def wreckFile(self, filehandle):
'''Method to ensure correct contents are NOT in file for testing
@author: dwalker
:param filehandle: string
:returns: bool
'''
self.editor = ""
kvt = "tagconf"
intent = "notpresent"
tpath = filehandle + ".tmp"
conftype = "closedeq"
self.editor = KVEditorStonix(self.statechglogger, self.logger, kvt,
filehandle, tpath, self.kdeprops, intent,
conftype)
if not self.editor.report():
if self.editor.fix():
if self.editor.commit():
return True
else:
return False
else:
return False
else:
return True
def setConditionsForRule(self):
'''
Configure system for the unit test
@param self: essential if you override this definition
@return: boolean - If successful True; If failure False
@author: Eric Ball
'''
success = True
# Run report() to get variables
self.rule.report()
ssh = {"ClientAliveInterval": "0", "ClientAliveCountMax": "900"}
if os.path.exists(self.rule.path):
kvtype = "conf"
intent = "present"
self.editor = KVEditorStonix(self.statechglogger, self.logdispatch,
kvtype, self.rule.path,
self.rule.tpath, ssh, intent, "space")
if not self.editor.report():
if self.editor.fixables:
if self.editor.fix():
if not self.editor.commit():
success = False
debug = "KVEditor commit did not succeed"
self.logdispatch.log(LogPriority.DEBUG, debug)
else:
success = False
debug = "KVEditor fix() did not succeed"
self.logdispatch.log(LogPriority.DEBUG, debug)
self.rule.iditerator = 0
myid = iterate(self.rule.iditerator, self.rule.rulenumber)
if not setPerms(self.rule.path, [99, 99, 0770], self.logdispatch,
self.statechglogger, myid):
success = False
debug = "Could not set permissions"
self.logdispatch.log(LogPriority.DEBUG, debug)
def messFile(self, filehandle):
success = True
self.editor = ""
garbagevalue = ""
while True:
garbagevalue = randint(0, 200)
if garbagevalue != self.timeoutci:
break
kvt = "tagconf"
intent = "present"
tpath = filehandle + ".tmp"
conftype = "closedeq"
if self.kdesddm:
self.kdecheck = ".config/kdeglobals"
self.rcpath = ".config/kscreenlockerrc"
self.kdeprops = {"ScreenSaver": {"Timeout": str(garbagevalue)}}
else:
self.kdecheck = ".kde"
self.rcpath = ".kde/share/config/kscreensaverrc"
self.kdeprops = {
"ScreenSaver": {
"AutoLogout": "true",
"AutoLogoutTimeout": str(garbagevalue)
}
}
self.editor = KVEditorStonix(self.statechglogger, self.logger, kvt,
filehandle, tpath, self.kdeprops, intent,
conftype)
self.editor.report()
if not self.editor.fix():
success = False
elif not self.editor.commit():
success = False
return success
def messupInterfaceFile(self):
success = True
interface = {"IPV6INIT": '"yes"', "NETWORKING_IPV6": '"yes"'}
# Check for existence of interface and network files to be configured
if self.ph.manager == "yum":
ifacefile = "/etc/sysconfig/network-scripts/"
if not os.path.exists(ifacefile):
ifacefile = ""
netwrkfile = "/etc/sysconfig/network"
if not os.path.exists(netwrkfile):
netwrkfile = ""
elif self.ph.manager == "zypper":
ifacefile = "/etc/sysconfig/network/"
if not os.path.exists(ifacefile):
ifacefile = ""
if ifacefile:
dirs = glob.glob(ifacefile + "*")
for loc in dirs:
contents = []
if re.search('^' + ifacefile + 'ifcfg', loc):
tmpfile = loc + ".tmp"
editor = KVEditorStonix(self.statechglogger, self.logger,
"conf", loc, tmpfile, interface,
"present", "closedeq")
if not editor.report():
if not editor.fix():
success = False
debug = "Unable to mess up " + loc + " file for preconditions"
self.logger.log(LogPriority.DEBUG, debug)
elif not editor.commit():
success = False
debug = "Unable to mess up " + loc + " file for preconditions"
self.logger.log(LogPriority.DEBUG, debug)
return success
def setConditionsForRule(self):
'''
Configure system for the unit test
@param self: essential if you override this definition
@return: boolean - If successful True; If failure False
@author: Eric Ball
'''
success = True
# Enable CIs
self.rule.ci1.updatecurrvalue(True)
self.rule.ci2.updatecurrvalue(True)
# CI 3 is REMOVEX, which will remove X Windows entirely. STONIX unit
# tests should generally only be run in virtual environments anyway,
# but due to the severity of the changes caused by this rule, it is
# disabled by default. To enable, uncomment the line below.
#self.rule.ci3.updatecurrvalue(True)
# Ensure GUI logon is enabled
self.myos = self.environ.getostype().lower()
self.logdispatch.log(LogPriority.DEBUG, self.myos)
if os.path.exists("/bin/systemctl"):
cmd = ["systemctl", "set-default", "graphical.target"]
if not self.ch.executeCommand(cmd):
success = False
elif re.search("debian", self.myos):
if not self.sh.enableservice("gdm3"):
if not self.sh.enableservice("gdm"):
if not self.sh.enableservice("kdm"):
if not self.sh.enableservice("xdm"):
if not self.sh.enableservice("lightdm"):
success = False
elif re.search("ubuntu", self.myos):
ldmover = "/etc/init/lightdm.override"
grub = "/etc/default/grub"
if os.path.exists(ldmover):
if not os.remove(ldmover):
success = False
if os.path.exists(grub):
tmppath = grub + ".tmp"
data = {"GRUB_CMDLINE_LINUX_DEFAULT": '"quiet splash"'}
editor = KVEditorStonix(self.statechglogger, self.logdispatch,
"conf", grub, tmppath, data,
"present", "closedeq")
editor.report()
if editor.fixables:
if editor.fix():
if not editor.commit():
success = False
else:
success = False
else:
inittab = "/etc/inittab"
if not os.path.exists(inittab):
self.logdispatch.log(LogPriority.ERROR, inittab +
" not found, init system unknown")
success = False
return success
class zzzTestRuleSSHTimeout(RuleTest):
def setUp(self):
RuleTest.setUp(self)
self.rule = SSHTimeout(self.config,
self.environ,
self.logdispatch,
self.statechglogger)
self.rulename = self.rule.rulename
self.rulenumber = self.rule.rulenumber
self.ch = CommandHelper(self.logdispatch)
def tearDown(self):
pass
def runTest(self):
self.simpleRuleTest()
def setConditionsForRule(self):
'''
Configure system for the unit test
@param self: essential if you override this definition
@return: boolean - If successful True; If failure False
@author: Eric Ball
'''
success = True
# Run report() to get variables
self.rule.report()
ssh = {"ClientAliveInterval": "0",
"ClientAliveCountMax": "900"}
if os.path.exists(self.rule.path):
kvtype = "conf"
intent = "present"
self.editor = KVEditorStonix(self.statechglogger, self.logdispatch,
kvtype, self.rule.path,
self.rule.tpath, ssh, intent, "space")
if not self.editor.report():
if self.editor.fixables:
if self.editor.fix():
if not self.editor.commit():
success = False
debug = "KVEditor commit did not succeed"
self.logdispatch.log(LogPriority.DEBUG, debug)
else:
success = False
debug = "KVEditor fix() did not succeed"
self.logdispatch.log(LogPriority.DEBUG, debug)
self.rule.iditerator = 0
myid = iterate(self.rule.iditerator, self.rule.rulenumber)
if not setPerms(self.rule.path, [99, 99, 0770], self.logdispatch,
self.statechglogger, myid):
success = False
debug = "Could not set permissions"
self.logdispatch.log(LogPriority.DEBUG, debug)
return success
def messupSysctl(self):
success = True
sysctlcmd = ""
sysctl = "/etc/sysctl.conf"
directives = [
"net.ipv6.conf.all.disable_ipv6=0",
"net.ipv6.conf.default.disable_ipv6=0"
]
filedirectives = {
"net.ipv6.conf.all.disable_ipv6": "0",
"net.ipv6.conf.default.disable_ipv6": "0"
}
tmpfile = sysctl + ".tmp"
if os.path.exists(sysctl):
editor = KVEditorStonix(self.statechglogger, self.logger, "conf",
sysctl, tmpfile, filedirectives, "present",
"openeq")
if not editor.report():
if not editor.fix():
success = False
debug = "Unable to mess up " + sysctl + " file for preconditions"
self.logger.log(LogPriority.DEBUG, debug)
elif not editor.commit():
success = False
debug = "Unable to mess up " + sysctl + " file for preconditions"
self.logger.log(LogPriority.DEBUG, debug)
sysctllocs = ["/sbin/sysctl", "/usr/sbin/sysctl"]
for loc in sysctllocs:
if os.path.exists(loc):
sysctlcmd = loc
if sysctlcmd:
for d in directives:
setbadopt = sysctlcmd + " -w " + d
self.ch.executeCommand(setbadopt)
retcode = self.ch.getReturnCode()
if retcode != 0:
success = False
debug = "Failed to write configuration change: " + d + "\n"
self.logger.log(LogPriority.DEBUG, debug)
else:
debug = "sysctl command not found on system\n"
self.logger.log(LogPriority.DEBUG, debug)
success = False
return success
def setConditionsForRule(self):
'''
Configure system for the unit test
@param self: essential if you override this definition
@return: boolean - If successful True; If failure False
@author: ekkehard j. koch
'''
self.detailedresults = ""
self.path = "/private/etc/sshd_config"
self.tmppath = "/private/etc/sshd_config.tmp"
ssh = {"DenyGroups":"admin"}
self.editor = KVEditorStonix(self.statechglogger, self.logdispatch,
"conf", self.path, self.tmppath, ssh, "notpresent", "space")
self.editor.report()
self.editor.fix()
setPerms(self.path, [0, 0, 511], self.logdispatch)
success = True
return success
def setConditionsForRule(self):
'''Configure system for the unit test
:param self: essential if you override this definition
:returns: boolean - If successful True; If failure False
@author: ekkehard j. koch
'''
success = True
if self.ph.check("prelink"):
self.prelinkInstalled = True
elif self.ph.checkAvailable("prelink"):
self.ph.install("prelink")
else:
return True
path = "/usr/sbin/prelink"
cmd = [path, "/bin/ls"]
if os.path.exists(path):
self.ch.executeCommand(cmd)
if re.search("debian|ubuntu", self.environ.getostype().lower()):
path = "/etc/default/prelink"
else:
path = "/etc/sysconfig/prelink"
if os.path.exists(path):
tmppath = path + ".tmp"
data = {"PRELINKING": "yes"}
self.editor = KVEditorStonix(self.statechglogger, self.logdispatch,
"conf", path, tmppath,
data, "present", "closedeq")
if not self.editor.report():
if self.editor.fix():
if not self.editor.commit():
success = False
self.logdispatch.log(LogPriority.ERROR,
"KVEditor failed to commit.")
else:
success = False
self.logdispatch.log(LogPriority.ERROR,
"KVEditor failed to fix.")
else:
writeFile(path, "PRELINKING=yes", self.logdispatch)
return success
def messupSSHDFile(self):
success = True
sshfile = "/etc/ssh/sshd_config"
if os.path.exists(sshfile):
tmpfile = sshfile + ".tmp"
data = {"AddressFamily": "inet"}
editor = KVEditorStonix(self.statechglogger, self.logger, "conf",
sshfile, tmpfile, data, "notpresent",
"space")
if not editor.report():
if not editor.fix():
success = False
debug = "Unable to mess up " + sshfile + " file for preconditions"
self.logger.log(LogPriority.DEBUG, debug)
elif not editor.commit():
success = False
debug = "Unable to mess up " + sshfile + " file for preconditions"
self.logger.log(LogPriority.DEBUG, debug)
return success
def searchFile(self, filehandle):
'''temporary method to separate the code to find directives from the
rest of the code. Will put back all in one method eventually
@author: dwalker
@return: bool
@param filehandle: string
'''
self.editor = ""
kvt = "tagconf"
intent = "present"
tpath = filehandle + ".tmp"
conftype = "closedeq"
self.editor = KVEditorStonix(self.statechglogger, self.logger, kvt,
filehandle, tpath, self.kdeprops, intent,
conftype)
if not self.editor.report():
return False
else:
return True
def setCommonConditions(self, sshfile, directives):
'''Common system pre condition setting
:param self: essential if you override this definition
:param sshfile: ssh file to be fuzzed
:param directives: intentionally incorrect directives to fuzz file with
:returns: boolean - If successful True; If failure False
@author: dwalker
'''
# In this method, unlike the methods inside the rule, we don't
# need a portion for Ubuntu to make sure directives aren't present
# because we can put those directives in the file(s) to fuzz them
success = True
directives = dict(directives)
tpath = sshfile + ".tmp"
if not os.path.exists(sshfile):
if not createFile(sshfile, self.logger):
success = False
debug = "Unable to create " + sshfile + " for setting " + \
"pre-conditions"
self.logger.log(LogPriority.DEBUG, debug)
return False
editor = KVEditorStonix(self.statechglogger, self.logger, "conf",
sshfile, tpath, directives, "present", "space")
if not editor.report():
if not editor.fix():
success = False
debug = "Kveditor fix for file " + sshfile + " not successful"
self.logger.log(LogPriority.DEBUG, debug)
elif not editor.commit():
success = False
debug = "Kveditor commit for file " + sshfile + " not successful"
self.logger.log(LogPriority.DEBUG, debug)
if checkPerms(sshfile, [0, 0, 0o755], self.logger):
if not setPerms(sshfile, [0, 0, 0o755], self.logger):
success = False
debug = "Unable to set incorrect permissions on " + \
sshfile + " for setting pre-conditions"
self.logger.log(LogPriority.DEBUG, debug)
return success
def setConditionsForRule(self):
'''
Configure system for the unit test
@param self: essential if you override this definition
@return: boolean - If successful True; If failure False
@author: Eric Ball
'''
success = True
# Enable CIs
self.rule.ci1.updatecurrvalue(True)
self.rule.ci2.updatecurrvalue(True)
