def setConditionsForRule(self): ''' Configure system for the unit test @param self: essential if you override this definition @return: boolean - If successful True; If failure False @author: dwalker ''' success = True if self.ph.check("squid"): if self.ph.manager == "apt-get": self.squidfile = "/etc/squid3/squid.conf" else: self.squidfile = "/etc/squid/squid.conf" self.backup = self.squidfile + ".original" self.data1 = {"ftp_passive": "on", "ftp_sanitycheck": "on", "check_hostnames": "on", "request_header_max_size": "20 KB", "reply_header_max_size": "20 KB", "cache_effective_user": "******", "cache_effective_group": "squid", "ignore_unknown_nameservers": "on", "allow_underscore": "off", "httpd_suppress_version_string": "on", "forwarded_for": "off", "log_mime_hdrs": "on", "http_access": "deny to_localhost"} #make sure these aren't in the file self.denied = ["acl Safe_ports port 70", "acl Safe_ports port 210", "acl Safe_ports port 280", "acl Safe_ports port 488", "acl Safe_ports port 591", "acl Safe_ports port 777"] if os.path.exists(self.squidfile): if checkPerms(self.squidfile, [0, 0, 420], self.logdispatch): if not setPerms(self.squidfile, [0, 0, 416], self.logdispatch): success = False copyfile(self.squidfile, self.backup) tempstring = "" contents = readFile(self.squidfile, self.logdispatch) if contents: for line in contents: if re.search("^ftp_passive", line.strip()): '''Delete this line''' continue else: tempstring += line '''insert line with incorrect value''' tempstring += "request_header_max_size 64 KB\n" '''insert line with no value''' tempstring += "ignore_unknown_nameservers\n" '''insert these two lines we don't want in there''' tempstring += "acl Safe_ports port 70\nacl Safe_ports port 210\n" if not writeFile(self.squidfile, tempstring, self.logdispatch): success = False return success
def setConditionsForRule(self): ''' Configure system for the unit test @param self: essential if you override this definition @return: boolean - If successful True; If failure False @author: ekkehard j. koch ''' self.detailedresults = "" self.path = "/private/etc/sshd_config" self.tmppath = "/private/etc/sshd_config.tmp" ssh = {"DenyGroups":"admin"} self.editor = KVEditorStonix(self.statechglogger, self.logdispatch, "conf", self.path, self.tmppath, ssh, "notpresent", "space") self.editor.report() self.editor.fix() setPerms(self.path, [0, 0, 511], self.logdispatch) success = True return success
def setConditionsForRule(self): ''' Configure system for the unit test @param self: essential if you override this definition @return: boolean - If successful True; If failure False @author: Eric Ball ''' success = True # This is tested as working on both platforms sudoers = "/etc/sudoers" self.rule.ci.updatecurrvalue(True) self.rule.iditerator = 0 myid = iterate(self.rule.iditerator, self.rule.rulenumber) setPerms(sudoers, [99, 99, 0770], self.logdispatch, self.statechglogger, myid) contents = readFile(sudoers, self.logdispatch) for line in contents: if re.search("^Defaults\s+timestamp_timeout", line.strip()): contents.remove(line) break return success
def setConditionsForRule(self): '''Configure system for the unit test :param self: essential if you override this definition :returns: boolean - If successful True; If failure False @author: Eric Ball ''' success = True # This is tested as working on both platforms sudoers = "/etc/sudoers" self.rule.ci.updatecurrvalue(True) self.rule.iditerator = 0 myid = iterate(self.rule.iditerator, self.rule.rulenumber) setPerms(sudoers, [99, 99, 0o770], self.logdispatch, self.statechglogger, myid) contents = readFile(sudoers, self.logdispatch) for line in contents: if re.search("^Defaults\s+timestamp_timeout", line.strip()): contents.remove(line) break return success
