def fixFreebsd(self):
if not checkPerms(self.path, [0, 0, 0o644], self.logger):
self.iditerator += 1
myid = iterate(self.iditerator, self.rulenumber)
if not setPerms(self.path, [0, 0, 0o644], self.logger,
self.statechglogger, myid):
return False
if self.networkTuning1.getcurrvalue() or \
self.networkTuning2.getcurrvalue():
if self.editor.fixables:
self.iditerator += 1
myid = iterate(self.iditerator, self.rulenumber)
self.editor.setEventID(myid)
if not self.editor.fix():
return False
elif not self.editor.commit():
return False
os.chown(self.path, 0, 0)
os.chmod(self.path, 0o644)
resetsecon(self.path)
cmd = ["/usr/sbin/service", "sysctl", "restart"]
self.ch.executeCommand(cmd)
if self.ch.getReturnCode() != 0:
self.detailedresults = "Unable to restart sysctl\n"
self.logger.log(LogPriority.DEBUG, self.detailedresults)
return False
else:
return True
else:
return True
def fix(self):
"""The fix method will apply the required settings to the system.
self.rulesuccess will be updated if the rule does not succeed.
:return: self.rulesuccess - boolean; True if fix succeeds, False if not
"""
self.detailedresults = ""
self.rulesuccess = True
path = "/etc/passwd"
tmppath = path + ".stonixtmp"
self.iditerator = 0
newcontentlines = []
try:
if not self.ci.getcurrvalue():
return self.rulesuccess
f = open(path, "r")
contentlines = f.readlines()
f.close()
for line in contentlines:
sline = line.split(":")
if sline[0] in self.corrections_needed:
sline[6] = "/sbin/nologin\n"
line = ":".join(sline)
newcontentlines.append(line)
tf = open(tmppath, "w")
tf.writelines(newcontentlines)
self.iditerator += 1
myid = iterate(self.iditerator, self.rulenumber)
event = {'eventtype': 'conf',
'filepath': path}
self.statechglogger.recordchgevent(myid, event)
self.statechglogger.recordfilechange(path, tmppath, myid)
os.rename(tmppath, path)
os.chown(path, 0, 0)
os.chmod(path, 420)
resetsecon(path)
except (KeyboardInterrupt, SystemExit):
raise
except Exception:
self.rulesuccess = False
self.detailedresults = traceback.format_exc()
self.logger.log(LogPriority.ERROR, self.detailedresults)
self.formatDetailedResults("fix", self.rulesuccess, self.detailedresults)
self.logdispatch.log(LogPriority.INFO, self.detailedresults)
return self.rulesuccess
def setaccountlockout(self, regex):
"""
configure the account lockout time in pam
:param regex: string; regular expression
:return: success
:rtype: bool
"""
success = True
pamfiles = []
if self.ph.manager in ("yum", "dnf"):
pamfiles.append(self.pamauthfile)
pamfiles.append(self.pampassfile)
writecontents = self.auth + "\n" + self.acct + "\n" + \
self.password + "\n" + self.session
else:
pamfiles.append(self.pamauthfile)
writecontents = self.auth
for pamfile in pamfiles:
if not os.path.exists(pamfile):
self.detailedresults += pamfile + " doesn't exist.\n" + \
"Stonix will not attempt to create this file " + \
"and the fix for the this rule will not continue\n"
return False
# """Check permissions on pam file(s)"""
for pamfile in pamfiles:
if not checkPerms(pamfile, [0, 0, 0o644], self.logger):
self.iditerator += 1
myid = iterate(self.iditerator, self.rulenumber)
if not setPerms(pamfile, [0, 0, 0o644], self.logger, self.statechglogger, myid):
success = False
self.detailedresults += "Unable to set " + \
"correct permissions on " + pamfile + "\n"
contents = readFile(pamfile, self.logger)
found = False
for line in contents:
if re.search(regex, line.strip()):
found = True
if not found:
tmpfile = pamfile + ".stonixtmp"
if writeFile(tmpfile, writecontents, self.logger):
self.iditerator += 1
myid = iterate(self.iditerator, self.rulenumber)
event = {'eventtype': 'conf',
'filepath': pamfile}
self.statechglogger.recordchgevent(myid, event)
self.statechglogger.recordfilechange(pamfile, tmpfile, myid)
os.rename(tmpfile, pamfile)
os.chown(pamfile, 0, 0)
os.chmod(pamfile, 0o644)
resetsecon(pamfile)
else:
self.detailedresults += "Unable to write to " + pamfile + "\n"
success = False
return success
def fix(self):
'''set the sudo timeout to a pre-defined appropriate value
@author Breen Malmberg
'''
self.detailedresults = ""
self.rulesuccess = True
self.iditerator = 0
changed = False
tempfile = self.sudofile + ".stonixtmp"
self.fixsudotimeout = "Defaults timestamp_timeout=" + self.timeouttime + "\n"
try:
if self.ci.getcurrvalue():
f = open(self.sudofile, 'r')
contents = f.readlines()
f.close()
for line in contents:
if re.search("^Defaults\s+env_reset", line):
contents.insert((contents.index(line) + 1), self.fixsudotimeout)
changed = True
if changed:
tf = open(tempfile, 'w')
tf.writelines(contents)
tf.close()
self.iditerator += 1
myid = iterate(self.iditerator, self.rulenumber)
event = {"eventtype": "conf",
"filepath": self.sudofile}
self.statechglogger.recordchgevent(myid, event)
self.statechglogger.recordfilechange(self.sudofile, tempfile, myid)
os.rename(tempfile, self.sudofile)
os.chown(self.sudofile, 0, 0)
os.chmod(self.sudofile, 0o440)
resetsecon(self.sudofile)
self.logger.log(LogPriority.DEBUG, "Added the configuration setting to " + str(self.sudofile))
else:
self.detailedresults += "\nRule was not enabled. Nothing was done."
self.logger.log(LogPriority.DEBUG, "Rule was not enabled. Nothing was done.")
except (KeyboardInterrupt, SystemExit):
raise
except Exception:
self.rulesuccess = False
self.detailedresults += "\n" + traceback.format_exc()
self.logdispatch.log(LogPriority.ERROR, self.detailedresults)
self.formatDetailedResults("fix", self.rulesuccess, self.detailedresults)
self.logdispatch.log(LogPriority.INFO, self.detailedresults)
return self.rulesuccess
def correctFile(self, kfile, user):
'''separate method to find the correct contents of each file passed in
as a parameter.
@author: dwalker
:param filehandle: string
:param kfile:
:param user:
:returns: bool
'''
created = False
success = True
self.editor = ""
debug = ""
if not os.path.exists(kfile):
if not createFile(kfile, self.logger):
self.detailedresults += "Unable to create " + kfile + \
" file for the user\n"
self.logger.log(LogPriority.DEBUG, self.detailedresults)
return False
created = True
if self.environ.geteuid() == 0:
self.iditerator += 1
myid = iterate(self.iditerator, self.rulenumber)
event = {"eventtype": "creation", "filepath": kfile}
self.statechglogger.recordchgevent(myid, event)
if not self.searchFile(kfile):
if self.editor.fixables:
if self.environ.geteuid() == 0 and not created:
self.iditerator += 1
myid = iterate(self.iditerator, self.rulenumber)
self.editor.setEventID(myid)
if not self.editor.fix():
debug = "Kveditor fix is failing for file " + \
kfile + "\n"
self.logger.log(LogPriority.DEBUG, debug)
self.detailedresults += "Unable to correct contents for " + \
kfile + "\n"
return False
elif not self.editor.commit():
debug = "Kveditor commit is failing for file " + \
kfile + "\n"
self.logger.log(LogPriority.DEBUG, debug)
self.detailedresults += "Unable to correct contents for " + \
kfile + "\n"
return False
uid = getpwnam(user)[2]
gid = getpwnam(user)[3]
os.chmod(kfile, 0o600)
os.chown(kfile, uid, gid)
resetsecon(kfile)
return success
def fix(self):
try:
if not self.ci.getcurrvalue():
return
results = ""
success = True
# Clear out event history so only the latest fix is recorded
self.iditerator = 0
eventlist = self.statechglogger.findrulechanges(self.rulenumber)
for event in eventlist:
self.statechglogger.deleteentry(event)
if os.path.exists(self.path):
if not checkPerms(self.path, [0, 0, 0o644], self.logger):
self.iditerator += 1
myid = iterate(self.iditerator, self.rulenumber)
if not setPerms(self.path, [0, 0, 0o644], self.logger,
self.statechglogger, myid):
success = False
results += "Could not set permissions on " + \
self.path + "\n"
if self.editor.fixables or self.editor.removeables:
self.iditerator += 1
myid = iterate(self.iditerator, self.rulenumber)
self.editor.setEventID(myid)
if not self.editor.fix():
debug = "kveditor fix did not run successfully\n"
self.logger.log(LogPriority.DEBUG, debug)
success = False
elif not self.editor.commit():
debug = "kveditor commit did not run successfully\n"
self.logger.log(LogPriority.DEBUG, debug)
success = False
os.chown(self.path, 0, 0)
os.chmod(self.path, 0o644)
resetsecon(self.path)
else:
success = False
results += "Could not find path to sshd_config\n"
self.detailedresults = results
self.rulesuccess = success
except (KeyboardInterrupt, SystemExit):
# User initiated exit
raise
except Exception:
self.rulesuccess = False
success = False
self.detailedresults += "\n" + traceback.format_exc()
self.logdispatch.log(LogPriority.ERROR, self.detailedresults)
self.formatDetailedResults("fix", success, self.detailedresults)
self.logdispatch.log(LogPriority.INFO, self.detailedresults)
return self.rulesuccess
def fix(self):
try:
if not self.ci.getcurrvalue():
return
success = True
self.detailedresults = ""
self.iditerator = 0
eventlist = self.statechglogger.findrulechanges(self.rulenumber)
for event in eventlist:
self.statechglogger.deleteentry(event)
if os.path.exists(self.path):
sttyText = readFile(self.path, self.logger)
newSttyText = []
for line in sttyText:
# Check for both serial connections and the old style of
# virtual connections
if re.search(self.serialRE, line) or \
re.search(r"^vc/\d", line):
line = "#" + line
newSttyText.append(line)
newSttyString = "".join(newSttyText)
tmpfile = self.path + ".tmp"
if writeFile(tmpfile, newSttyString, self.logger):
self.iditerator += 1
myid = iterate(self.iditerator, self.rulenumber)
event = {"eventtype": "conf", "filepath": self.path}
self.statechglogger.recordchgevent(myid, event)
self.statechglogger.recordfilechange(
self.path, tmpfile, myid)
os.rename(tmpfile, self.path)
perms = self.perms
setPerms(self.path, perms, self.logger,
self.statechglogger, myid)
resetsecon(self.path)
else:
success = False
self.detailedresults += "Problem writing new " + \
"contents to temporary file"
self.rulesuccess = success
except (KeyboardInterrupt, SystemExit):
# User initiated exit
raise
except Exception:
self.rulesuccess = False
self.detailedresults += "\n" + traceback.format_exc()
self.logdispatch.log(LogPriority.ERROR, self.detailedresults)
self.formatDetailedResults("fix", self.rulesuccess,
self.detailedresults)
self.logdispatch.log(LogPriority.INFO, self.detailedresults)
return self.rulesuccess
def fix(self):
try:
if not self.ci.getcurrvalue():
return
success = True
self.detailedresults = ""
self.iditerator = 0
eventlist = self.statechglogger.findrulechanges(self.rulenumber)
for event in eventlist:
self.statechglogger.deleteentry(event)
if os.path.exists(self.path):
adminAllowed = "group=admin,wheel fail_safe"
adminDisabled = "group=wheel fail_safe"
ssText = "".join(readFile(self.path, self.logger))
if re.search(adminAllowed, ssText):
ssText = re.sub(adminAllowed, adminDisabled, ssText)
tmpfile = self.path + ".tmp"
if writeFile(tmpfile, ssText, self.logger):
self.iditerator += 1
myid = iterate(self.iditerator, self.rulenumber)
event = {"eventtype": "conf", "filepath": self.path}
self.statechglogger.recordchgevent(myid, event)
self.statechglogger.recordfilechange(
self.path, tmpfile, myid)
os.rename(tmpfile, self.path)
resetsecon(self.path)
else:
success = False
self.detailedresults += "Problem writing new " + \
"contents to temporary file"
else:
success = False
self.detailedresults += self.path + ''' does not exist. STONIX \
will not attempt to create this file. If you are using OS X 10.9 or later, \
this is most likely a bug, and should be reported. Earlier versions of OS X \
are not currently supported by STONIX.'''