# CI 3 is REMOVEX, which will remove X Windows entirely. STONIX unit
# tests should generally only be run in virtual environments anyway,
# but due to the severity of the changes caused by this rule, it is
# disabled by default. To enable, uncomment the line below.
#self.rule.ci3.updatecurrvalue(True)
# Ensure GUI logon is enabled
self.myos = self.environ.getostype().lower()
self.logdispatch.log(LogPriority.DEBUG, self.myos)
if os.path.exists("/bin/systemctl"):
cmd = ["systemctl", "set-default", "graphical.target"]
if not self.ch.executeCommand(cmd):
success = False
elif re.search("debian", self.myos):
if not self.sh.enableservice("gdm3"):
if not self.sh.enableservice("gdm"):
if not self.sh.enableservice("kdm"):
if not self.sh.enableservice("xdm"):
if not self.sh.enableservice("lightdm"):
success = False
elif re.search("ubuntu", self.myos):
ldmover = "/etc/init/lightdm.override"
grub = "/etc/default/grub"
if os.path.exists(ldmover):
if not os.remove(ldmover):
success = False
if os.path.exists(grub):
tmppath = grub + ".tmp"
data = {"GRUB_CMDLINE_LINUX_DEFAULT": '"quiet splash"'}
editor = KVEditorStonix(self.statechglogger, self.logdispatch,
"conf", grub, tmppath, data, "present",
"closedeq")
editor.report()
if editor.fixables:
if editor.fix():
if not editor.commit():
success = False
else:
success = False
else:
inittab = "/etc/inittab"
if not os.path.exists(inittab):
self.logdispatch.log(
LogPriority.ERROR,
inittab + " not found, init system unknown")
success = False
return success
def messupModprobeFiles(self):
success = True
modprobes = {
"options": "ipv6 disable=1",
"install": "ipv6 /bin/true",
"helloworld": ""
}
if os.path.exists("/etc/modprobe.d/"):
modprobefiles = glob.glob("/etc/modprobe.d/*")
for modfile in modprobefiles:
tmpfile = modfile + ".tmp"
editor = KVEditorStonix(self.statechglogger, self.logger,
"conf", modfile, tmpfile, modprobes,
"notpresent", "space")
if not editor.report():
if not editor.fix():
success = False
debug = "Unable to mess up " + modfile + " file for preconditions"
self.logger.log(LogPriority.DEBUG, debug)
elif not editor.commit():
success = False
debug = "Unable to mess up " + modfile + " file for preconditions"
self.logger.log(LogPriority.DEBUG, debug)
return success
def setConditionsForRule(self):
'''
Configure system for the unit test
@param self: essential if you override this definition
@return: boolean - If successful True; If failure False
@author: ekkehard j. koch
'''
self.detailedresults = ""
self.path = "/private/etc/sshd_config"
self.tmppath = "/private/etc/sshd_config.tmp"
ssh = {"DenyGroups":"admin"}
self.editor = KVEditorStonix(self.statechglogger, self.logdispatch,
"conf", self.path, self.tmppath, ssh, "notpresent", "space")
self.editor.report()
self.editor.fix()
setPerms(self.path, [0, 0, 511], self.logdispatch)
success = True
return success
def setConditionsForRule(self):
'''
Configure system for the unit test
@param self: essential if you override this definition
@return: boolean - If successful True; If failure False
@author: ekkehard j. koch
'''
success = True
if self.ph.check("prelink"):
self.prelinkInstalled = True
elif self.ph.checkAvailable("prelink"):
self.ph.install("prelink")
else:
return True
path = "/usr/sbin/prelink"
cmd = [path, "/bin/ls"]
if os.path.exists(path):
self.ch.executeCommand(cmd)
if re.search("debian|ubuntu", self.environ.getostype().lower()):
path = "/etc/default/prelink"
else:
path = "/etc/sysconfig/prelink"
if os.path.exists(path):
tmppath = path + ".tmp"
data = {"PRELINKING": "yes"}
self.editor = KVEditorStonix(self.statechglogger, self.logdispatch,
"conf", path, tmppath,
data, "present", "closedeq")
if not self.editor.report():
if self.editor.fix():
if not self.editor.commit():
success = False
self.logdispatch.log(LogPriority.ERROR,
"KVEditor failed to commit.")
else:
success = False
self.logdispatch.log(LogPriority.ERROR,
"KVEditor failed to fix.")
else:
writeFile(path, "PRELINKING=yes", self.logdispatch)
return success
def wreckFile(self, filehandle):
'''Method to ensure correct contents are NOT in file for testing
@author: dwalker
@return: bool
@param filehandle: string
'''
self.editor = ""
kvt = "tagconf"
intent = "notpresent"
tpath = filehandle + ".tmp"
conftype = "closedeq"
self.editor = KVEditorStonix(self.statechglogger, self.logger, kvt,
filehandle, tpath, self.kdeprops, intent,
conftype)
if not self.editor.report():
if self.editor.fix():
if self.editor.commit():
return True
else:
return False
else:
return False
else:
return True
class zzzTestRuleSSHTimeout(RuleTest):
def setUp(self):
RuleTest.setUp(self)
self.rule = SSHTimeout(self.config, self.environ, self.logdispatch,
self.statechglogger)
self.rulename = self.rule.rulename
self.rulenumber = self.rule.rulenumber
self.ch = CommandHelper(self.logdispatch)
def tearDown(self):
pass
def runTest(self):
self.simpleRuleTest()
def setConditionsForRule(self):
'''Configure system for the unit test
:param self: essential if you override this definition
:returns: boolean - If successful True; If failure False
@author: Eric Ball
'''
success = True
# Run report() to get variables
self.rule.report()
ssh = {"ClientAliveInterval": "0", "ClientAliveCountMax": "900"}
if os.path.exists(self.rule.path):
kvtype = "conf"
intent = "present"
self.editor = KVEditorStonix(self.statechglogger, self.logdispatch,
kvtype, self.rule.path,
self.rule.tpath, ssh, intent, "space")
if not self.editor.report():
if self.editor.fixables:
if self.editor.fix():
if not self.editor.commit():
success = False
debug = "KVEditor commit did not succeed"
self.logdispatch.log(LogPriority.DEBUG, debug)
else:
success = False
debug = "KVEditor fix() did not succeed"
self.logdispatch.log(LogPriority.DEBUG, debug)
self.rule.iditerator = 0
myid = iterate(self.rule.iditerator, self.rule.rulenumber)
if not setPerms(self.rule.path, [99, 99, 0o770], self.logdispatch,
self.statechglogger, myid):
success = False
debug = "Could not set permissions"
self.logdispatch.log(LogPriority.DEBUG, debug)
return success
def checkReportForRule(self, pCompliance, pRuleSuccess):
'''check on whether report was correct
:param self: essential if you override this definition
:param pCompliance: the self.iscompliant value of rule
:param pRuleSuccess: did report run successfully
:returns: boolean - If successful True; If failure False
@author: ekkehard j. koch
'''
self.logdispatch.log(LogPriority.DEBUG,
"pCompliance = " + str(pCompliance) + ".")
self.logdispatch.log(LogPriority.DEBUG,
"pRuleSuccess = " + str(pRuleSuccess) + ".")
success = True
return success
def checkFixForRule(self, pRuleSuccess):
'''check on whether fix was correct
:param self: essential if you override this definition
:param pRuleSuccess: did report run successfully
:returns: boolean - If successful True; If failure False
@author: ekkehard j. koch
'''
self.logdispatch.log(LogPriority.DEBUG,
"pRuleSuccess = " + str(pRuleSuccess) + ".")
success = True
return success
def checkUndoForRule(self, pRuleSuccess):
'''check on whether undo was correct
:param self: essential if you override this definition
:param pRuleSuccess: did report run successfully
:returns: boolean - If successful True; If failure False
@author: ekkehard j. koch
'''
self.logdispatch.log(LogPriority.DEBUG,
"pRuleSuccess = " + str(pRuleSuccess) + ".")
success = True
return success
class zzzTestRuleSecureMTA(RuleTest):
def setUp(self):
RuleTest.setUp(self)
self.rule = SecureMTA(self.config,
self.environ,
self.logdispatch,
self.statechglogger)
self.rulename = self.rule.rulename
self.rulenumber = self.rule.rulenumber
self.logger = self.logdispatch
self.ch = CommandHelper(self.logdispatch)
if self.environ.operatingsystem == "Mac OS X":
self.isMac = True
else:
self.isMac = False
def tearDown(self):
pass
# if not self.isMac:
# if self.origState[0] is True and not self.ph.check("sendmail"):
# self.ph.install("sendmail")
# elif self.origState[0] is False and self.ph.check("sendmail"):
# self.ph.remove("sendmail")
#
# if self.origState[1] is True and not self.ph.check(self.postfixpkg):
# self.ph.install(self.postfixpkg)
# elif self.origState[1] is False and self.ph.check(self.postfixpkg):
# self.ph.remove(self.postfixpkg)
#
# if self.origState[2] is True and os.path.exists(self.smTmp):
# smDir = os.path.split(self.smPath)[0]
# if not os.path.exists(smDir):
# os.makedirs(smDir)
# os.rename(self.smTmp, self.smPath)
# elif self.origState[2] is False and os.path.exists(self.smPath):
# os.remove(self.smPath)
#
# if self.origState[3] is True and os.path.exists(self.pfTmp):
# pfDir = os.path.split(self.pfPath)[0]
# if not os.path.exists(pfDir):
# os.makedirs(pfDir)
# os.rename(self.pfTmp, self.pfPath)
# elif self.origState[3] is False and os.path.exists(self.pfPath):
# os.remove(self.pfPath)
def runTest(self):
self.simpleRuleTest()
def setConditionsForRule(self):
'''
Configure system for the unit test
@param self: essential if you override this definition
@return: boolean - If successful True; If failure False
@author: dwalker
'''
success = True
pfdata = {'inet_interfaces': 'localhost',
'default_process_limit': '100',
'smtpd_client_connection_count_limit': '10',
'smtpd_client_connection_rate_limit': '30',
'queue_minfree': '20971520',
'header_size_limit': '51200',
'message_size_limit': '10485760',
'smtpd_recipient_limit': '100',
'smtpd_banner': '$myhostname ESMTP',
'mynetworks_style': 'host',
'smtpd_recipient_restrictions':
'permit_mynetworks, reject_unauth_destination',
'relayhost': MAILRELAYSERVER}
if not self.isMac:
smdata = {"O SmtpGreetingMessage": "",
"O PrivacyOptions": "goaway"}
self.ph = Pkghelper(self.logdispatch, self.environ)
self.origState = [False, False, False, False]
self.smPath = "/etc/mail/sendmail.cf"
self.smTmp = self.smPath + ".stonixUT"
self.pfPathlist = ['/etc/postfix/main.cf',
'/usr/lib/postfix/main.cf']
self.postfixpkg = "postfix"
self.pfPath = ""
for path in self.pfPathlist:
if os.path.exists(path):
self.pfPath = path
break
self.pfTmp = self.pfPath + ".stonixUT"
#if postfix file exists, remove any correct contents
if self.pfPath:
self.postfixed = KVEditorStonix(self.statechglogger,
self.logger, "conf", self.pfPath, self.pfTmp,
pfdata, "notpresent", "openeq")
if not self.postfixed.report():
if self.postfixed.removeables:
print "kveditor has removeables\n"
if not self.postfixed.fix():
success = False
if os.path.exists(self.smPath):
self.sndmailed = KVEditorStonix(self.statechglogger, self.logger,
"conf", self.smPath, self.smTmp, smdata, "notpresent",
"closedeq")
if not self.sndmailed.report():
if self.postfixed.removeables:
if not self.postfixed.fix():
success = False
#remove postfix if installed
if self.ph.check("postfix"):
if not self.ph.remove("postfix"):
success = False
#remove sendmail if installed
if not self.ph.checkAvailable("postfix"):
if self.ph.check("sendmail"):
if not self.ph.remove("sendmail"):
success = False
else:
self.pfPath = "/private/etc/postfix/main.cf"
self.pfTmp = self.pfPath + ".stonixUT"
if os.path.exists(self.pfPath):
self.postfixed = KVEditorStonix(self.statechglogger,
self.logger, "conf", self.pfPath, self.pfTmp,
pfdata, "notpresent", "openeq")
if not self.postfixed.report():
if self.postfixed.removeables:
if not self.postfixed.fix():
success = False
# if self.ph.check("sendmail"):
# self.origState[0] = True
# if self.ph.check(self.postfixpkg):
# self.origState[1] = True
# if os.path.exists(self.smPath):
# self.origState[2] = True
# os.rename(self.smPath, self.smTmp)
# if os.path.exists(self.pfPath):
# self.origState[3] = True
# os.rename(self.pfPath, self.pfTmp)
return success
# def testFalseFalseFalseFalse(self):
# if not self.isMac:
# if self.ph.check("sendmail"):
# self.ph.remove("sendmail")
# if self.ph.check(self.postfixpkg):
# self.ph.remove(self.postfixpkg)
# if os.path.exists(self.smPath):
# os.remove(self.smPath)
# if os.path.exists(self.pfPath):
# os.remove(self.pfPath)
# self.simpleRuleTest()
#
# def testTrueFalseFalseFalse(self):
# if not self.isMac:
# if not self.ph.check("sendmail"):
# self.ph.install("sendmail")
# if self.ph.check(self.postfixpkg):
# self.ph.remove(self.postfixpkg)
# if os.path.exists(self.smPath):
# os.remove(self.smPath)
# if os.path.exists(self.pfPath):
# os.remove(self.pfPath)
# self.simpleRuleTest()
#
# def testTrueTrueFalseFalse(self):
# if not self.isMac:
# if not self.ph.check("sendmail"):
# self.ph.install("sendmail")
# if not self.ph.check(self.postfixpkg):
# self.ph.install(self.postfixpkg)
# if os.path.exists(self.smPath):
# os.remove(self.smPath)
# if os.path.exists(self.pfPath):
# os.remove(self.pfPath)
# self.simpleRuleTest()
#
# def testTrueTrueTrueFalse(self):
# if not self.isMac:
# if not self.ph.check("sendmail"):
# self.ph.install("sendmail")
# if not self.ph.check(self.postfixpkg):
# self.ph.install(self.postfixpkg)
# if not os.path.exists(self.smPath):
# splitpath = self.smPath.split('/')
# del splitpath[-1]
# subdir = "/".join(splitpath)
# if not os.path.exists(subdir):
# os.makedirs(subdir, 0755)
# open(self.smPath, "w")
# if os.path.exists(self.pfPath):
# os.remove(self.pfPath)
# self.simpleRuleTest()
#
# def testTrueTrueTrueTrue(self):
# if not self.isMac:
# if not self.ph.check("sendmail"):
# self.ph.install("sendmail")
# if not self.ph.check(self.postfixpkg):
# self.ph.install(self.postfixpkg)
# if not os.path.exists(self.smPath):
# splitpath = self.smPath.split('/')
# del splitpath[-1]
# subdir = "/".join(splitpath)
# if not os.path.exists(subdir):
# os.makedirs(subdir, 0755)
# open(self.smPath, "w")
# if not os.path.exists(self.pfPath):
# splitpath = self.pfPath.split('/')
# del splitpath[-1]
# subdir = "/".join(splitpath)
# if not os.path.exists(subdir):
# os.makedirs(subdir, 0755)
# open(self.pfPath, "w")
# self.simpleRuleTest()
#
# def testTrueFalseTrueFalse(self):
# if not self.isMac:
# if not self.ph.check("sendmail"):
# self.ph.install("sendmail")
# if self.ph.check(self.postfixpkg):
# self.ph.remove(self.postfixpkg)
# if not os.path.exists(self.smPath):
# splitpath = self.smPath.split('/')
# del splitpath[-1]
# subdir = "/".join(splitpath)
# if not os.path.exists(subdir):
# os.makedirs(subdir, 0755)
# open(self.smPath, "w")
# if os.path.exists(self.pfPath):
# os.remove(self.pfPath)
# self.simpleRuleTest()
#
# def testFalseTrueFalseFalse(self):
# if not self.isMac:
# if self.ph.check("sendmail"):
# self.ph.remove("sendmail")
# if not self.ph.check(self.postfixpkg):
# self.ph.install(self.postfixpkg)
# if os.path.exists(self.smPath):
# os.remove(self.smPath)
# if os.path.exists(self.pfPath):
# os.remove(self.pfPath)
# self.simpleRuleTest()
#
# def testFalseTrueFalseTrue(self):
# if not self.isMac:
# if self.ph.check("sendmail"):
# self.ph.remove("sendmail")
# if not self.ph.check(self.postfixpkg):
# self.ph.install(self.postfixpkg)
# if os.path.exists(self.smPath):
# os.remove(self.smPath)
# if not os.path.exists(self.pfPath):
# splitpath = self.pfPath.split('/')
# del splitpath[-1]
# subdir = "/".join(splitpath)
# if not os.path.exists(subdir):
# os.makedirs(subdir, 0755)
# open(self.pfPath, "w")
# self.simpleRuleTest()
def checkReportForRule(self, pCompliance, pRuleSuccess):
'''
check on whether report was correct
@param self: essential if you override this definition
@param pCompliance: the self.iscompliant value of rule
@param pRuleSuccess: did report run successfully
@return: boolean - If successful True; If failure False
@author: ekkehard j. koch
'''
self.logdispatch.log(LogPriority.DEBUG, "pCompliance = " +
str(pCompliance) + ".")
