration file contains the correct
stonixBootSecurity line entry
:return: compliant - boolean; True if compliant, False if not
"""
compliant = True
try:
tmppath = self.rc_boot_script + ".stonixtmp"
data = {"python3": self.rc_boot_script}
self.rc_boot_security_editor = KVEditorStonix(
self.statechglogger, self.logdispatch, "conf",
self.rc_boot_script, tmppath, data, "present", "space")
if not self.rc_boot_security_editor.report():
self.detailedresults += "\nThe following config line is missing or incorrect from " + str(
self.rc_boot_script) + "\n" + "\n".join(
self.rc_boot_security_editor.fixables)
compliant = False
except:
raise
return compliant
def reportsolaris(self):
'''because solaris has to be different
:returns: bool
@author bemalmbe
'''
# set kve arguments for reportsolaris and fixsolaris
compliant = True
directive = {'permitrootlogin': '******'}
kvpath = '/etc/ssh/sshd_config'
kvtype = 'conf'
kvtmppath = self.kvpath + '.stonixtmp'
kvintent = 'present'
kvconftype = 'space'
if not checkPerms(kvpath, [0, 3, 420], self.logger):
compliant = False
self.editor = KVEditorStonix(self.statechglogger, self.logger,
kvtype, kvpath, kvtmppath, directive,
kvintent, kvconftype)
if not self.editor.report():
compliant = False
return compliant
def report(self):
try:
self.detailedresults = ""
self.ph = Pkghelper(self.logger, self.environ)
self.data1 = {
"ddns-update-style": "none;",
"deny": ["declines;", "bootp;"]
}
self.data2 = [
"domain-name", "domain-name-servers", "nis-domain",
"nis-servers", "ntp-servers", "routers", "time-offset"
]
if self.ph.manager == "zypper":
self.path = "/etc/dhcpd.conf"
elif self.ph.manager == "yum" or self.ph.manager == "dnf":
self.path = "/etc/dhcp/dhcpd.conf"
elif self.ph.manager == "apt-get":
self.path = "/etc/dhcp/dhcpd.conf"
self.tmppath = self.path + ".tmp"
compliant = True
if os.path.exists(self.path):
if not checkPerms(self.path, [0, 0, 0o644], self.logger):
self.detailedresults += "The permissions on " + \
self.path + " are incorrect\n"
compliant = False
self.editor = KVEditorStonix(self.statechglogger, self.logger,
"conf", self.path, self.tmppath,
self.data1, "present", "space")
if not self.editor.report():
self.detailedresults += self.path + " doesn't contain " + \
"the correct contents\n"
compliant = False
contents = readFile(self.path, self.logger)
for line in contents:
if re.match('^#', line) or re.match(r'^\s*$', line):
continue
if re.search("^option", line):
linesplit = line.split()
if len(linesplit) >= 2:
for item in self.data2:
if re.search(item, linesplit[1]):
compliant = False
self.detailedresults += "Unwanted " + \
"option found in " + self.path + \
": " + line
self.compliant = compliant
except (KeyboardInterrupt, SystemExit):
raise
except Exception:
self.rulesuccess = False
self.detailedresults += "\n" + traceback.format_exc()
self.logdispatch.log(LogPriority.ERROR, self.detailedresults)
self.formatDetailedResults("report", self.compliant,
self.detailedresults)
self.logdispatch.log(LogPriority.INFO, self.detailedresults)
return self.compliant
def fix(self):
"""set root's default PATH environment variable to vendor default
:return: self.rulesucces - True if fix succeeds; False if not
:rtype: bool
"""
try:
self.detailedresults = ""
if not self.ci.getcurrvalue():
return
success = True
if not self.vendorDefault:
os.environ['PATH'] = self.defaultPath
if re.search("darwin", self.myos):
root = "/var/root/"
else:
root = "/root/"
checkFiles = [root + ".profile", root + ".bashrc"]
for checkFile in checkFiles:
if not os.path.exists(checkFile):
open(checkFile, "w")
tmppath = checkFile + ".tmp"
data = {"PATH": self.defaultPath}
self.editor = KVEditorStonix(self.statechglogger,