self.rulesuccess = success
except (KeyboardInterrupt, SystemExit):
# User initiated exit
raise
except Exception:
self.rulesuccess = False
self.detailedresults += "\n" + traceback.format_exc()
self.logdispatch.log(LogPriority.ERROR, self.detailedresults)
self.formatDetailedResults("fix", self.rulesuccess,
self.detailedresults)
self.logdispatch.log(LogPriority.INFO, self.detailedresults)
return self.rulesuccess
def fixShadow(self):
success = True
if not os.path.exists(self.shadowfile):
self.detailedresults += self.shadowfile + "does not exist. \
Will not perform fix on shadow file\n"
return False
if self.fixusers:
contents = readFile(self.shadowfile, self.logger)
if self.ph.manager == "apt-get":
perms = [0, 42, 0o640]
else:
perms = [0, 0, 0o400]
if not checkPerms(self.shadowfile, perms, self.logger) and \
not checkPerms(self.shadowfile, [0, 0, 0], self.logger):
self.iditerator += 1
myid = iterate(self.iditerator, self.rulenumber)
setPerms(self.shadowfile, perms, self.logger,
self.statechglogger, myid)
tmpdate = strftime("%Y%m%d")
tmpdate = list(tmpdate)
date = tmpdate[0] + tmpdate[1] + tmpdate[2] + tmpdate[3] + "-" + \
tmpdate[4] + tmpdate[5] + "-" + tmpdate[6] + tmpdate[7]
for user in self.fixusers:
cmd = ["chage", "-d", date, "-m", "1", "-M", "180", "-W", "28",
"-I", "35", user]
self.ch.executeCommand(cmd)
# We have to do some gymnastics here, because chage writes directly
# to /etc/shadow, but statechglogger expects the new contents to
# be in a temp file.
newContents = readFile(self.shadowfile, self.logger)
shadowTmp = "/tmp/shadow.stonixtmp"
createFile(shadowTmp, self.logger)
writeFile(shadowTmp, "".join(newContents) + "\n", self.logger)
writeFile(self.shadowfile, "".join(contents) + "\n", self.logger)
self.iditerator += 1
myid = iterate(self.iditerator, self.rulenumber)
event = {'eventtype': 'conf',
'filepath': self.shadowfile}
self.statechglogger.recordchgevent(myid, event)
self.statechglogger.recordfilechange(self.shadowfile, shadowTmp,
myid)
shutil.move(shadowTmp, self.shadowfile)
os.chmod(self.shadowfile, perms[2])
os.chown(self.shadowfile, perms[0], perms[1])
resetsecon(self.shadowfile)
return success
def correctFile(self, kfile, user):
"""separate method to find the correct contents of each file passed in
as a parameter.
@author: dwalker
:param kfile:
:param user:
:returns: bool
"""
success = True
if not os.path.exists(kfile):
if not createFile(kfile, self.logger):
self.detailedresults += "Unable to create " + kfile + \
" file for the user\n"
self.logger.log(LogPriority.DEBUG, self.detailedresults)
return False
if not self.searchFile(kfile):
if self.editor.fixables:
if not self.editor.fix():
debug = "Kveditor fix is failing for file " + \
kfile + "\n"
self.logger.log(LogPriority.DEBUG, debug)
self.detailedresults += "Unable to correct contents for " + \
kfile + "\n"
return False
elif not self.editor.commit():
debug = "Kveditor commit is failing for file " + \
kfile + "\n"
self.logger.log(LogPriority.DEBUG, debug)
self.detailedresults += "Unable to correct contents for " + \
kfile + "\n"
return False
uid = getpwnam(user)[2]
gid = getpwnam(user)[3]
if uid != "" and gid != "":
os.chmod(kfile, 0o600)
os.chown(kfile, uid, gid)
resetsecon(kfile)
else:
success = False
self.detailedresults += "Unable to obtain uid and gid of " + user + "\n"
self.logger.log(LogPriority.DEBUG, self.detailedresults)
return success
def fixLogDef(self, specs):
success = True
debug = ""
if not os.path.exists(self.logdeffile):
if createFile(self.logdeffile, self.logger):
self.logindefcreate = True
setPerms(self.logdeffile, [0, 0, 0o644], self.logger)
tmpfile = self.logdeffile + ".tmp"
self.editor1 = KVEditorStonix(self.statechglogger, self.logger,
"conf", self.logdeffile, tmpfile,
specs, "present", "space")
else:
self.detailedresults += "Was not able to create " + \
self.logdeffile + " file\n"
success = False
if self.logindefcreate:
self.iditerator += 1
myid = iterate(self.iditerator, self.rulenumber)
event = {"eventtype": "creation",
"filepath": self.logdeffile}
self.statechglogger.recordchgevent(myid, event)
elif not checkPerms(self.logdeffile, [0, 0, 0o644], self.logger):
self.iditerator += 1
myid = iterate(self.iditerator, self.rulenumber)
if not setPerms(self.logdeffile, [0, 0, 0o644], self.logger,
self.statechglogger, myid):
debug += "permissions not correct on: " + \
self.logdeffile + "\n"
success = False
if self.editor1.fixables or self.editor1.removeables:
if not self.logindefcreate:
self.iditerator += 1
myid = iterate(self.iditerator, self.rulenumber)
self.editor1.setEventID(myid)
if not self.editor1.fix():
debug += "fixLogDef editor.fix did not complete successfully\n"
success = False
elif not self.editor1.commit():
debug += "fixLogDef editor.commit did not complete successfully\n"
success = False
os.chown(self.logdeffile, 0, 0)
os.chmod(self.logdeffile, 0o644)
resetsecon(self.logdeffile)
if debug:
self.logger.log(LogPriority.DEBUG, debug)
return success
def undo(self):
"""
Revert all fix actions taken by this rule
"""
try:
if os.path.isfile(self.sudoers_backup):
os.rename(self.sudoers_backup, self.sudoers_file)
resetsecon(self.sudoers_file)
os.remove(self.sudoers_backup)
self.detailedresults += "\nOriginal files/settings restored."
else:
self.detailedresults += "\nNo files/settings to restore."
except (KeyboardInterrupt, SystemExit):
raise
except:
self.detailedresults += traceback.format_exc()
self.logger.log(LogPriority.ERROR, self.detailedresults)
def setlogindefs(self):
"""
configure login.defs options
:return: success
:rtype: bool
"""
success = True
if not checkPerms(self.logindefs, [0, 0, 0o644], self.logger):
self.iditerator += 1
myid = iterate(self.iditerator, self.rulenumber)
if not setPerms(self.logindefs, [0, 0, 0o644], self.logger,
self.statechglogger, myid):
self.detailedresults += "Unable to set permissions on " + self.logindefs + " file\n"
success = False
if self.editor2:
if self.editor2.fixables:
self.iditerator += 1
myid = iterate(self.iditerator, self.rulenumber)
self.editor2.setEventID(myid)
if self.editor2.fix():
if self.editor2.commit():
debug = "/etc/login.defs file has been corrected\n"
self.logger.log(LogPriority.DEBUG, debug)
os.chown(self.logindefs, 0, 0)
os.chmod(self.logindefs, 0o644)
resetsecon(self.logindefs)
else:
debug = "Unable to correct the contents of /etc/login.defs\n"
self.detailedresults += "Unable to correct the contents of /etc/login.defs\n"
self.logger.log(LogPriority.DEBUG, debug)
success = False
else:
self.detailedresults += "Unable to correct the contents of /etc/login.defs\n"
debug = "Unable to correct the contents of /etc/login.defs\n"
self.logger.log(LogPriority.DEBUG, debug)
success = False
return success
def fixBootMode(self):
success = True
if self.initver == "systemd":
cmd = ["/bin/systemctl", "set-default",
"multi-user.target"]
if not self.ch.executeCommand(cmd):
success = False
self.detailedresults += '"systemctl set-default ' \
+ 'multi-user.target" did not succeed\n'
else:
self.iditerator += 1
myid = iterate(self.iditerator, self.rulenumber)
commandstring = "/bin/systemctl set-default " + \
"graphical.target"
event = {"eventtype": "commandstring",
"command": commandstring}
self.statechglogger.recordchgevent(myid, event)
elif self.initver == "debian":
dmlist = ["gdm", "gdm3", "lightdm", "xdm", "kdm"]
for dm in dmlist:
cmd = ["update-rc.d", "-f", dm, "disable"]
if not self.ch.executeCommand(cmd):
self.detailedresults += "Failed to disable desktop " + \
"manager " + dm
else:
self.iditerator += 1
myid = iterate(self.iditerator, self.rulenumber)
event = {"eventtype": "servicehelper",
"servicename": dm,
"startstate": "enabled",
"endstate": "disabled"}
self.statechglogger.recordchgevent(myid, event)
elif self.initver == "ubuntu":
ldmover = "/etc/init/lightdm.override"
tmpfile = ldmover + ".tmp"
created = False
if not os.path.exists(ldmover):
createFile(ldmover, self.logger)
self.iditerator += 1
myid = iterate(self.iditerator, self.rulenumber)
event = {"eventtype": "creation", "filepath": ldmover}
self.statechglogger.recordchgevent(myid, event)
created = True
writeFile(tmpfile, "manual\n", self.logger)
if not created:
self.iditerator += 1
myid = iterate(self.iditerator, self.rulenumber)
event = {"eventtype": "conf", "filepath": ldmover}
self.statechglogger.recordchgevent(myid, event)
self.statechglogger.recordfilechange(ldmover, tmpfile, myid)
os.rename(tmpfile, ldmover)
resetsecon(ldmover)
grub = "/etc/default/grub"
if not os.path.exists(grub):
createFile(grub, self.logger)
self.iditerator += 1
myid = iterate(self.iditerator, self.rulenumber)
event = {"eventtype": "creation", "filepath": grub}
self.statechglogger.recordchgevent(myid, event)
tmppath = grub + ".tmp"
data = {"GRUB_CMDLINE_LINUX_DEFAULT": '"quiet"'}
editor = KVEditorStonix(self.statechglogger, self.logger,
"conf", grub, tmppath, data,
"present", "closedeq")
editor.report()
if editor.fixables:
if editor.fix():
self.iditerator += 1
myid = iterate(self.iditerator, self.rulenumber)
editor.setEventID(myid)
debug = "kveditor fix ran successfully\n"
self.logger.log(LogPriority.DEBUG, debug)
if editor.commit():
debug = "kveditor commit ran successfully\n"
self.logger.log(LogPriority.DEBUG, debug)
else:
error = "kveditor commit did not run " + \
"successfully\n"
self.logger.log(LogPriority.ERROR, error)
success = False
else:
error = "kveditor fix did not run successfully\n"
self.logger.log(LogPriority.ERROR, error)
success = False
cmd = "update-grub"
self.ch.executeCommand(cmd)
else:
inittab = "/etc/inittab"
tmpfile = inittab + ".tmp"
if os.path.exists(inittab):
initText = open(inittab, "r").read()
initre = r"id:\d:initdefault:"
if re.search(initre, initText):
initText = re.sub(initre, "id:3:initdefault:",
initText)
writeFile(tmpfile, initText, self.logger)
self.iditerator += 1
myid = iterate(self.iditerator, self.rulenumber)
event = {"eventtype": "conf", "filepath": inittab}
self.statechglogger.recordchgevent(myid, event)
self.statechglogger.recordfilechange(inittab,
tmpfile, myid)
os.rename(tmpfile, inittab)
resetsecon(inittab)
else:
initText += "\nid:3:initdefault:\n"
writeFile(tmpfile, initText, self.logger)
self.iditerator += 1
myid = iterate(self.iditerator, self.rulenumber)
event = {"eventtype": "conf", "filepath": inittab}
self.statechglogger.recordchgevent(myid, event)
self.statechglogger.recordfilechange(inittab,
tmpfile, myid)
os.rename(tmpfile, inittab)
resetsecon(inittab)
else:
self.detailedresults += inittab + " not found, no other " + \
"init system found. If you are using a supported " + \
"Linux OS, please report this as a bug\n"
return success
def fix(self):
'''The fix method will apply the required settings to the system.
self.rulesuccess will be updated if the rule does not succeed.
