diff options
Diffstat (limited to 'recipes-security/bastille/files/HPSpecific.pm')
-rw-r--r-- | recipes-security/bastille/files/HPSpecific.pm | 1983 |
1 files changed, 0 insertions, 1983 deletions
diff --git a/recipes-security/bastille/files/HPSpecific.pm b/recipes-security/bastille/files/HPSpecific.pm deleted file mode 100644 index 7e7d709..0000000 --- a/recipes-security/bastille/files/HPSpecific.pm +++ /dev/null @@ -1,1983 +0,0 @@ -package Bastille::API::HPSpecific; - -use strict; -use Bastille::API; -use Bastille::API::FileContent; - -require Exporter; -our @ISA = qw(Exporter); -our @EXPORT_OK = qw( -getIPFLocation -getGlobalSwlist -B_check_system -B_swmodify -B_load_ipf_rules -B_Schedule -B_ch_rc -B_set_value -B_chperm -B_install_jail -B_list_processes -B_list_full_processes -B_deactivate_inetd_service -B_get_rc -B_set_rc -B_chrootHPapache -isSystemTrusted -isTrustedMigrationAvailable -checkServiceOnHPUX -B_get_path -convertToTrusted -isOKtoConvert -convertToShadow -getSupportedSettings -B_get_sec_value -secureIfNoNameService -isUsingRemoteNameService -remoteServiceCheck -remoteNISPlusServiceCheck -B_create_nsswitch_file -B_combine_service_results - -%priorBastilleNDD -%newNDD -); -our @EXPORT = @EXPORT_OK; - - - -# "Constants" for use both in testing and in lock-down -our %priorBastilleNDD = ( - "ip_forward_directed_broadcasts" =>["ip", "0"], - "ip_forward_src_routed" =>["ip", "0"], - "ip_forwarding" =>["ip", "0"], - "ip_ire_gw_probe" =>["ip", "0"], - "ip_pmtu_strategy" =>["ip", "1"], - "ip_respond_to_echo_broadcast" =>["ip", "0"], - "ip_send_redirects" =>["ip", "0"], - "ip_send_source_quench" =>["ip", "0"], - "tcp_syn_rcvd_max" =>["tcp","1000"], - "tcp_conn_request_max" =>["tcp","4096"] ); - -our %newNDD = ( - "ip_forward_directed_broadcasts" =>["ip", "0"], - "ip_forward_src_routed" =>["ip", "0"], - "ip_forwarding" =>["ip", "0"], - "ip_ire_gw_probe" =>["ip", "0"], - "ip_pmtu_strategy" =>["ip", "1"], - "ip_respond_to_echo_broadcast" =>["ip", "0"], - "ip_send_redirects" =>["ip", "0"], - "ip_send_source_quench" =>["ip", "0"], - "tcp_syn_rcvd_max" =>["tcp","4096"], - "tcp_conn_request_max" =>["tcp","4096"], - "arp_cleanup_interval" =>["arp","60000"], - "ip_respond_to_timestamp" =>["ip", "0"], - "ip_respond_to_timestamp_broadcast" => ["ip","0"] ); - - -#################################################################### -# -# This module makes up the HP-UX specific API routines. -# -#################################################################### -# -# Subroutine Listing: -# &HP_ConfigureForDistro: adds all used file names to global -# hashes and generates a global IPD -# hash for SD modification lookup. -# -# &getGlobalSwlist($): Takes a fully qualified file name -# and returns product:filset info -# for that file. returns undef if -# the file is not present in the IPD -# -# &B_check_system: Runs a series of system queries to -# determine if Bastille can be safely -# ran on the current system. -# -# &B_swmodify($): Takes a file name and runs the -# swmodify command on it so that the -# IPD is updated after changes -# -# &B_System($$): Takes a system command and the system -# command that should be used to revert -# whatever was done. Returns 1 on -# success and 0 on failure -# -# &B_Backtick($) Takes a command to run and returns its stdout -# to be used in place of the prior prevelent use -# of un-error-handled backticks -# -# &B_load_ipf_rules($): Loads a set of ipfrules into ipf, storing -# current rules for later reversion. -# -# &B_Schedule($$): Takes a pattern and a crontab line. -# Adds or replaces the crontab line to -# the crontab file, depending on if a -# line matches the pattern -# -# &B_ch_rc($$): Takes a the rc.config.d flag name and -# new value as well as the init script -# location. This