self.logger, "conf",
checkFile, tmppath, data,
"present", "closedeq")
if not self.editor.report():
if self.editor.fix():
if not self.editor.commit():
success = False
self.detailedresults += "Failed to commit " + \
"changes to " + checkFile + "\n"
else:
success = False
self.detailedresults += "Error fixing file " + \
checkFile + "\n"
self.rulesuccess = success
except (KeyboardInterrupt, SystemExit):
raise
except Exception:
self.rulesuccess = False
self.detailedresults += "\n" + traceback.format_exc()
self.logdispatch.log(LogPriority.ERROR, self.detailedresults)
self.formatDetailedResults("fix", self.rulesuccess, self.detailedresults)
self.logdispatch.log(LogPriority.INFO, self.detailedresults)
return self.rulesuccess
def reportLinux1(self):
'''Linux specific report method that ensures the items in fileContents
exist in /etc/sysctl.conf. Sets self.compliant to True if all items
exist in the file. Returns True if successful in updating the file
:returns: bool
'''
compliant = True
if not os.path.exists(self.path):
self.detailedresults += self.path + " does not exist\n"
compliant = False
else:
lfc = {"net.ipv4.conf.all.secure_redirects": "0",
"net.ipv4.conf.all.accept_redirects": "0",
"net.ipv4.conf.all.rp_filter": "1",
"net.ipv4.conf.all.log_martians": "1",
"net.ipv4.conf.all.accept_source_route": "0",
"net.ipv4.conf.default.accept_redirects": "0",
"net.ipv4.conf.default.secure_redirects": "0",
"net.ipv4.conf.default.rp_filter": "1",
"net.ipv4.conf.default.accept_source_route": "0",
"net.ipv4.tcp_syncookies": "1",
"net.ipv4.icmp_echo_ignore_broadcasts": "1",
"net.ipv4.tcp_max_syn_backlog": "4096"}
editor = KVEditorStonix(self.statechglogger, self.logger,
"conf", self.path, self.tmpPath, lfc,
"present", "openeq")
if not editor.report():
self.detailedresults += self.path + " is not configured " + \
"correctly for configuration item 1\n"
compliant = False
if not checkPerms(self.path, [0, 0, 0o644], self.logger):
self.detailedresults += "Permissions are incorrect on " + \
self.path + "\n"
compliant = False
for key in lfc:
self.ch.executeCommand("/sbin/sysctl " + key)
retcode = self.ch.getReturnCode()
if retcode != 0:
self.detailedresults += "Failed to get value of core dumps configuration with sysctl command\n"
errmsg = self.ch.getErrorString()
self.logger.log(LogPriority.DEBUG, errmsg)
compliant = False
else:
output = self.ch.getOutputString()
if output.strip() != key + " = " + lfc[key]:
compliant = False
self.detailedresults += "sysctl output has incorrect value: " + \
output + "\n"
return compliant
def setpwquality(self):
"""
:return:
"""
success = True
created = False
pwqfile = "/etc/security/pwquality.conf"
if not os.path.exists(pwqfile):
createFile(pwqfile, self.logger)
self.iditerator += 1
myid = iterate(self.iditerator, self.rulenumber)
event = {'eventtype': 'creation',
'filepath': pwqfile}
self.statechglogger.recordchgevent(myid, event)
created = True
tmpfile = pwqfile + ".stonixtmp"
if self.environ.getsystemfismacat() == "high":
data = {"difok": "7",
"minlen": "14",
"dcredit": "0",
"ucredit": "0",
"lcredit": "0",
"ocredit": "0",
"maxrepeat": "3",
"minclass": "4"}
else:
data = {"difok": "7",
"minlen": "8",
"dcredit": "0",
"ucredit": "0",
"lcredit": "0",
"ocredit": "0",
"maxrepeat": "3",
"minclass": "3"}
self.pwqeditor = KVEditorStonix(self.statechglogger, self.logger,
"conf", pwqfile, tmpfile, data,
"present", "openeq")
self.pwqeditor.report()
if self.pwqeditor.fixables:
if self.pwqeditor.fix():
if not created:
self.iditerator += 1
myid = iterate(self.iditerator, self.rulenumber)
self.pwqeditor.setEventID(myid)
if not self.pwqeditor.commit():
success = False
self.detailedresults += "Unable to correct " + pwqfile + "\n"