@author: Breen Malmberg
@change: dwalker - added statechglogger findrulechanges and deleteentry
@changed: Breen Malmberg - 12/05/2017 - removed unnecessary servicetarget
'''
try:
self.rulesuccess = True
self.iditerator = 0
eventlist = self.statechglogger.findrulechanges(self.rulenumber)
for event in eventlist:
self.statechglogger.deleteentry(event)
self.detailedresults = ""
# if this system is a mac, run fixmac()
if self.ismac:
self.rulesuccess = self.fixmac()
# if not mac os x, run this portion
else:
# if DisableAvahi CI is enabled, disable the avahi service
# and remove the package
if self.DisableAvahi.getcurrvalue():
avahi = self.package
avahid = 'avahi-daemon'
if self.sh.auditService(avahid):
debug = "Disabling " + avahid + " service"
self.logger.log(LogPriority.DEBUG, debug)
self.sh.disableService(avahid)
self.iditerator += 1
myid = iterate(self.iditerator, self.rulenumber)
event = {
"eventtype": "servicehelper",
"servicename": avahid,
"startstate": "enabled",
"endstate": "disabled"
}
self.statechglogger.recordchgevent(myid, event)
if self.environ.getosfamily() == 'linux' and \
self.pkghelper.check(avahi):
if self.numdependencies <= 3:
self.pkghelper.remove(avahi)
self.iditerator += 1
myid = iterate(self.iditerator, self.rulenumber)
event = {
"eventtype": "pkghelper",
"pkgname": avahi,
"startstate": "installed",
"endstate": "removed"
}
self.statechglogger.recordchgevent(myid, event)
else:
debug += 'Avahi package has too many dependent ' \
+ 'packages. Will not attempt to remove.\n'
self.logger.log(LogPriority.DEBUG, debug)
if self.pkghelper.determineMgr() == 'yum' or \
self.pkghelper.determineMgr() == 'dnf':
path = self.path
if not os.path.exists(path):
if createFile(path, self.logger):
self.iditerator += 1
myid = iterate(self.iditerator,
self.rulenumber)
event = {
"eventtype": "creation",
"filepath": path
}
self.statechglogger.recordchgevent(myid, event)
else:
self.rulesuccess = False
self.detailedresults += "Failed to create " + \
"file: " + path + ".\n"
if self.editor is None:
tmppath = path + ".tmp"
data = {"NOZEROCONF": "yes"}
self.editor = KVEditorStonix(
self.statechglogger, self.logger, "conf", path,
tmppath, data, "present", "closedeq")
if not self.editor.report():
if self.editor.fix():
self.iditerator += 1
myid = iterate(self.iditerator,
self.rulenumber)
self.editor.setEventID(myid)
if not self.editor.commit():
self.rulesuccess = False
self.detailedresults += "Could not " + \
"commit changes to " + path + ".\n"
else:
self.rulesuccess = False
self.detailedresults += "Could not fix " + \
"file " + path + ".\n"
# if SecureMDNS CI is enabled, configure avahi-daemon.conf
if self.SecureMDNS.getcurrvalue():
# if config file is present, proceed
avahiconf = '/etc/avahi/avahi-daemon.conf'
if os.path.exists(avahiconf):
if self.avahiconfeditor.fixables:
self.iditerator += 1
myid = iterate(self.iditerator, self.rulenumber)
self.avahiconfeditor.setEventID(myid)
if not self.avahiconfeditor.fix():
self.rulesuccess = False
debug = "KVEditor fix for " + avahiconf + \
"failed"
self.logger.log(LogPriority.DEBUG, debug)
elif not self.avahiconfeditor.commit():
self.rulesuccess = False
debug = "KVEditor commit for " + avahiconf + \
"failed"
self.logger.log(LogPriority.DEBUG, debug)
self.iditerator += 1
myid = iterate(self.iditerator, self.rulenumber)
setPerms(avahiconf, [0, 0, 0o644], self.logger,
self.statechglogger, myid)
resetsecon(avahiconf)
# if config file is not present and avahi not installed,
# then we can't configure it
else:
if not self.pkghelper.check(avahi):
debug = 'Avahi Daemon not installed. ' + \
'Cannot configure it.'
self.logger.log(LogPriority.DEBUG, debug)
else:
self.detailedresults += 'Avahi daemon ' + \
'installed, but could not locate the ' + \
'configuration file for it.\n'
self.rulesuccess = False
except IOError:
self.detailedresults += '\n' + traceback.format_exc()
self.logger.log(LogPriority.DEBUG, self.detailedresults)
except (KeyboardInterrupt, SystemExit):
# User initiated exit
raise
except Exception:
self.rulesuccess = False
self.detailedresults += "\n" + traceback.format_exc()
self.logdispatch.log(LogPriority.ERROR, self.detailedresults)
self.formatDetailedResults("fix", self.rulesuccess,
self.detailedresults)
self.logdispatch.log(LogPriority.INFO, self.detailedresults)
return self.rulesuccess
def fix(self):
'''will check if the shadow, passwd, or group file is present and
if so remove the plus(+) account located in the file
'''
try:
if not self.ci.getcurrvalue():
return
self.detailedresults = ""
#clear out event history so only the latest fix is recorded
self.iditerator = 0
eventlist = self.statechglogger.findrulechanges(self.rulenumber)
for event in eventlist:
self.statechglogger.deleteentry(event)
for path in self.badfiles:
path = path.strip()
if os.path.exists(path):
tempstring = ""
contents = readFile(path, self.logger)
if not contents:
continue
for line in contents:
if not re.search('^\+', line.strip()):
tempstring += line
if path == "/etc/master.passwd":
if not checkPerms(path, [0, 0, 384], self.logger):
self.iditerator += 1
myid = iterate(self.iditerator, self.rulenumber)
setPerms(path, [0, 0, 384], self.logger,
self.statechglogger, myid)
elif path == "/etc/shadow":
#put in code to handle apt-get systems /etc/shadow file later
#for this file, the owner is root, but the group is shadow
#by default this group is 42 but may not always be that
if self.ph.manager == "apt-get":
retval = getUserGroupName("/etc/shadow")
if retval[0] != "root" or retval[1] != "shadow":
uid = pwd.getpwnam("root").pw_uid
gid = grp.getgrnam("shadow").gr_gid
self.iditerator += 1
myid = iterate(self.iditerator, self.rulenumber)
setPerms(path, [uid, gid, 420], self.logger,
self.statechglogger, myid)
else:
if not checkPerms(path, [0, 0, 256], self.logger) and \
not checkPerms(path, [0, 0, 0], self.logger):
self.iditerator += 1
myid = iterate(self.iditerator, self.rulenumber)
setPerms(path, [0, 0, 256], self.logger,
self.statechglogger, myid)
else:
if not checkPerms(path, [0, 0, 420], self.logger):
self.iditerator += 1
myid = iterate(self.iditerator, self.rulenumber)
setPerms(path, [0, 0, 420], self.logger,
self.statechglogger, myid)
tmpfile = path + ".tmp"
if not writeFile(tmpfile, tempstring, self.logger):
self.rulesuccess = False
return
self.iditerator += 1
myid = iterate(self.iditerator, self.rulenumber)
event = {'eventtype': 'conf',
'filepath': path}
self.statechglogger.recordchgevent(myid, event)
self.statechglogger.recordfilechange(path, tmpfile, myid)
os.rename(tmpfile, path)
if path == "/etc/master.passwd":
os.chown(path, 0, 0)
os.chmod(path, 384)
elif path == "/etc/shadow":
if self.ph.manager == "apt-get":
os.chown(path, uid, gid)
os.chmod(path, 420)
else:
os.chown(path, 0, 0)
os.chmod(path, 256)
else:
os.chmod(path, 420)
resetsecon(path)
except (KeyboardInterrupt, SystemExit):
# User initiated exit
raise
except Exception:
self.rulesuccess = False
self.detailedresults += "\n" + traceback.format_exc()
self.logdispatch.log(LogPriority.ERROR, self.detailedresults)
self.formatDetailedResults("fix", self.rulesuccess,
self.detailedresults)
self.logdispatch.log(LogPriority.INFO, self.detailedresults)
return self.rulesuccess
def fix(self):
try:
if not self.ci.getcurrvalue():
self.detailedresults += "CI not enabled\n"
else:
success = True
self.detailedresults = ""
self.iditerator = 0
eventlist = self.statechglogger.findrulechanges(self.rulenumber)
for event in eventlist:
self.statechglogger.deleteentry(event)
if not os.path.exists(self.path1):
createFile(self.path1, self.logger)
self.created = True
self.iditerator += 1
myid = iterate(self.iditerator, self.rulenumber)
event = {"eventtype": "creation",
"filepath": self.path1}
self.statechglogger.recordchgevent(myid, event)
self.tmppath = self.path1 + ".tmp"
self.editor1 = KVEditorStonix(self.statechglogger, self.logger,
"conf", self.path1, self.tmppath,
self.data1, "present",
"closedeq")
self.editor1.report()
self.editor2 = KVEditorStonix(self.statechglogger, self.logger,
"conf", self.path1, self.tmppath,
self.data2, "present", "space")
self.editor2.report()
if self.editor1.fixables or self.editor2.fixables:
if self.editor1.fix():
self.iditerator += 1
myid = iterate(self.iditerator, self.rulenumber)
self.editor1.setEventID(myid)
if self.editor1.commit():
debug = self.path1 + "'s contents have been " + \
"corrected\n"
self.logger.log(LogPriority.DEBUG, debug)
resetsecon(self.path1)
else:
debug = "kveditor commit not successful\n"
self.logger.log(LogPriority.DEBUG, debug)
success = False
self.detailedresults += self.path1 + \
" properties could not be set\n"
else:
debug = "kveditor fix not successful\n"
self.logger.log(LogPriority.DEBUG, debug)
success = False
self.detailedresults += self.path1 + \
" properties could not be set\n"
if self.editor2.fix():
self.iditerator += 1
myid = iterate(self.iditerator, self.rulenumber)
self.editor2.setEventID(myid)
if self.editor2.commit():
debug = self.path1 + "'s contents have been " + \
"corrected\n"
self.logger.log(LogPriority.DEBUG, debug)
resetsecon(self.path1)
else:
debug = "kveditor commit not successful\n"
self.logger.log(LogPriority.DEBUG, debug)
success = False
self.detailedresults += self.path1 + \
" properties could not be set\n"
else:
debug = "kveditor fix not successful\n"
self.logger.log(LogPriority.DEBUG, debug)
success = False
self.detailedresults += self.path1 + \
" properties could not be set\n"
if not checkPerms(self.path1, [0, 0, 0o755], self.logger) and \
not checkPerms(self.path1, [0, 0, 0o644], self.logger):
self.iditerator += 1
myid = iterate(self.iditerator, self.rulenumber)
if not setPerms(self.path1, [0, 0, 0o644], self.logger,
self.statechglogger, myid):
success = False
self.detailedresults += "Could not set permissions " + \
"for " + self.path1 + "\n"
if not os.path.exists(self.path2):
createFile(self.path2, self.logger)
self.created = True
self.iditerator += 1
myid = iterate(self.iditerator, self.rulenumber)
event = {"eventtype": "creation",
"filepath": self.path2}
self.statechglogger.recordchgevent(myid, event)
writeFile(self.path2, self.cshData, self.logger)
if not checkPerms(self.path2, [0, 0, 0o755], self.logger) and \
not checkPerms(self.path2, [0, 0, 0o644], self.logger):
self.iditerator += 1
myid = iterate(self.iditerator, self.rulenumber)
if not setPerms(self.path2, [0, 0, 0o644],
self.logger, self.statechglogger, myid):
success = False
self.detailedresults += "Could not set permissions " + \
"for " + self.path2 + "\n"
self.rulesuccess = success
except (KeyboardInterrupt, SystemExit):
# User initiated exit
raise
except Exception:
self.rulesuccess = False
self.detailedresults += "\n" + traceback.format_exc()
self.logdispatch.log(LogPriority.ERROR, self.detailedresults)
self.formatDetailedResults("fix", self.rulesuccess,
self.detailedresults)
self.logdispatch.log(LogPriority.INFO, self.detailedresults)
return self.rulesuccess
def fix_security_limits(self):
'''ensure the limits.conf file contains the configuration
setting * hard core 0
:returns: succcess
:rtype: bool
@author: ???