will stop a services -# and set the service so that it will -# not be restarted. -# -# &B_set_value($$$): Takes a param, value, and a filename -# and sets the given value in the file. -# Uses ch_rc, but could be rewritten using -# Bastille API calls to make it work on Linux -# -# &B_TODO($): Appends the give string to the TODO.txt -# file. -# -# &B_chperm($$$$): Takes new perm owner and group of given -# file. TO BE DEPRECATED!!! -# -# &B_install_jail($$): Takes the jail name and the jail config -# script location for a give jail... -# These scripts can be found in the main -# directory e.g. jail.bind.hpux -# -##################################################################### - -############################################################################## -# -# HP-UX Bastille directory structure -# -############################################################################## -# -# /opt/sec_mgmt/bastille/bin/ -- location of Bastille binaries -# /opt/sec_mgmt/bastille/lib/ -- location of Bastille modules -# /opt/sec_mgmt/bastille/doc/ -- location of Bastille doc files -# -# /etc/opt/sec_mgmt/bastille/ -- location of Bastille config files -# -# /var/opt/sec_mgmt/bastille/log -- location of Bastille log files -# /var/opt/sec_mgmt/bastille/revert -- directory holding all Bastille- -# created revert scripts -# /var/opt/sec_mgmt/bastille/revert/backup -- directory holding the original -# files that Bastille modifies, -# with permissions intact -# -############################################################################## - -sub getIPFLocation () { # Temporary until we get defined search space support - my $ipf=&getGlobal('BIN','ipf_new'); - my $ipfstat=&getGlobal('BIN','ipfstat_new'); - if (not(-e $ipf)) { # Detect if the binaries moved - $ipf = &getGlobal('BIN','ipf'); - $ipfstat=&getGlobal('BIN','ipfstat'); - } - return ($ipf, $ipfstat); -} - -############################################## -# Given a combination of service results, provided -# in an array, this function combines the result into -# a reasonable aggregate result -############################################## - -sub B_combine_service_results(@){ - my @results = @_; - - #TODO: Consider greater sophistication wrt inconsistent, or not installed. - - foreach my $result (@results) { - if (not(($result == SECURE_CAN_CHANGE) or - ($result == SECURE_CANT_CHANGE) or - ($result == NOT_INSTALLED()))) { - return NOTSECURE_CAN_CHANGE(); - } - } - return SECURE_CANT_CHANGE(); -} - -#################################################################### -# &getGlobalSwlist ($file); -# This function returns the product and fileset information for -# a given file or directory if it exists in the IPD otherwise -# it returns undefined "undef" -# -# uses $GLOBAL_SWLIST{"$FILE"} -#################################################################### -sub getGlobalSwlist($){ - no strict; - my $file = $_[0]; - - - if(! %GLOBAL_SWLIST) { - # Generating swlist database for swmodify changes that will be required - # The database will be a hash of fully qualified file names that reference - # the files product name and fileset. These values are required to use - # swmodify... - - # Files tagged 'is_volatile' in the IPD are not entered in the swlist database - # in order to avoid invoking swmodify if the file is changed later. Attempting to - # swmodify 'volatile' files is both unneccessary and complicated since swverify will - # not evaluate volatile files anyway, and adding another value to the swlist database - # would require complex code changes. - - # temp variable to keep swlist command /usr/sbin/swlist - my $swlist = &getGlobal('BIN',"swlist"); - - # listing of each directory and file that was installed by SD on the target machine - my @fileList = `$swlist -a is_volatile -l file`; - - # listing of each patch and the patches that supersede each. - # hash which is indexed by patch.fileset on the system - my %patchSuperseded; - - my @patchList = `${swlist} -l fileset -a superseded_by *.