def setLinuxConditions(self): success = True path1 = "/etc/security/limits.conf" if os.path.exists(path1): lookfor1 = "(^\*)\s+hard\s+core\s+0?" contents = readFile(path1, self.logger) if contents: tempstring = "" for line in contents: if not re.search(lookfor1, line.strip()): tempstring += line if not writeFile(path1, tempstring, self.logger): debug = "unable to write incorrect contents to " + path1 + "\n" self.logger.log(LogPriority.DEBUG, debug) success = False if checkPerms(path1, [0, 0, 0o644], self.logger): if not setPerms(path1, [0, 0, 0o777], self.logger): debug = "Unable to set incorrect permissions on " + path1 + "\n" self.logger.log(LogPriority.DEBUG, debug) success = False else: debug = "successfully set incorrect permissions on " + path1 + "\n" self.logger.log(LogPriority.DEBUG, debug) self.ch.executeCommand("/sbin/sysctl fs.suid_dumpable") retcode = self.ch.getReturnCode() if retcode != 0: self.detailedresults += "Failed to get value of core dumps configuration with sysctl command\n" errmsg = self.ch.getErrorString() self.logger.log(LogPriority.DEBUG, errmsg) success = False else: output = self.ch.getOutputString() if output.strip() != "fs.suid_dumpable = 1": if not self.ch.executeCommand("/sbin/sysctl -w fs.suid_dumpable=1"): debug = "Unable to set incorrect value for fs.suid_dumpable" self.logger.log(LogPriority.DEBUG, debug) success = False elif not self.ch.executeCommand("/sbin/sysctl -p"): debug = "Unable to set incorrect value for fs.suid_dumpable" self.logger.log(LogPriority.DEBUG, debug) success = False return success
def setCommonConditions(self, sshfile, directives): '''Common system pre condition setting :param self: essential if you override this definition :param sshfile: ssh file to be fuzzed :param directives: intentionally incorrect directives to fuzz file with :returns: boolean - If successful True; If failure False @author: dwalker ''' # In this method, unlike the methods inside the rule, we don't # need a portion for Ubuntu to make sure directives aren't present # because we can put those directives in the file(s) to fuzz them success = True directives = dict(directives) tpath = sshfile + ".tmp" if not os.path.exists(sshfile): if not createFile(sshfile, self.logger): success = False debug = "Unable to create " + sshfile + " for setting " + \ "pre-conditions" self.logger.log(LogPriority.DEBUG, debug) return False editor = KVEditorStonix(self.statechglogger, self.logger, "conf", sshfile, tpath, directives, "present", "space") if not editor.report(): if not editor.fix(): success = False debug = "Kveditor fix for file " + sshfile + " not successful" self.logger.log(LogPriority.DEBUG, debug) elif not editor.commit(): success = False debug = "Kveditor commit for file " + sshfile + " not successful" self.logger.log(LogPriority.DEBUG, debug) if checkPerms(sshfile, [0, 0, 0o755], self.logger): if not setPerms(sshfile, [0, 0, 0o755], self.logger): success = False debug = "Unable to set incorrect permissions on " + \ sshfile + " for setting pre-conditions" self.logger.log(LogPriority.DEBUG, debug) return success
def setConditionsForRule(self): ''' Configure system for the unit test @param self: essential if you override this definition @return: boolean - If successful True; If failure False @author: Eric Ball ''' success = True # Run report() to populate self.rule.path self.rule.report() if success: badoptionstring = '''option domain-name example.com; option domain-name-servers servers.example.com; option nis-domain example.com; option nis-servers servers.example.com; option ntp-servers\tntp.example.com; option routers 127.0.0.1; option time-offset -18000; ''' open(self.rule.path, "a").write(badoptionstring) # Rule wants 644 perms, set to 770 success = setPerms(self.rule.path, [0, 0, 0770], self.logdispatch) return success