else:
success = False
self.detailedresults += "Unable to correct " + pwqfile + "\n"
return success
def report(self):
try:
if self.isDebian:
path = "/etc/default/prelink"
else:
path = "/etc/sysconfig/prelink"
self.path = path
prelink = "/usr/sbin/prelink"
self.compliant = True
self.detailedresults = ""
if os.path.exists(path):
tmppath = path + ".tmp"
data = {"PRELINKING": "no"}
self.editor = KVEditorStonix(self.statechglogger, self.logger,
"conf", path, tmppath, data,
"present", "closedeq")
if not self.editor.report():
self.compliant = False
self.detailedresults += path + " does not have the " + \
"correct settings.\n"
else:
self.compliant = False
self.detailedresults += path + " does not exist.\n"
if os.path.exists(prelink):
self.ch.executeCommand([prelink, "-p"])
output = self.ch.getOutputString()
splitout = output.split()
try:
if len(splitout) > 0:
numPrelinks = int(splitout[0]) # Potential ValueError
if numPrelinks > 0:
self.compliant = False
self.detailedresults += "There are currently " + \
str(numPrelinks) + " prelinked binaries.\n"
except ValueError:
debug = "Unexpected result from " + prelink + ". This " + \
"does not affect compliance."
self.logger.log(LogPriority.DEBUG, debug)
self.detailedresults += debug + "\n"
except (KeyboardInterrupt, SystemExit):
raise
except Exception:
self.rulesuccess = False
self.detailedresults += "\n" + traceback.format_exc()
self.logdispatch.log(LogPriority.ERROR, self.detailedresults)
self.formatDetailedResults("report", self.compliant,
self.detailedresults)
self.logdispatch.log(LogPriority.INFO, self.detailedresults)
return self.compliant
def report(self):
"""
ConfigureScreenLocking.report() method to report whether system is
configured with a sudoers group.
@author: dwalker
:param self: essential if you override this definition
:returns: bool - True if system is compliant, False if it isn't
"""
try:
self.detailedresults = ""
self.compliant = True
if not self.sudoers_file:
self.detailedresults += "\nCan't find sudoers file!"
self.compliant = False
elif not os.path.isfile(self.sudoers_file):
self.detailedresults += "\nCan't find sudoers file!"
self.compliant = False
else:
self.sudoers_backup = self.sudoers_file + ".stonixbak"
tmppath = self.sudoers_file + ".stonixtmp"
self.sudoers_editor = KVEditorStonix(self.statechglogger,
self.logger, "conf",
self.sudoers_file,
tmppath,
self.sudoers_opts,
"present", "space")
if not self.sudoers_editor.report():
if self.sudoers_editor.fixables:
self.detailedresults += "\nThe following configuration options are missing or incorrect in the sudoers file:\n" + "\n".join(
self.sudoers_editor.fixables)
self.compliant = False
else:
self.detailedresults += "\nOne or more configuration options are missing or incorrect in the sudoers file"
self.compliant = False
except (KeyboardInterrupt, SystemExit):
raise
except Exception:
self.compliant = False
self.detailedresults += "\n" + traceback.format_exc()
self.logdispatch.log(LogPriority.ERROR, self.detailedresults)
self.formatDetailedResults("report", self.compliant,
self.detailedresults)
self.logdispatch.log(LogPriority.INFO, self.detailedresults)
return self.compliant
def chkosx(self):
''' '''
globalprefs = "/Library/Preferences/.GlobalPreferences.plist"
globalprefstemp = globalprefs + ".stonixtmp"
timeout = self.timeoutci.getcurrvalue() * 60
data = {
"com.apple.autologout.AutoLogOutDelay":
[str(timeout), "-int " + str(timeout)]
}
self.editor = KVEditorStonix(self.statechglogger, self.logger,
"defaults", globalprefs, globalprefstemp,
data, "present")
return self.editor.report()
def checklibuser(self):
'''Private method to check the password hash algorithm settings in
libuser.conf.