*,c=patch 2>&1`; - # check to see if any patches are present on the system - if(($? >> 8) == 0) { - - # determining patch suppression for swmodify. - foreach my $patchState (@patchList) { - # removing empty lines and commented lines. - if($patchState !~ /^\s*\#/ && $patchState !~ /^\s*$/) { - - # removing leading white space - $patchState =~ s/^\s+//; - my @patches = split /\s+/, $patchState; - if($#patches == 0){ - # patch is not superseded - $patchSuperseded{$patches[0]} = 0; - } - else { - # patch is superseded - $patchSuperseded{$patches[0]} = 1; - } - } - } - } - else { - &B_log("DEBUG","No patches found on the system.\n"); - } - - if($#fileList >= 0){ - # foreach line of swlist output - foreach my $fileEntry ( @fileList ){ - #filter out commented portions - if( $fileEntry !~ /^\s*\#/ ){ - chomp $fileEntry; - # split the output into three fields: product.fileset, filename, flag_isvolatile - my( $productInfo, $file, $is_volatile ) = $fileEntry =~ /^\s*(\S+): (\S+)\t(\S+)/ ; - # do not register volatile files - next if ($is_volatile =~ /true/); # skip to next file entry - $productInfo =~ s/\s+//; - $file =~ s/\s+//; - # if the product is a patch - if($productInfo =~ /PH(CO|KL|NE|SS)/){ - # if the patch is not superseded by another patch - if($patchSuperseded{$productInfo} == 0){ - # add the patch to the list of owner for this file - push @{$GLOBAL_SWLIST{"$file"}}, $productInfo; - } - } - # not a patch. - else { - # add the product to the list of owners for this file - push @{$GLOBAL_SWLIST{"$file"}}, $productInfo; - } - - } - } - } - else{ - # defining GLOBAL_SWLIST in error state. - $GLOBAL_SWLIST{"ERROR"} = "ERROR"; - &B_log("ERROR","Could not execute swlist. Swmodifys will not be attempted"); - } - } - - if(exists $GLOBAL_SWLIST{"$file"}){ - return $GLOBAL_SWLIST{"$file"}; - } - else { - return undef; - } -} - -################################################################### -# &B_check_system; -# This subroutine is called to validate that bastille may be -# safely run on the current system. It will check to insure -# that there is enough file system space, mounts are rw, nfs -# mounts are not mounted noroot, and swinstall, swremove and -# swmodify are not running -# -# uses ErrorLog -# -################################################################## -sub B_check_system { - # exitFlag is one if a conflict with the successful execution - # of bastille is found. - my $exitFlag = 0; - - my $ignoreCheck = &getGlobal("BDIR","config") . "/.no_system_check"; - if( -e $ignoreCheck ) { - return $exitFlag; - } - - # first check for swinstall, swmodify, or swremove processes - my $ps = &getGlobal('BIN',"ps") . " -el"; - my @processTable = `$ps`; - foreach my $process (@processTable) { - if($process =~ /swinstall/ ) { - &B_log("ERROR","Bastille cannot run while a swinstall is in progress.\n" . - "Complete the swinstall operation and then run Bastille.\n\n"); - $exitFlag = 1; - } - - if($process =~ /swremove/ ) { - &B_log("ERROR","Bastille cannot run while a swremove is in progress.\n" . - "Complete the swremove operation and then run Bastille.\n\n"); - $exitFlag = 1; - } - - if($process =~ /swmodify/ ) { - &B_log("ERROR","Bastille cannot run while a swmodify is in progress.\n" . - "Complete the swmodify operation and then run Bastille.\n\n"); - $exitFlag = 1; - } - - } - - # check for root read only mounts for /var /etc /stand / - # Bastille is required to make changes to these file systems. - my $mount = &getGlobal('BIN',"mount"); - my $rm = &getGlobal('BIN',"rm"); - my $touch = &getGlobal('BIN',"touch"); - - my @mnttab = `$mount`; - - if(($? >> 8) != 0) { - &B_log("WARNING","Unable to use $mount to determine if needed partitions\n" . - "are root writable, based on disk mount options.