self.logdispatch.log(LogPriority.DEBUG, "pRuleSuccess = " +
str(pRuleSuccess) + ".")
success = True
return success
def checkFixForRule(self, pRuleSuccess):
'''
check on whether fix was correct
@param self: essential if you override this definition
@param pRuleSuccess: did report run successfully
@return: boolean - If successful True; If failure False
@author: ekkehard j. koch
'''
self.logdispatch.log(LogPriority.DEBUG, "pRuleSuccess = " +
str(pRuleSuccess) + ".")
success = True
return success
def checkUndoForRule(self, pRuleSuccess):
'''
check on whether undo was correct
@param self: essential if you override this definition
@param pRuleSuccess: did report run successfully
@return: boolean - If successful True; If failure False
@author: ekkehard j. koch
'''
self.logdispatch.log(LogPriority.DEBUG, "pRuleSuccess = " +
str(pRuleSuccess) + ".")
success = True
return success
def setConditionsForRule(self):
'''
Configure system for the unit test
@param self: essential if you override this definition
@return: boolean - If successful True; If failure False
@author: dwalker
'''
success = True
pfdata = {'inet_interfaces': 'localhost',
'default_process_limit': '100',
'smtpd_client_connection_count_limit': '10',
'smtpd_client_connection_rate_limit': '30',
'queue_minfree': '20971520',
'header_size_limit': '51200',
'message_size_limit': '10485760',
'smtpd_recipient_limit': '100',
'smtpd_banner': '$myhostname ESMTP',
'mynetworks_style': 'host',
'smtpd_recipient_restrictions':
'permit_mynetworks, reject_unauth_destination',
'relayhost': MAILRELAYSERVER}
if not self.isMac:
smdata = {"O SmtpGreetingMessage": "",
"O PrivacyOptions": "goaway"}
self.ph = Pkghelper(self.logdispatch, self.environ)
self.origState = [False, False, False, False]
self.smPath = "/etc/mail/sendmail.cf"
self.smTmp = self.smPath + ".stonixUT"
self.pfPathlist = ['/etc/postfix/main.cf',
'/usr/lib/postfix/main.cf']
self.postfixpkg = "postfix"
self.pfPath = ""
for path in self.pfPathlist:
if os.path.exists(path):
self.pfPath = path
break
self.pfTmp = self.pfPath + ".stonixUT"
#if postfix file exists, remove any correct contents
if self.pfPath:
self.postfixed = KVEditorStonix(self.statechglogger,
self.logger, "conf", self.pfPath, self.pfTmp,
pfdata, "notpresent", "openeq")
if not self.postfixed.report():
if self.postfixed.removeables:
print "kveditor has removeables\n"
if not self.postfixed.fix():
success = False
if os.path.exists(self.smPath):
self.sndmailed = KVEditorStonix(self.statechglogger, self.logger,
"conf", self.smPath, self.smTmp, smdata, "notpresent",
"closedeq")
if not self.sndmailed.report():
if self.postfixed.removeables:
if not self.postfixed.fix():
success = False
#remove postfix if installed
if self.ph.check("postfix"):
if not self.ph.remove("postfix"):
success = False
#remove sendmail if installed
if not self.ph.checkAvailable("postfix"):
if self.ph.check("sendmail"):
if not self.ph.remove("sendmail"):
success = False
else:
self.pfPath = "/private/etc/postfix/main.cf"
self.pfTmp = self.pfPath + ".stonixUT"
if os.path.exists(self.pfPath):
self.postfixed = KVEditorStonix(self.statechglogger,
self.logger, "conf", self.pfPath, self.pfTmp,
pfdata, "notpresent", "openeq")
if not self.postfixed.report():
if self.postfixed.removeables:
if not self.postfixed.fix():
success = False
# if self.ph.check("sendmail"):
# self.origState[0] = True
# if self.ph.check(self.postfixpkg):
# self.origState[1] = True
# if os.path.exists(self.smPath):
# self.origState[2] = True
# os.rename(self.smPath, self.smTmp)
# if os.path.exists(self.pfPath):
# self.origState[3] = True
# os.rename(self.pfPath, self.pfTmp)
return success
class zzzTestRuleForceIdleLogout(RuleTest):
def setUp(self):
RuleTest.setUp(self)
self.rule = ForceIdleLogout(self.config, self.environ,
self.logdispatch, self.statechglogger)
self.logger = self.logdispatch
self.rulename = self.rule.rulename
self.rulenumber = self.rule.rulenumber
self.rule.filci.updatecurrvalue(True)
self.checkUndo = True
self.cmdhelper = CommandHelper(self.logger)
self.ph = Pkghelper(self.logger, self.environ)
self.gnomesettingpath = "/etc/dconf/db/local.d/00-autologout"
self.gnomelockpath = "/etc/dconf/db/local.d/locks/autologout"
self.undotimeout = ""
self.undoforcelogout = ""
self.kdesddm = False
myos = self.environ.getostype().lower()
if re.search("red hat", myos) or re.search("centos", myos):
self.gconf = "GConf2"
else:
self.gconf = "gconf2"
self.timeoutci = self.rule.timeoutci.getcurrvalue()
def tearDown(self):
pass
def runTest(self):
self.simpleRuleTest()
def setConditionsForRule(self):
'''Configure system for the unit test
:param self: essential if you override this definition
:returns: boolean - If successful True; If failure False
@author: ekkehard j. koch
'''
success = True
if self.environ.osfamily == 'linux':
try:
self.seconds = self.timeoutci * 60
except (TypeError):
debug = "FORCEIDLELOGOUTTIMEOUT value is not " + \
"valid!\n"
self.logger.log(LogPriority.DEBUG, debug)
return False
self.kdesddm = self.ph.check("sddm")
self.gnomesettingpath = "/etc/dconf/db/local.d/00-autologout"
desktopmgr = False
desktopmgrs = [
"gdm", "gdm3", "kdm", "kde-workspace", "sddm",
"patterns-kde-kde_yast"
]
if self.ph.check("gdm") or self.ph.check("gdm3"):
desktopmgr = True
if self.ph.check("kdm") or self.ph.check("kde-workspace")or \
self.ph.check("sddm") or self.ph.check("patterns-kde-kde_yast"):
desktopmgr = True
if not desktopmgr:
for mgr in desktopmgrs:
if self.ph.checkAvailable(mgr):
if self.ph.install(mgr):
desktopmgr = True
if not desktopmgr:
success = False
debug = "Unable to install a desktop manager for testing\n"
self.logger.log(LogPriority.DEBUG, debug)
success = self.setgnome()
success = self.setkde()
elif self.environ.getosfamily() == 'darwin':
if not self.setosx():
success = False
return success
def setgnome(self):
'''
@author: dwalker
@return: bool - success
'''
debug = ""
if self.environ.geteuid() != 0:
debug = "Unable to set gnome conditions in unit " + \
"test because user is not root."
success = True
if os.path.exists('/etc/dconf/db/local.d'):
if os.path.exists(self.gnomesettingpath):
if not os.remove(self.gnomesettingpath):
success = False
debug = "Unable to remove " + self.gnomesettingpath + \
" for unit test preconditions\n"
self.logger.log(LogPriority.DEBUG, debug)
if self.ph.check(self.gconf):
get = "/usr/bin/gconftool-2 --direct --config-source " + \
"xml:readwrite:/etc/gconf/gconf.xml.mandatory --get "
set = "/usr/bin/gconftool-2 --direct --config-source " + \
"xml:readwrite:/etc/gconf/gconf.xml.mandatory --set "
unset = "/usr/bin/gconftool-2 --direct --config-source " + \
"xml/readwrite:/etc/gconf/gconf.xml.mandatory --unset "
idletimecmd = get + "/desktop/gnome/session/max_idle_time"
if self.cmdhelper.executeCommand(idletimecmd):
output = self.cmdhelper.getOutput()
if output:
try:
if int(output[0].strip()) == self.seconds:
timeout = int(self.seconds) + 5
idletimecmd = set + "--type integer /desktop/gnome/session/max_idle_time " + \
str(timeout)
if not self.cmdhelper.executeCommand(idletimecmd):
success = False
debug = "Unable to set incorrect timeout value for " + \
"unit test preconditions\n"
self.logger.log(LogPriority.DEBUG, debug)
except (IndexError):
debug = "No output to display timeout value\n"
self.logger.log(LogPriority.DEBUG, debug)
else:
success = False
debug = "Unable to obtain the timeout value\n"
self.logger.log(LogPriority.DEBUG, debug)
idleactcmd = get + "/desktop/gnome/session/max_idle_action"
if self.cmdhelper.executeCommand(idleactcmd):
output = self.cmdhelper.getOutput()
if output:
if re.search("forced-logout", output[0]):
idleact = unset + "/desktop/gnome/session/max_idle_action"
if not self.cmdhelper.executeCommand(idleact):
success = False
debug = "Unable to unset max_idle_action for " + \
"unit test preconditions\n"
self.logger.log(LogPriority.DEBUG, debug)
return success
def setkde(self):
'''
@author: dwalker
@return: bool - success
'''
success = True
debug = ""
if self.kdesddm:
self.kdecheck = ".config/kdeglobals"
self.rcpath = ".config/kscreenlockerrc"
self.kdeprops = {"ScreenSaver": {"Timeout": str(self.seconds)}}
else:
self.kdecheck = ".kde"
self.rcpath = ".kde/share/config/kscreensaverrc"
self.kdeprops = {
"ScreenSaver": {
"AutoLogout": "true",
"AutoLogoutTimeout": str(self.seconds)
}
}
contents = readFile("/etc/passwd", self.logger)
for line in contents:
username = ""
homepath = ""
temp = line.split(":")
try:
username = temp[0]
homepath = temp[5]
except (IndexError):
continue
kdeparent = os.path.join(homepath, self.kdecheck)
kdefile = os.path.join(homepath, self.rcpath)
if not os.path.exists(kdeparent):
continue
elif os.path.exists(kdefile):
if self.searchFile(kdefile):
if not self.messFile(kdefile):
success = False
debug = "Unable to set incorrect values for kde " + \
"for user " + username + " in " + \
"unit test preconditions\n"
self.logger.log(LogPriority.DEBUG, debug)
return success
def searchFile(self, filehandle):
'''temporary method to separate the code to find directives from the
rest of the code. Will put back all in one method eventually
@author: dwalker
@return: bool
@param filehandle: string
'''
self.editor = ""
kvt = "tagconf"
intent = "present"
tpath = filehandle + ".tmp"
conftype = "closedeq"
self.editor = KVEditorStonix(self.statechglogger, self.logger, kvt,
filehandle, tpath, self.kdeprops, intent,
conftype)
if not self.editor.report():
return False
else:
return True
def messFile(self, filehandle):
success = True
self.editor = ""
garbagevalue = ""
while True:
garbagevalue = randint(0, 200)
if garbagevalue != self.timeoutci:
break
kvt = "tagconf"
intent = "present"
tpath = filehandle + ".tmp"
conftype = "closedeq"
if self.kdesddm:
self.kdecheck = ".config/kdeglobals"
self.rcpath = ".config/kscreenlockerrc"
self.kdeprops = {"ScreenSaver": {"Timeout": str(garbagevalue)}}
else:
self.kdecheck = ".kde"
self.rcpath = ".kde/share/config/kscreensaverrc"
self.kdeprops = {
"ScreenSaver": {
"AutoLogout": "true",
"AutoLogoutTimeout": str(garbagevalue)
}
}
self.editor = KVEditorStonix(self.statechglogger, self.logger, kvt,
filehandle, tpath, self.kdeprops, intent,
conftype)
self.editor.report()
if not self.editor.fix():
success = False
elif not self.editor.commit():
success = False
return success
def checkReportForRule(self, pCompliance, pRuleSuccess):
'''check on whether report was correct
:param self: essential if you override this definition
:param pCompliance: the self.iscompliant value of rule
:param pRuleSuccess: did report run successfully
:returns: boolean - If successful True; If failure False
@author: ekkehard j. koch
'''
self.logdispatch.log(LogPriority.DEBUG,
"pCompliance = " + str(pCompliance) + ".")