'''
success = True
path1 = "/etc/security/limits.conf"
lookfor1 = "(^\*)\s+hard\s+core\s+0?"
created = False
if not os.path.exists(path1):
if not createFile(path1, self.logger):
success = False
self.detailedresults += "Unable to create " + path1 + " file\n"
else:
created = True
self.iditerator += 1
myid = iterate(self.iditerator, self.rulenumber)
event = {"eventtype": "creation", "filepath": "path1"}
self.statechglogger.recordchgevent(myid, event)
if os.path.exists(path1):
if not checkPerms(path1, [0, 0, 0o644], self.logger):
if not created:
self.iditerator += 1
myid = iterate(self.iditerator, self.rulenumber)
if not setPerms(path1, [0, 0, 0o644], self.logger,
self.statechglogger, myid):
success = False
self.detailedresults += "Unable to correct permissions on " + path1 + "\n"
contents = readFile(path1, self.logger)
found = False
tempstring = ""
if contents:
for line in contents:
if re.search(lookfor1, line.strip()):
found = True
else:
tempstring += line
else:
found = False
if not found:
tempstring += "* hard core 0\n"
tempfile = path1 + ".stonixtmp"
if not writeFile(tempfile, tempstring, self.logger):
success = False
self.detailedresults += "Unable to write contents to " + path1 + "\n"
else:
if not created:
self.iditerator += 1
myid = iterate(self.iditerator, self.rulenumber)
event = {"eventtype": "conf", "filepath": path1}
self.statechglogger.recordchgevent(myid, event)
self.statechglogger.recordfilechange(
path1, tempfile, myid)
os.rename(tempfile, path1)
setPerms(path1, [0, 0, 0o644], self.logger)
resetsecon(path1)
return success
def fix(self):
'''Enable the firewall services and establish basic rules if needed.
@author: D. Kennel
'''
try:
if not self.clfci.getcurrvalue():
return
self.iditerator = 0
self.detailedresults = ""
success = True
# delete past state change records from previous fix
eventlist = self.statechglogger.findrulechanges(self.rulenumber)
for event in eventlist:
self.statechglogger.deleteentry(event)
#firewall-cmd portion
if self.checkFirewalld():
if self.servicehelper.enableService('firewalld.service', serviceTarget=self.serviceTarget):
self.iditerator += 1
myid = iterate(self.iditerator, self.rulenumber)
cmd = "/usr/bin/systemctl disable firewalld.service"
event = {"eventtype": "commandstring",
"command": cmd}
self.statechglogger.recordchgevent(myid, event)
self.detailedresults += "Firewall configured.\n "
else:
success = False
self.detailedresults += "Unable to enable firewall\n"
debug = "Unable to enable firewall\n"
self.logger.log(LogPriority.DEBUG, debug)
#ufw command portion
elif self.checkUFW():
self.logger.log(LogPriority.DEBUG, "System uses ufw. Running ufw commands...")
cmdufw = '/usr/sbin/ufw status'
if not self.cmdhelper.executeCommand(cmdufw):
self.detailedresults += "Unable to run " + \
"ufw status command\n"
success = False
else:
outputufw = self.cmdhelper.getOutputString()
if re.search('Status: inactive', outputufw):
ufwcmd = '/usr/sbin/ufw --force enable'
if not self.cmdhelper.executeCommand(ufwcmd):
self.detailedresults += "Unable to run " + \
"ufw enable command\n"
success = False
else:
self.iditerator += 1
myid = iterate(self.iditerator, self.rulenumber)
undocmd = "/usr/sbin/ufw --force disable"
event = {"eventtype": "commandstring",
"command": undocmd}
self.statechglogger.recordchgevent(myid, event)
cmdufw = "/usr/sbin/ufw status verbose"
if not self.cmdhelper.executeCommand(cmdufw):
self.detailedresults += "Unable to retrieve firewall rules\n"
success = False
else:
outputfw = self.cmdhelper.getOutputString()
if not re.search("Default\:\ deny\ \(incoming\)", outputfw):
ufwcmd = "/usr/sbin/ufw default deny incoming"
if not self.cmdhelper.executeCommand(ufwcmd):
self.detailedresults += "Unable to set default " + \
"rule for incoming unspecified packets\n"
success = False
else:
self.iditerator += 1
myid = iterate(self.iditerator, self.rulenumber)
undocmd = "/usr/sbin/ufw default allow incoming"
event = {"eventtype": "commandstring",
"command": undocmd}
self.statechglogger.recordchgevent(myid, event)
elif re.search('Status: active', outputufw):
cmdufw = "/usr/sbin/ufw status verbose"
if not self.cmdhelper.executeCommand(cmdufw):
self.detailedresults += "Cannot retrieve firewall rules\n"
success = False
else:
outputufw = self.cmdhelper.getOutputString()
if not re.search("Default\:\ deny\ \(incoming\)", outputufw):
ufwcmd = "/usr/sbin/ufw default deny incoming"
if not self.cmdhelper.executeCommand(ufwcmd):
self.detailedresults += "Unable to set default " + \
"rule for incoming unspecified packets\n"
success = False
else:
self.iditerator += 1
myid = iterate(self.iditerator, self.rulenumber)
undocmd = "/usr/sbin/ufw default allow incoming"
event = {"eventtype": "commandstring",
"command": undocmd}
self.statechglogger.recordchgevent(myid, event)
else:
#following portion is mainly for debian and opensuse systems only
if os.path.exists("/etc/network/if-pre-up.d"):
self.iptScriptPath = "/etc/network/if-pre-up.d/iptables"
self.scriptType = "debian"
servicename = "networking"
elif os.path.exists("/etc/sysconfig/scripts"):
self.iptScriptPath = "/etc/sysconfig/scripts/SuSEfirewall2-custom"
self.scriptType = "suse"
servicename = "network"
#this script will ensure that iptables gets configured
#each time the network restarts
iptables = self.getScriptValues("iptables")
ip6tables = self.getScriptValues("ip6tables")
iptScript = ""
created = False
if self.iptScriptPath:
if self.scriptType == "debian":
if self.iprestore and self.ip6restore:
iptScript = '#!/bin/bash\n' + self.iprestore + \
' <<< "' + iptables + '"\n' + self.ip6restore + \
' <<< "' + ip6tables + '"'
else:
iptScript = self.getScriptValues("iptscript")
if iptScript:
if not os.path.exists(self.iptScriptPath):
if not createFile(self.iptScriptPath, self.logger):
success = False
self.detailedresults += "Unable to create file " + self.iptScriptPath + "\n"
else:
created = True
self.iditerator += 1
myid = iterate(self.iditerator, self.rulenumber)
event = {"eventtype": "creation",
"filepath": self.iptScriptPath}
self.statechglogger.recordchgevent(myid, event)
if os.path.exists(self.iptScriptPath):
if not checkPerms(self.iptScriptPath, [0, 0, 0o755], self.logger):
if not created:
self.iditerator += 1
myid = iterate(self.iditerator, self.rulenumber)
if not setPerms(self.iptScriptPath, [0, 0, 0o755], self.logger, self.statechglogger, myid):
success = False
self.detailedresults += "Unable to set permissions on " + self.iptScriptPath + "\n"
contents = readFile(self.iptScriptPath, self.logger)
if contents != iptScript:
tempfile = self.iptScriptPath + ".tmp"
if not writeFile(tempfile, iptScript, self.logger):
success = False
self.detailedresults += "Unable to write contents to " + self.iptScriptPath + "\n"
else:
if not created:
self.iditerator += 1
myid = iterate(self.iditerator, self.rulenumber)
event = {"eventtype": "conf",
"filepath": self.iptScriptPath}
self.statechglogger.recordchgevent(myid, event)
self.statechglogger.recordfilechange(self.iptScriptPath, tempfile, myid)
os.rename(tempfile, self.iptScriptPath)
os.chown(self.iptScriptPath, 0, 0)
os.chmod(self.iptScriptPath, 0o755)
resetsecon(self.iptScriptPath)
stonixfilepath = "/var/db/stonix/"
savecmd = "/sbin/iptables-save > " + stonixfilepath + "user-firewall-pre-stonix"
if not self.cmdhelper.executeCommand(savecmd):
success = False
self.detailedresults += "Unable to save current ipv4 " + \
"firewall rules for revert\n"
debug = "Unable to save current ipv4 " + \
"firewall rules for revert\n"
self.logger.log(LogPriority.DEBUG, debug)
save6cmd = "/sbin/ip6tables-save > " + stonixfilepath + "user-firewall6-pre-stonix"
if not self.cmdhelper.executeCommand(save6cmd):
success = False
self.detailedresults += "Unable to save current ipv6 " + \
"firewall rules for revert\n"
debug = "Unable to save current ipv6 " + \
"firewall rules for revert\n"
self.logger.log(LogPriority.DEBUG, debug)
self.servicehelper.stopService(servicename)
if not self.servicehelper.startService(servicename):
success = False
self.detailedresults += "Unable to restart networking\n"
debug = "Unable to restart networking\n"
self.logger.log(LogPriority.DEBUG, debug)
else:
self.iditerator += 1
myid = iterate(self.iditerator, self.rulenumber)
cmd = "/sbin/iptables-restore < " + stonixfilepath + "user-firewall-pre-stonix"
event = {"eventtype": "commandstring",
"command": cmd}
self.statechglogger.recordchgevent(myid, event)
self.iditerator += 1
myid = iterate(self.iditerator, self.rulenumber)
cmd = "/sbin/ip6tables-restore < " + stonixfilepath + "user-firewall6-pre-stonix"
event = {"eventtype": "commandstring",