\n" . - "Bastille will continue but note that disk\n" . - "mount checks were skipped.\n\n"); - } - else { - foreach my $record (@mnttab) { - my @fields = split /\s+/, $record; - if ((defined $fields[0]) && (defined $fields[2]) && (defined $fields[3])) { - my $mountPoint = $fields[0]; - my $mountType = $fields[2]; - my $mountOptions = $fields[3]; - - # checks for /stand and /var/* removed - if($mountPoint =~ /^\/$|^\/etc|^\/var$/) { - - if($mountOptions =~ /^ro,|,ro,|,ro$/) { - &B_log("ERROR","$mountPoint is mounted read-only. Bastille needs to make\n" . - "modifications to this file system. Please remount\n" . - "$mountPoint read-write and then run Bastille again.\n\n"); - $exitFlag = 1; - } - # looking for an nfs mounted file system - if($mountType =~/.+:\//){ - my $fileExisted=0; - if(-e "$mountPoint/.bastille") { - $fileExisted=1; - } - - `$touch $mountPoint/.bastille 1>/dev/null 2>&1`; - - if( (! -e "$mountPoint/.bastille") || (($? >> 8) != 0) ) { - &B_log("ERROR","$mountPoint is an nfs mounted file system that does\n" . - "not allow root to write to. Bastille needs to make\n" . - "modifications to this file system. Please remount\n" . - "$mountPoint giving root access and then run Bastille\n" . - "again.\n\n"); - - $exitFlag = 1; - } - # if the file did not exist befor the touch then remove the generated file - if(! $fileExisted) { - `$rm -f $mountPoint/.bastille 1>/dev/null 2>&1`; - } - } - } - } - else { - &B_log("WARNING","Unable to use $mount to determine if needed partitions\n" . - "are root writable, based on disk mount options.\n" . - "Bastille will continue but note that disk\n" . - "mount checks were skipped.\n\n"); - } - } - - } - - # checks for enough disk space in directories that Bastille writes to. - my $bdf = &getGlobal('BIN',"bdf"); - #directories that Bastille writes to => required space in kilobytes. - my %bastilleDirs = ( "/etc/opt/sec_mgmt/bastille" => "4", "/var/opt/sec_mgmt/bastille"=> "1000"); - for my $directory (sort keys %bastilleDirs) { - my @diskUsage = `$bdf $directory`; - - if(($? >> 8) != 0) { - &B_log("WARNING","Unable to use $bdf to determine disk usage for\n" . - "$directory\n" . - "Bastille will continue but note that disk\n" . - "usage checks were skipped.\n\n"); - - } - else { - # removing bdf header line from usage information. - shift @diskUsage; - my $usageString= ""; - - foreach my $usageRecord (@diskUsage) { - chomp $usageRecord; - $usageString .= $usageRecord; - } - - $usageString =~ s/^\s+//; - - my @fields = split /\s+/, $usageString; - if($#fields != 5) { - &B_log("WARNING","Unable to use $bdf to determine disk usage for\n" . - "$directory\n" . - "Bastille will continue but note that disk\n" . - "usage checks were skipped.\n\n"); - } - else { - - my $mountPoint = $fields[5]; - my $diskAvail = $fields[3]; - - if($diskAvail <= $bastilleDirs{"$directory"}) { - &B_log("ERROR","$mountPoint does not contain enough available space\n" . - "for Bastille to run properly. $directory needs\n" . - "at least $bastilleDirs{$directory} kilobytes of space.\n" . - "Please clear at least that amount of space from\n" . - "$mountPoint and run Bastille again.\n" . - "Current Free Space available = ${diskAvail} k\n\n"); - $exitFlag = 1; - } - } - } - } - - # check to make sure that we are in at least run level 2 before we attempt to run - my $who = &getGlobal('BIN', "who") . " -r"; - my $levelInfo = `$who`; - if(($? >> 8) != 0 ) { - &B_log("WARNING","Unable to use \"$who\" to determine system run.\n" . - "level Bastille will continue but note that the run\n" . - "level check was skipped.