def scan(self, option=None):
    """Start the scan by opening the target file for reading.

    Raises:
        tcs_utils.OSNotApplicable: on Solaris, where the 'nodev' mount
            option does not exist.
        tcs_utils.ScanError: when the target file cannot be opened.
    """
    if sb_utils.os.info.is_solaris() == True:
        text = ("The 'nodev' mount option is not available in the "
                "standard Solaris distribution.")
        self.logger.notice(self.module_name, 'Not Applicable: ' + text)
        raise tcs_utils.OSNotApplicable('%s %s' % (self.module_name, text))

    try:
        in_obj = open(self.__target_file, 'r')
    except IOError as err:
        text = 'Unable to read %s: %s' % (self.__target_file, err)
        self.logger.error(self.module_name, 'Scan Error: ' + text)
        raise tcs_utils.ScanError('%s %s' % (self.module_name, text))
    # NOTE(review): in_obj is opened but never closed within this fragment;
    # the rest of the method is not shown here -- confirm the handle is
    # closed on every path (a with-statement would make that explicit).
def apply(self, option=None):
    """Apply the module unless a fresh scan already passes.

    Returns ``(0, '')`` when the scan reports 'Pass', or ``(0, msg)`` when
    the scan reports that the module is not applicable to this system.

    Raises:
        tcs_utils.OSNotApplicable: on Solaris, where the Yahoo IM client
            is not shipped.
    """
    if sb_utils.os.info.is_solaris() == True:
        text = "Yahoo IM client is not part of the standard Solaris distribution."
        self.logger.notice(self.module_name, 'Not Applicable: ' + text)
        raise tcs_utils.OSNotApplicable('%s %s' % (self.module_name, text))

    try:
        result, reason = self.scan()
    except tcs_utils.ScanNotApplicable:
        text = 'module is not applicable for this system'
        self.logger.error(self.module_name, 'Apply Error: ' + text)
        return 0, text

    # Nothing to do when the system is already compliant.
    if result == 'Pass':
        return 0, ''
def undo(self, change_record=None):
    """Undo the previous action.

    Returns 0 when a fresh scan already reports 'Fail' (nothing to undo)
    or when the scan reports that the module is not applicable.

    Raises:
        tcs_utils.OSNotApplicable: on Solaris, where the Yahoo IM client
            is not shipped.
    """
    if sb_utils.os.info.is_solaris() == True:
        text = "Yahoo IM client is not part of the standard Solaris distribution."
        self.logger.notice(self.module_name, 'Not Applicable: ' + text)
        raise tcs_utils.OSNotApplicable('%s %s' % (self.module_name, text))

    try:
        result, reason = self.scan()
    except tcs_utils.ScanNotApplicable:
        text = 'module is not applicable for this system'
        self.logger.error(self.module_name, 'Undo Error: ' + text)
        return 0

    # Already in the "not applied" state: there is nothing to revert.
    if result == 'Fail':
        return 0
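def scan(self, option=None):
    """Open the target file to check whether 'insecure_locks' is set anywhere.

    Raises:
        tcs_utils.OSNotApplicable: on Solaris, where this NFS mount option
            does not exist.
        tcs_utils.ScanError: when the target file cannot be opened.
    """
    if sb_utils.os.info.is_solaris() == True:
        # Operator-facing message: grammar fixed ("option are" -> "option is").
        msg = ("This NFS mount option is not available in the "
               "standard Solaris distribution.")
        self.logger.notice(self.module_name, 'Not Applicable: ' + msg)
        raise tcs_utils.OSNotApplicable('%s %s' % (self.module_name, msg))

    msg = ("Checking %s to see if the 'insecure_locks' option is set "
           "on anything" % self.__target_file)
    self.logger.info(self.module_name, 'Scan: ' + msg)

    try:
        infile = open(self.__target_file, 'r')
    except (OSError, IOError) as err:
        msg = "Unable to open file %s: %s" % (self.__target_file, err)
        self.logger.error(self.module_name, 'Scan Error: ' + msg)
        raise tcs_utils.ScanError('%s %s' % (self.module_name, msg))
    # NOTE(review): infile is opened but never closed within this fragment;
    # the rest of the method is not shown here -- confirm the handle is
    # closed on every path.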
def apply(self, optionsDict=None):
    """Write the desired SELinux settings into the configuration file.

    Every key of ``self.settings`` whose value differs from, or is absent
    in, ``self.__config`` is written with ``sb_utils.os.config.setparam``;
    the value it replaced is kept in ``changeRec`` so the change can be
    undone later.

    Raises:
        tcs_utils.OSNotApplicable: when SELinux is not supported on this box.
    """
    messages = []
    self.validate_options(optionsDict)
    changeRec = {}
    retval = False

    # Step 1: SELinux must be supported on this platform at all.
    if sb_utils.SELinux.isSELinuxSupportedOnBox() == False:
        text = "SELinux is not supported"
        raise tcs_utils.OSNotApplicable('%s %s' % (self.module_name, text))

    # Booting straight from 'disabled' into 'enforcing' on a box that does
    # not have correct security contexts can leave it unbootable, so the
    # requested mode is downgraded to 'permissive' for this pass and the
    # operator is told to reboot, reapply and reboot again.
    currentMode = sb_utils.SELinux.SELinuxMode()
    wants_enforcing = self.settings['SELINUX'] == 'enforcing'
    if wants_enforcing and currentMode == 'disabled':
        text = ("OS Lockdown will not implement a transition from 'disabled' to 'enforcing' mode.. "
                "Altering the desired mode on the fly to 'permissive'. Please reboot, reapply this profile, and reboot again to finish the transistion to 'enforcing'.")
        self.logger.warning(self.module_name, text)
        messages.append("Warning: %s " % text)
        self.settings['SELINUX'] = 'permissive'

    paramlist = sb_utils.os.config.get_list(configfile=self.__config, delim='=')
    for key, val in self.settings.items():
        try:
            unchanged = paramlist[key] == val
        except KeyError:
            # Key missing from the file: it has to be written.
            unchanged = False
        if unchanged:
            continue
        retval = True
        changeRec[key] = sb_utils.os.config.setparam(
            configfile=self.__config, delim='=', param=key, value=val)
def scan(self, option=None):
    """Check for rpm and file permissions"""
    # The option argument is accepted for interface compatibility only.
    if option is not None:
        option = None

    if sb_utils.os.info.is_solaris() == True:
        text = "Yahoo IM client is not part of the standard Solaris distribution."
        self.logger.notice(self.module_name, 'Not Applicable: ' + text)
        raise tcs_utils.OSNotApplicable('%s %s' % (self.module_name, text))

    # Anything other than an explicit True is treated as "not installed".
    installed = sb_utils.os.software.is_installed(pkgname='ymessenger')
    if installed != True:
        text = "ymessenger is not installed on the system"
        self.logger.warn(self.module_name, 'Not Applicable: ' + text)
        raise tcs_utils.ScanNotApplicable('%s %s' % (self.module_name, text))

    try:
        statinfo = os.stat('/usr/bin/ymessenger')
    except (OSError, IOError) as err:
        text = "Unable to stat /usr/bin/ymessenger: %s" % err
        self.logger.error(self.module_name, 'Scan Error: ' + text)
        raise tcs_utils.ScanError("%s %s" % (self.module_name, text))
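def scan(self, optionsDict=None):
    """Scan the SELinux state of the box against ``self.settings``.

    Checks, in order: that SELinux is supported, that it is enabled
    (CCE-3977-6), that the running mode matches ``self.settings['SELINUX']``,
    that the loaded policy is one of targeted/mls/strict, and that every key
    of ``self.settings`` has the expected value in ``self.__config``.  Each
    failing check logs, appends a "Fail:" line to ``messages`` and clears
    ``results``.

    Raises:
        tcs_utils.OSNotApplicable: when SELinux is not supported on this box.
    """
    messages = []
    self.validate_options(optionsDict)

    # Step 1: Does this platform support SELinux?
    results = sb_utils.SELinux.isSELinuxSupportedOnBox()
    if results == False:
        msg = "SELinux is not supported"
        raise tcs_utils.OSNotApplicable('%s %s' % (self.module_name, msg))

    # Step 2: Is SELinux enabled?
    results = sb_utils.SELinux.isSELinuxEnabled()
    if results == False:
        msg = "(CCE-3977-6) SELinux is not enabled."
        self.logger.notice(self.module_name, "Scan Failed: %s " % msg)
        messages.append("Fail: %s" % msg)
        results = False
    else:
        msg = "(CCE-3977-6) SELinux is enabled"
        self.logger.info(self.module_name, msg)

    # Step 3: Check the current running mode (enforcing or permissive).
    selinux_mode = sb_utils.SELinux.SELinuxMode()
    expected_mode = self.settings['SELINUX']
    if selinux_mode != expected_mode:
        msg = "SELinux is not currently in %s mode" % expected_mode
        self.logger.notice(self.module_name, "Scan Failed: %s " % msg)
        messages.append("Fail: %s" % msg)
        results = False
    else:
        msg = "SELinux is currently in %s mode" % selinux_mode
        self.logger.notice(self.module_name, msg)
        messages.append("Okay: %s" % msg)

    # Step 4: Check the policy (targeted, mls, or strict).
    # A failed lookup (nothing reported, unexpected shape) counts as "no
    # recognised policy" and fails the check below.  Only Exception is
    # caught -- the former bare except also swallowed KeyboardInterrupt
    # and SystemExit.
    try:
        selinux_policy = sb_utils.SELinux.SELinuxPolicy()[0][1]
    except Exception:
        selinux_policy = ''
    if selinux_policy not in ('targeted', 'mls', 'strict'):
        msg = "SELinux policy not currently set to targeted, mls, or strict"
        self.logger.notice(self.module_name, "Scan Failed: %s " % msg)
        messages.append("Fail: %s" % msg)
        results = False
    else:
        msg = "SELinux policy is currently '%s'" % selinux_policy
        self.logger.notice(self.module_name, msg)
        messages.append("Okay: %s" % msg)

    # Step 5: Check what is in the config file.
    paramlist = sb_utils.os.config.get_list(configfile=self.__config, delim='=')
    for key, val in self.settings.items():
        try:
            current = paramlist[key]
        except KeyError:
            msg = "%s is not set at all in %s" % (key, self.__config)
            self.logger.notice(self.module_name, "Scan Failed: %s " % msg)
            messages.append("Fail: %s" % msg)
            results = False
            continue
        if current != val:
            msg = "%s is set to %s instead of '%s' in %s" % (
                key, current, val, self.__config)
            self.logger.notice(self.module_name, "Scan Failed: %s " % msg)
            messages.append("Fail: %s" % msg)
            results = False
        else:
            msg = "%s is set to %s in %s" % (key, current, self.__config)
            self.logger.notice(self.module_name, msg)
    # NOTE(review): the remainder of this method (its return) is not shown
    # in this fragment.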
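def scan(libraryName=None, enable=False, packageList=None, serviceList=None, option=None):
    """Report whether the module's services are in the desired state.

    Args:
        libraryName: module name used in log lines and exception text.
        enable: False when the services are expected to be disabled,
            True when they are expected to be enabled (treated as a boolean).
        packageList: a package name, a list of names, or None to look them
            up with getPackageList().
        serviceList: a service name, a list of names, or None to look them
            up with getServiceList().
        option: unused; accepted for interface compatibility.

    Returns:
        (results_flag, results_msg, messages): results_flag is True when
        every service is in the desired state; results_msg summarises the
        outcome; messages is {'messages': [...]} with one line per package
        and service checked.

    Raises:
        tcs_utils.ScanError: serviceList or packageList is neither a str,
            a list nor None.
        tcs_utils.OSNotApplicable: no services and no packages were found.
        tcs_utils.ScanNotApplicable: a required package is missing and
            enable is False.
        tcs_utils.ManualActionReqd: a required package is missing and
            enable is True; the administrator must install it first.
    """
    if serviceList == None:
        (serviceList, serviceProps) = getServiceList(libraryName=libraryName)
    elif isinstance(serviceList, str):
        serviceList = [serviceList]
    elif not isinstance(serviceList, list):
        msg = "Invalid service list detected"
        logger.error(libraryName, "Scan Error: " + msg)
        raise tcs_utils.ScanError('%s %s' % (libraryName, msg))

    if packageList == None:
        packageList = getPackageList(libraryName=libraryName)
    elif isinstance(packageList, str):
        packageList = [packageList]
    elif not isinstance(packageList, list):
        msg = "Invalid package list detected"
        logger.error(libraryName, "Scan Error: " + msg)
        raise tcs_utils.ScanError('%s %s' % (libraryName, msg))

    if not serviceList and not packageList:
        msg = "No services or packages identified for this module"
        raise tcs_utils.OSNotApplicable('%s %s' % (libraryName, msg))

    messages = {'messages': []}

    # Every listed package must be present.  A single missing package makes
    # the module not applicable -- or, when enabling, an admin action.
    for pkg_item in packageList:
        results = sb_utils.os.software.is_installed(pkgname=pkg_item)
        if results == False:
            msg = "'%s' package is not installed" % pkg_item
            if enable:
                logger.warning(libraryName, 'Admin must install required package first: ' + msg)
                raise tcs_utils.ManualActionReqd('%s %s' % (libraryName, msg))
            logger.warning(libraryName, 'Not Applicable: ' + msg)
            raise tcs_utils.ScanNotApplicable('%s %s' % (libraryName, msg))
        msg = "'%s' package is installed" % pkg_item
        logger.info(libraryName, msg)
        messages['messages'].append(msg)

    results_flag = True
    for service_item in serviceList:
        results = sb_utils.os.service.is_enabled(svcname=service_item)
        if results == None:
            # An undeterminable state previously fell through to the "pass"
            # branch in both directions.  A compliance scan must not pass on
            # unknown state; report it as a failure (apply() already treats
            # None as an error) and keep checking the remaining services.
            msg = "Unable to determine status of the '%s' service" % service_item
            logger.error(libraryName, 'Scan Failed: ' + msg)
            messages['messages'].append("Fail: %s" % msg)
            results_flag = False
            continue
        if not enable:
            if results == True:
                # should be off and is on
                msg = "'%s' service is enabled" % service_item
                logger.notice(libraryName, 'Scan Failed: ' + msg)
                messages['messages'].append("Fail: %s" % msg)
                results_flag = False
            else:
                # should be off and is off
                msg = "'%s' service is disabled" % service_item
                logger.notice(libraryName, msg)
                messages['messages'].append(msg)
        else:
            if results == False:
                # should be on and is off
                msg = "'%s' service is disabled" % service_item
                logger.notice(libraryName, 'Scan Failed: ' + msg)
                messages['messages'].append("Fail: %s" % msg)
                results_flag = False
            else:
                # should be on and is on
                msg = "'%s' service is enabled" % service_item
                logger.notice(libraryName, msg)
                messages['messages'].append(msg)

    # Summary text.  The "all ... " pair was inverted before: with
    # enable=False a passing scan means every service is *disabled*.
    if results_flag:
        if enable:
            results_msg = "All associated services are enabled"
        else:
            results_msg = "All associated services are disabled"
    else:
        if enable:
            results_msg = "One or more associated services are disabled"
        else:
            results_msg = "One or more associated services are enabled"

    return results_flag, results_msg, messages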
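def apply(libraryName=None, enable=False, packageList=None, serviceList=None, option=None):
    """Disable (or, with enable=True, enable) the services of this module.

    A scan runs first; when the services are already in the desired state
    nothing is changed.

    Args:
        libraryName: module name used in log lines and exception text.
        enable: False to disable the services, True to enable them
            (treated as a boolean).
        packageList: a package name, a list of names, or None to look them
            up with getPackageList().
        serviceList: a service name, a list of names, or None to look them
            up with getServiceList().
        option: passed through to scan(); otherwise unused.

    Returns: (update_flag, action_record, messages)
        update_flag -- Boolean: True = StateHandler will record change record
        action_record -- String: Change record the StateHandler will store;
                         one "<service>|on\\n" or "<service>|off\\n" entry per
                         changed service, in reverse order so undo restores
                         them last-changed first
        messages -- Dictionary: messages to embed into the report

    Raises:
        tcs_utils.ScanError, tcs_utils.OSNotApplicable,
        tcs_utils.ScanNotApplicable, tcs_utils.ManualActionReqd: propagated
            from scan() or raised by the list and package checks below.
        tcs_utils.ActionError: at least one change failed and no service
            could be changed.
    """
    # Scan first: do not touch services that are already where they should be.
    results, reason, messages = scan(libraryName, enable=enable, packageList=packageList,
                                     serviceList=serviceList, option=option)
    if results == True:
        return False, reason, messages

    if serviceList == None:
        (serviceList, serviceProps) = getServiceList(libraryName=libraryName)
    elif isinstance(serviceList, str):
        serviceList = [serviceList]
    elif not isinstance(serviceList, list):
        msg = "Invalid service list detected"
        logger.error(libraryName, "Scan Error: " + msg)
        raise tcs_utils.ScanError('%s %s' % (libraryName, msg))

    if packageList == None:
        packageList = getPackageList(libraryName=libraryName)
    elif isinstance(packageList, str):
        packageList = [packageList]
    elif not isinstance(packageList, list):
        msg = "Invalid package list detected"
        logger.error(libraryName, "Scan Error: " + msg)
        raise tcs_utils.ScanError('%s %s' % (libraryName, msg))

    if len(serviceList) < 1:
        msg = "No services identified for this module."
        raise tcs_utils.OSNotApplicable('%s %s' % (libraryName, msg))

    messages = {'messages': []}
    action_record = []

    # Every listed package must be present; one missing package makes the
    # module not applicable.  scan() above has already raised for a missing
    # package, so in practice this loop only records the "installed" lines.
    for pkg_item in packageList:
        results = sb_utils.os.software.is_installed(pkgname=pkg_item)
        if results == False:
            msg = "'%s' package is not installed" % pkg_item
            logger.warning(libraryName, 'Not Applicable: ' + msg)
            raise tcs_utils.ScanNotApplicable('%s %s' % (libraryName, msg))
        msg = "'%s' package is installed" % pkg_item
        logger.info(libraryName, msg)
        messages['messages'].append(msg)

    # The enable and disable paths differ only in the helper called and the
    # text reported; pick those once instead of duplicating the loop body.
    if enable:
        verb = 'enable'
        desired = True
        prior_state = 'off'
        change_service = sb_utils.os.service.enable
        already_msg = "'%s' service is already enabled"
        done_msg = "'%s' service is now configured to start during next system boot"
        # The hint formerly told the operator to run "service <name> stop"
        # when enabling; "start" is the action that matches the change.
        now_msg = ("To immediately enable the '%s' service either "
                   "reboot or execute: service %s start")
    else:
        verb = 'disable'
        desired = False
        prior_state = 'on'
        change_service = sb_utils.os.service.disable
        already_msg = "'%s' service is already disabled"
        done_msg = "'%s' service is now configured to not start during next system boot"
        now_msg = ("To immediately disable the '%s' service either "
                   "reboot or execute: service %s stop")

    service_count = 0
    all_services = len(serviceList)
    update_flag = False
    error_flag = False
    for service_item in serviceList:
        results = sb_utils.os.service.is_enabled(svcname=service_item)
        if results == None:
            msg = "Unable to determine status of the '%s' service" % service_item
            logger.error(libraryName, msg)
            error_flag = True
            messages['messages'].append(msg)
            continue
        if results == desired:
            messages['messages'].append(already_msg % service_item)
            continue

        # Remember the service's state before the change, but only add it to
        # the change record once the change has actually been performed.
        pre_change = "%s|%s\n" % (service_item, prior_state)
        if change_service(svcname=service_item) != True:
            msg = "Unable to %s service '%s'" % (verb, service_item)
            logger.error(libraryName, msg)
            error_flag = True
            messages['messages'].append(msg)
            continue

        service_count += 1
        msg = done_msg % service_item
        logger.notice(libraryName, "Apply Performed: %s" % msg)
        action_record.append(pre_change)
        messages['messages'].append(msg)
        update_flag = True
        if stop_service_now() == False:
            messages['messages'].append(now_msg % (service_item, service_item))

    if error_flag and service_count == 0:
        raise tcs_utils.ActionError("Unable to %s associated services" % verb)

    # The summary used to be computed and then dropped; log it and include
    # it in the report so partial failures are visible to the operator.
    if error_flag and service_count != all_services:
        if enable:
            msg = "Unable to enable all of the associated services"
        else:
            msg = "Unable to disable all of the associated services"
        logger.error(libraryName, msg)
    else:
        if enable:
            msg = "Enabled all of the associated services"
        else:
            msg = "Disabled all of the associated services"
        logger.notice(libraryName, msg)
    messages['messages'].append(msg)

    # Reverse the change record so that undo restores the services in the
    # opposite order to the one they were changed in.
    action_record.reverse()
    return update_flag, ''.join(action_record), messages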