def setConditionsForRule(self): '''Configure system for the unit test :param self: essential if you override this definition :returns: boolean - If successful True; If failure False @author: Eric Ball ''' success = True # Run report() to get variables self.rule.report() ssh = {"ClientAliveInterval": "0", "ClientAliveCountMax": "900"} if os.path.exists(self.rule.path): kvtype = "conf" intent = "present" self.editor = KVEditorStonix(self.statechglogger, self.logdispatch, kvtype, self.rule.path, self.rule.tpath, ssh, intent, "space") if not self.editor.report(): if self.editor.fixables: if self.editor.fix(): if not self.editor.commit(): success = False debug = "KVEditor commit did not succeed" self.logdispatch.log(LogPriority.DEBUG, debug) else: success = False debug = "KVEditor fix() did not succeed" self.logdispatch.log(LogPriority.DEBUG, debug) self.rule.iditerator = 0 myid = iterate(self.rule.iditerator, self.rule.rulenumber) if not setPerms(self.rule.path, [99, 99, 0o770], self.logdispatch, self.statechglogger, myid): success = False debug = "Could not set permissions" self.logdispatch.log(LogPriority.DEBUG, debug) return success
def setConditionsForRule(self): '''Configure system for the unit test :param self: essential if you override this definition :returns: boolean - If successful True; If failure False @author: Eric Ball ''' success = True # Run report() to populate self.rule.path self.rule.report() if success: badoptionstring = '''option domain-name example.com; option domain-name-servers servers.example.com; option nis-domain example.com; option nis-servers servers.example.com; option ntp-servers\tntp.example.com; option routers 127.0.0.1; option time-offset -18000; ''' open(self.rule.path, "a").write(badoptionstring) # Rule wants 644 perms, set to 770 success = setPerms(self.rule.path, [0, 0, 0o770], self.logdispatch) return success
def setConditionsForRule(self): ''' Configure system for the unit test @param self: essential if you override this definition @return: boolean - If successful True; If failure False @author: Eric Ball ''' success = True # Run report() to get variables self.rule.report() ssh = {"ClientAliveInterval": "0", "ClientAliveCountMax": "900"} if os.path.exists(self.rule.path): kvtype = "conf" intent = "present" self.editor = KVEditorStonix(self.statechglogger, self.logdispatch, kvtype, self.rule.path, self.rule.tpath, ssh, intent, "space") if not self.editor.report(): if self.editor.fixables: if self.editor.fix(): if not self.editor.commit(): success = False debug = "KVEditor commit did not succeed" self.logdispatch.log(LogPriority.DEBUG, debug) else: success = False debug = "KVEditor fix() did not succeed" self.logdispatch.log(LogPriority.DEBUG, debug) self.rule.iditerator = 0 myid = iterate(self.rule.iditerator, self.rule.rulenumber) if not setPerms(self.rule.path, [99, 99, 0770], self.logdispatch, self.statechglogger, myid): success = False debug = "Could not set permissions" self.logdispatch.log(LogPriority.DEBUG, debug)
def setConditionsForRule(self): ''' Configure system for the unit test @param self: essential if you override this definition @return: boolean - If successful True; If failure False @author: dwalker ''' success = True if not self.environ.getostype() == "Mac OS X": self.ph = Pkghelper(self.logger, self.environ) if self.ph.manager == "apt-get": self.tftpfile = "/etc/default/tftpd-hpa" tmpfile = self.tftpfile + ".tmp" if os.path.exists(self.tftpfile): contents = readFile(self.tftpfile, self.logger) tempstring = "" for line in contents: '''Take TFTP_OPTIONS line out of file''' if re.search("TFTP_OPTIONS", line.strip()): continue elif re.search("TFTP_DIRECTORY", line.strip()): tempstring += 'TFTP_DIRECTORY="/var/lib/tftpbad"' continue else: tempstring += line if not writeFile(tmpfile, tempstring, self.logger): success = False else: os.rename(tmpfile, self.tftpfile) os.chown(self.tftpfile, 0, 0) os.chmod(self.tftpfile, 400) else: #if server_args line found, remove to make non-compliant self.tftpfile = "/etc/xinetd.d/tftp" tftpoptions, contents2 = [], [] if os.path.exists(self.tftpfile): i = 0 contents = readFile(self.tftpfile, self.logger) if checkPerms(self.tftpfile, [0, 0, 420], self.logger): setPerms(self.tftpfile, [0, 0, 400], self.logger) try: for line in contents: if re.search("service tftp", line.strip()): contents2 = contents[i+1:] else: i += 1 except IndexError: pass if contents2: if contents2[0].strip() == "{": del(contents2[0]) if contents2: i = 0 while i <= len(contents2) and contents2[i].strip() != "}" and contents2[i].strip() != "{": tftpoptions.append(contents2[i]) i += 1 if tftpoptions: for line in tftpoptions: if re.search("server_args", line): contents.remove(line) return success