\n\n"); - } - else { - chomp $levelInfo; - my @runlevel = split /\s+/, $levelInfo; - if ((! defined $runlevel[3]) or ($runlevel[3] < 2)) { - &B_log("WARNING","Bastille requires a run-level of 2 or more to run properly.\n" . - "Please move your system to a higher run level and then\n" . - "run 'bastille -b'.\n\n"); - if(defined $runlevel[3]) { - &B_log("ERROR","Current run-level is '$runlevel[3]'.\n\n"); - $exitFlag=1; - } - else { - &B_log("WARNING","Unable to use \"$who\" to determine system run.\n" . - "level Bastille will continue but note that the run\n" . - "level check was skipped.\n\n"); - } - } - else { - &B_log("DEBUG","System run-level is $runlevel[3]\n"); - } - } - - if($exitFlag) { - exit(1); - } - -} - -################################################################### -# &B_swmodify($file); -# This subroutine is called after a file is modified. It will -# redefine the file in the IPD with it's new properties. If -# the file is not in the IPD it does nothing. -# -# uses B_System to make the swmodifications. -################################################################## -sub B_swmodify($){ - my $file = $_[0]; - if(defined &getGlobalSwlist($file)){ - my $swmodify = &getGlobal('BIN',"swmodify"); - my @productsInfo = @{&getGlobalSwlist($file)}; - # running swmodify on files that were altered by this function but - # were created and maintained by SD - foreach my $productInfo (@productsInfo) { - &B_System("$swmodify -x files='$file' $productInfo", - "$swmodify -x files='$file' $productInfo"); - } - } -} - -#################################################################### -# &B_load_ipf_rules($ipfruleset); -# This function enables an ipfruleset. It's a little more -# specific than most API functions, but necessary because -# ipf doesn't return correct exit codes (syntax error results -# in a 0 exit code) -# -# uses ActionLog and ErrorLog to log -# calls crontab directly (to list and to read in new jobs) -################################################################### -sub B_load_ipf_rules ($) { - my $ipfruleset=$_[0]; - - &B_log("DEBUG","# sub B_load_ipf_rules"); - - # TODO: grab ipf.conf dynamically from the rc.config.d files - my $ipfconf = &getGlobal('FILE','ipf.conf'); - - # file system changes - these are straightforward, and the API - # will take care of the revert - &B_create_file($ipfconf); - &B_blank_file($ipfconf, 'a$b'); - &B_append_line($ipfconf, 'a$b', $ipfruleset); - - # runtime changes - - # define binaries - my $grep = &getGlobal('BIN', 'grep'); - my ($ipf, $ipfstat) = &getIPFLocation; - # create backup rules - # This will exit with a non-zero exit code because of the grep - my @oldrules = `$ipfstat -io 2>&1 | $grep -v empty`; - - my @errors=`$ipf -I -Fa -f $ipfconf 2>&1`; - - if(($? >> 8) == 0) { - - &B_set_rc("IPF_START","1"); - &B_set_rc("IPF_CONF","$ipfconf"); - - # swap the rules in - &B_System("$ipf -s","$ipf -s"); - - # now create a "here" document with the previous version of - # the rules and put it into the revert-actions script - &B_revert_log("$ipf -I -Fa -f - <<EOF\n@{oldrules}EOF"); - - if (@errors) { - &B_log("ERROR","ipfilter produced the following errors when\n" . - " loading $ipfconf. You probably had an invalid\n" . - " rule in ". &getGlobal('FILE','customipfrules') ."\n". - "@errors\n"); - } - - } else { - &B_log("ERROR","Unable to run $ipf\n"); - } - -} - - - -#################################################################### -# &B_Schedule($pattern,$cronjob); -# This function schedules a cronjob. If $pattern exists in the -# crontab file, that job will be replaced. Otherwise, the job -# will be appended. -# -# uses ActionLog and ErrorLog to log -# calls crontab directly (to list and to read in new jobs) -################################################################### -sub B_Schedule ($$) { - my ($pattern,$cronjob)=@_; - $cronjob .