@author: dwalker
:returns: bool
'''
compliant = True
'''check if libuser is intalled'''
if not self.ph.check("libuser"):
'''if not, check if available'''
if self.ph.checkAvailable("libuser"):
self.detailedresults += "libuser available but not installed\n"
return False
else:
'''not available, not a problem'''
return True
'''create a kveditor for file if it exists, if not, we do it in
the setlibuser method inside the fix'''
if os.path.exists(self.libuserfile):
data = {"userdefaults": {"LU_SHADOWMAX": "",
"LU_SHADOWMIN": "",
"LU_SHADOWWARNING": "",
"LU_UIDNUMBER": "",
"LU_SHADOWINACTIVE": "",
"LU_SHADOWEXPIRE": ""}}
datatype = "tagconf"
intent = "notpresent"
tmppath = self.libuserfile + ".tmp"
self.editor2 = KVEditorStonix(self.statechglogger, self.logger,
datatype, self.libuserfile,
tmppath, data, intent, "openeq")
if not self.editor2.report():
debug = "/etc/libuser.conf doesn't contain the correct " + \
"contents\n"
self.detailedresults += "/etc/libuser.conf doesn't " + \
"contain the correct contents\n"
self.logger.log(LogPriority.DEBUG, debug)
compliant = False
if not checkPerms(self.libuserfile, [0, 0, 0o644], self.logger):
self.detailedresults += "Permissions are incorrect on " + \
self.libuserfile + "\n"
compliant = False
else:
self.detailedresults += "Libuser installed but libuser " + \
"file doesn't exist\n"
compliant = False
return compliant
def reportSSHFile(self, sshfile, directives):
"""
Report configuration options of config files
:param: sshfile - filepath string
:param: directives - dictionary of desired directives
:return: compliant
:rtype: bool
"""
compliant = True
debug = ""
directives = dict(directives)
tpath = sshfile + ".tmp"
if os.path.exists(sshfile):
if re.search("Ubuntu", self.environ.getostype()):
if sshfile == "/etc/ssh/sshd_config":
del (directives["GSSAPIAuthentication"])
del (directives["KerberosAuthentication"])
elif sshfile == "/etc/ssh/ssh_config":
del (directives["GSSAPIAuthentication"])
elif self.environ.getostype() == "Mac OS X" and self.mac_piv_auth_CI.getcurrvalue():
if sshfile == "/private/etc/ssh/sshd_config":
directives["PasswordAuthentication"] = "no"
self.server = directives
editor = KVEditorStonix(self.statechglogger,
self.logger, "conf",
sshfile, tpath,
directives, "present",
"space")
if not editor.report():
self.detailedresults += "Did not find the correct " + \
"contents in sshd_config\n"
compliant = False
# for ubuntu systems we want to make sure the following two
# directives don't exist in the server file
if re.search("Ubuntu", self.environ.getostype()):
if sshfile == "/etc/ssh/sshd_config":
directives = {"GSSAPIAuthentication": "",
"KerberosAuthentication": ""}
elif sshfile == "/etc/ssh/ssh_config":
directives = {"GSSAPIAuthentication": ""}
editor.setIntent("notpresent")
editor.setData(directives)
if not editor.report():
self.detailedresults += "didn't find the correct" + \
" contents in sshd_config\n"
self.logger.log(LogPriority.DEBUG, debug)
compliant = False
if not checkPerms(sshfile, [0, 0, 0o644],
self.logger):
self.detailedresults += "Incorrect permissions for " + \
"file " + self.serverfile + "\n"
compliant = False
else:
self.detailedresults += sshfile + " does not exist\n"
compliant = False
return compliant
def report(self):
'''check for the existence of the AppleCameraInterface driver in the
output of kexstat. Report non-compliant if found. Report compliant
if not found.
:returns: self.compliant
:rtype: bool
@author: Breen Malmberg
@change: dwalker - ??? - ???