self.logdispatch.log(LogPriority.DEBUG,
"pRuleSuccess = " + str(pRuleSuccess) + ".")
success = True
return success
def checkFixForRule(self, pRuleSuccess):
'''check on whether fix was correct
:param self: essential if you override this definition
:param pRuleSuccess: did report run successfully
:returns: boolean - If successful True; If failure False
@author: ekkehard j. koch
'''
self.logdispatch.log(LogPriority.DEBUG,
"pRuleSuccess = " + str(pRuleSuccess) + ".")
success = True
return success
def checkUndoForRule(self, pRuleSuccess):
'''check on whether undo was correct
:param self: essential if you override this definition
:param pRuleSuccess: did report run successfully
:returns: boolean - If successful True; If failure False
@author: ekkehard j. koch
'''
self.logdispatch.log(LogPriority.DEBUG,
"pRuleSuccess = " + str(pRuleSuccess) + ".")
success = True
return success
def setgnome(self):
'''Method to setup gnome desktop to not be compliant
@author: dwalker
:returns: bool
'''
success = True
debug = "Inside setgnome method\n"
gconf = "/usr/bin/gconftool-2"
gsettings = "/usr/bin/gsettings"
dconfsettingslock = "/etc/dconf/db/local.d/locks/stonix-settings.conf"
dconflockdata = ["/org/gnome/desktop/session/idle-delay",
"/org/gnome/desktop/screensaver/idle-activation-enabled",
"/org/gnome/desktop/screensaver/lock-enabled",
"/org/gnome/desktop/screensaver/lock-delay",
"/org/gnome/desktop/screensaver/picture-uri"]
dconfsettings = "/etc/dconf/db/local.d/local.key"
dconfdata = {"org/gnome/desktop/screensaver": {
"idle-activation-enabled": "true",
"lock-enabled": "true",
"lock-delay": "0",
"picture-opacity": "100",
"picture-uri": "\'\'"},
"org/gnome/desktop/session": {
"idle-delay": "uint32 900"}}
dconfuserprofile = "/etc/dconf/profile/user"
userprofilecontent = "user-db:user\n" + \
"system-db:local"
if os.path.exists(gconf):
setcmds1 = ["/apps/gnome-screensaver/idle_activation_enabled false",
"/apps/gnome-screensaver/lock_enabled false"]
setcmds2 = "/desktop/gnome/session/idle_delay 5"
for cmd in setcmds1:
cmd2 = gconf + " --type bool --set " + cmd
if not self.ch.executeCommand(cmd2):
success = False
debug += "Issues setting " + cmd2 + "\n"
cmd2 = gconf + " --type int --set " + setcmds2
if not self.ch.executeCommand(cmd2):
success = False
debug += "Issues setting " + cmd2 + "\n"
if os.path.exists(gsettings):
# delete lock file so that
if os.path.exists(dconfsettingslock):
os.remove(dconfsettingslock)
cmd = "/usr/bin/dconf update"
self.ch.executeCommand(cmd)
setcmds = [" set org.gnome.desktop.screensaver " +
"idle-activation-enabled false",
" set org.gnome.desktop.screensaver lock-enabled false",
" set org.gnome.desktop.screensaver lock-delay 10",
" set org.gnome.desktop.screensaver picture-opacity 50",
" set org.gnome.desktop.session idle-delay 20"]
for cmd in setcmds:
cmd2 = gsettings + cmd
if not self.ch.executeCommand(cmd2):
success = False
debug += "Issues setting " + cmd2 + "\n"
#write correct contents to dconf lock file
if os.path.exists(dconfsettings):
self.kveditor = KVEditorStonix(self.statechglogger,
self.logger,
"tagconf",
dconfsettings,
dconfsettings + ".tmp",
dconfdata, "notpresent",
"closedeq")
if not self.kveditor.report():
if not self.kveditor.fix():
success = False
debug += "Unable to set incorrect contents " + \
"for " + dconfsettings + "\n"
elif not self.kveditor.commit():
success = False
debug += "Unable to set incorrect contents " + \
"for " + dconfsettings + "\n"
# self.logger.log(LogPriority.ERROR, debug)
return success
class zzzTestRuleDisablePrelinking(RuleTest):
def setUp(self):
RuleTest.setUp(self)
self.rule = DisablePrelinking(self.config,
self.environ,
self.logdispatch,
self.statechglogger)
self.rulename = self.rule.rulename
self.rulenumber = self.rule.rulenumber
self.ch = CommandHelper(self.logdispatch)
self.ph = Pkghelper(self.logdispatch, self.environ)
self.prelinkInstalled = False
def tearDown(self):
if not self.prelinkInstalled:
self.ph.remove("prelink")
def runTest(self):
self.simpleRuleTest()
def setConditionsForRule(self):
'''
Configure system for the unit test
@param self: essential if you override this definition
@return: boolean - If successful True; If failure False
@author: ekkehard j. koch
'''
success = True
if self.ph.check("prelink"):
self.prelinkInstalled = True
elif self.ph.checkAvailable("prelink"):
self.ph.install("prelink")
else:
return True
path = "/usr/sbin/prelink"
cmd = [path, "/bin/ls"]
if os.path.exists(path):
self.ch.executeCommand(cmd)
if re.search("debian|ubuntu", self.environ.getostype().lower()):
path = "/etc/default/prelink"
else:
path = "/etc/sysconfig/prelink"
if os.path.exists(path):
tmppath = path + ".tmp"
data = {"PRELINKING": "yes"}
self.editor = KVEditorStonix(self.statechglogger, self.logdispatch,
"conf", path, tmppath,
data, "present", "closedeq")
if not self.editor.report():
if self.editor.fix():
if not self.editor.commit():
success = False
self.logdispatch.log(LogPriority.ERROR,
"KVEditor failed to commit.")
else:
success = False
self.logdispatch.log(LogPriority.ERROR,
"KVEditor failed to fix.")
else:
writeFile(path, "PRELINKING=yes", self.logdispatch)
return success
def checkReportForRule(self, pCompliance, pRuleSuccess):
'''
check on whether report was correct
@param self: essential if you override this definition
@param pCompliance: the self.iscompliant value of rule
@param pRuleSuccess: did report run successfully
@return: boolean - If successful True; If failure False
@author: ekkehard j. koch
'''
self.logdispatch.log(LogPriority.DEBUG, "pCompliance = " +
str(pCompliance) + ".")
self.logdispatch.log(LogPriority.DEBUG, "pRuleSuccess = " +
str(pRuleSuccess) + ".")
success = True
return success
def checkFixForRule(self, pRuleSuccess):
'''
check on whether fix was correct
@param self: essential if you override this definition
@param pRuleSuccess: did report run successfully
@return: boolean - If successful True; If failure False
@author: ekkehard j. koch
'''
self.logdispatch.log(LogPriority.DEBUG, "pRuleSuccess = " +
str(pRuleSuccess) + ".")
success = True
return success
def checkUndoForRule(self, pRuleSuccess):
'''
check on whether undo was correct
@param self: essential if you override this definition
@param pRuleSuccess: did report run successfully
@return: boolean - If successful True; If failure False
@author: ekkehard j. koch
'''
self.logdispatch.log(LogPriority.DEBUG, "pRuleSuccess = " +
str(pRuleSuccess) + ".")
success = True
return success
class zzzTestRuleRestrictAdminSSH(RuleTest):
def setUp(self):
RuleTest.setUp(self)
self.rule = RestrictAdminSSH(self.config,
self.environ,
self.logdispatch,
self.statechglogger)
self.rulename = self.rule.rulename
self.rulenumber = self.rule.rulenumber
self.ch = CommandHelper(self.logdispatch)
def tearDown(self):
pass
def runTest(self):
self.simpleRuleTest()
def setConditionsForRule(self):
'''
Configure system for the unit test
@param self: essential if you override this definition
@return: boolean - If successful True; If failure False
@author: ekkehard j. koch
'''
self.detailedresults = ""
self.path = "/private/etc/sshd_config"
self.tmppath = "/private/etc/sshd_config.tmp"
ssh = {"DenyGroups":"admin"}
self.editor = KVEditorStonix(self.statechglogger, self.logdispatch,
"conf", self.path, self.tmppath, ssh, "notpresent", "space")
self.editor.report()
self.editor.fix()
setPerms(self.path, [0, 0, 511], self.logdispatch)
success = True
return success
def checkReportForRule(self, pCompliance, pRuleSuccess):
'''
check on whether report was correct
@param self: essential if you override this definition
@param pCompliance: the self.iscompliant value of rule
@param pRuleSuccess: did report run successfully
@return: boolean - If successful True; If failure False
@author: ekkehard j. koch
'''
self.logdispatch.log(LogPriority.DEBUG, "pCompliance = " + \
str(pCompliance) + ".")
self.logdispatch.log(LogPriority.DEBUG, "pRuleSuccess = " + \
str(pRuleSuccess) + ".")
success = True
return success
def checkFixForRule(self, pRuleSuccess):
'''
check on whether fix was correct
@param self: essential if you override this definition
@param pRuleSuccess: did report run successfully
@return: boolean - If successful True; If failure False
@author: ekkehard j. koch
'''
self.logdispatch.log(LogPriority.DEBUG, "pRuleSuccess = " + \
str(pRuleSuccess) + ".")
success = True
return success
def checkUndoForRule(self, pRuleSuccess):
'''
check on whether undo was correct
@param self: essential if you override this definition
@param pRuleSuccess: did report run successfully
@return: boolean - If successful True; If failure False
@author: ekkehard j. koch
'''
self.logdispatch.log(LogPriority.DEBUG, "pRuleSuccess = " + \
str(pRuleSuccess) + ".")
success = True
return success
def setLinuxConditions(self):
success = True
debug = ""
path1 = "/etc/security/limits.conf"
if os.path.exists(path1):
lookfor1 = "(^\*)\s+hard\s+core\s+0?"
contents = readFile(path1, self.logger)
if contents:
tempstring = ""
for line in contents:
if not re.search(lookfor1, line.strip()):
tempstring += line
if not writeFile(path1, tempstring, self.logger):
debug = "unable to write incorrect contents to " + path1
self.logger.log(LogPriority.DEBUG, debug)
success = False
if not checkPerms(path1, [0, 0, 0o777], self.logger):
if not setPerms(path1, [0, 0, 0o777], self.logger):
debug = "Unable to set incorrect permissions on " + path1
self.logger.log(LogPriority.DEBUG, debug)
success = False
else:
debug = "successfully set incorrect permissions on " + path1
self.logger.log(LogPriority.DEBUG, debug)
sysctl = "/etc/sysctl.conf"
tmpfile = sysctl + ".tmp"
editor = KVEditorStonix(self.statechglogger, self.logger, "conf",
sysctl, tmpfile, {"fs.suid_dumpable": "1"},
"present", "openeq")
if not checkPerms(sysctl, [0, 0, 0o777], self.logger):
if not setPerms(sysctl, [0, 0, 0o777], self.logger):
debug = "Unable to set incorrect permissions on " + path1
self.logger.log(LogPriority.DEBUG, debug)
success = False
else:
debug = "successfully set incorrect permissions on " + path1
self.logger.log(LogPriority.DEBUG, debug)
if not editor.report():
if not editor.fix():
success = False
debug = "Unable to set conditions for /etc/sysctl.conf file"
self.logger.log(LogPriority.DEBUG, debug)
elif not editor.commit():
success = False
debug = "Unable to set conditions for /etc/sysctl.conf file"
self.logger.log(LogPriority.DEBUG, debug)
self.ch.executeCommand("/sbin/sysctl fs.suid_dumpable")
retcode = self.ch.getReturnCode()
if retcode != 0:
debug = "Failed to get value of core dumps configuration with sysctl command"
debug += self.ch.getErrorString()
self.logger.log(LogPriority.DEBUG, debug)
success = False
else:
output = self.ch.getOutputString()
if output.strip() != "fs.suid_dumpable = 1":
if not self.ch.executeCommand(
"/sbin/sysctl -w fs.suid_dumpable=1"):
debug = "Unable to set incorrect value for fs.suid_dumpable"
self.logger.log(LogPriority.DEBUG, debug)
success = False
elif not self.ch.executeCommand("/sbin/sysctl -q -e -p"):
debug = "Unable to set incorrect value for fs.suid_dumpable"
self.logger.log(LogPriority.DEBUG, debug)
success = False
return success
class zzzTestRuleDisablePrelinking(RuleTest):
def setUp(self):
RuleTest.setUp(self)
self.rule = DisablePrelinking(self.config,
self.environ,
self.logdispatch,
self.statechglogger)
self.rulename = self.rule.rulename
self.rulenumber = self.rule.rulenumber
self.ch = CommandHelper(self.logdispatch)
self.ph = Pkghelper(self.logdispatch, self.environ)
self.prelinkInstalled = False
def tearDown(self):
if not self.prelinkInstalled:
self.ph.remove("prelink")
def runTest(self):
self.simpleRuleTest()
def setConditionsForRule(self):
'''Configure system for the unit test
:param self: essential if you override this definition
:returns: boolean - If successful True; If failure False
@author: ekkehard j. koch
'''
success = True
if self.ph.check("prelink"):
self.prelinkInstalled = True
elif self.ph.checkAvailable("prelink"):
self.ph.install("prelink")
else:
return True
path = "/usr/sbin/prelink"
cmd = [path, "/bin/ls"]
if os.path.exists(path):
self.ch.executeCommand(cmd)
if re.search("debian|ubuntu", self.environ.getostype().lower()):
path = "/etc/default/prelink"
else:
path = "/etc/sysconfig/prelink"
if os.path.exists(path):
tmppath = path + ".tmp"
data = {"PRELINKING": "yes"}
self.editor = KVEditorStonix(self.statechglogger, self.logdispatch,
"conf", path, tmppath,
data, "present", "closedeq")
if not self.editor.report():
if self.editor.fix():
if not self.editor.commit():
success = False
self.logdispatch.log(LogPriority.ERROR,
"KVEditor failed to commit.")