"command": cmd}
self.statechglogger.recordchgevent(myid, event)
else:
success = False
self.detailedresults += "There is no iptables startup script\n"
debug = "There is no iptables startup script\n"
self.logger.log(LogPriority.DEBUG, debug)
#this portion mostly applies to RHEL6 and Centos6
if os.path.exists('/usr/bin/system-config-firewall') or \
os.path.exists('/usr/bin/system-config-firewall-tui'):
systemconfigfirewall = self.getScriptValues("systemconfigfirewall")
sysconfigiptables = self.getScriptValues("sysconfigiptables")
sysconfigip6tables = self.getScriptValues("sysconfigip6tables")
fwpath = '/etc/sysconfig/system-config-firewall'
iptpath = '/etc/sysconfig/iptables'
ip6tpath = '/etc/sysconfig/ip6tables'
#portion to handle the system-config-firewall file
created = False
if not os.path.exists(fwpath):
if not createFile(fwpath, self.logger):
success = False
self.detailedresults += "Unable to create file " + fwpath + "\n"
else:
created = True
self.iditerator += 1
myid = iterate(self.iditerator, self.rulenumber)
event = {"eventtype": "creation",
"filepath": fwpath}
self.statechglogger.recordchgevent(myid, event)
if os.path.exists(fwpath):
if not checkPerms(fwpath, [0, 0, 0o600], self.logger):
if not created:
self.iditerator += 1
myid = iterate(self.iditerator, self.rulenumber)
if not setPerms(fwpath, [0, 0, 0o600], self.logger, self.statechglogger, myid):
success = False
self.detailedresults += "Unable to set permissions on " + fwpath + "\n"
contents = readFile(fwpath, self.logger)
if contents != systemconfigfirewall:
print("contents don't equal systemconfigurefirewall contents\n")
tempfile = fwpath + ".tmp"
if not writeFile(tempfile, systemconfigfirewall, self.logger):
success = False
self.detailedresults += "Unable to write contents to " + fwpath + "\n"
else:
if not created:
self.iditerator += 1
myid = iterate(self.iditerator, self.rulenumber)
event = {"eventtype": "conf",
"filepath": fwpath}
self.statechglogger.recordchgevent(myid, event)
self.statechglogger.recordfilechange(fwpath, tempfile, myid)
os.rename(tempfile, fwpath)
os.chown(fwpath, 0, 0)
os.chmod(fwpath, 0o600)
resetsecon(fwpath)
created = False
#portion to handle the iptables rules file
if not os.path.exists(iptpath):
if not createFile(iptpath, self.logger):
success = False
self.detailedresults += "Unable to create file " + iptpath + "\n"
else:
created = True
self.iditerator += 1
myid = iterate(self.iditerator, self.rulenumber)
event = {"eventtype": "creation",
"filepath": iptpath}
self.statechglogger.recordchgevent(myid, event)
if os.path.exists(iptpath):
if not checkPerms(iptpath, [0, 0, 0o644], self.logger):
if not created:
self.iditerator += 1
myid = iterate(self.iditerator, self.rulenumber)
if not setPerms(iptpath, [0, 0, 0o644], self.logger, self.statechglogger, myid):
success = False
self.detailedresults += "Unable to set permissions on " + iptpath + "\n"
contents = readFile(iptpath, self.logger)
if contents != sysconfigiptables:
tempfile = iptpath + ".tmp"
if not writeFile(tempfile, sysconfigiptables, self.logger):
success = False
self.detailedresults += "Unable to write contents to " + iptpath + "\n"
else:
if not created:
self.iditerator += 1
myid = iterate(self.iditerator, self.rulenumber)
event = {"eventtype": "conf",
"filepath": iptpath}
self.statechglogger.recordchgevent(myid, event)
self.statechglogger.recordfilechange(iptpath, tempfile, myid)
os.rename(tempfile, iptpath)
os.chown(iptpath, 0, 0)
os.chmod(iptpath, 0o644)
resetsecon(iptpath)
created = False
#portion to handle ip6tables rules file
if not os.path.exists(ip6tpath):
if not createFile(ip6tpath, self.logger):
success = False
self.detailedresults += "Unable to create file " + ip6tpath + "\n"
else:
created = True
self.iditerator += 1
myid = iterate(self.iditerator, self.rulenumber)
event = {"eventtype": "creation",
"filepath": ip6tpath}
self.statechglogger.recordchgevent(myid, event)
if os.path.exists(ip6tpath):
if not checkPerms(ip6tpath, [0, 0, 0o644], self.logger):
if not created:
self.iditerator += 1
myid = iterate(self.iditerator, self.rulenumber)
if not setPerms(ip6tpath, [0, 0, 0o644], self.logger, self.statechglogger, myid):
success = False
self.detailedresults += "Unable to set permissions on " + ip6tpath + "\n"
contents = readFile(ip6tpath, self.logger)
if contents != sysconfigip6tables:
tempfile = ip6tpath + ".tmp"
if not writeFile(tempfile, sysconfigip6tables, self.logger):
success = False
self.detailedresults += "Unable to write contents to " + ip6tpath + "\n"
else:
if not created:
self.iditerator += 1
myid = iterate(self.iditerator, self.rulenumber)
event = {"eventtype": "conf",
"filepath": ip6tpath}
self.statechglogger.recordchgevent(myid, event)
self.statechglogger.recordfilechange(ip6tpath, tempfile, myid)
os.rename(tempfile, ip6tpath)
os.chown(ip6tpath, 0, 0)
os.chmod(ip6tpath, 0o644)
resetsecon(ip6tpath)
# check if iptables is enabled to run at start
if not self.servicehelper.auditService('iptables'):
# enable service to run at start if not
if not self.servicehelper.enableService('iptables'):
self.detailedresults += "Unable to enable iptables service\n"
debug = "Unable to enable iptables service\n"
self.logger.log(LogPriority.DEBUG, debug)
success = False
else:
# record event if successful
self.iditerator += 1
myid = iterate(self.iditerator, self.rulenumber)
cmd = self.servicehelper.getDisableCommand('iptables')
event = {"eventtype": "commandstring",
"command": cmd}
self.statechglogger.recordchgevent(myid, event)
self.servicehelper.stopService('iptables')
# start iptables if not
if not self.servicehelper.startService('iptables'):
self.detailedresults += "Unable to start iptables service\n"
debug = "Unable to start iptables service\n"
self.logger.log(LogPriority.DEBUG, debug)
success = False
else:
stonixfilepath = "/var/db/stonix/"
savecmd = "/sbin/iptables-save > " + stonixfilepath + "user-firewall-pre-stonix"
if not self.cmdhelper.executeCommand(savecmd):
success = False
self.detailedresults += "Unable to save current ipv4 " + \
"firewall rules for revert\n"
debug = "Unable to save current ipv4 " + \
"firewall rules for revert\n"
self.logger.log(LogPriority.DEBUG, debug)
else:
self.iditerator += 1
myid = iterate(self.iditerator, self.rulenumber)
cmd = "/sbin/iptables-restore < " + stonixfilepath + "user-firewall-pre-stonix"
event = {"eventtype": "commandstring",
"command": cmd}
self.statechglogger.recordchgevent(myid, event)
savecmd = "/sbin/ip6tables-save > " + stonixfilepath + "user-firewall6-pre-stonix"
if not self.cmdhelper.executeCommand(savecmd):
success = False
self.detailedresults += "Unable to save current ipv6 " + \
"firewall rules for revert\n"
debug = "Unable to save current ipv6 " + \
"firewall rules for revert\n"
self.logger.log(LogPriority.DEBUG, debug)
else:
self.iditerator += 1
myid = iterate(self.iditerator, self.rulenumber)
cmd = "/sbin/ip6tables-restore < " + stonixfilepath + "user-firewall6-pre-stonix"
event = {"eventtype": "commandstring",
"command": cmd}
self.statechglogger.recordchgevent(myid, event)
# check if ip6tables is enabled to run at start
if not self.servicehelper.auditService('ip6tables'):
# enable service to run at start if not
if not self.servicehelper.enableService('ip6tables'):
self.detailedresults += "Unable to enable ip6tables service\n"
debug = "Unable to enable ip6tables service\n"
self.logger.log(LogPriority.DEBUG, debug)
success = False
else:
# record event if successful
self.iditerator += 1
myid = iterate(self.iditerator, self.rulenumber)
cmd = self.servicehelper.getDisableCommand('ip6tables')
event = {"eventtype": "commandstring",
"command": cmd}
self.statechglogger.recordchgevent(myid, event)
self.servicehelper.stopService('ip6tables')
# start ip6tables if not
if not self.servicehelper.startService('ip6tables'):
self.detailedresults += "Unable to start ip6tables service\n"
debug = "Unable to start ip6tables service\n"
self.logger.log(LogPriority.DEBUG, debug)
success = False
# Sleep for a bit to let the restarts occur
time.sleep(10)
self.rulesuccess = success
except (KeyboardInterrupt, SystemExit):
# User initiated exit
raise
except Exception:
self.rulesuccess = False
self.detailedresults += "\n" + traceback.format_exc()
self.logdispatch.log(LogPriority.ERROR, self.detailedresults)
self.formatDetailedResults("fix", self.rulesuccess,
self.detailedresults)
self.logdispatch.log(LogPriority.INFO, self.detailedresults)
return self.rulesuccess
def fix(self):
'''DisableWeakAuthentication.fix() Public method to fix any issues
that were found in the report method.