@change: Breen Malmberg - 1/19/2017 - minor doc string edit; minor refactor
@change: dwalker 10/3/2017 updated to check for a profile value
'''
try:
self.detailedresults = ""
self.compliant = True
if not self.camprofile:
self.detailedresults += "Could not locate the appropriate camera disablement profile for your system.\n"
self.compliant = False
self.formatDetailedResults("report", self.compliant, self.detailedresults)
self.logdispatch.log(LogPriority.INFO, self.detailedresults)
return self.compliant
if os.path.exists(self.camprofile):
cameradict = {"com.apple.applicationaccess": {"allowCamera": {"val": "0",
"type": "bool",
"accept": "",
"result": False}}}
self.cameditor = KVEditorStonix(self.statechglogger, self.logger,
"profiles", self.camprofile, "",
cameradict, "", "")
if not self.cameditor.report():
self.detailedresults += "iSight camera is not disabled\n"
self.compliant = False
else:
self.detailedresults += self.camprofile + " doesn't exist\n"
self.compliant = False
self.detailedresults += "Due to a Mac OS issue, having multiple camera profiles " + \
"installed with conflicting values may allow any camera, " + \
"internal or external to still function. If a rule is coming " + \
"back compliant but your camera is still working, check your " + \
"installed profiles and remove any other restriction based profiles.\n"
except (KeyboardInterrupt, SystemExit):
raise
except Exception as err:
self.rulesuccess = False
self.detailedresults = self.detailedresults + "\n" + str(err) + \
" - " + str(traceback.format_exc())
self.logdispatch.log(LogPriority.ERROR, self.detailedresults)
self.formatDetailedResults("report", self.compliant, self.detailedresults)
self.logdispatch.log(LogPriority.INFO, self.detailedresults)
return self.compliant
def _report_configuration(self):
"""
:return: compliant
:rtype: bool
"""
compliant = True
if self.ostype == "Mac OS X":
self.conf_file = ""
conf_files = ["/etc/rc.conf", "/etc/rc.common"]
for cf in conf_files:
if os.path.isfile(cf):
self.conf_file = cf
break
tmpfile = self.conf_file + ".stonixtmp"
config_data = {"accounting_enable": "YES"}
self.conf_editor = KVEditorStonix(self.statechglogger, self.logger,
"conf", self.conf_file, tmpfile,
config_data, "present",
"closedeq")
if not self.conf_editor.report():
compliant = False
else:
if not os.path.isfile(self.sysstat_service_file):
compliant = False
self.detailedresults += "\nSystem accounting service file is missing"
else:
f = open(self.sysstat_service_file, "r")
contents = f.read()
f.close()
if self.sysstat_service_file != "/etc/init.d/sysstat":
if contents != self.sysstat_service_contents:
compliant = False
self.detailedresults += "\nSystem accounting service file has incorrect contents"
if os.path.isfile("/etc/default/sysstat"):
f = open("/etc/default/sysstat", "r")
contents = f.read()
f.close()
if not re.search('ENABLED="true"', contents):
compliant = False
self.detailedresults += "\n/etc/default/sysstat file has incorrect contents"
return compliant
def reportMac(self):
'''Mac specific report method1 that ensures the items in fileContents
exist in /etc/sysctl.conf. Sets self.compliant to True if all items
exist in the file.
:returns: compliant
:rtype: bool
@author: dwalker
@change: Breen Malmberg - 1/10/2017 - minor doc string adjustments; fixed
permissions on file /etc/sysctl.conf (needs to be 0o600; was 0o644);
try/except
'''
compliant = True
try:
self.editor = None
if not os.path.exists(self.path):
self.detailedresults += self.path + " does not exist\n"
compliant = False
else:
mfc = {"net.inet.ip.forwarding": "0",
"net.inet.ip.redirect": "0"}
kvtype = "conf"
intent = "present"
self.editor = KVEditorStonix(self.statechglogger, self.logger,
kvtype, self.path, self.tmpPath, mfc,
intent, "closedeq")
if not self.editor.report():
self.detailedresults += self.path + " is not " + \
"configured correctly\n"
compliant = False
else:
self.detailedresults += self.path + " is " + \
"configured correctly\n"
if not checkPerms(self.path, [0, 0, 0o600], self.logger):
self.detailedresults += "Permissions are incorrect on " + \
self.path + ": Expected 644, found " + \