else:
success = False
self.logdispatch.log(LogPriority.ERROR,
"KVEditor failed to fix.")
else:
writeFile(path, "PRELINKING=yes", self.logdispatch)
return success
def checkReportForRule(self, pCompliance, pRuleSuccess):
'''check on whether report was correct
:param self: essential if you override this definition
:param pCompliance: the self.iscompliant value of rule
:param pRuleSuccess: did report run successfully
:returns: boolean - If successful True; If failure False
@author: ekkehard j. koch
'''
self.logdispatch.log(LogPriority.DEBUG, "pCompliance = " +
str(pCompliance) + ".")
self.logdispatch.log(LogPriority.DEBUG, "pRuleSuccess = " +
str(pRuleSuccess) + ".")
success = True
return success
def checkFixForRule(self, pRuleSuccess):
'''check on whether fix was correct
:param self: essential if you override this definition
:param pRuleSuccess: did report run successfully
:returns: boolean - If successful True; If failure False
@author: ekkehard j. koch
'''
self.logdispatch.log(LogPriority.DEBUG, "pRuleSuccess = " +
str(pRuleSuccess) + ".")
success = True
return success
def checkUndoForRule(self, pRuleSuccess):
'''check on whether undo was correct
:param self: essential if you override this definition
:param pRuleSuccess: did report run successfully
:returns: boolean - If successful True; If failure False
@author: ekkehard j. koch
'''
self.logdispatch.log(LogPriority.DEBUG, "pRuleSuccess = " +
str(pRuleSuccess) + ".")
success = True
return success
class zzzTestRuleConfigureScreenLocking(RuleTest):
def setUp(self):
RuleTest.setUp(self)
self.rule = ConfigureScreenLocking(self.config,
self.environ,
self.logdispatch,
self.statechglogger)
self.logger = self.logdispatch
self.rulename = self.rule.rulename
self.rulenumber = self.rule.rulenumber
self.effectiveUserID = self.environ.geteuid()
self.ch = CommandHelper(self.logdispatch)
self.dc = "/usr/bin/defaults"
def tearDown(self):
pass
def runTest(self):
self.simpleRuleTest()
def setConditionsForRule(self):
'''
Configure system for the unit test
@param self: essential if you override this definition
@return: boolean - If successful True; If failure False
@author: ekkehard j. koch
'''
success = True
if self.environ.getosfamily() == "darwin":
if self.effectiveUserID == 0:
if success:
command = [self.dc, "-currentHost", "delete",
"/Library/Preferences/com.apple.screensaver",
"askForPassword"]
self.logdispatch.log(LogPriority.DEBUG, str(command))
success = self.ch.executeCommand(command)
if success:
command = [self.dc, "-currentHost", "delete",
"/Library/Preferences/com.apple.screensaver",
"idleTime"]
self.logdispatch.log(LogPriority.DEBUG, str(command))
success = self.ch.executeCommand(command)
if success:
command = [self.dc, "-currentHost", "delete",
"/Library/Preferences/com.apple.screensaver",
"loginWindowIdleTime"]
self.logdispatch.log(LogPriority.DEBUG, str(command))
success = self.ch.executeCommand(command)
else:
if success:
command = [self.dc, "-currentHost", "delete",
"~/Library/Preferences/com.apple.screensaver",
"askForPassword"]
self.logdispatch.log(LogPriority.DEBUG, str(command))
success = self.ch.executeCommand(command)
if success:
command = [self.dc, "-currentHost", "delete",
"~/Library/Preferences/com.apple.screensaver",
"askForPasswordDelay"]
self.logdispatch.log(LogPriority.DEBUG, str(command))
success = self.ch.executeCommand(command)
else:
success1 = self.setkde()
success2 = self.setgnome()
if success1 and success2:
success = True
else:
success = False
return success
def setkde(self):
'''Method to setup kde desktop to not be compliant
@author: dwalker
@return: bool
'''
self.kdeprops = {"ScreenSaver": {"Enabled": "true",
"Lock": "true",
"LockGrace": "60000",
"Timeout": "840"}}
self.kderuin = []
debug = "Inside setkde method"
success = True
bindir = glob("/usr/bin/kde*")
kdefound = False
for kdefile in bindir:
if re.search("^/usr/bin/kde\d$", str(kdefile)):
kdefound = True
if kdefound and self.environ.geteuid() == 0:
contents = readFile("/etc/passwd", self.logger)
if not contents:
debug += "You have some serious issues, /etc/passwd is blank\n"
self.logger.log(LogPriority.ERROR, debug)
return False
for line in contents:
temp = line.split(":")
try:
if int(temp[2]) >= 500:
if temp[5] and re.search('/', temp[5]):
homebase = temp[5]
if not re.search("^/home/", homebase):
continue
kfile = homebase + "/.kde/share/config/kscreensaverrc"
if os.path.exists(kfile):
uid = getpwnam(temp[0])[2]
gid = getpwnam(temp[0])[3]
if checkPerms(kfile, [uid, gid, 0o600],
self.logger):
if not setPerms(kfile, [0, 0, 0o644],
self.logger):
success = False
debug += "Unable to set incorrect perms " + \
"on " + kfile + " for testing\n"
if not self.wreckFile(kfile):
debug += "Was not able to mess " + \
"up file for testing\n"
success = False
else:
debug += "placeholder 6 in /etc/passwd is not a \
directory, invalid form of /etc/passwd"
self.logger.log(LogPriority.ERROR, debug)
return False
except IndexError:
success = False
debug += traceback.format_exc() + "\n"
debug += "Index out of range\n"
self.logger.log(LogPriority.ERROR, debug)
break
except Exception:
break
elif kdefound:
who = "/usr/bin/whoami"
message = Popen(who, stdout=PIPE, shell=False)
info = message.stdout.read().strip()
contents = readFile('/etc/passwd', self.logger)
if not contents:
debug += "You have some serious issues, /etc/passwd is blank\n"
self.logger.log(LogPriority.ERROR, debug)
return False
compliant = True
for line in contents:
temp = line.split(':')
try:
if temp[0] == info:
if temp[5] and re.search('/', temp[5]):
homebase = temp[5]
if not re.search("^/home/", homebase):
continue
kfile = homebase + "/.kde/share/config/kscreensaverrc"
if os.path.exists(kfile):
uid = getpwnam(temp[0])[2]
gid = getpwnam(temp[0])[3]
if checkPerms(kfile, [uid, gid, 0o600],
self.logger):
if not setPerms(kfile, [0, 0, 0o644],
self.logger):
success = False
debug += "Unable to set incorrect perms " + \
"on " + kfile + " for testing\n"
if not self.wreckFile(kfile):
debug += "Was not able to mess " + \
"up file for testing\n"
success = False
else:
debug += "placeholder 6 in /etc/passwd is not a \
directory, invalid form of /etc/passwd"
self.logger.log(LogPriority.ERROR, debug)
return False
break
except IndexError:
success = False
debug += traceback.format_exc() + "\n"
debug += "Index out of range\n"
self.logger.log(LogPriority.ERROR, debug)
self.detailedresults += "Unexpected formatting in " + \
"/etc/passwd"
break
except Exception:
debug += traceback.format_exc() + "\n"
self.logger.log(LogPriority.ERROR, debug)
break
return success
def setgnome(self):
'''Method to setup gnome desktop to not be compliant
@author: dwalker
@return: bool
'''
success = True
debug = "Inside setgnome method\n"
gconf = "/usr/bin/gconftool-2"
gsettings = "/usr/bin/gsettings"
dconfsettingslock = "/etc/dconf/db/local.d/locks/stonix-settings.conf"
dconflockdata = ["/org/gnome/desktop/session/idle-delay",
"/org/gnome/desktop/session/idle-activation-enabled",
"/org/gnome/desktop/screensaver/lock-enabled",
"/org/gnome/desktop/screensaver/lock-delay",
"/org/gnome/desktop/screensaver/picture-uri"]
dconfsettings = "/etc/dconf/db/local.d/local.key"
dconfdata = {"org/gnome/desktop/screensaver": {
"idle-activation-enabled": "true",
"lock-enabled": "true",
"lock-delay": "0",
"picture-opacity": "100",
"picture-uri": "\'\'"},
"org/gnome/desktop/session": {
"idle-delay": "uint32 900"}}
dconfuserprofile = "/etc/dconf/profile/user"
userprofilecontent = "user-db:user\n" + \
"system-db:local"
if os.path.exists(gconf):
setcmds1 = ["/apps/gnome-screensaver/idle_activation_enabled false",
"/apps/gnome-screensaver/lock_enabled false"]
setcmds2 = "/desktop/gnome/session/idle_delay 5"
for cmd in setcmds1:
cmd2 = gconf + " --type bool --set " + cmd
if not self.ch.executeCommand(cmd2):
success = False
debug += "Issues setting " + cmd2 + "\n"
cmd2 = gconf + " --type int --set " + setcmds2
if not self.ch.executeCommand(cmd2):
success = False
debug += "Issues setting " + cmd2 + "\n"
if os.path.exists(gsettings):
setcmds = [" set org.gnome.desktop.screensaver " +
"idle-activation-enabled false",
" set org.gnome.desktop.screensaver lock-enabled false",
" set org.gnome.desktop.screensaver lock-delay 10",
" set org.gnome.desktop.screensaver picture-opacity 50",
" set org.gnome.desktop.session idle-delay 20"]
for cmd in setcmds:
cmd2 = gsettings + cmd
if not self.ch.executeCommand(cmd2):
success = False
debug += "Issues setting " + cmd2 + "\n"
if self.environ.geteuid() == 0:
#write correct contents to dconf lock file
if os.path.exists(dconfsettingslock):
tempstring = ""
tmpfile = dconfsettingslock + ".tmp"
contents = readFile(dconfsettingslock, self.logger)
for line in contents:
if line.strip() in dconflockdata:
continue
else:
tempstring += line
if not writeFile(tmpfile, tempstring, self.logger):
success = False
debug += "Unable to write contents to " + \
"stonix-settings file\n"
else:
os.rename(tmpfile, dconfsettingslock)
os.chown(dconfsettingslock, 0, 0)
os.chmod(dconfsettingslock, 493)
resetsecon(dconfsettingslock)
#write correct contents to dconf lock file
if os.path.exists(dconfsettings):
self.kveditor = KVEditorStonix(self.statechglogger,
self.logger,
"tagconf",
dconfsettings,
dconfsettings + ".tmp",
dconfdata, "notpresent",
"closedeq")
if not self.kveditor.report():
success = False
debug += "Unable to set incorrect contents " + \
"for " + dconfsettings + "\n"
elif not self.kveditor.fix():
success = False
debug += "Unable to set incorrect contents " + \
"for " + dconfsettings + "\n"
elif not self.kveditor.commit():
success = False
debug += "Unable to set incorrect contents " + \
"for " + dconfsettings + "\n"
if os.path.exists(dconfuserprofile):
fixing = False
contents = readFile(dconfuserprofile, self.logger)
contentstring = ""
for line in contents:
contentstring += line
if re.search(userprofilecontent, contentstring):
fixing = True
if fixing:
contentstring = ""
tempfile = dconfuserprofile + ".tmp"
if not writeFile(tempfile, contentstring, self.logger):
success = False
debug += "Unable to set incorrect contents " + \
"for " + dconfuserprofile + "\n"
else:
os.rename(tempfile, dconfuserprofile)
os.chown(dconfuserprofile, 0, 0)
os.chmod(dconfuserprofile, 493)
resetsecon(dconfuserprofile)
self.logger.log(LogPriority.ERROR, debug)
return success
def wreckFile(self, filehandle):
'''Method to ensure correct contents are NOT in file for testing
@author: dwalker
@return: bool
@param filehandle: string
'''
self.editor = ""
kvt = "tagconf"
intent = "notpresent"
tpath = filehandle + ".tmp"
conftype = "closedeq"
self.editor = KVEditorStonix(self.statechglogger, self.logger, kvt,
filehandle, tpath, self.kdeprops, intent,
conftype)
if not self.editor.report():
if self.editor.fix():
if self.editor.commit():
return True
else:
return False
else:
return False
else:
return True
def checkReportForRule(self, pCompliance, pRuleSuccess):
'''
check on whether report was correct
@param self: essential if you override this definition
@param pCompliance: the self.iscompliant value of rule
@param pRuleSuccess: did report run successfully
@return: boolean - If successful True; If failure False
@author: ekkehard j. koch
'''
self.logdispatch.log(LogPriority.DEBUG, "pCompliance = " + \
str(pCompliance) + ".")
self.logdispatch.log(LogPriority.DEBUG, "pRuleSuccess = " + \
str(pRuleSuccess) + ".")
success = True
return success
def checkFixForRule(self, pRuleSuccess):
'''
check on whether fix was correct
@param self: essential if you override this definition
@param pRuleSuccess: did report run successfully
@return: boolean - If successful True; If failure False
@author: ekkehard j. koch
'''
self.logdispatch.log(LogPriority.DEBUG, "pRuleSuccess = " + \
str(pRuleSuccess) + ".")
success = True
return success
def checkUndoForRule(self, pRuleSuccess):
'''
check on whether undo was correct
@param self: essential if you override this definition
@param pRuleSuccess: did report run successfully
@return: boolean - If successful True; If failure False
@author: ekkehard j. koch
'''
self.logdispatch.log(LogPriority.DEBUG, "pRuleSuccess = " + \
str(pRuleSuccess) + ".")