@author: dwalker
:returns: bool - False if the method died during execution
'''
try:
self.detailedresults = ""
if not self.ci.getcurrvalue():
return
success = True
for item in self.rsh:
if self.helper.check(item):
if not self.helper.remove(item):
success = False
if self.incorrects:
for item in self.incorrects:
tempstring = ""
contents = readFile(item, self.logger)
if not contents:
continue
for line in contents:
if re.match('^#', line) or re.match(r'^\s*$', line):
tempstring += line
elif re.search("pam_rhosts", line):
continue
else:
tempstring += line
if not checkPerms(item, [0, 0, 420], self.logger):
if not setPerms(item, [0, 0, 420], self.logger):
success = False
tmpfile = item + ".tmp"
if writeFile(tmpfile, tempstring, self.logger):
os.rename(tmpfile, item)
os.chown(item, 0, 0)
os.chmod(item, 420)
resetsecon(item)
else:
success = False
for item in self.pams:
if os.path.exists(item):
if not checkPerms(item, [0, 0, 420], self.logger):
if not setPerms(item, [0, 0, 420], self.logger):
success = False
if os.path.exists("/etc/pam.d/"):
fileItems = glob.glob("/etc/pam.d/*")
for item in fileItems:
if not checkPerms(item, [0, 0, 420], self.logger):
if not setPerms(item, [0, 0, 420], self.logger):
success = False
return success
except (KeyboardInterrupt, SystemExit):
raise
except Exception:
self.rulesuccess = False
self.detailedresults += "\n" + traceback.format_exc()
self.logdispatch.log(LogPriority.ERROR, self.detailedresults)
self.formatDetailedResults("fix", self.rulesuccess,
self.detailedresults)
self.logdispatch.log(LogPriority.INFO, self.detailedresults)
return self.rulesuccess
def fixGnome(self):
"""ensures gnome is configured to automatically screen lock after
15 minutes of inactivity, if gnome is installed
@author: dwalker
:param self: essential if you override this definition
:returns: bool - True if gnome is successfully configured, False if it
isn't
"""
info = ""
success = True
gconf = "/usr/bin/gconftool-2"
gsettings = "/usr/bin/gsettings"
if os.path.exists(gconf):
#variable self.setcmds still has items left in its dictionary
#which was set in the reportGnome method, meaning some values
#either were incorrect or didn't have values. Go through and
#set each remaining value that isn't correct
cmd = ""
if self.setcmds:
for item in self.setcmds:
if item == "/apps/gnome-screensaver/idle_activation_enabled":
cmd = gconf + " --type bool --set /apps/gnome-screensaver/idle_activation_enabled true"
elif item == "/apps/gnome-screensaver/lock_enabled":
cmd = gconf + " --type bool --set /apps/gnome-screensaver/lock_enabled true"
elif item == "/apps/gnome-screensaver/mode":
cmd = gconf + ' --type string --set /apps/gnome-screensaver/mode "blank-only"'
elif item == "/desktop/gnome/session/idle_delay":
if self.gconfidletime:
cmd = gconf + " --type int --set /desktop/gnome/session/idle_delay " + \
self.gconfidletime
else:
cmd = gconf + " --type int --set /desktop/gnome/session/idle_delay 15"
if self.cmdhelper.executeCommand(cmd):
if self.cmdhelper.getReturnCode() != 0:
info += "Unable to set value for " + cmd + "\n"
success = False
else:
info += "Unable to set value for " + cmd + "\n"
success = False
if os.path.exists(gsettings):
setcmds = [
"org.gnome.desktop.screensaver idle-activation-enabled true",
"org.gnome.desktop.screensaver lock-enabled true",
"org.gnome.desktop.screensaver lock-delay 0",
"org.gnome.desktop.screensaver picture-opacity 100",
"org.gnome.desktop.screensaver picture-uri ''",
"org.gnome.desktop.session idle-delay 900"
]
# " set org.gnome.desktop.session idle-delay " + self.gsettingsidletime]
for cmd in setcmds:
cmd2 = gsettings + " set " + cmd
self.cmdhelper.executeCommand(cmd2)
if self.cmdhelper.getReturnCode() != 0:
success = False
info += "Unable to set value for " + cmd + \
" using gsettings\n"
# Set gsettings with dconf
# Unlock dconf settings
# Create dconf settings lock file
if self.environ.geteuid() == 0:
if not os.path.exists(self.dconfsettingslock):
if not createFile(self.dconfsettingslock, self.logger):
self.rulesuccess = False
self.detailedresults += "Unable to create stonix-settings file\n"
self.formatDetailedResults("fix", self.rulesuccess,
self.detailedresults)
return False
#write correct contents to dconf lock file
if os.path.exists(self.dconfsettingslock):
# Write to the lock file
if self.dconflockdata:
contents = ""
tmpfile = self.dconfsettingslock + ".tmp"
for line in self.dconflockdata:
contents += line + "\n"
if not writeFile(tmpfile, contents, self.logger):
self.rulesuccess = False
self.detailedresults += "Unable to write contents to " + \
"stonix-settings file\n"
else:
os.rename(tmpfile, self.dconfsettingslock)
os.chown(self.dconfsettingslock, 0, 0)
os.chmod(self.dconfsettingslock, 0o644)
resetsecon(self.dconfsettingslock)
# Create dconf user profile file
if not os.path.exists(self.dconfuserprofile):
if not createFile(self.dconfuserprofile, self.logger):
self.rulesuccess = False
self.detailedresults += "Unable to create dconf " + \
"user profile file\n"
self.formatDetailedResults("fix", self.rulesuccess,
self.detailedresults)
return False
# Write dconf user profile
if os.path.exists(self.dconfuserprofile):
tmpfile = self.dconfuserprofile + ".tmp"
if not writeFile(tmpfile, self.userprofilecontent,
self.logger):
self.rulesuccess = False
self.detailedresults += "Unabled to write to dconf user" + \
" profile file\n"
self.formatDetailedResults("fix", self.rulesuccess,
self.detailedresults)
return False
else:
os.rename(tmpfile, self.dconfuserprofile)
os.chown(self.dconfuserprofile, 0, 0)
os.chmod(self.dconfuserprofile, 0o644)
resetsecon(self.dconfuserprofile)
# Fix dconf settings
if not os.path.exists(self.dconfsettings):
if not createFile(self.dconfsettings, self.logger):
self.rulesuccess = False
self.detailedresults += "Unable to create " + self.dconfsettings + " file \n"
self.formatDetailedResults("fix", self.rulesuccess,
self.detailedresults)
return False
self.dconfdata = {
"org/gnome/desktop/screensaver": {
"idle-activation-enabled": "true",
"lock-enabled": "true",
"lock-delay": "0",
"picture-opacity": "100",
"picture-uri": "\'\'"
},
"org/gnome/desktop/session": {
"idle-delay": "uint32 900"
}
}
self.kveditordconf = KVEditorStonix(
self.statechglogger, self.logger, "tagconf",
self.dconfsettings, self.dconfsettings + ".tmp",
self.dconfdata, "present", "closedeq")
self.kveditordconf.report()
if self.kveditordconf.fixables:
if not self.kveditordconf.fix():
success = False
self.detailedresults += "Unable to put correct settings inside " + \
self.dconfsettings + "\n"
elif not self.kveditordconf.commit():
success = False
self.detailedresults += "Unable to put correct settings inside " + \
self.dconfsettings + "\n"
#run dconf update command to make dconf changes take effect
if os.path.exists("/bin/dconf"):
cmd = "/bin/dconf update"
self.cmdhelper.executeCommand(cmd)
elif os.path.exists("/usr/bin/dconf"):
cmd = "/usr/bin/dconf update"
self.cmdhelper.executeCommand(cmd)
self.detailedresults += info
return success
def fix(self):
try:
if not self.ci.getcurrvalue():
return
success = True
path = self.path
tmppath = path + ".tmp"
prelinkCache = "/etc/prelink.cache"
self.detailedresults = ""
self.iditerator = 0
eventlist = self.statechglogger.findrulechanges(self.rulenumber)
for event in eventlist:
self.statechglogger.deleteentry(event)
if not os.path.exists(path):
if createFile(path, self.logger):
self.iditerator += 1
myid = iterate(self.iditerator, self.rulenumber)
event = {"eventtype": "creation", "filepath": path}
self.statechglogger.recordchgevent(myid, event)
else:
success = False
self.detailedresults += "Failed to create file: " + \
path + "\n"
if writeFile(tmppath, "PRELINKING=no", self.logger):
os.rename(tmppath, path)
resetsecon(path)
else:
success = False
self.detailedresults += "Failed to write settings " + \
"to file: " + path + "\n"
elif not self.editor.report():
if self.editor.fix():
if self.editor.commit():
self.detailedresults += "Changes successfully " + \
"committed to " + path + "\n"
else:
success = False
self.detailedresults += "Changes could not be " + \
"committed to " + path + "\n"
else:
success = False
self.detailedresults += "Could not fix file " + path + "\n"
# Although the guidance and documentation recommends using "prelink
# -ua" command, testing has shown this command to be completely
# unreliable. Instead, the prelink cache will be removed entirely.
if os.path.exists(prelinkCache):
self.iditerator += 1
myid = iterate(self.iditerator, self.rulenumber)
self.statechglogger.recordfiledelete(prelinkCache, myid)
os.remove(prelinkCache)
self.rulesuccess = success
except (KeyboardInterrupt, SystemExit):
# User initiated exit
raise
except Exception:
self.rulesuccess = False
self.detailedresults += "\n" + traceback.format_exc()
self.logdispatch.log(LogPriority.ERROR, self.detailedresults)
self.formatDetailedResults("fix", self.rulesuccess,
self.detailedresults)
self.logdispatch.log(LogPriority.INFO, self.detailedresults)
return self.rulesuccess
def undo(self):
'''
:returns: @author: D. Kennel
'''
self.targetstate = 'notconfigured'
try:
event1 = self.statechglogger.getchgevent('0007001')
if event1['startstate'] == 'notconfigured' and \
event1['endstate'] == 'configured':
rootcron = "/var/spool/cron/root"
fhandle = open(rootcron, 'r')
crondata = fhandle.readlines()
fhandle.close()
newcron = []
if os.path.exists('/usr/bin/yum') and \
os.path.exists('/usr/sbin/rhn_check'):
command = "/usr/sbin/rhn_check > /dev/null 2>&1 && /usr/bin/yum " \
+ "--exclude=kernel* -y update > /dev/null 2>&1"
elif os.path.exists('/usr/bin/yum'):
command = "/usr/bin/yum --exclude=kernel* -y update > /dev/null 2>&1"
elif os.path.exists('/usr/sbin/freebsd-update'):
command = "/usr/sbin/freebsd-update fetch &> && " + \
"/usr/sbin/freebsd-update install &>"
elif os.path.exists('/usr/bin/apt-get'):
command = '/usr/bin/apt-get update &> && ' + \
'/usr/bin/apt-get -y upgrade'
elif os.path.exists('/usr/bin/emerge'):
command = '/usr/bin/emerge --sync &> && ' + \
'/usr/bin/emerge --NuD &> && /usr/bin/revdep-rebuild &>'
elif os.path.exists('/usr/bin/zypper'):
command = '/usr/bin/zypper -n up -l &>'
else:
command = ''
if len(command) != 0:
for line in crondata:
if not re.search(command, line):
newcron.append(line)
whandle = open(rootcron, 'w')
whandle.writelines(newcron)
whandle.close()
os.chown(rootcron, 0, 0)
os.chmod(rootcron, 384)
resetsecon(rootcron)
except (KeyboardInterrupt, SystemExit):
# User initiated exit
raise
except KeyError:
# Key not found in statechglogger
return
except Exception:
self.detailedresults = traceback.format_exc()
self.rulesuccess = False
self.logger.log(LogPriority.ERROR,
['SoftwarePatching.undo', self.detailedresults])
self.report()
if self.currstate == self.targetstate:
self.detailedresults = '''SoftwarePatching: Some changes successfully reverted'''
def fix(self):
''' '''
self.detailedresults = ""
self.iditerator = 0
self.rulesuccess = True
success = True
consoleaccess = self.consoleCi.getcurrvalue()
autofs = self.autofsCi.getcurrvalue()
gnomeautomount = self.gnomeCi.getcurrvalue()
mylist = [consoleaccess, autofs, gnomeautomount]
try:
# if none of the CIs are enabled, skip fix
if not any(mylist):
self.detailedresults += "\nNone of the CI's were enabled. Nothing was done."
self.formatDetailedResults("fix", self.rulesuccess, self.detailedresults)
self.logdispatch.log(LogPriority.INFO, self.detailedresults)
return self.rulesuccess
# clear event list data
eventlist = self.statechglogger.findrulechanges(self.rulenumber)
for event in eventlist:
self.statechglogger.deleteentry(event)
# if restrict console access CI is enabled, restrict console access
if self.consoleCi.getcurrvalue():
if os.path.exists(self.sec_console_perms1):
tmpfile = self.sec_console_perms1 + ".stonixtmp"
defaultPerms = open(self.sec_console_perms1, "r").read()
defaultPerms = re.sub("(<[x]?console>)", r"#\1", defaultPerms)
if writeFile(tmpfile, defaultPerms, self.logger):
self.iditerator += 1
myid = iterate(self.iditerator, self.rulenumber)
event = {"eventtype": "conf", "filepath": self.sec_console_perms1}
self.statechglogger.recordchgevent(myid, event)
self.statechglogger.recordfilechange(self.sec_console_perms1, tmpfile, myid)
os.rename(tmpfile, self.sec_console_perms1)
resetsecon(self.sec_console_perms1)
else:
success = False
self.detailedresults += "Problem writing new contents to " + \
"temporary file"
if os.path.exists(self.sec_console_perms2):
self.editor = KVEditorStonix(self.statechglogger, self.logger, "conf", self.sec_console_perms2, self.console_perms_temppath, self.data, "present", "closedeq")
self.editor.report()
if self.editor.fixables:
if self.editor.fix():
self.iditerator += 1
myid = iterate(self.iditerator, self.rulenumber)
self.editor.setEventID(myid)
if self.editor.commit():
debug = self.sec_console_perms2 + "'s contents have been " \
+ "corrected\n"
self.logger.log(LogPriority.DEBUG, debug)
resetsecon(self.sec_console_perms2)
else:
debug = "kveditor commit not successful\n"
self.logger.log(LogPriority.DEBUG, debug)
success = False
self.detailedresults += self.sec_console_perms2 + \
" properties could not be set\n"
else:
debug = "kveditor fix not successful\n"
self.logger.log(LogPriority.DEBUG, debug)
success = False
self.detailedresults += self.sec_console_perms2 + \
" properties could not be set\n"
# if autofs CI is enabled, disable autofs
if self.autofsCi.getcurrvalue():
if self.ph.check(self.autofspkg) and \
self.sh.auditService(self.autofssvc, _="_"):
if self.sh.disableService(self.autofssvc, _="_"):
debug = "autofs service successfully disabled\n"
self.logger.log(LogPriority.DEBUG, debug)
self.iditerator += 1
myid = iterate(self.iditerator, self.rulenumber)
event = {"eventtype": "servicehelper", "servicename":
self.autofssvc, "startstate": "enabled",
"endstate": "disabled"}
self.statechglogger.recordchgevent(myid, event)
else:
success = False
debug = "Unable to disable autofs service\n"
self.logger.log(LogPriority.DEBUG, debug)
returnCode = 0
if self.gnomeCi.getcurrvalue():
if os.path.exists(self.gsettings):