str(getOctalPerms(self.path)) + "\n"
compliant = False
except Exception:
raise
return compliant
def report_yum(self):
"""
:return:
"""
compliant = True
tmppath = self.yum_conf_file + ".stonixtmp"
self.yum_conf_editor = KVEditorStonix(self.statechglogger, self.logger, "conf", self.yum_conf_file, tmppath, self.yum_conf_dict, "present", "closedeq")
if not self.yum_conf_editor.report():
compliant = False
self.detailedresults += "\nThe following configuration options are incorrect in " + str(self.yum_conf_file) + ":\n" + "\n".join(self.yum_conf_editor.fixables)
return compliant
def report(self):
try:
results = ""
compliant = True
path1 = "/private/etc/sshd_config"
path2 = "/private/etc/ssh/sshd_config"
if self.usesSip():
if os.path.exists(path2):
self.path = path2
elif os.path.exists(path1):
self.path = path1
else:
compliant = False
results += "Could not find path to sshd_config file\n"
else:
if os.path.exists(path1):
self.path = path1
elif os.path.exists(path2):
self.path = path2
else:
compliant = False
results += "Could not find path to sshd_config file\n"
self.tmppath = self.path + ".tmp"
if os.path.exists(self.path):
self.editor = KVEditorStonix(self.statechglogger, self.logger,
"conf", self.path, self.tmppath,
self.ssh, "present", "space")
if not self.editor.report():
compliant = False
results += "Settings in " + self.path + " are not " + \
"correct\n"
if not checkPerms(self.path, [0, 0, 0o644], self.logger):
compliant = False
results += self.path + " permissions are incorrect\n"
self.detailedresults = results
self.compliant = compliant
except (KeyboardInterrupt, SystemExit):
# User initiated exit
raise
except Exception:
self.rulesuccess = False
self.detailedresults += "\n" + traceback.format_exc()
self.logdispatch.log(LogPriority.ERROR, self.detailedresults)
self.formatDetailedResults("report", self.compliant,
self.detailedresults)
self.logdispatch.log(LogPriority.INFO, self.detailedresults)
return self.compliant
def fixLogDef(self, specs):
success = True
debug = ""
if not os.path.exists(self.logdeffile):
if createFile(self.logdeffile, self.logger):
self.logindefcreate = True
setPerms(self.logdeffile, [0, 0, 0o644], self.logger)
tmpfile = self.logdeffile + ".tmp"
self.editor1 = KVEditorStonix(self.statechglogger, self.logger,
"conf", self.logdeffile, tmpfile,
specs, "present", "space")
else:
self.detailedresults += "Was not able to create " + \
self.logdeffile + " file\n"
success = False
if self.logindefcreate:
self.iditerator += 1
myid = iterate(self.iditerator, self.rulenumber)
event = {"eventtype": "creation",
"filepath": self.logdeffile}
self.statechglogger.recordchgevent(myid, event)
elif not checkPerms(self.logdeffile, [0, 0, 0o644], self.logger):
self.iditerator += 1
myid = iterate(self.iditerator, self.rulenumber)
if not setPerms(self.logdeffile, [0, 0, 0o644], self.logger,
self.statechglogger, myid):
debug += "permissions not correct on: " + \
self.logdeffile + "\n"
success = False
if self.editor1.fixables or self.editor1.removeables:
if not self.logindefcreate:
self.iditerator += 1
myid = iterate(self.iditerator, self.rulenumber)
self.editor1.setEventID(myid)
if not self.editor1.fix():
debug += "fixLogDef editor.fix did not complete successfully\n"
success = False
elif not self.editor1.commit():
debug += "fixLogDef editor.commit did not complete successfully\n"
success = False
os.chown(self.logdeffile, 0, 0)
os.chmod(self.logdeffile, 0o644)
resetsecon(self.logdeffile)
if debug:
self.logger.log(LogPriority.DEBUG, debug)
return success
def report(self):
"""
:return: self.compliant
:rtype: bool
"""
self.detailedresults = ""
self.compliant = True
basedir = "/etc/gdm/"
try:
# if there is no gdm folder then there is likely no reason to configure it
if not os.path.isdir(basedir):
self.logger.log(LogPriority.DEBUG, "Rule does not apply to this system in its current state")
return self.compliant
kvtype = "tagconf"
path = basedir + "custom.conf"
tmppath = path + ".stonixtmp"
data = {"daemon": {"AutomaticLoginEnable": "False",
"TimedLoginEnable": "False"}}
intent = "present"
delimiter = "closedeq"