def setLinuxConditions(self): success = True debug = "" path1 = "/etc/security/limits.conf" if os.path.exists(path1): lookfor1 = "(^\*)\s+hard\s+core\s+0?" contents = readFile(path1, self.logger) if contents: tempstring = "" for line in contents: if not re.search(lookfor1, line.strip()): tempstring += line if not writeFile(path1, tempstring, self.logger): debug = "unable to write incorrect contents to " + path1 self.logger.log(LogPriority.DEBUG, debug) success = False if not checkPerms(path1, [0, 0, 0o777], self.logger): if not setPerms(path1, [0, 0, 0o777], self.logger): debug = "Unable to set incorrect permissions on " + path1 self.logger.log(LogPriority.DEBUG, debug) success = False else: debug = "successfully set incorrect permissions on " + path1 self.logger.log(LogPriority.DEBUG, debug) sysctl = "/etc/sysctl.conf" tmpfile = sysctl + ".tmp" editor = KVEditorStonix(self.statechglogger, self.logger, "conf", sysctl, tmpfile, {"fs.suid_dumpable": "1"}, "present", "openeq") if not checkPerms(sysctl, [0, 0, 0o777], self.logger): if not setPerms(sysctl, [0, 0, 0o777], self.logger): debug = "Unable to set incorrect permissions on " + path1 self.logger.log(LogPriority.DEBUG, debug) success = False else: debug = "successfully set incorrect permissions on " + path1 self.logger.log(LogPriority.DEBUG, debug) if not editor.report(): if not editor.fix(): success = False debug = "Unable to set conditions for /etc/sysctl.conf file" self.logger.log(LogPriority.DEBUG, debug) elif not editor.commit(): success = False debug = "Unable to set conditions for /etc/sysctl.conf file" self.logger.log(LogPriority.DEBUG, debug) self.ch.executeCommand("/sbin/sysctl fs.suid_dumpable") retcode = self.ch.getReturnCode() if retcode != 0: debug = "Failed to get value of core dumps configuration with sysctl command" debug += self.ch.getErrorString() self.logger.log(LogPriority.DEBUG, debug) success = False else: output = self.ch.getOutputString() if output.strip() != "fs.suid_dumpable = 1": if not self.ch.executeCommand( "/sbin/sysctl -w fs.suid_dumpable=1"): debug = "Unable to set incorrect value for fs.suid_dumpable" self.logger.log(LogPriority.DEBUG, debug) success = False elif not self.ch.executeCommand("/sbin/sysctl -q -e -p"): debug = "Unable to set incorrect value for fs.suid_dumpable" self.logger.log(LogPriority.DEBUG, debug) success = False return success
def setConditionsForLinux(self): '''Method to configure mac non compliant for unit test @author: dwalker :returns: boolean ''' success = True self.ph = Pkghelper(self.logger, self.environ) # check compliance of grub file(s) if files exist if re.search("Red Hat", self.environ.getostype()) and \ re.search("^6", self.environ.getosver()): self.grubperms = [0, 0, 0o600] elif self.ph.manager is "apt-get": self.grubperms = [0, 0, 0o400] else: self.grubperms = [0, 0, 0o644] grubfiles = ["/boot/grub2/grub.cfg", "/boot/grub/grub.cfg" "/boot/grub/grub.conf"] for grub in grubfiles: if os.path.exists(grub): if self.grubperms: if checkPerms(grub, self.grubperms, self.logger): if not setPerms(grub, [0, 0, 0o777], self.logger): success = False contents = readFile(grub, self.logger) if contents: for line in contents: if re.search("^kernel", line.strip()) or re.search("^linux", line.strip()) \ or re.search("^linux16", line.strip()): if re.search("\s+nousb\s*", line): if not re.sub("nousb", "", line): success = False if re.search("\s+usbcore\.authorized_default=0\s*", line): if not re.sub("usbcore\.authorized_default=0", "", line): success = False pcmcialist = ['pcmcia-cs', 'kernel-pcmcia-cs', 'pcmciautils'] # check for existence of certain usb packages, non-compliant # if any exist for item in pcmcialist: if not self.ph.check(item): self.ph.install(item) removeables = [] found1 = True blacklist = {"blacklist usb_storage": False, "install usbcore /bin/true": False, "install usb-storage /bin/true": False, "blacklist uas": False, "blacklist firewire-ohci": False, "blacklist firewire-sbp2": False} if os.path.exists("/etc/modprobe.d"): dirs = glob.glob("/etc/modprobe.d/*") for directory in dirs: if os.path.isdir(directory): continue tempstring = "" contents = readFile(directory, self.logger) for line in contents: if line.strip() in blacklist: continue else: tempstring += line if not writeFile(directory, tempstring, self.logger): success = False if os.path.exists("/etc/modprobe.conf"): contents = readFile("/etc/modprobe.conf", self.logger) tempstring = "" for line in contents: if line.strip() in blacklist: continue else: tempstring += line if not writeFile("/etc/modprobe.conf", tempstring, self.logger): success = False udevfile = "/etc/udev/rules.d/10-local.rules" if os.path.exists(udevfile): if checkPerms(udevfile, [0, 0, 0o644], self.logger): if not setPerms(udevfile, [0 ,0, 0o777], self.logger): success = False contents = readFile(udevfile, self.logger) tempstring = "" for line in contents: if re.search("ACTION\=\=\"add\"\, SUBSYSTEMS\=\=\"usb\"\, RUN\+\=\"/bin/sh \-c \'for host in /sys/bus/usb/devices/usb\*\; do echo 0 \> \$host/authorized\_default\; done\'\"", line.strip()): continue else: tempstring += line if not writeFile(udevfile, tempstring, self.logger): success = False return success
def setConditionsForRule(self): """Configure system for the unit test :param self: essential if you override this definition :returns: boolean - If successful True; If failure False @author: Derek Walker """ success = True if self.ph.manager == "apt-get": self.tftpfile = "/etc/default/tftpd-hpa" tmpfile = self.tftpfile + ".tmp" if os.path.exists(self.tftpfile): contents = readFile(self.tftpfile, self.logger) tempstring = "" for line in contents: """Take TFTP_OPTIONS line out of file""" if re.search("TFTP_OPTIONS", line.strip()): continue elif re.search("TFTP_DIRECTORY", line.strip()): tempstring += 'TFTP_DIRECTORY="/var/lib/tftpbad"' continue else: tempstring += line if not writeFile(tmpfile, tempstring, self.logger): success = False else: os.rename(tmpfile, self.tftpfile) os.chown(self.tftpfile, 0, 0) os.chmod(self.tftpfile, 400) else: #if server_args line found, remove to make non-compliant self.tftpfile = "/etc/xinetd.d/tftp" tftpoptions, contents2 = [], [] if os.path.exists(self.tftpfile): i = 0 contents = readFile(self.tftpfile, self.logger) if checkPerms(self.tftpfile, [0, 0, 420], self.logger): setPerms(self.tftpfile, [0, 0, 400], self.logger) try: for line in contents: if re.search("service tftp", line.strip()): contents2 = contents[i + 1:] else: i += 1 except IndexError: pass if contents2: if contents2[0].strip() == "{": del (contents2[0]) if contents2: i = 0 while i <= len(contents2) and contents2[i].strip( ) != "}" and contents2[i].strip() != "{": tftpoptions.append(contents2[i]) i += 1 if tftpoptions: for line in tftpoptions: if re.search("server_args", line): contents.remove(line) return success
def setConditionsForLinux(self): ''' Method to configure mac non compliant for unit test @author: dwalker @return: boolean ''' success = True self.ph = Pkghelper(self.logger, self.environ) # check compliance of grub file(s) if files exist if re.search("Red Hat", self.environ.getostype()) and \ re.search("^6", self.environ.getosver()): self.grubperms = [0, 0, 0o600] elif self.ph.manager is "apt-get": self.grubperms = [0, 0, 0o400] else: self.grubperms = [0, 0, 0o644] grubfiles = ["/boot/grub2/grub.cfg", "/boot/grub/grub.cfg" "/boot/grub/grub.conf"] for grub in grubfiles: if os.path.exists(grub): if self.grubperms: if checkPerms(grub, self.grubperms, self.logger): if not setPerms(grub, [0, 0, 0o777], self.logger): success = False contents = readFile(grub, self.logger) if contents: for line in contents: if re.search("^kernel", line.strip()) or re.search("^linux", line.strip()) \ or