# gsettings requires a D-Bus session bus in order to make
# any changes. This is because the dconf daemon must be
# activated using D-Bus.
if not os.path.exists(self.dbuslaunch):
self.ph.install("dbus-x11")
if os.path.exists(self.dbuslaunch):
if not self.automountOff:
cmd = [self.dbuslaunch, self.gsettings, "set",
"org.gnome.desktop.media-handling",
"automount", "false"]
self.ch.executeCommand(cmd)
returnCode = self.ch.getReturnCode()
if not returnCode:
self.iditerator += 1
myid = iterate(self.iditerator,
self.rulenumber)
event = {"eventtype": "comm", "command":
["dbus-launch", "gsettings", "set",
"org.gnome.desktop.media-handling",
"automount", "true"]}
self.statechglogger.recordchgevent(myid, event)
if not self.autorunNever:
cmd = [self.dbuslaunch, "gsettings", "set",
"org.gnome.desktop.media-handling",
"autorun-never", "true"]
self.ch.executeCommand(cmd)
returnCode += self.ch.getReturnCode()
if not self.ch.getReturnCode():
self.iditerator += 1
myid = iterate(self.iditerator, self.rulenumber)
event = {"eventtype": "comm", "command":
[self.dbuslaunch, self.gsettings, "set",
"org.gnome.desktop.media-handling",
"autorun-never", "false"]}
self.statechglogger.recordchgevent(myid, event)
else:
success = False
debug = "Unable to disable GNOME automounting: " + \
"dbus-x11 is not installed"
self.logger.log(LogPriority.DEBUG, debug)
if os.path.exists(self.gconftool):
if self.automountMedia:
cmd = [self.gconftool, "--direct", "--config-source",
"xml:readwrite:/etc/gconf/gconf.xml.mandatory",
"--type", "bool", "--set",
"/desktop/gnome/volume_manager/automount_media",
"false"]
self.ch.executeCommand(cmd)
returnCode = self.ch.getReturnCode()
if not returnCode:
self.iditerator += 1
myid = iterate(self.iditerator, self.rulenumber)
event = {"eventtype": "comm", "command":
[self.gconftool, "--direct",
"--config-source", "xml:readwrite:" +
"/etc/gconf/gconf.xml.mandatory",
"--type", "bool", "--set",
"/desktop/gnome/volume_manager/" +
"automount_media", "true"]}
self.statechglogger.recordchgevent(myid, event)
if self.automountDrives:
cmd = [self.gconftool, "--direct", "--config-source",
"xml:readwrite:/etc/gconf/gconf.xml.mandatory",
"--type", "bool", "--set",
"/desktop/gnome/volume_manager/automount_drives",
"false"]
self.ch.executeCommand(cmd)
returnCode += self.ch.getReturnCode()
if not self.ch.getReturnCode():
self.iditerator += 1
myid = iterate(self.iditerator, self.rulenumber)
event = {"eventtype": "comm", "command":
[self.gconftool, "--direct",
"--config-source", "xml:readwrite:" +
"/etc/gconf/gconf.xml.mandatory",
"--type", "bool", "--set",
"/desktop/gnome/volume_manager/" +
"automount_drives",
"true"]}
self.statechglogger.recordchgevent(myid, event)
if returnCode:
success = False
self.detailedresults += "Fix failed to disable GNOME automounting\n"
# reset these directories to be owned by their respective users
dirs = ''
if os.path.exists('/run/user'):
dirs = os.listdir('/run/user')
if dirs:
for d in dirs:
# check if the directory is an integer representing a uid
if re.search('^([+-]?[1-9]\d*|0)$', d, re.IGNORECASE):
self.logger.log(LogPriority.DEBUG, "Found UID directory")
try:
os.chown('/run/user/' + d + '/dconf/user', int(d), int(d))
except Exception as errmsg:
self.logger.log(LogPriority.DEBUG, str(errmsg))
continue
else:
self.logger.log(LogPriority.DEBUG, "no directories in /run/user")
self.rulesuccess = success
except (KeyboardInterrupt, SystemExit):
raise
except Exception:
self.rulesuccess = False
self.detailedresults += "\n" + traceback.format_exc()
self.logdispatch.log(LogPriority.ERROR, self.detailedresults)
self.formatDetailedResults("fix", self.rulesuccess, self.detailedresults)
self.logdispatch.log(LogPriority.INFO, self.detailedresults)
return self.rulesuccess
def writeFile(self, path, contents):
'''write given contents to a given file path
record undo action
return true if successful
return false if failed
:param path: string; full path to the file to write to
:param contents: list; list of strings to write to file
:returns: success
:rtype: bool
@author: Breen Malmberg
'''
success = True
tmppath = path + ".stonixtmp"
try:
if not contents:
self.logger.log(LogPriority.DEBUG, "Contents was empty")
success = False
return success
if not os.path.exists(
os.path.abspath(os.path.join(path, os.pardir))):
self.logger.log(LogPriority.DEBUG,
"Parent directory does not exist")
success = False
return success
elif os.path.exists(path):
tf = open(tmppath, 'w')
tf.writelines(contents)
tf.close()
self.iditerator += 1
myid = iterate(self.iditerator, self.rulenumber)
event = {"eventtype": "conf", "filepath": path}
self.statechglogger.recordchgevent(myid, event)
self.statechglogger.recordfilechange(path, tmppath, myid)
os.rename(tmppath, path)
else:
f = open(path, 'w')
f.writelines(contents)
f.close()
self.iditerator += 1
myid = iterate(self.iditerator, self.rulenumber)
event = {"eventtype": "creation", "filepath": path}
self.statechglogger.recordchgevent(myid, event)
os.chmod(path, 384)
os.chown(path, 0, 0)
resetsecon(path)
except Exception:
success = False
raise
return success
def fix(self):
try:
if not self.ci.getcurrvalue():
return
self.iditerator = 0
# clear out event history so only the latest fix is recorded
eventlist = self.statechglogger.findrulechanges(self.rulenumber)
for event in eventlist:
self.statechglogger.deleteentry(event)
success = True
index = {
"/etc/X11/gdm/gdm.conf":
"command = /usr/X11R6/bin/X -nolisten tcp",
"/usr/share/gdm/defaults.conf":
"DisallowTCP = true",
"/etc/gdm/custom.conf":
"DisallowTCP = true",
"/etc/X11/xinit/xserverrc":
"exec /usr/X11R6/bin/X -nolisten tcp",
"/etc/kde/kdm/kdmrc":
"ServerArgsLocal = -nolisten tcp",
"/etc/kde4/kdm/kdmrc":
"ServerArgsLocal = -nolisten tcp",
"/usr/share/config/kdm/kdmrc":
"ServerArgsLocal = -nolisten tcp",
"/etc/sysconfig/displaymanager":
'DISPLAYMANAGER_XSERVER_TCP_PORT_6000_OPEN=NO',
"/etc/dt/config/Xservers":
":0 Local local_uid@console root /usr/X11/bin/Xserver :0 -nobanner -nolisten tcp",
"/usr/dt/config/Xservers":
":0 Local local_uid@console root /usr/X11/bin/Xserver :0 -nobanner -nolisten tcp"
}
for item in self.fp1:
if os.path.exists(item[1]):
if item[1] == "/etc/X11/xdm/Xservers" or \
item[1] == "/usr/X11R6/lib/X11/xdm/Xservers":
if not checkPerms(item[1], [0, 0, 292], self.logger):
self.iditerator += 1
myid = iterate(self.iditerator, self.rulenumber)
if not setPerms(item[1], [0, 0, 292], self.logger,
self.statechglogger, myid):
success = False
else:
if not checkPerms(item[1], [0, 3, 292], self.logger):
self.iditerator += 1
myid = iterate(self.iditerator, self.rulenumber)
if not setPerms(item[1], [0, 3, 292], self.logger,
self.statechglogger, myid):
success = False
for item in self.fp2:
if os.path.exists(item[1]):
if item[1] == "/etc/X11/xinit/xserverrc":
if not checkPerms(item[1], [0, 0, 493], self.logger):
self.iditerator += 1
myid = iterate(self.iditerator, self.rulenumber)
if not setPerms(item[1], [0, 0, 493], self.logger,
self.statechglogger, myid):
success = False
elif not checkPerms(item[1], [0, 0, 420], self.logger):
self.iditerator += 1
myid = iterate(self.iditerator, self.rulenumber)
if not setPerms(item[1], [0, 0, 420], self.logger,
self.statechglogger, myid):
success = False
for item in self.fixables1:
self.iditerator += 1
myid = iterate(self.iditerator, self.rulenumber)
if self.writeConfig(item[1], myid, item[0], item[2]):
os.chown(item[1], 0, 0)
os.chmod(item[1], 292)
resetsecon(item[1])
else:
success = False
for item in self.fixables2:
for item2 in index:
if item[1] == item2:
item[0] = index[item2]
self.iditerator += 1
myid = iterate(self.iditerator, self.rulenumber)
if self.writeConfig(item[1], myid, item[0], item[2]):
if item[1] == "/etc/X11/xinit/xserverrc":
os.chmod(item[1], 493)
else:
os.chmod(item[1], 420)
os.chown(item[1], 0, 0)
resetsecon(item[1])
else:
success = False
if self.environ.getosfamily() == "solaris":
fp3 = "/etc/X11/gdm/gdm.conf"
if self.editor.fixables():
self.iditerator += 1
myid = iterate(self.iditerator, self.rulenumber)
self.editor.setEventID(myid)
if self.editor.fix():
self.iditerator += 1
myid = iterate(self.iditerator, self.rulenumber)
self.editor.setEventID(myid)
if self.editor.commit():
self.detailedresults += "/etc/X11/gdm/gdm.conf \
file has been fixed\n"
os.chown(fp3, 0, 0)
os.chmod(fp3, 292)
resetsecon(fp3)
else:
debug = "kveditor commit did not run successfully, must return"
self.logger.log(LogPriority.DEBUG, debug)
success = False
else:
debug = "kveditor fix did not run successfully, must return"
self.logger.log(LogPriority.DEBUG, debug)
success = False
self.rulesuccess = success
except (KeyboardInterrupt, SystemExit):
# User initiated exit
raise
except Exception:
self.rulesuccess = False
self.detailedresults += "\n" + traceback.format_exc()
self.logdispatch.log(LogPriority.ERROR, self.detailedresults)
self.formatDetailedResults("fix", self.rulesuccess,
self.detailedresults)
self.logdispatch.log(LogPriority.INFO, self.detailedresults)
return self.rulesuccess
def fix_sysctl(self):
'''set the systemd configuration setting fs.suid_dumpable
to 0
:returns: success
:rtype: bool
@author: ???