self.gdm_editor = KVEditorStonix(self.statechglogger, self.logger, kvtype, path, tmppath, data, intent, delimiter)
if not self.gdm_editor.report():
self.compliant = False
try:
self.detailedresults += "\nThe following config options in " + str(path) + " are incorrect:\n" + "\n".join(self.gdm_editor.fixables)
except:
self.detailedresults += "\nOne or more config options in " + str(path) + " are incorrect"
except (KeyboardInterrupt, SystemExit):
raise
except Exception:
self.compliant = False
self.detailedresults += "\n" + traceback.format_exc()
self.logdispatch.log(LogPriority.ERROR, self.detailedresults)
self.formatDetailedResults("report", self.compliant, self.detailedresults)
self.logdispatch.log(LogPriority.INFO, self.detailedresults)
return self.compliant
def check_showfailed_logins(self):
"""
config file: /etc/pam.d/postlogin-ac
config option: session required pam_lastlog.so showfailed
:return:
"""
configured = True
search_line = {"session": "required pam_lastlog.so showfailed"}
config_file = "/etc/pam.d/postlogin-ac"
tmpfile = config_file + ".stonixtmp"
self.lastlog_editor = KVEditorStonix(self.statechglogger, self.logger, "conf", config_file, tmpfile, search_line, "present", "space")
if not self.lastlog_editor.report():
configured = False
self.detailedresults += "\nShow failed logins option is not configured correctly in PAM"
return configured
def checklibuser(self):
"""
Private method to check the password hash algorithm settings in
libuser.conf
@author: Derek Walker
:return: compliant
:rtype: bool
"""
compliant = True
# """check if libuser is intalled"""
if not self.ph.check("libuser"):
# """if not, check if available"""
if self.ph.checkAvailable("libuser"):
self.detailedresults += "libuser available but not installed\n"
return False
else:
# """not available, not a problem"""
return True
# """create a kveditor for file if it exists, if not, we do it in
# the setlibuser method inside the fix"""
if os.path.exists(self.libuserfile):
data = {"defaults": {"crypt_style": "sha512"}}
datatype = "tagconf"
intent = "present"
tmppath = self.libuserfile + ".stonixtmp"
self.editor1 = KVEditorStonix(self.statechglogger, self.logger,
datatype, self.libuserfile,
tmppath, data, intent, "openeq")
if not self.editor1.report():
debug = "/etc/libuser.conf doesn't contain the correct contents\n"
self.detailedresults += "/etc/libuser.conf doesn't contain the correct contents\n"
self.logger.log(LogPriority.DEBUG, debug)
compliant = False
if not checkPerms(self.libuserfile, [0, 0, 0o644], self.logger):
self.detailedresults += "Permissions are incorrect on " + self.libuserfile + "\n"
compliant = False
else:
self.detailedresults += "Libuser installed but libuser file doesn't exist\n"
compliant = False
return compliant
def report(self):
'''DisableNobodyAccess.report() method to report on whether system is
compliant or not. If the key-value pair ENABLE_NOBODY_KEYS=NO
is present, the system is compliant, if not, system is not compliant
@author: dwalker
:param self: essential if you override this definition
:returns: bool - False if the method died during execution
'''
try:
compliant = True
keys = {"ENABLE_NOBODY_KEYS": "NO"}
if os.path.exists(self.path):
tmpPath = self.path + ".tmp"
self.editor = KVEditorStonix(self.statechglogger, self.logger,
"conf", self.path, tmpPath, keys, "present", "closedeq")
if not self.editor.report():
compliant = False
if not checkPerms(self.path, [0, 0, 292], self.logger):
compliant = False
else:
self.createFile(self.path)
self.created = True
tmpPath = self.path + ".tmp"
self.editor = KVEditorStonix(self.statechglogger, self.logger,
"conf", self.path, tmpPath, keys, "present", "closedeq")
self.editor.fixables = keys
compliant = False
self.compliant = compliant
return compliant
except (KeyboardInterrupt, SystemExit):
# User initiated exit
raise
except Exception:
self.rulesuccess = False
self.detailedresults += "\n" + traceback.format_exc()
self.logdispatch.log(LogPriority.ERROR, self.detailedresults)
self.formatDetailedResults("report", self.compliant,
self.detailedresults)
self.logdispatch.log(LogPriority.INFO, self.detailedresults)
return self.compliant