success = True
return success
def setConditionsForRule(self):
'''Configure system for the unit test
:param self: essential if you override this definition
:returns: boolean - If successful True; If failure False
@author: ekkehard j. koch
'''
success = True
if self.environ.getosfamily() == "darwin":
success = False
osxversion = str(self.environ.getosver())
if osxversion.startswith("10.10.0") or \
osxversion.startswith("10.10.1") or \
osxversion.startswith("10.10.2") or \
osxversion.startswith("10.10.3"):
debug = "Using discoveryd LaunchDaemon"
self.logdispatch.log(LogPriority.DEBUG, debug)
service = \
"/System/Library/LaunchDaemons/com.apple.discoveryd.plist"
servicename = "com.apple.networking.discoveryd"
parameter = "--no-multicast"
plistText = readFile(service, self.logdispatch)
newPlistText = re.sub("<string>" + parameter + "</string>", "",
"".join(plistText))
success = True
else:
debug = "Using mDNSResponder LaunchDaemon"
self.logdispatch.log(LogPriority.DEBUG, debug)
service = "/System/Library/LaunchDaemons/" + \
"com.apple.mDNSResponder.plist"
if osxversion.startswith("10.10"):
servicename = "com.apple.mDNSResponder.reloaded"
parameter = "-NoMulticastAdvertisements"
else:
servicename = "com.apple.mDNSResponder"
parameter = "-NoMulticastAdvertisements"
plistText = readFile(service, self.logdispatch)
newPlistText = re.sub("<string>" + parameter + "</string>", "",
"".join(plistText))
success = True
self.service = service
if success and self.sh.auditService(service,
serviceTarget=servicename):
success = writeFile(service + ".stonixtmp", "".join(plistText),
self.logdispatch)
success = writeFile(service, newPlistText, self.logdispatch)
if success and self.sh.auditService(service,
serviceTarget=servicename):
success = self.sh.reloadService(service,
serviceTarget=servicename)
else:
ph = Pkghelper(self.logdispatch, self.environ)
package = "avahi-daemon"
service = "avahi-daemon"
if (ph.determineMgr() == "yum" or ph.determineMgr() == "dnf"):
package = "avahi"
path = "/etc/sysconfig/network"
if os.path.exists(path):
tmppath = path + ".tmp"
data = {"NOZEROCONF": "yes"}
editor = KVEditorStonix(self.statechglogger,
self.logdispatch, "conf", path,
tmppath, data, "notpresent",
"closedeq")
if not editor.report():
if editor.fix():
if not editor.commit():
success = False
else:
success = False
elif ph.determineMgr() == "zypper":
package = "avahi"
if not ph.check(package) and ph.checkAvailable(package):
success = ph.install(package)
if success and not self.sh.auditService(
service, serviceTarget=self.serviceTarget):
self.sh.enableService(service,
serviceTarget=self.serviceTarget)
return success
class zzzTestRuleRestrictAdminSSH(RuleTest):
def setUp(self):
RuleTest.setUp(self)
self.rule = RestrictAdminSSH(self.config,
self.environ,
self.logdispatch,
self.statechglogger)
self.rulename = self.rule.rulename
self.rulenumber = self.rule.rulenumber
self.ch = CommandHelper(self.logdispatch)
def tearDown(self):
pass
def runTest(self):
self.simpleRuleTest()
def setConditionsForRule(self):
'''
Configure system for the unit test
@param self: essential if you override this definition
@return: boolean - If successful True; If failure False
@author: ekkehard j. koch
'''
self.detailedresults = ""
self.path = "/private/etc/sshd_config"
self.tmppath = "/private/etc/sshd_config.tmp"
ssh = {"DenyGroups":"admin"}
self.editor = KVEditorStonix(self.statechglogger, self.logdispatch,
"conf", self.path, self.tmppath, ssh, "notpresent", "space")
self.editor.report()
self.editor.fix()
setPerms(self.path, [0, 0, 511], self.logdispatch)
success = True
return success
def checkReportForRule(self, pCompliance, pRuleSuccess):
'''
check on whether report was correct
@param self: essential if you override this definition
@param pCompliance: the self.iscompliant value of rule
@param pRuleSuccess: did report run successfully
@return: boolean - If successful True; If failure False
@author: ekkehard j. koch
'''
self.logdispatch.log(LogPriority.DEBUG, "pCompliance = " + \
str(pCompliance) + ".")
self.logdispatch.log(LogPriority.DEBUG, "pRuleSuccess = " + \
str(pRuleSuccess) + ".")
success = True
return success
def checkFixForRule(self, pRuleSuccess):
'''
check on whether fix was correct
@param self: essential if you override this definition
@param pRuleSuccess: did report run successfully
@return: boolean - If successful True; If failure False
@author: ekkehard j. koch
'''
self.logdispatch.log(LogPriority.DEBUG, "pRuleSuccess = " + \
str(pRuleSuccess) + ".")
success = True
return success
def checkUndoForRule(self, pRuleSuccess):
'''
check on whether undo was correct
@param self: essential if you override this definition
@param pRuleSuccess: did report run successfully
@return: boolean - If successful True; If failure False
@author: ekkehard j. koch
'''
self.logdispatch.log(LogPriority.DEBUG, "pRuleSuccess = " + \
str(pRuleSuccess) + ".")
success = True
return success
def setConditionsForRule(self):
'''@author: dwalker
@note: This unit test will install two incorrect profiles on purpose
to force system non-compliancy
'''
success = True
goodprofiles = {}
pwprofile = os.path.abspath(os.path.join(os.path.dirname(sys.argv[0]))) + \
"/src/stonix_resources/files/stonix4macPasscodeProfileFor" + \
"OSXElCapitan10.11.mobileconfig"
secprofile = os.path.abspath(os.path.join(os.path.dirname(sys.argv[0]))) + \
"/src/stonix_resources/files/stonix4macSecurity&Privacy" + \
"ForOSXElcapitan10.11.mobileconfig"
pwprofiledict = {
"com.apple.mobiledevice.passwordpolicy": {
"allowSimple": ["1", "bool"],
"forcePIN": ["1", "bool"],
"maxFailedAttempts": ["5", "int", "less"],
"maxPINAgeInDays": ["180", "int", "more"],
"minComplexChars": ["1", "int", "more"],
"minLength": ["8", "int", "more"],
"minutesUntilFailedLoginReset": ["15", "int", "more"],
"pinHistory": ["5", "int", "more"],
"requireAlphanumeric": ["1", "bool"]
}
}
spprofiledict = {
"com.apple.screensaver": "",
"com.apple.loginwindow": "",
"com.apple.systempolicy.managed": "",
"com.apple.SubmitDiagInfo": "",
"com.apple.preference.security": "",
"com.apple.MCX": "",
"com.apple.applicationaccess": "",
"com.apple.systempolicy.control": ""
}
self.rule.pwprofile = pwprofile
self.rule.secprofile = secprofile
goodprofiles[pwprofile] = pwprofiledict
goodprofiles[secprofile] = spprofiledict
cmd = ["/usr/sbin/system_profiler", "SPConfigurationProfileDataType"]
if self.ch.executeCommand(cmd):
output = self.ch.getOutput()
if output:
for item, values in list(goodprofiles.items()):
self.editor = KVEditorStonix(self.statechglogger,
self.logdispatch, "profiles",
"", "", values, "", "",
output)
if self.editor.report():
cmd = ["/usr/bin/profiles", "-R", "-F", item]
if not self.ch.executeCommand(cmd):
success = False
else:
cmd = [
"/usr/bin/profiles", "-I", "-F,", item + "fake"
]
if not self.ch.executeCommand(cmd):
success = False
else:
success = False
return success
def setgnome(self):
'''Method to setup gnome desktop to not be compliant
@author: dwalker
@return: bool
'''
success = True
debug = "Inside setgnome method\n"
gconf = "/usr/bin/gconftool-2"
gsettings = "/usr/bin/gsettings"
dconfsettingslock = "/etc/dconf/db/local.d/locks/stonix-settings.conf"
dconflockdata = ["/org/gnome/desktop/session/idle-delay",
"/org/gnome/desktop/session/idle-activation-enabled",
"/org/gnome/desktop/screensaver/lock-enabled",
"/org/gnome/desktop/screensaver/lock-delay",
"/org/gnome/desktop/screensaver/picture-uri"]
dconfsettings = "/etc/dconf/db/local.d/local.key"
dconfdata = {"org/gnome/desktop/screensaver": {
"idle-activation-enabled": "true",
"lock-enabled": "true",
"lock-delay": "0",
"picture-opacity": "100",
"picture-uri": "\'\'"},
"org/gnome/desktop/session": {
"idle-delay": "uint32 900"}}
dconfuserprofile = "/etc/dconf/profile/user"
userprofilecontent = "user-db:user\n" + \
"system-db:local"
if os.path.exists(gconf):
setcmds1 = ["/apps/gnome-screensaver/idle_activation_enabled false",
"/apps/gnome-screensaver/lock_enabled false"]
setcmds2 = "/desktop/gnome/session/idle_delay 5"
for cmd in setcmds1:
cmd2 = gconf + " --type bool --set " + cmd
if not self.ch.executeCommand(cmd2):
success = False
debug += "Issues setting " + cmd2 + "\n"
cmd2 = gconf + " --type int --set " + setcmds2
if not self.ch.executeCommand(cmd2):
success = False
debug += "Issues setting " + cmd2 + "\n"
if os.path.exists(gsettings):
setcmds = [" set org.gnome.desktop.screensaver " +
"idle-activation-enabled false",
" set org.gnome.desktop.screensaver lock-enabled false",
" set org.gnome.desktop.screensaver lock-delay 10",
" set org.gnome.desktop.screensaver picture-opacity 50",
" set org.gnome.desktop.session idle-delay 20"]
for cmd in setcmds:
cmd2 = gsettings + cmd
if not self.ch.executeCommand(cmd2):
success = False
debug += "Issues setting " + cmd2 + "\n"
if self.environ.geteuid() == 0:
#write correct contents to dconf lock file
if os.path.exists(dconfsettingslock):
tempstring = ""
tmpfile = dconfsettingslock + ".tmp"
contents = readFile(dconfsettingslock, self.logger)
for line in contents:
if line.strip() in dconflockdata:
continue
else:
tempstring += line
if not writeFile(tmpfile, tempstring, self.logger):
success = False
debug += "Unable to write contents to " + \
"stonix-settings file\n"
else:
os.rename(tmpfile, dconfsettingslock)
os.chown(dconfsettingslock, 0, 0)
os.chmod(dconfsettingslock, 493)
resetsecon(dconfsettingslock)
#write correct contents to dconf lock file
if os.path.exists(dconfsettings):
self.kveditor = KVEditorStonix(self.statechglogger,
self.logger,
"tagconf",
dconfsettings,
dconfsettings + ".tmp",
dconfdata, "notpresent",
"closedeq")
if not self.kveditor.report():
success = False
debug += "Unable to set incorrect contents " + \
"for " + dconfsettings + "\n"
elif not self.kveditor.fix():
success = False
debug += "Unable to set incorrect contents " + \
"for " + dconfsettings + "\n"
elif not self.kveditor.commit():
success = False
debug += "Unable to set incorrect contents " + \
"for " + dconfsettings + "\n"
if os.path.exists(dconfuserprofile):
fixing = False
contents = readFile(dconfuserprofile, self.logger)
contentstring = ""
for line in contents:
contentstring += line
if re.search(userprofilecontent, contentstring):
fixing = True
if fixing:
contentstring = ""
tempfile = dconfuserprofile + ".tmp"
if not writeFile(tempfile, contentstring, self.logger):
success = False
debug += "Unable to set incorrect contents " + \
"for " + dconfuserprofile + "\n"
else:
os.rename(tempfile, dconfuserprofile)
os.chown(dconfuserprofile, 0, 0)
os.chmod(dconfuserprofile, 493)
resetsecon(dconfuserprofile)
self.logger.log(LogPriority.ERROR, debug)
return success
def setConditionsForRule(self):
'''Configure system for the unit test
:param self: essential if you override this definition
:returns: boolean - If successful True; If failure False
@author: dwalker
'''
success = True
pfdata = {
'inet_interfaces': 'localhost',
'default_process_limit': '100',
'smtpd_client_connection_count_limit': '10',
'smtpd_client_connection_rate_limit': '30',
'queue_minfree': '20971520',
'header_size_limit': '51200',
'message_size_limit': '10485760',
'smtpd_recipient_limit': '100',
'smtpd_banner': '$myhostname ESMTP',
'mynetworks_style': 'host',
'smtpd_recipient_restrictions':
'permit_mynetworks, reject_unauth_destination',
'relayhost': MAILRELAYSERVER
}
if not self.isMac:
smdata = {
"O SmtpGreetingMessage": "",
"O PrivacyOptions": "goaway"
}
self.ph = Pkghelper(self.logdispatch, self.environ)
self.origState = [False, False, False, False]