'''
success = True
# manually writing key and value to /etc/sysctl.conf
sysctl = "/etc/sysctl.conf"
created = False
if not os.path.exists(sysctl):
if createFile(sysctl, self.logger):
created = True
setPerms(sysctl, [0, 0, 0o644], self.logger)
self.iditerator += 1
myid = iterate(self.iditerator, self.rulenumber)
event = {"eventtype": "creation", "filepath": sysctl}
self.statechglogger.recordchgevent(myid, event)
else:
success = False
debug = "Unable to create " + sysctl + "\n"
self.logger.log(LogPriority.DEBUG, debug)
if os.path.exists(sysctl):
if not checkPerms(sysctl, [0, 0, 0o644], self.logger):
if not created:
self.iditerator += 1
myid = iterate(self.iditerator, self.rulenumber)
if not setPerms(sysctl, [0, 0, 0o644], self.logger,
self.statechglogger, myid):
success = False
tmpfile = sysctl + ".tmp"
editor = KVEditorStonix(self.statechglogger, self.logger, "conf",
sysctl, tmpfile, {"fs.suid_dumpable": "0"},
"present", "openeq")
if not editor.report():
if editor.fixables:
# If we did not create the file, set an event ID for the
# KVEditor's undo event
if not created:
self.iditerator += 1
myid = iterate(self.iditerator, self.rulenumber)
editor.setEventID(myid)
if not editor.fix():
success = False
debug = "Unable to complete kveditor fix method" + \
"for /etc/sysctl.conf file\n"
self.logger.log(LogPriority.DEBUG, debug)
elif not editor.commit():
success = False
debug = "Unable to complete kveditor commit " + \
"method for /etc/sysctl.conf file\n"
self.logger.log(LogPriority.DEBUG, debug)
if not checkPerms(sysctl, [0, 0, 0o644], self.logger):
if not setPerms(sysctl, [0, 0, 0o644], self.logger):
self.detailedresults += "Could not set permissions on " + \
self.path + "\n"
success = False
resetsecon(sysctl)
# using sysctl -w command
self.logger.log(LogPriority.DEBUG,
"Configuring /etc/sysctl fs.suid_dumpable directive")
self.ch.executeCommand("/sbin/sysctl -w fs.suid_dumpable=0")
retcode = self.ch.getReturnCode()
if retcode != 0:
success = False
self.detailedresults += "Failed to set core dumps variable suid_dumpable to 0\n"
errmsg = self.ch.getErrorString()
self.logger.log(LogPriority.DEBUG, errmsg)
else:
self.logger.log(LogPriority.DEBUG,
"Re-reading sysctl configuration from files")
self.ch.executeCommand("/sbin/sysctl -q -e -p")
retcode2 = self.ch.getReturnCode()
if retcode2 != 0:
success = False
self.detailedresults += "Failed to load new sysctl configuration from config file\n"
errmsg2 = self.ch.getErrorString()
self.logger.log(LogPriority.DEBUG, errmsg2)
else:
self.iditerator += 1
myid = iterate(self.iditerator, self.rulenumber)
command = "/sbin/sysctl -w fs.suid_dumpable=1"
event = {"eventtype": "commandstring", "command": command}
self.statechglogger.recordchgevent(myid, event)
return success
def fix(self):
''' '''
try:
if not self.ci.getcurrvalue():
return
self.detailedresults = ""
success = True
created = False
self.iditerator = 0
eventlist = self.statechglogger.findrulechanges(self.rulenumber)
for event in eventlist:
self.statechglogger.deleteentry(event)
if self.installed:
if not os.path.exists(self.squidfile):
if not createFile(self.squidfile, self.logger):
success = False
else:
created = True
self.iditerator += 1
myid = iterate(self.iditerator, self.rulenumber)
event = {"eventtype": "creation",
"filepath": self.squidfile}
self.statechglogger.recordchgevent(myid, event)
if not checkPerms(self.squidfile, [0, 0, 420], self.logger):
if not created:
self.iditerator += 1
myid = iterate(self.iditerator, self.rulenumber)
if not setPerms(self.squidfile, [0, 0, 420], self.logger,
self.statechglogger, myid):
success = False
else:
if not setPerms(self.squidfile, [0, 0, 420], self.logger):
success = False
tempstring = ""
contents = readFile(self.squidfile, self.logger)
newcontents = []
if contents:
'''Remove any undesired acl lines'''
for line in contents:
if re.match('^#', line) or re.match(r'^\s*$', line):
newcontents.append(line)
elif re.search("^acl Safe_ports port ", line.strip()):
m = re.search("acl Safe_ports port ([0-9]+).*", line)
if m.group(1):
item = "acl Safe_ports port " + m.group(1)
if item in self.denied:
continue
else:
newcontents.append(line)
else:
newcontents.append(line)
'''removeables list holds key vals we find in the file
that we can remove from self.data'''
removeables = []
'''deleteables list holds key vals we can delete from
newcontents list if it's incorrect.'''
deleteables = {}
for key in self.data1:
found = False
for line in reversed(newcontents):
if re.match('^#', line) or re.match(r'^\s*$', line):
continue
elif re.search("^" + key + " ", line) or re.search("^" + key, line):
temp = line.strip()
temp = re.sub("\s+", " ", temp)
temp = temp.split(" ")
if len(temp) >= 3:
joinlist = [temp[1], temp[2]]
joinstring = " ".join(joinlist)
if self.data1[key] == joinstring:
'''We already found this line and value
No need for duplicates'''
if found:
newcontents.remove(line)
continue
removeables.append(key)
found = True
else:
try:
deleteables[line] = ""
except Exception:
continue
continue
elif len(temp) == 2:
if self.data1[key] == temp[1]:
'''We already found this line and value
No need for duplicates'''
if found:
newcontents.remove(line)
continue
removeables.append(key)
found = True
else:
try:
deleteables[line] = ""
except Exception:
continue
continue
elif len(temp) == 1:
try:
deleteables[line] = ""
except Exception:
continue
continue
if deleteables:
for item in deleteables:
newcontents.remove(item)
'''anything in removeables we found in the file so
we will remove from the self.data1 dictionary'''
if removeables:
for item in removeables:
del(self.data1[item])
'''now check if there is anything left over in self.data1
if there is we need to add that to newcontents list'''
if self.data1:
for item in self.data1:
line = item + " " + self.data1[item] + "\n"
newcontents.append(line)
for line in newcontents:
found = False
if re.search("^http_access", line.strip()):
temp = line.strip()
temp = re.sub("\s+", " ", temp)
temp = re.sub("http_access\s+", "", temp)
if re.search("^deny to_localhost", temp):
found = True
break
if not found:
newcontents.append("http_access deny to_localhost\n")
for item in newcontents:
tempstring += item
tmpfile = self.squidfile + ".tmp"
if not writeFile(tmpfile, tempstring, self.logger):
success = False
else:
if not created:
self.iditerator += 1
myid = iterate(self.iditerator, self.rulenumber)
event = {"eventtype": "conf",
"filepath": self.squidfile}
self.statechglogger.recordchgevent(myid, event)
self.statechglogger.recordfilechange(self.squidfile,
tmpfile, myid)
os.rename(tmpfile, self.squidfile)
os.chown(self.squidfile, 0, 0)
os.chmod(self.squidfile, 420)
resetsecon(self.squidfile)
else:
tempstring = ""
for item in self.data1:
tempstring += item + " " + self.data1[item] + "\n"
for item in self.data2:
tempstring += item + " " + self.data2[item] + "\n"
tmpfile = self.squidfile + ".tmp"
if not writeFile(tmpfile, tempstring, self.logger):
success = False
else:
if not created:
self.iditerator += 1
myid = iterate(self.iditerator, self.rulenumber)
event = {"eventtype": "conf",
"filepath": self.squidfile}
self.statechglogger.recordchgevent(myid, event)
self.statechglogger.recordfilechange(self.squidfile,
tmpfile, myid)
os.rename(tmpfile, self.squidfile)
os.chown(self.squidfile, 0, 0)
os.chmod(self.squidfile, 420)
resetsecon(self.squidfile)
self.rulesuccess = success
except (KeyboardInterrupt, SystemExit):
# User initiated exit
raise
except Exception as err:
self.rulesuccess = False
self.detailedresults = self.detailedresults + "\n" + str(err) + \
" - " + str(traceback.format_exc())
self.logdispatch.log(LogPriority.ERROR, self.detailedresults)
self.formatDetailedResults("fix", self.rulesuccess,
self.detailedresults)
self.logdispatch.log(LogPriority.INFO, self.detailedresults)
return self.rulesuccess
def fix(self):
'''The fix method will apply the required settings to the system.
self.rulesuccess will be updated if the rule does not succeed.
Search for the /etc/sysconfig/init configuration file and set the
PROMPT setting to PROMPT=no
@author bemalmbe
@change: dwalker 4/8/2014 implementing KVEditorStonix
'''
try:
if not self.ci.getcurrvalue():
return
self.detailedresults = ""
# clear out event history so only the latest fix is recorded
self.iditerator = 0
eventlist = self.statechglogger.findrulechanges(self.rulenumber)
for event in eventlist:
self.statechglogger.deleteentry(event)
if os.path.exists(self.filepath):
if not checkPerms(self.filepath, self.perms, self.logger):
self.iditerator += 1
myid = iterate(self.iditerator, self.rulenumber)
if not setPerms(self.filepath, self.perms, self.logger,
self.statechglogger, myid):
self.rulesuccess = False
if self.editor.fixables:
if not self.created:
self.iditerator += 1
myid = iterate(self.iditerator, self.rulenumber)
self.editor.setEventID(myid)
if self.editor.fix():
self.detailedresults += "kveditor fix ran successfully\n"
if self.editor.commit():
self.detailedresults += "kveditor commit ran " + \
"successfully\n"
else:
self.detailedresults += "kveditor commit did not " + \
"run successfully\n"
self.rulesuccess = False
else:
self.detailedresults += "kveditor fix did not run " + \
"successfully\n"
self.rulesuccess = False
os.chown(self.filepath, self.perms[0], self.perms[1])
os.chmod(self.filepath, self.perms[2])
resetsecon(self.filepath)
if self.restart:
self.ch.executeCommand(self.restart)
if self.ch.getReturnCode() != 0:
self.detailedresults += "Unable to restart Grub with " + \
"new changes\n"
self.rulesuccess = False
except (KeyboardInterrupt, SystemExit):
raise
except Exception:
self.rulesuccess = False
self.detailedresults += "\n" + traceback.format_exc()
self.logdispatch.log(LogPriority.ERROR, self.detailedresults)
self.formatDetailedResults("fix", self.rulesuccess,
self.detailedresults)
self.logdispatch.log(LogPriority.INFO, self.detailedresults)
return self.rulesuccess
def fix(self):
'''Main fix method. We update the current vaules in proc via shell
commands and set the correct settings in /etc/sysctl.conf since our
assumption is that if it didn't pass it's because it's been overridden
in sysctl.conf.
@author: dkennel
:returns: self.rulesuccess
:rtype: bool
@change: Breen Malmberg - 1/10/2017 - minor doc string edit; self.rulesuccess
now default init to True (only being set to False in the method);
method now returns self.rulesuccess; fixed perms on file sysctl.conf
(should be 0o600; was 420)
'''
self.detailedresults = ""
self.rulesuccess = True
if self.ExecCI.getcurrvalue():
try:
kvtype = "conf"
intent = "present"
self.editor = KVEditorStonix(self.statechglogger, self.logdispatch,
kvtype, self.sysctlconf, self.tmpPath,
self.directives, intent, "openeq")
if self.execshieldapplies:
cmdshield = '/sbin/sysctl -w kernel.exec-shield=1'
subprocess.call(cmdshield, shell=True)
cmdvarand = '/sbin/sysctl -w kernel.randomize_va_space=2'
subprocess.call(cmdvarand, shell=True)
if not self.editor.report():
if self.editor.fixables:
myid = '0063001'
self.editor.setEventID(myid)
if not self.editor.fix():
self.rulesuccess = False
elif not self.editor.commit():
self.rulesuccess = False
if self.rulesuccess:
os.chown(self.sysctlconf, 0, 0)
os.chmod(self.sysctlconf, 0o600)
resetsecon(self.sysctlconf)
except (KeyboardInterrupt, SystemExit):
# User initiated exit
raise
except Exception:
self.detailedresults = 'ExecShield.fix: '
self.detailedresults += traceback.format_exc()
self.rulesuccess = False
self.logdispatch.log(LogPriority.ERROR,
self.detailedresults)
self.formatDetailedResults("fix", self.rulesuccess,
self.detailedresults)
self.logdispatch.log(LogPriority.INFO, self.detailedresults)
return self.rulesuccess