= "\n"; - - &B_log("DEBUG","# sub B_Schedule"); - my $crontab = &getGlobal('BIN','crontab'); - - my @oldjobs = `$crontab -l 2>/dev/null`; - my @newjobs; - my $patternfound=0; - - foreach my $oldjob (@oldjobs) { - if (($oldjob =~ m/$pattern/ ) and (not($patternfound))) { - push @newjobs, $cronjob; - $patternfound=1; - &B_log("ACTION","changing existing cron job which matches $pattern with\n" . - "$cronjob"); - } elsif ($oldjob !~ m/$pattern/ ) { - &B_log("ACTION","keeping existing cron job $oldjob"); - push @newjobs, $oldjob; - } #implied: else if pattern matches, but we've - #already replaced one, then toss the others. - } - - unless ($patternfound) { - &B_log("ACTION","adding cron job\n$cronjob\n"); - push @newjobs, $cronjob; - } - - if(open(CRONTAB, "|$crontab - 2> /dev/null")) { - print CRONTAB @newjobs; - - # now create a "here" document with the previous version of - # the crontab file and put it into the revert-actions script - &B_revert_log("$crontab <<EOF\n" . "@oldjobs" . "EOF"); - close CRONTAB; - } - - # Now check to make sure it happened, since cron will exit happily - # (retval 0) with no changes if there are any syntax errors - my @editedjobs = `$crontab -l 2>/dev/null`; - - if (@editedjobs ne @newjobs) { - &B_log("ERROR","failed to add cron job:\n$cronjob\n" . - " You probably had an invalid crontab file to start with."); - } - -} - - -#This function turns off a service, given a service name defined in HP-UX.service - -sub B_ch_rc($) { - - my ($service_name)=@_; - - if (&GetDistro != "^HP-UX") { - &B_log("ERROR","Tried to call ch_rc $service_name on a non-HP-UX\n". - " system! Internal Bastille error."); - return undef; - } - my $configfile=""; - my $command = &getGlobal('BIN', 'ch_rc'); - - my $startup_script=&getGlobal('DIR','initd') . "/". $service_name; - my @rc_parameters= @{ &getGlobal('SERVICE',$service_name) }; - my @rcFiles=@{ &getGlobal('RCCONFIG',$service_name) }; - my $rcFile=''; - if (@rcFiles == 1){ - $rcFile=$rcFiles[0]; - } else { - &B_log("FATAL","Multiple RC Files not yet supported... internal error."); - } - - # if the service-related process is not run, and the control variable is stilll 1 - # there is a inconsistency. in this case we only need to change the control variable - my @psnames=@{ &getGlobal('PROCESS',$service_name)}; - my @processes; - foreach my $psname (@psnames) { - $psname .= '\b'; # avoid embedded match; anchor search pattern to trailing word boundry - my @procList = &isProcessRunning($psname); - if(@procList >= 0){ - splice @processes,$#processes+1,0,@procList; - } - } -#Actually set the rc variable - foreach my $rcVariable (@rc_parameters){ - my $orig_value = &B_get_rc($rcVariable); - if ($orig_value eq "" ) { #If variable not set, used the defined file - $configfile=&getGlobal("DIR","rc.config.d") . "/" . $rcFile; - if (not( -f $configfile )) { - &B_create_file($configfile); - } - } - &B_log("DEBUG","In B_ch_rc (no procs), setting $rcVariable to 0 in $configfile" . - ", with an original value of $orig_value with rcfile: $rcFile"); - if ( ! @processes) { # IF there are no processes we don't neet to perform a "stop" - &B_set_rc($rcVariable, "0", $configfile); - } else { - if ( $orig_value !