self.smPath = "/etc/mail/sendmail.cf"
self.smTmp = self.smPath + ".stonixUT"
self.pfPathlist = [
'/etc/postfix/main.cf', '/usr/lib/postfix/main.cf'
]
self.postfixpkg = "postfix"
self.pfPath = ""
for path in self.pfPathlist:
if os.path.exists(path):
self.pfPath = path
break
self.pfTmp = self.pfPath + ".stonixUT"
#if postfix file exists, remove any correct contents
if self.pfPath:
self.postfixed = KVEditorStonix(self.statechglogger,
self.logger, "conf",
self.pfPath, self.pfTmp,
pfdata, "notpresent", "openeq")
if not self.postfixed.report():
if self.postfixed.removeables:
print("kveditor has removeables\n")
if not self.postfixed.fix():
success = False
if os.path.exists(self.smPath):
self.sndmailed = KVEditorStonix(self.statechglogger,
self.logger, "conf",
self.smPath, self.smTmp,
smdata, "notpresent",
"closedeq")
if not self.sndmailed.report():
if self.postfixed.removeables:
if not self.postfixed.fix():
success = False
#remove postfix if installed
if self.ph.check("postfix"):
if not self.ph.remove("postfix"):
success = False
#remove sendmail if installed
if not self.ph.checkAvailable("postfix"):
if self.ph.check("sendmail"):
if not self.ph.remove("sendmail"):
success = False
else:
self.pfPath = "/private/etc/postfix/main.cf"
self.pfTmp = self.pfPath + ".stonixUT"
if os.path.exists(self.pfPath):
self.postfixed = KVEditorStonix(self.statechglogger,
self.logger, "conf",
self.pfPath, self.pfTmp,
pfdata, "notpresent", "openeq")
if not self.postfixed.report():
if self.postfixed.removeables:
if not self.postfixed.fix():
success = False
# if self.ph.check("sendmail"):
# self.origState[0] = True
# if self.ph.check(self.postfixpkg):
# self.origState[1] = True
# if os.path.exists(self.smPath):
# self.origState[2] = True
# os.rename(self.smPath, self.smTmp)
# if os.path.exists(self.pfPath):
# self.origState[3] = True
# os.rename(self.pfPath, self.pfTmp)
return success
class zzzTestRuleConfigureScreenLocking(RuleTest):
def setUp(self):
RuleTest.setUp(self)
self.rule = ConfigureScreenLocking(self.config,
self.environ,
self.logdispatch,
self.statechglogger)
self.logger = self.logdispatch
self.rulename = self.rule.rulename
self.rulenumber = self.rule.rulenumber
self.effectiveUserID = self.environ.geteuid()
self.ch = CommandHelper(self.logdispatch)
self.dc = "/usr/bin/defaults"
def tearDown(self):
pass
def runTest(self):
self.simpleRuleTest()
def setConditionsForRule(self):
'''Configure system for the unit test
:param self: essential if you override this definition
:returns: boolean - If successful True; If failure False
@author: ekkehard j. koch
'''
success = True
if self.environ.getosfamily() == "darwin":
if self.effectiveUserID == 0:
if success:
command = [self.dc, "-currentHost", "delete",
"/Library/Preferences/com.apple.screensaver",
"askForPassword"]
self.logdispatch.log(LogPriority.DEBUG, str(command))
success = self.ch.executeCommand(command)
if success:
command = [self.dc, "-currentHost", "delete",
"/Library/Preferences/com.apple.screensaver",
"idleTime"]
self.logdispatch.log(LogPriority.DEBUG, str(command))
success = self.ch.executeCommand(command)
if success:
command = [self.dc, "-currentHost", "delete",
"/Library/Preferences/com.apple.screensaver",
"loginWindowIdleTime"]
self.logdispatch.log(LogPriority.DEBUG, str(command))
success = self.ch.executeCommand(command)
else:
if success:
command = [self.dc, "-currentHost", "delete",
"~/Library/Preferences/com.apple.screensaver",
"askForPassword"]
self.logdispatch.log(LogPriority.DEBUG, str(command))
success = self.ch.executeCommand(command)
if success:
command = [self.dc, "-currentHost", "delete",
"~/Library/Preferences/com.apple.screensaver",
"askForPasswordDelay"]
self.logdispatch.log(LogPriority.DEBUG, str(command))
success = self.ch.executeCommand(command)
else:
success1 = self.setkde()
if self.effectiveUserID == 0:
success2 = self.setgnome()
else:
success2 = True
if success1 and success2:
success = True
else:
success = False
return success
def setkde(self):
'''Method to setup kde desktop to not be compliant
@author: dwalker
:returns: bool
'''
self.kdeprops = {"ScreenSaver": {"Enabled": "true",
"Lock": "true",
"LockGrace": "60000",
"Timeout": "840"}}
self.kderuin = []
debug = "Inside setkde method"
success = True
bindir = glob("/usr/bin/kde*")
kdefound = False
for kdefile in bindir:
if re.search("^/usr/bin/kde\d$", str(kdefile)):
kdefound = True
if kdefound and self.environ.geteuid() == 0:
contents = readFile("/etc/passwd", self.logger)
if not contents:
debug += "You have some serious issues, /etc/passwd is blank\n"
self.logger.log(LogPriority.ERROR, debug)
return False
for line in contents:
temp = line.split(":")
try:
if int(temp[2]) >= 500:
if temp[5] and re.search('/', temp[5]):
homebase = temp[5]
if not re.search("^/home/", homebase):
continue
kfile = homebase + "/.kde/share/config/kscreensaverrc"
if os.path.exists(kfile):
uid = getpwnam(temp[0])[2]
gid = getpwnam(temp[0])[3]
if checkPerms(kfile, [uid, gid, 0o600],
self.logger):
if not setPerms(kfile, [0, 0, 0o644],
self.logger):
success = False
debug += "Unable to set incorrect perms " + \
"on " + kfile + " for testing\n"
if not self.wreckFile(kfile):
debug += "Was not able to mess " + \
"up file for testing\n"
success = False
else:
debug += "placeholder 6 in /etc/passwd is not a \
directory, invalid form of /etc/passwd"
self.logger.log(LogPriority.ERROR, debug)
return False
except IndexError:
success = False
debug += traceback.format_exc() + "\n"
debug += "Index out of range\n"
self.logger.log(LogPriority.ERROR, debug)
break
except Exception:
break
elif kdefound:
who = "/usr/bin/whoami"
message = Popen(who, stdout=PIPE, shell=False)
info = message.stdout.read().strip()
contents = readFile('/etc/passwd', self.logger)
if not contents:
debug += "You have some serious issues, /etc/passwd is blank\n"
self.logger.log(LogPriority.ERROR, debug)
return False
compliant = True
for line in contents:
temp = line.split(':')
try:
if temp[0] == info:
if temp[5] and re.search('/', temp[5]):
homebase = temp[5]
if not re.search("^/home/", homebase):
continue
kfile = homebase + "/.kde/share/config/kscreensaverrc"
if os.path.exists(kfile):
uid = getpwnam(temp[0])[2]
gid = getpwnam(temp[0])[3]
if checkPerms(kfile, [uid, gid, 0o600],
self.logger):
if not setPerms(kfile, [0, 0, 0o644],
self.logger):
success = False
debug += "Unable to set incorrect perms " + \
"on " + kfile + " for testing\n"
if not self.wreckFile(kfile):
debug += "Was not able to mess " + \
"up file for testing\n"
success = False
else:
debug += "placeholder 6 in /etc/passwd is not a \
directory, invalid form of /etc/passwd"
self.logger.log(LogPriority.ERROR, debug)
return False
break
except IndexError:
success = False
debug += traceback.format_exc() + "\n"
debug += "Index out of range\n"
self.logger.log(LogPriority.ERROR, debug)
self.detailedresults += "Unexpected formatting in " + \
"/etc/passwd"
break
except Exception:
debug += traceback.format_exc() + "\n"
self.logger.log(LogPriority.ERROR, debug)
break
return success
def setgnome(self):
'''Method to setup gnome desktop to not be compliant
@author: dwalker
:returns: bool
'''
success = True
debug = "Inside setgnome method\n"
gconf = "/usr/bin/gconftool-2"
gsettings = "/usr/bin/gsettings"
dconfsettingslock = "/etc/dconf/db/local.d/locks/stonix-settings.conf"
dconflockdata = ["/org/gnome/desktop/session/idle-delay",
"/org/gnome/desktop/screensaver/idle-activation-enabled",
"/org/gnome/desktop/screensaver/lock-enabled",
"/org/gnome/desktop/screensaver/lock-delay",
"/org/gnome/desktop/screensaver/picture-uri"]
dconfsettings = "/etc/dconf/db/local.d/local.key"
dconfdata = {"org/gnome/desktop/screensaver": {
"idle-activation-enabled": "true",
"lock-enabled": "true",
"lock-delay": "0",
"picture-opacity": "100",
"picture-uri": "\'\'"},
"org/gnome/desktop/session": {
"idle-delay": "uint32 900"}}
dconfuserprofile = "/etc/dconf/profile/user"
userprofilecontent = "user-db:user\n" + \
"system-db:local"
if os.path.exists(gconf):
setcmds1 = ["/apps/gnome-screensaver/idle_activation_enabled false",
"/apps/gnome-screensaver/lock_enabled false"]
setcmds2 = "/desktop/gnome/session/idle_delay 5"
for cmd in setcmds1:
cmd2 = gconf + " --type bool --set " + cmd
if not self.ch.executeCommand(cmd2):
success = False
debug += "Issues setting " + cmd2 + "\n"
cmd2 = gconf + " --type int --set " + setcmds2
if not self.ch.executeCommand(cmd2):
success = False
debug += "Issues setting " + cmd2 + "\n"
if os.path.exists(gsettings):
# delete lock file so that
if os.path.exists(dconfsettingslock):
os.remove(dconfsettingslock)
cmd = "/usr/bin/dconf update"
self.ch.executeCommand(cmd)
setcmds = [" set org.gnome.desktop.screensaver " +
"idle-activation-enabled false",
" set org.gnome.desktop.screensaver lock-enabled false",
" set org.gnome.desktop.screensaver lock-delay 10",
" set org.gnome.desktop.screensaver picture-opacity 50",
" set org.gnome.desktop.session idle-delay 20"]
for cmd in setcmds:
cmd2 = gsettings + cmd
if not self.ch.executeCommand(cmd2):
success = False
debug += "Issues setting " + cmd2 + "\n"
#write correct contents to dconf lock file
if os.path.exists(dconfsettings):
self.kveditor = KVEditorStonix(self.statechglogger,
self.logger,
"tagconf",
dconfsettings,
dconfsettings + ".tmp",
dconfdata, "notpresent",
"closedeq")
if not self.kveditor.report():
if not self.kveditor.fix():
success = False
debug += "Unable to set incorrect contents " + \
"for " + dconfsettings + "\n"
elif not self.kveditor.commit():
success = False
debug += "Unable to set incorrect contents " + \
"for " + dconfsettings + "\n"
# self.logger.log(LogPriority.ERROR, debug)
return success
def wreckFile(self, filehandle):
'''Method to ensure correct contents are NOT in file for testing
@author: dwalker
:param filehandle: string
:returns: bool
'''
self.editor = ""
kvt = "tagconf"
intent = "notpresent"
tpath = filehandle + ".tmp"
conftype = "closedeq"
self.editor = KVEditorStonix(self.statechglogger, self.logger, kvt,
filehandle, tpath, self.kdeprops, intent,
conftype)
if not self.editor.report():
if self.editor.fix():
if self.editor.commit():
return True
else:
return False
else:
return False
else:
return True
def checkReportForRule(self, pCompliance, pRuleSuccess):
'''check on whether report was correct
:param self: essential if you override this definition
:param pCompliance: the self.iscompliant value of rule
:param pRuleSuccess: did report run successfully
:returns: boolean - If successful True; If failure False
@author: ekkehard j. koch
'''
self.logdispatch.log(LogPriority.DEBUG, "pCompliance = " + \
str(pCompliance) + ".")
self.logdispatch.log(LogPriority.DEBUG, "pRuleSuccess = " + \
str(pRuleSuccess) + ".")
success = True
return success
def checkFixForRule(self, pRuleSuccess):
'''check on whether fix was correct
:param self: essential if you override this definition
:param pRuleSuccess: did report run successfully
:returns: boolean - If successful True; If failure False
@author: ekkehard j. koch
'''
self.logdispatch.log(LogPriority.DEBUG, "pRuleSuccess = " + \
str(pRuleSuccess) + ".")
success = True
return success
def checkUndoForRule(self, pRuleSuccess):
'''check on whether undo was correct
:param self: essential if you override this definition
:param pRuleSuccess: did report run successfully
:returns: boolean - If successful True; If failure False
@author: ekkehard j. koch
'''
self.logdispatch.log(LogPriority.DEBUG, "pRuleSuccess = " + \
str(pRuleSuccess) + ".")
