def fix_group_allow(self, element):
    """Make sure the allow-list file in ``element`` names every required group.

    Args:
        element: mapping whose 'name' key is the path of the file to edit.

    The literal group ``"domain admins"`` is appended (on its own line) when
    absent.  When the site option 'ldap_dev_team' is set, that team name is
    appended as well.  Each entry is only appended once, so the fix is
    idempotent as long as files.contains/append behave as their names suggest.
    """
    path = element['name']
    # (needle searched for, text appended when the needle is missing)
    wanted = [('"domain admins"', '\n"domain admins"')]
    if CONFIG.is_set('site', 'ldap_dev_team'):
        team_line = '\n%s' % CONF_MAP('site', 'ldap_dev_team')
        wanted.append((team_line, team_line))
    for needle, line in wanted:
        if not files.contains(path, needle):
            files.append(path, line)
def check_secure_php(self, element):
    """Report whether the php.ini in ``element`` carries the expected hardening.

    Args:
        element: mapping whose 'name' key is the path of the php.ini file.

    Returns:
        True when the file contains ``expose_php = Off`` and the expected
        function-restriction line: ``self.dis_fun`` when the site option
        'php_enhanced_security' is on, otherwise ``self.org_dis_fun``.
    """
    path = element['name']
    if CONF_MAP('site', 'php_enhanced_security'):
        expected_dis_line = self.dis_fun
    else:
        expected_dis_line = self.org_dis_fun
    # Both checks run unconditionally (list is built eagerly), as in the
    # original bitwise-and accumulation.
    return all([
        files.contains(path, '\nexpose_php = Off\n'),
        files.contains(path, expected_dis_line),
    ])
def fix_centrify_conf(self, element):
    """Activate the commented-out Centrify ``pam.allow.*`` directives.

    Args:
        element: mapping whose 'name' key is the path of centrifydc.conf.

    Does nothing unless the 'centrify'/'pam_allow_enabled' option is set.
    For each directive (users and groups allow-list), the ``# ``-prefixed
    form is rewritten to the active form only when the active form is not
    already present.
    """
    if not CONF_MAP('centrify', 'pam_allow_enabled'):
        return
    path = element['name']
    active_directives = (
        '\npam.allow.users: file:/etc/centrifydc/users.allow\n',
        '\npam.allow.groups: file:/etc/centrifydc/groups.allow\n',
    )
    for active in active_directives:
        if files.contains(path, active):
            continue
        # The commented form is the same line with "# " after the newline.
        commented = '\n# ' + active[1:]
        files.replace_in(path, commented, active)
def fix_secure_php(self, element):
    """Apply the php.ini hardening that check_secure_php looks for.

    Args:
        element: mapping whose 'name' key is the path of the php.ini file.

    ``expose_php = On`` is rewritten to ``Off`` when the Off form is missing.
    When the site option 'php_enhanced_security' is on, ``self.org_dis_fun``
    is swapped for ``self.dis_fun`` (unless already present); otherwise the
    swap is made in the opposite direction unconditionally.
    """
    path = element['name']
    if not files.contains(path, '\nexpose_php = Off\n'):
        files.replace_in(path, '\nexpose_php = On\n', '\nexpose_php = Off\n')
    enhanced = CONF_MAP('site', 'php_enhanced_security')
    if not enhanced:
        # Revert to the original restriction line when enhanced mode is off.
        files.replace_in(path, self.dis_fun, self.org_dis_fun)
    elif not files.contains(path, self.dis_fun):
        files.replace_in(path, self.org_dis_fun, self.dis_fun)
def check_secure(self, element):
    """Report whether the Apache config in ``element`` hides server details.

    Args:
        element: mapping whose 'name' key is the path of the config file.

    Returns:
        True only when all of ``ServerTokens Prod``, ``ServerSignature Off``,
        the commented ``#ServerSignature On`` and ``self.root_directive`` are
        present.  Every check is evaluated (no short-circuit).
    """
    path = element['name']
    required_snippets = (
        '\nServerTokens Prod',
        '\nServerSignature Off',
        '\n#ServerSignature On',
        self.root_directive,
    )
    return all([files.contains(path, snippet) for snippet in required_snippets])
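def check_munin_master_ip(self, element):
    """Report whether munin-node allows the configured master IP.

    Args:
        element: mapping whose 'name' key is the path of the munin-node config.

    Returns:
        True when ``self.master_ip`` is unset (nothing to check), otherwise
        the result of looking for ``allow ^<ip>$`` — with the dots escaped
        for munin's regex syntax — in the file.
    """
    if not self.master_ip:
        return True
    # Raw string: the original '\.' was an invalid escape sequence (a
    # SyntaxWarning from Python 3.12) that only produced the intended
    # backslash-dot by accident.
    escaped_ip = self.master_ip.replace('.', r'\.')
    allow_line = "\nallow ^%s$\n" % escaped_ip
    return files.contains(element['name'], allow_line)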
def check_mysql(self, element):
    """Report whether MySQL data has been relocated to /data/mysql.

    Args:
        element: accepted for interface uniformity with the other checks;
            not read by this method.

    Returns:
        True when the mysqld AppArmor profile references ``/data/mysql/`` and
        ``/var/lib/mysql/`` resolves to ``/data/mysql``.
    """
    apparmor_ok = files.contains('/etc/apparmor.d/usr.sbin.mysqld', '/data/mysql/')
    datadir_ok = files.realpath('/var/lib/mysql/') == '/data/mysql'
    return all([apparmor_ok, datadir_ok])
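def fix_munin_master_ip(self, element):
    """Insert a munin ``allow`` line for the master IP after the localhost rule.

    Args:
        element: mapping whose 'name' key is the path of the munin-node config.

    No-op when ``self.master_ip`` is unset.  Otherwise ``allow ^<ip>$`` (dots
    escaped for munin's regex syntax) is placed right after ``self.LOCIP``
    unless that combined text is already in the file.
    """
    if not self.master_ip:
        return
    # Raw string: the original '\.' was an invalid escape sequence (a
    # SyntaxWarning from Python 3.12) that only produced the intended
    # backslash-dot by accident.
    allow_line = "allow ^%s$\n" % self.master_ip.replace('.', r'\.')
    # The original read a bare module-level LOCIP here but self.LOCIP on the
    # next line; the attribute form is used for both, matching the other
    # self.<UPPER> constants in this class (CHROOT_RULE, RESTORE_OWNERSHIP).
    replacement = self.LOCIP + allow_line
    path = element['name']
    if not files.contains(path, replacement):
        files.replace_in(path, self.LOCIP, replacement)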
def fix_ssh(self, element):
    """Append the chroot rule to the sshd config and restart the service.

    Args:
        element: mapping whose 'name' key is the path of the sshd config.

    Raises:
        Exception: when ``core.exec_cmd_list`` reports the restart as not
            completed; the message is the translated installation error plus
            the file path.

    Note: the restart runs even when the rule was already present.
    """
    path = element['name']
    if not files.contains(path, self.CHROOT_RULE):
        files.append(path, "\n%s\n" % self.CHROOT_RULE)
    completed, _pinfo = core.exec_cmd_list(["service ssh restart"])
    if not completed:
        raise Exception(t("Error in installation!"), path)
def fix_secure(self, element):
    """Apply the Apache hardening that check_secure looks for.

    Args:
        element: mapping whose 'name' key is the path of the config file.

    Each directive is rewritten only when its hardened form is absent;
    ``self.root_directive`` is appended when missing.
    """
    path = element['name']
    # (needle proving the fix is present, text to replace, replacement)
    rewrites = (
        ('\nServerTokens Prod', 'ServerTokens OS', 'ServerTokens Prod'),
        ('\nServerSignature Off', '#ServerSignature Off', 'ServerSignature Off'),
        ('\n#ServerSignature On', 'ServerSignature On', '#ServerSignature On'),
    )
    for needle, old_text, new_text in rewrites:
        if not files.contains(path, needle):
            files.replace_in(path, old_text, new_text)
    if not files.contains(path, self.root_directive):
        files.append(path, self.root_directive)
def move_mysql(self, element):
    """Relocate the MySQL data directory to /data/mysql.

    Args:
        element: mapping whose 'name' key is reported in the error raised
            when the command sequence fails; not otherwise read.

    Raises:
        Exception: when ``core.exec_cmd_list`` reports the move sequence as
            not completed.

    The AppArmor profile is rewritten first so mysqld may access the new
    path; the stop/move/symlink/restart sequence only runs when
    ``/var/lib/mysql/`` does not already resolve to ``/data/mysql``.
    """
    profile = '/etc/apparmor.d/usr.sbin.mysqld'
    if not files.contains(profile, '/data/mysql/'):
        files.replace_in(profile, '/var/lib/mysql/', '/data/mysql/')
    if files.realpath('/var/lib/mysql/') == '/data/mysql':
        return
    move_sequence = [
        "/etc/init.d/mysql stop",
        "mv /var/lib/mysql/ /data/",
        "ln -s /data/mysql /var/lib/mysql",
        "chown -h mysql:mysql /var/lib/mysql",
        "service apparmor reload",
        "/etc/init.d/mysql start",
    ]
    completed, _pinfo = core.exec_cmd_list(move_sequence)
    if not completed:
        raise Exception(t("Error in installation!"), element['name'])
def fix_common_session(self, element):
    """Register pam_script.so in the PAM common-session stack.

    Args:
        element: mapping whose 'name' key is the path of the PAM file.

    When the pam_script line is absent, it is inserted directly before the
    existing ``session required pam_unix.so`` line.  Per its ``runas=root``
    option the session script is run as root, so the script file installed
    by fix_ses_open must itself be trustworthy.
    """
    path = element['name']
    script_line = '\nsession\trequired\tpam_script.so\trunas=root\n'
    if files.contains(path, script_line):
        return
    files.replace_in(
        path,
        'session\trequired\tpam_unix.so',
        'session\trequired\tpam_script.so\trunas=root\nsession\trequired\tpam_unix.so\n',
    )
def check_ses_open(self, element):
    """Report whether the installed session-open script matches the bundled one.

    Args:
        element: mapping whose 'name' key is the path of the installed script.

    Returns:
        The result of ``files.contains`` for the full text of the bundled
        ``data/pam_script_ses_open.py`` (resolved via files.get_rel_path).
    """
    with open(files.get_rel_path("data/pam_script_ses_open.py")) as bundled:
        expected_text = bundled.read()
    return files.contains(element['name'], expected_text)
def fix_centrify_allow(self):
    """Add the configured LDAP group to the Centrify groups allow-list.

    Reads 'access'/'ldap_group' from ``self.conf``; when it is set and not
    yet present in ``/etc/centrifydc/groups.allow`` it is appended on its
    own line.  No-op when the option is unset.
    """
    allow_file = '/etc/centrifydc/groups.allow'
    group = self.conf.get('access', 'ldap_group')
    if not group:
        return
    if not files.contains(allow_file, group):
        files.append(allow_file, '\n%s' % group)
def check_common_session(self, element):
    """Report whether pam_script.so is registered in the PAM common-session file.

    Args:
        element: mapping whose 'name' key is the path of the PAM file.

    Returns:
        The result of ``files.contains`` for the ``session required
        pam_script.so runas=root`` line.
    """
    script_line = '\nsession\trequired\tpam_script.so\trunas=root\n'
    return files.contains(element['name'], script_line)
def check_acl_crontab(self, element):
    """Report whether the ACL-restore job is present in /etc/crontab.

    Args:
        element: accepted for interface uniformity; not read here, the path
            checked is always ``/etc/crontab``.

    Returns:
        The result of ``files.contains`` for ``self.RESTORE_OWNERSHIP``.
    """
    return files.contains('/etc/crontab', self.RESTORE_OWNERSHIP)
def check_centrify_allow(self, group):
    """Report whether ``group`` is listed in the Centrify groups allow-list.

    Args:
        group: group name searched for in ``/etc/centrifydc/groups.allow``.

    Returns:
        The result of ``files.contains`` for that name.
    """
    allow_file = '/etc/centrifydc/groups.allow'
    return files.contains(allow_file, group)
def check_ufw(self, element):
    """Report whether the ufw rsyslog snippet in ``element`` ends with ``& ~``.

    Args:
        element: mapping whose 'name' key is the path of the file.

    Returns:
        The result of ``files.contains`` for a line consisting of ``& ~``
        (the rsyslog "discard" action).
    """
    discard_line = '\n& ~\n'
    return files.contains(element['name'], discard_line)
def check_backup(self, element):
    """Report whether the automysqlbackup config points at /data/automysqlbackup.

    Args:
        element: mapping whose 'name' key is the path of the config file.

    Returns:
        The result of ``files.contains`` for the expected ``BACKUPDIR`` line.
    """
    backupdir_line = 'BACKUPDIR="/data/automysqlbackup"'
    return files.contains(element['name'], backupdir_line)
def check_perm_dev_team(self, element):
    """Report whether the dev-team cron ACL script is installed as expected.

    Args:
        element: mapping whose 'name' key is the path of the script file.

    Returns:
        The result of ``files.contains`` for ``self.cron_acl_dev_team``.
    """
    return files.contains(element['name'], self.cron_acl_dev_team)
def fix_perm_dev_team(self, element):
    """Install the dev-team cron ACL script and make it read/execute only.

    Args:
        element: mapping whose 'name' key is the path of the script file.

    The file is (re)created from ``self.cron_acl_dev_team`` only when that
    content is missing; the chmod to ``r-xr-xr-x`` is applied every time.
    """
    path = element['name']
    if not files.contains(path, self.cron_acl_dev_team):
        files.create(path, self.cron_acl_dev_team)
    files.chmod(path, u='rx', g='rx', o='rx')
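def check_sudoers(self, element):
    """Report whether the sudoers file grants the ``domain admins`` group sudo.

    Args:
        element: mapping whose 'name' key is the path of the sudoers file.

    Returns:
        The result of ``files.contains`` for the
        ``%domain\\ admins ALL=(ALL) ALL`` rule.
    """
    # Raw string: the backslash-space is literal sudoers syntax (escaped
    # space inside the group name).  The original '\ ' was an invalid escape
    # sequence (a SyntaxWarning from Python 3.12) that only worked by accident.
    sudo_rule = r'%domain\ admins ALL=(ALL) ALL'
    return files.contains(element['name'], sudo_rule)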
def check_perm_cron(self, element):
    """Report whether the sudo cron ACL script is installed as expected.

    Args:
        element: mapping whose 'name' key is the path of the script file.

    Returns:
        The result of ``files.contains`` for ``self.cron_acl_sudo``.
    """
    return files.contains(element['name'], self.cron_acl_sudo)
def fix_acl_crontab(self, element):
    """Append the periodic ACL-restore job to /etc/crontab when missing.

    Args:
        element: accepted for interface uniformity; not read here, the file
            edited is always ``/etc/crontab``.

    The job ``self.RESTORE_OWNERSHIP`` is written after a translated
    explanatory comment line.
    """
    crontab = '/etc/crontab'
    if files.contains(crontab, self.RESTORE_OWNERSHIP):
        return
    comment = t("#Reapply ACL periodically to prevent wordpress like auto update errors.")
    entry = "\n" + comment + "\n" + self.RESTORE_OWNERSHIP + "\n"
    files.append(crontab, entry)
def fix_ses_open(self, element):
    """Install the bundled PAM session-open script at ``element['name']``.

    Args:
        element: mapping whose 'name' key is the destination path.

    The bundled ``data/pam_script_ses_open.py`` (resolved via
    files.get_rel_path) is written with ``files.create`` only when the
    destination does not already contain its full text.
    """
    with open(files.get_rel_path("data/pam_script_ses_open.py")) as bundled:
        script_text = bundled.read()
    destination = element['name']
    if files.contains(destination, script_text):
        return
    files.create(destination, script_text)
def check_group_allow(self, element):
    """Report whether the allow-list file names every required group.

    Args:
        element: mapping whose 'name' key is the path of the file.

    Returns:
        True only when ``"domain admins"`` is present and, if the site option
        'ldap_dev_team' is set, that team name is present too.  Every check
        is evaluated (no short-circuit).
    """
    path = element['name']
    needles = []
    if CONFIG.is_set('site', 'ldap_dev_team'):
        needles.append('%s' % CONF_MAP('site', 'ldap_dev_team'))
    needles.append('"domain admins"')
    return all([files.contains(path, needle) for needle in needles])
if __name__ == '__main__':
    # PAM session-open script template.  The "${...}" values are substituted
    # when this file is rendered into place; PAM_USER is provided by PAM for
    # the user whose session is being opened.
    site_name = "${site_name}"
    site_path = "${site_path}"
    ldap_group = "${ldap_group}"
    ldap_dev_team = CONF_MAP('site', 'ldap_dev_team')
    unix_group = "${unix_group}"
    pam_user = os.getenv('PAM_USER')
    # NOTE(review): pam_user comes from the environment and is interpolated
    # into both a filesystem path and a command string below; whether
    # core.exec_cmd_list passes that string through a shell is not visible
    # here — confirm before relying on it for isolation.
    site_home_path = "/home/%s/%s" % (pam_user, site_name)

    # Every configured membership source is consulted (no short-circuit),
    # mirroring the original OR-accumulation.
    membership_results = []
    if ldap_group:
        membership_results.append(ldap.is_member_of(pam_user, ldap_group))
    if ldap_dev_team:
        # Third argument '' — meaning not visible here; verify against ldap.is_member_of.
        membership_results.append(ldap.is_member_of(pam_user, ldap_dev_team, ''))
    if unix_group:
        membership_results.append(unix.is_member_of(pam_user, unix_group))
    is_member = any(membership_results)

    if is_member:
        files.mkdir(site_home_path)
        files.chown(site_home_path)
        if not files.contains("/proc/mounts", site_home_path):
            # The completion flag returned by exec_cmd_list is not checked
            # here, unlike in fix_ssh/move_mysql; a failed mount is silent.
            core.exec_cmd_list([
                'mount --bind %s %s' % (site_path, site_home_path),
            ])
def check_centrify_conf(self, element):
    """Report whether the Centrify ``pam.allow.*`` directives are active.

    Args:
        element: mapping whose 'name' key is the path of centrifydc.conf.

    Returns:
        True when the 'centrify'/'pam_allow_enabled' option is off (nothing
        to check), otherwise True only when both the users and groups
        allow-list directives are present in their active form.
    """
    if not CONF_MAP('centrify', 'pam_allow_enabled'):
        return True
    path = element['name']
    active_directives = (
        '\npam.allow.users: file:/etc/centrifydc/users.allow\n',
        '\npam.allow.groups: file:/etc/centrifydc/groups.allow\n',
    )
    return all([files.contains(path, directive) for directive in active_directives])
def fix_perm_cron(self, element):
    """Install the sudo cron ACL script and make it read/execute only.

    Args:
        element: mapping whose 'name' key is the path of the script file.

    The file is (re)created from ``self.cron_acl_sudo`` only when that
    content is missing; the chmod to ``r-xr-xr-x`` is applied every time.
    """
    path = element['name']
    if not files.contains(path, self.cron_acl_sudo):
        files.create(path, self.cron_acl_sudo)
    files.chmod(path, u='rx', g='rx', o='rx')
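def fix_sudoers(self, element):
    """Grant the ``domain admins`` group full sudo and set the file mode.

    Args:
        element: mapping with 'name' (path of the sudoers file) and 'perm'
            (keyword arguments forwarded to ``files.chmod``).

    The rule is appended only when absent; the chmod runs every time.
    """
    path = element['name']
    # Raw string: the backslash-space is literal sudoers syntax (escaped
    # space inside the group name).  The original '\ ' was an invalid escape
    # sequence (a SyntaxWarning from Python 3.12) that only worked by accident.
    sudo_rule = r'%domain\ admins ALL=(ALL) ALL'
    if not files.contains(path, sudo_rule):
        # NOTE(review): the rule is appended without a leading newline and the
        # result is not syntax-checked; whether files.append adds a line break
        # is not visible here.  A malformed sudoers file disables sudo for
        # everyone, so validating the edited file (e.g. `visudo -c`) before
        # relying on it is worth considering.
        files.append(path, sudo_rule)
    files.chmod(path, **element['perm'])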