re.search("^linux16", line.strip()): if re.search("\s+nousb\s*", line): if not re.sub("nousb", "", line): success = False if re.search("\s+usbcore\.authorized_default=0\s*", line): if not re.sub("usbcore\.authorized_default=0", "", line): success = False pcmcialist = ['pcmcia-cs', 'kernel-pcmcia-cs', 'pcmciautils'] # check for existence of certain usb packages, non-compliant # if any exist for item in pcmcialist: if not self.ph.check(item): self.ph.install(item) removeables = [] found1 = True blacklist = {"blacklist usb_storage": False, "install usbcore /bin/true": False, "install usb-storage /bin/true": False, "blacklist uas": False, "blacklist firewire-ohci": False, "blacklist firewire-sbp2": False} if os.path.exists("/etc/modprobe.d"): dirs = glob.glob("/etc/modprobe.d/*") for directory in dirs: if os.path.isdir(directory): continue tempstring = "" contents = readFile(directory, self.logger) for line in contents: if line.strip() in blacklist: continue else: tempstring += line if not writeFile(directory, tempstring, self.logger): success = False if os.path.exists("/etc/modprobe.conf"): contents = readFile("/etc/modprobe.conf", self.logger) tempstring = "" for line in contents: if line.strip() in blacklist: continue else: tempstring += line if not writeFile("/etc/modprobe.conf", tempstring, self.logger): success = False udevfile = "/etc/udev/rules.d/10-local.rules" if os.path.exists(udevfile): if checkPerms(udevfile, [0, 0, 0o644], self.logger): if not setPerms(udevfile, [0 ,0, 0o777], self.logger): success = False contents = readFile(udevfile, self.logger) tempstring = "" for line in contents: if re.search("ACTION\=\=\"add\"\, SUBSYSTEMS\=\=\"usb\"\, RUN\+\=\"/bin/sh \-c \'for host in /sys/bus/usb/devices/usb\*\; do echo 0 \> \$host/authorized\_default\; done\'\"", line.strip()): continue else: tempstring += line if not writeFile(udevfile, tempstring, self.logger): success = False return success
def setkde(self): '''Method to setup kde desktop to not be compliant @author: dwalker @return: bool ''' self.kdeprops = {"ScreenSaver": {"Enabled": "true", "Lock": "true", "LockGrace": "60000", "Timeout": "840"}} self.kderuin = [] debug = "Inside setkde method" success = True bindir = glob("/usr/bin/kde*") kdefound = False for kdefile in bindir: if re.search("^/usr/bin/kde\d$", str(kdefile)): kdefound = True if kdefound and self.environ.geteuid() == 0: contents = readFile("/etc/passwd", self.logger) if not contents: debug += "You have some serious issues, /etc/passwd is blank\n" self.logger.log(LogPriority.ERROR, debug) return False for line in contents: temp = line.split(":") try: if int(temp[2]) >= 500: if temp[5] and re.search('/', temp[5]): homebase = temp[5] if not re.search("^/home/", homebase): continue kfile = homebase + "/.kde/share/config/kscreensaverrc" if os.path.exists(kfile): uid = getpwnam(temp[0])[2] gid = getpwnam(temp[0])[3] if checkPerms(kfile, [uid, gid, 0o600], self.logger): if not setPerms(kfile, [0, 0, 0o644], self.logger): success = False debug += "Unable to set incorrect perms " + \ "on " + kfile + " for testing\n" if not self.wreckFile(kfile): debug += "Was not able to mess " + \ "up file for testing\n" success = False else: debug += "placeholder 6 in /etc/passwd is not a \ directory, invalid form of /etc/passwd" self.logger.log(LogPriority.ERROR, debug) return False except IndexError: success = False debug += traceback.format_exc() + "\n" debug += "Index out of range\n" self.logger.log(LogPriority.ERROR, debug) break except Exception: break elif kdefound: who = "/usr/bin/whoami" message = Popen(who, stdout=PIPE, shell=False) info = message.stdout.read().strip() contents = readFile('/etc/passwd', self.logger) if not contents: debug += "You have some serious issues, /etc/passwd is blank\n" self.logger.log(LogPriority.ERROR, debug) return False compliant = True for line in contents: temp = line.split(':') try: if temp[0] == info: if temp[5] and re.search('/', temp[5]): homebase = temp[5] if not