success = True
return success
class zzzTestRuleSecureMTA(RuleTest):
def setUp(self):
RuleTest.setUp(self)
self.rule = SecureMTA(self.config, self.environ, self.logdispatch,
self.statechglogger)
self.rulename = self.rule.rulename
self.rulenumber = self.rule.rulenumber
self.logger = self.logdispatch
self.ch = CommandHelper(self.logdispatch)
if self.environ.operatingsystem == "Mac OS X":
self.isMac = True
else:
self.isMac = False
def tearDown(self):
pass
# if not self.isMac:
# if self.origState[0] is True and not self.ph.check("sendmail"):
# self.ph.install("sendmail")
# elif self.origState[0] is False and self.ph.check("sendmail"):
# self.ph.remove("sendmail")
#
# if self.origState[1] is True and not self.ph.check(self.postfixpkg):
# self.ph.install(self.postfixpkg)
# elif self.origState[1] is False and self.ph.check(self.postfixpkg):
# self.ph.remove(self.postfixpkg)
#
# if self.origState[2] is True and os.path.exists(self.smTmp):
# smDir = os.path.split(self.smPath)[0]
# if not os.path.exists(smDir):
# os.makedirs(smDir)
# os.rename(self.smTmp, self.smPath)
# elif self.origState[2] is False and os.path.exists(self.smPath):
# os.remove(self.smPath)
#
# if self.origState[3] is True and os.path.exists(self.pfTmp):
# pfDir = os.path.split(self.pfPath)[0]
# if not os.path.exists(pfDir):
# os.makedirs(pfDir)
# os.rename(self.pfTmp, self.pfPath)
# elif self.origState[3] is False and os.path.exists(self.pfPath):
# os.remove(self.pfPath)
def runTest(self):
self.simpleRuleTest()
def setConditionsForRule(self):
'''Configure system for the unit test
:param self: essential if you override this definition
:returns: boolean - If successful True; If failure False
@author: dwalker
'''
success = True
pfdata = {
'inet_interfaces': 'localhost',
'default_process_limit': '100',
'smtpd_client_connection_count_limit': '10',
'smtpd_client_connection_rate_limit': '30',
'queue_minfree': '20971520',
'header_size_limit': '51200',
'message_size_limit': '10485760',
'smtpd_recipient_limit': '100',
'smtpd_banner': '$myhostname ESMTP',
'mynetworks_style': 'host',
'smtpd_recipient_restrictions':
'permit_mynetworks, reject_unauth_destination',
'relayhost': MAILRELAYSERVER
}
if not self.isMac:
smdata = {
"O SmtpGreetingMessage": "",
"O PrivacyOptions": "goaway"
}
self.ph = Pkghelper(self.logdispatch, self.environ)
self.origState = [False, False, False, False]
self.smPath = "/etc/mail/sendmail.cf"
self.smTmp = self.smPath + ".stonixUT"
self.pfPathlist = [
'/etc/postfix/main.cf', '/usr/lib/postfix/main.cf'
]
self.postfixpkg = "postfix"
self.pfPath = ""
for path in self.pfPathlist:
if os.path.exists(path):
self.pfPath = path
break
self.pfTmp = self.pfPath + ".stonixUT"
#if postfix file exists, remove any correct contents
if self.pfPath:
self.postfixed = KVEditorStonix(self.statechglogger,
self.logger, "conf",
self.pfPath, self.pfTmp,
pfdata, "notpresent", "openeq")
if not self.postfixed.report():
if self.postfixed.removeables:
print("kveditor has removeables\n")
if not self.postfixed.fix():
success = False
if os.path.exists(self.smPath):
self.sndmailed = KVEditorStonix(self.statechglogger,
self.logger, "conf",
self.smPath, self.smTmp,
smdata, "notpresent",
"closedeq")
if not self.sndmailed.report():
if self.postfixed.removeables:
if not self.postfixed.fix():
success = False
#remove postfix if installed
if self.ph.check("postfix"):
if not self.ph.remove("postfix"):
success = False
#remove sendmail if installed
if not self.ph.checkAvailable("postfix"):
if self.ph.check("sendmail"):
if not self.ph.remove("sendmail"):
success = False
else:
self.pfPath = "/private/etc/postfix/main.cf"
self.pfTmp = self.pfPath + ".stonixUT"
if os.path.exists(self.pfPath):
self.postfixed = KVEditorStonix(self.statechglogger,
self.logger, "conf",
self.pfPath, self.pfTmp,
pfdata, "notpresent", "openeq")
if not self.postfixed.report():
if self.postfixed.removeables:
if not self.postfixed.fix():
success = False
# if self.ph.check("sendmail"):
# self.origState[0] = True
# if self.ph.check(self.postfixpkg):
# self.origState[1] = True
# if os.path.exists(self.smPath):
# self.origState[2] = True
# os.rename(self.smPath, self.smTmp)
# if os.path.exists(self.pfPath):
# self.origState[3] = True
# os.rename(self.pfPath, self.pfTmp)
return success
# def testFalseFalseFalseFalse(self):
# if not self.isMac:
# if self.ph.check("sendmail"):
# self.ph.remove("sendmail")
# if self.ph.check(self.postfixpkg):
# self.ph.remove(self.postfixpkg)
# if os.path.exists(self.smPath):
# os.remove(self.smPath)
# if os.path.exists(self.pfPath):
# os.remove(self.pfPath)
# self.simpleRuleTest()
#
# def testTrueFalseFalseFalse(self):
# if not self.isMac:
# if not self.ph.check("sendmail"):
# self.ph.install("sendmail")
# if self.ph.check(self.postfixpkg):
# self.ph.remove(self.postfixpkg)
# if os.path.exists(self.smPath):
# os.remove(self.smPath)
# if os.path.exists(self.pfPath):
# os.remove(self.pfPath)
# self.simpleRuleTest()
#
# def testTrueTrueFalseFalse(self):
# if not self.isMac:
# if not self.ph.check("sendmail"):
# self.ph.install("sendmail")
# if not self.ph.check(self.postfixpkg):
# self.ph.install(self.postfixpkg)
# if os.path.exists(self.smPath):
# os.remove(self.smPath)
# if os.path.exists(self.pfPath):
# os.remove(self.pfPath)
# self.simpleRuleTest()
#
# def testTrueTrueTrueFalse(self):
# if not self.isMac:
# if not self.ph.check("sendmail"):
# self.ph.install("sendmail")
# if not self.ph.check(self.postfixpkg):
# self.ph.install(self.postfixpkg)
# if not os.path.exists(self.smPath):
# splitpath = self.smPath.split('/')
# del splitpath[-1]
# subdir = "/".join(splitpath)
# if not os.path.exists(subdir):
# os.makedirs(subdir, 0755)
# open(self.smPath, "w")
# if os.path.exists(self.pfPath):
# os.remove(self.pfPath)
# self.simpleRuleTest()
#
# def testTrueTrueTrueTrue(self):
# if not self.isMac:
# if not self.ph.check("sendmail"):
# self.ph.install("sendmail")
# if not self.ph.check(self.postfixpkg):
# self.ph.install(self.postfixpkg)
# if not os.path.exists(self.smPath):
# splitpath = self.smPath.split('/')
# del splitpath[-1]
# subdir = "/".join(splitpath)
# if not os.path.exists(subdir):
# os.makedirs(subdir, 0755)
# open(self.smPath, "w")
# if not os.path.exists(self.pfPath):
# splitpath = self.pfPath.split('/')
# del splitpath[-1]
# subdir = "/".join(splitpath)
# if not os.path.exists(subdir):
# os.makedirs(subdir, 0755)
# open(self.pfPath, "w")
# self.simpleRuleTest()
#
# def testTrueFalseTrueFalse(self):
# if not self.isMac:
# if not self.ph.check("sendmail"):
# self.ph.install("sendmail")
# if self.ph.check(self.postfixpkg):
# self.ph.remove(self.postfixpkg)
# if not os.path.exists(self.smPath):
# splitpath = self.smPath.split('/')
# del splitpath[-1]
# subdir = "/".join(splitpath)
# if not os.path.exists(subdir):
# os.makedirs(subdir, 0755)
# open(self.smPath, "w")
# if os.path.exists(self.pfPath):
# os.remove(self.pfPath)
# self.simpleRuleTest()
#
# def testFalseTrueFalseFalse(self):
# if not self.isMac:
# if self.ph.check("sendmail"):
# self.ph.remove("sendmail")
# if not self.ph.check(self.postfixpkg):
# self.ph.install(self.postfixpkg)
# if os.path.exists(self.smPath):
# os.remove(self.smPath)
# if os.path.exists(self.pfPath):
# os.remove(self.pfPath)
# self.simpleRuleTest()
#
# def testFalseTrueFalseTrue(self):
# if not self.isMac:
# if self.ph.check("sendmail"):
# self.ph.remove("sendmail")
# if not self.ph.check(self.postfixpkg):
# self.ph.install(self.postfixpkg)
# if os.path.exists(self.smPath):
# os.remove(self.smPath)
# if not os.path.exists(self.pfPath):
# splitpath = self.pfPath.split('/')
# del splitpath[-1]
# subdir = "/".join(splitpath)
# if not os.path.exists(subdir):
# os.makedirs(subdir, 0755)
# open(self.pfPath, "w")
# self.simpleRuleTest()
def checkReportForRule(self, pCompliance, pRuleSuccess):
'''check on whether report was correct
:param self: essential if you override this definition
:param pCompliance: the self.iscompliant value of rule
:param pRuleSuccess: did report run successfully
:returns: boolean - If successful True; If failure False
@author: ekkehard j. koch
'''
self.logdispatch.log(LogPriority.DEBUG,
"pCompliance = " + str(pCompliance) + ".")
self.logdispatch.log(LogPriority.DEBUG,
"pRuleSuccess = " + str(pRuleSuccess) + ".")
success = True
return success
def checkFixForRule(self, pRuleSuccess):
'''check on whether fix was correct
:param self: essential if you override this definition
:param pRuleSuccess: did report run successfully
:returns: boolean - If successful True; If failure False
@author: ekkehard j. koch
'''
self.logdispatch.log(LogPriority.DEBUG,
"pRuleSuccess = " + str(pRuleSuccess) + ".")
success = True
return success
def checkUndoForRule(self, pRuleSuccess):
'''check on whether undo was correct
:param self: essential if you override this definition
:param pRuleSuccess: did report run successfully
:returns: boolean - If successful True; If failure False
@author: ekkehard j. koch
'''
self.logdispatch.log(LogPriority.DEBUG,
"pRuleSuccess = " + str(pRuleSuccess) + ".")
success = True
return success
def setConditionsForRule(self):
'''
Configure system for the unit test
@param self: essential if you override this definition
@return: boolean - If successful True; If failure False
@author: ekkehard j. koch
'''
success = True
if self.environ.getosfamily() == "darwin":
success = False
osxversion = str(self.environ.getosver())
if osxversion.startswith("10.10.0") or \
osxversion.startswith("10.10.1") or \
osxversion.startswith("10.10.2") or \
osxversion.startswith("10.10.3"):
debug = "Using discoveryd LaunchDaemon"
self.logdispatch.log(LogPriority.DEBUG, debug)
service = \
"/System/Library/LaunchDaemons/com.apple.discoveryd.plist"
servicename = "com.apple.networking.discoveryd"
parameter = "--no-multicast"
plistText = readFile(service, self.logdispatch)
newPlistText = re.sub("<string>" + parameter + "</string>",
"", "".join(plistText))
success = True
else:
debug = "Using mDNSResponder LaunchDaemon"
self.logdispatch.log(LogPriority.DEBUG, debug)
service = "/System/Library/LaunchDaemons/" + \
"com.apple.mDNSResponder.plist"
if osxversion.startswith("10.10"):
servicename = "com.apple.mDNSResponder.reloaded"
parameter = "-NoMulticastAdvertisements"
else:
servicename = "com.apple.mDNSResponder"
parameter = "-NoMulticastAdvertisements"
plistText = readFile(service, self.logdispatch)
newPlistText = re.sub("<string>" + parameter + "</string>",
"", "".join(plistText))
success = True
self.service = service
if success and self.sh.auditService(service, serviceTarget=servicename):
success = writeFile(service + ".stonixtmp", "".join(plistText),
self.logdispatch)
success = writeFile(service, newPlistText, self.logdispatch)
if success and self.sh.auditService(service, serviceTarget=servicename):
success = self.sh.reloadService(service, serviceTarget=servicename)
else:
ph = Pkghelper(self.logdispatch, self.environ)
package = "avahi-daemon"
service = "avahi-daemon"
if (ph.determineMgr() == "yum" or ph.determineMgr() == "dnf"):
package = "avahi"
path = "/etc/sysconfig/network"
if os.path.exists(path):
tmppath = path + ".tmp"
data = {"NOZEROCONF": "yes"}
editor = KVEditorStonix(self.statechglogger,
self.logdispatch, "conf",
path, tmppath, data,
"notpresent", "closedeq")
if not editor.report():
if editor.fix():
if not editor.commit():
success = False
else:
success = False
elif ph.determineMgr() == "zypper":
package = "avahi"
if not ph.check(package) and ph.checkAvailable(package):
success = ph.install(package)
if success and not self.sh.auditService(service, serviceTarget=self.serviceTarget):
self.sh.enableService(service, serviceTarget=self.serviceTarget)
return success
class zzzTestRuleConfigurePasswordPolicy(RuleTest):
def setUp(self):
RuleTest.setUp(self)
self.rule = ConfigurePasswordPolicy(self.config, self.environ,
self.logdispatch,
self.statechglogger)
self.rulename = self.rule.rulename
self.rulenumber = self.rule.rulenumber
self.ch = CommandHelper(self.logdispatch)
def tearDown(self):
pass
def runTest(self):
self.simpleRuleTest()
def setConditionsForRule(self):
'''@author: dwalker
@note: This unit test will install two incorrect profiles on purpose
to force system non-compliancy
'''
success = True
goodprofiles = {}
pwprofile = os.path.abspath(os.path.join(os.path.dirname(sys.argv[0]))) + \
"/src/stonix_resources/files/stonix4macPasscodeProfileFor" + \
"OSXElCapitan10.11.mobileconfig"
secprofile = os.path.abspath(os.path.join(os.path.dirname(sys.argv[0]))) + \
"/src/stonix_resources/files/stonix4macSecurity&Privacy" + \
"ForOSXElcapitan10.11.mobileconfig"
pwprofiledict = {
"com.apple.mobiledevice.passwordpolicy": {
"allowSimple": ["1", "bool"],
"forcePIN": ["1", "bool"],
"maxFailedAttempts": ["5", "int", "less"],
"maxPINAgeInDays": ["180", "int", "more"],
"minComplexChars": ["1", "int", "more"],
"minLength": ["8", "int", "more"],
"minutesUntilFailedLoginReset": ["15", "int", "more"],
"pinHistory": ["5", "int", "more"],
"requireAlphanumeric": ["1", "bool"]
}
}
spprofiledict = {
"com.apple.screensaver": "",
"com.apple.loginwindow": "",
"com.apple.systempolicy.managed": "",
"com.apple.SubmitDiagInfo": "",
"com.apple.preference.security": "",
"com.apple.MCX": "",
"com.apple.applicationaccess": "",
"com.apple.systempolicy.control": ""
}
self.rule.pwprofile = pwprofile
self.rule.secprofile = secprofile
goodprofiles[pwprofile] = pwprofiledict
goodprofiles[secprofile] = spprofiledict
cmd = ["/usr/sbin/system_profiler", "SPConfigurationProfileDataType"]
if self.ch.executeCommand(cmd):
output = self.ch.getOutput()
if output:
for item, values in list(goodprofiles.items()):
self.editor = KVEditorStonix(self.statechglogger,
self.logdispatch, "profiles",
"", "", values, "", "",
output)
if self.editor.report():
cmd = ["/usr/bin/profiles", "-R", "-F", item]
if not self.ch.executeCommand(cmd):
success = False
else:
cmd = [
"/usr/bin/profiles", "-I", "-F,", item + "fake"
]
if not self.ch.executeCommand(cmd):
success = False
else:
success = False
return success
def checkReportForRule(self, pCompliance, pRuleSuccess):
'''check on whether report was correct
:param self: essential if you override this definition
:param pCompliance: the self.iscompliant value of rule
:param pRuleSuccess: did report run successfully
:returns: boolean - If successful True; If failure False
@author: ekkehard j. koch
'''
self.logdispatch.log(LogPriority.DEBUG,
"pCompliance = " + str(pCompliance) + ".")
self.logdispatch.log(LogPriority.DEBUG,
"pRuleSuccess = " + str(pRuleSuccess) + ".")
success = True
return success
def checkFixForRule(self, pRuleSuccess):
'''check on whether fix was correct
:param self: essential if you override this definition
:param pRuleSuccess: did report run successfully
:returns: boolean - If successful True; If failure False
@author: ekkehard j. koch
'''
self.logdispatch.log(LogPriority.DEBUG,
"pRuleSuccess = " + str(pRuleSuccess) + ".")
success = True
return success
def checkUndoForRule(self, pRuleSuccess):
'''check on whether undo was correct
:param self: essential if you override this definition
:param pRuleSuccess: did report run successfully
:returns: boolean - If successful True; If failure False
@author: ekkehard j. koch
'''
self.logdispatch.log(LogPriority.DEBUG,
"pRuleSuccess = " + str(pRuleSuccess) + ".")
success = True
return success