re.search("^/home/", homebase): continue kfile = homebase + "/.kde/share/config/kscreensaverrc" if os.path.exists(kfile): uid = getpwnam(temp[0])[2] gid = getpwnam(temp[0])[3] if checkPerms(kfile, [uid, gid, 0o600], self.logger): if not setPerms(kfile, [0, 0, 0o644], self.logger): success = False debug += "Unable to set incorrect perms " + \ "on " + kfile + " for testing\n" if not self.wreckFile(kfile): debug += "Was not able to mess " + \ "up file for testing\n" success = False else: debug += "placeholder 6 in /etc/passwd is not a \ directory, invalid form of /etc/passwd" self.logger.log(LogPriority.ERROR, debug) return False break except IndexError: success = False debug += traceback.format_exc() + "\n" debug += "Index out of range\n" self.logger.log(LogPriority.ERROR, debug) self.detailedresults += "Unexpected formatting in " + \ "/etc/passwd" break except Exception: debug += traceback.format_exc() + "\n" self.logger.log(LogPriority.ERROR, debug) break return success
def setkde(self): '''Method to setup kde desktop to not be compliant @author: dwalker :returns: bool ''' self.kdeprops = {"ScreenSaver": {"Enabled": "true", "Lock": "true", "LockGrace": "60000", "Timeout": "840"}} self.kderuin = [] debug = "Inside setkde method" success = True bindir = glob("/usr/bin/kde*") kdefound = False for kdefile in bindir: if re.search("^/usr/bin/kde\d$", str(kdefile)): kdefound = True if kdefound and self.environ.geteuid() == 0: contents = readFile("/etc/passwd", self.logger) if not contents: debug += "You have some serious issues, /etc/passwd is blank\n" self.logger.log(LogPriority.ERROR, debug) return False for line in contents: temp = line.split(":") try: if int(temp[2]) >= 500: if temp[5] and re.search('/', temp[5]): homebase = temp[5] if not re.search("^/home/", homebase): continue kfile = homebase + "/.kde/share/config/kscreensaverrc" if os.path.exists(kfile): uid = getpwnam(temp[0])[2] gid = getpwnam(temp[0])[3] if checkPerms(kfile, [uid, gid, 0o600], self.logger): if not setPerms(kfile, [0, 0, 0o644], self.logger): success = False debug += "Unable to set incorrect perms " + \ "on " + kfile + " for testing\n" if not self.wreckFile(kfile): debug += "Was not able to mess " + \ "up file for testing\n" success = False else: debug += "placeholder 6 in /etc/passwd is not a \ directory, invalid form of /etc/passwd" self.logger.log(LogPriority.ERROR, debug) return False except IndexError: success = False debug += traceback.format_exc() + "\n" debug += "Index out of range\n" self.logger.log(LogPriority.ERROR, debug) break except Exception: break elif kdefound: who = "/usr/bin/whoami" message = Popen(who, stdout=PIPE, shell=False) info = message.stdout.read().strip() contents = readFile('/etc/passwd', self.logger) if not contents: debug += "You have some serious issues, /etc/passwd is blank\n" self.logger.log(LogPriority.ERROR, debug) return False compliant = True for line in contents: temp = line.split(':') try: if temp[0] == info: if temp[5] and re.search('/', temp[5]): homebase = temp[5] if not re.search("^/home/", homebase): continue kfile = homebase + "/.kde/share/config/kscreensaverrc" if os.path.exists(kfile): uid = getpwnam(temp[0])[2] gid = getpwnam(temp[0])[3] if checkPerms(kfile, [uid, gid, 0o600], self.logger): if not setPerms(kfile, [0, 0, 0o644], self.logger): success = False debug += "Unable to set incorrect perms " + \ "on " + kfile + " for testing\n" if not self.wreckFile(kfile): debug += "Was not able to mess " + \ "up file for testing\n" success = False else: debug += "placeholder 6 in /etc/passwd is not a \ directory, invalid form of /etc/passwd" self.logger.log(LogPriority.ERROR, debug) return False break except IndexError: success = False debug += traceback.format_exc() + "\n" debug += "Index out of range\n" self.logger.log(LogPriority.ERROR, debug) self.detailedresults += "Unexpected formatting in " + \ "/etc/passwd" break except Exception: debug += traceback.format_exc() + "\n" self.logger.log(LogPriority.ERROR, debug) break return success