~ "1" ) { #If param is not already 1, the "stop" script won't work - &B_set_rc($rcVariable, "1",$configfile); - } - &B_System ($startup_script . " stop", #stop service, then restart if the user runs bastille -r - $startup_script . " start"); - # set parameter, so that service will stay off after reboots - &B_set_rc($rcVariable, "0", $configfile); - } - } -} - - -# This routine sets a value in a given file -sub B_set_value($$$) { - my ($param, $value, $file)=@_; - - &B_log("DEBUG","B_set_value: $param, $value, $file"); - if (! -e $file ) { - &B_create_file("$file"); - } - - # If a value is already set to something other than $value then reset it. - #Note that though this tests for "$value ="the whole line gets replaced, so - #any pre-existing values are also replaced. - &B_replace_line($file,"^$param\\s*=\\s*","$param=$value\n"); - # If the value is not already set to something then set it. - &B_append_line($file,"^$param\\s*=\\s*$value","$param=$value\n"); - -} - - -################################################################################## -# &B_chperm($owner,$group,$mode,$filename(s)) -# This function changes ownership and mode of a list of files. Takes four -# arguments first the owner next the group and third the new mode in oct and -# last a list of files that the permissions changes should take affect on. -# -# uses: &swmodify and &B_revert_log -################################################################################## -sub B_chperm($$$$) { - my ($newown, $newgrp, $newmode, $file_expr) = @_; - my @files = glob($file_expr); - - my $return = 1; - - foreach my $file (@files){ - my @filestat = stat $file; - my $oldmode = (($filestat[2]/512) % 8) . - (($filestat[2]/64) % 8) . - (($filestat[2]/8) % 8) . - (($filestat[2]) % 8); - - if((chown $newown, $newgrp, $file) != 1 ){ - &B_log("ERROR","Could not change ownership of $file to $newown:$newgrp\n"); - $return = 0; - } - else{ - &B_log("ACTION","Changed ownership of $file to $newown:$newgrp\n"); - # swmodifying file if possible... - &B_swmodify($file); - &B_revert_log(&getGlobal('BIN',"chown") . " $filestat[4]:$filestat[5] $file\n"); - } - - my $newmode_formatted=sprintf "%5lo",$newmode; - - if((chmod $newmode, $file) != 1){ - &B_log("ERROR","Could not change mode of $file to $newmode_formatted\n"); - $return = 0; - } - else{ - &B_log("ACTION","Changed mode of $file to $newmode_formatted\n"); - &B_revert_log(&getGlobal('BIN',"chmod") . " $oldmode $file\n"); - } - - - } - return $return; -} - -############################################################################ -# &B_install_jail($jailname, $jailconfigfile); -# This function takes two arguments ( jail_name, jail_config ) -# It's purpose is to take read in config files that define a -# chroot jail and then generate it bases on that specification -############################################################################ -sub B_install_jail($$) { - - my $jailName = $_[0]; # Name of the jail e.g bind - my $jailConfig = $_[1]; # Name of the jails configuration file - # create the root directory of the jail if it does not exist - &B_create_dir( &getGlobal('BDIR','jail')); - &B_chperm(0,0,0555,&getGlobal('BDIR','jail')); - - # create the Jail dir if it does not exist - &B_create_dir( &getGlobal('BDIR','jail') . "/" . $jailName); - &B_chperm(0,0,0555,&getGlobal('BDIR','jail') . "/". $jailName); - - - my $jailPath = &getGlobal('BDIR','jail') . "/" . $jailName; - my @lines; # used to store no commented no empty config file lines - # open configuration file for desired jail and parse in commands - if(open(JAILCONFIG,"< $jailConfig")) { - while(my $line=<JAILCONFIG>){ - if($line !~ /^\s*\#|^\s*$/){ - chomp $line; - push(@lines,$line); - } - } - close JAILCONFIG; - } - else{ - &B_log("ERROR","Open Failed on filename: $jailConfig\n"); - return 0; - } - # read through commands and execute - foreach my $line (@lines){ - &B_log("ACTION","Install jail: $line\n"); - my @confCmd = split /\s+/,$line; - if($confCmd[0] =~ /dir/){ # if the command say to add a directory - if($#confCmd == 4) { # checking dir Cmd form - if(! (-d $jailPath . "/" . $confCmd[1])){ - #add a directory and change its permissions according - #to the conf file - &B_create_dir( $jailPath . "/" . $confCmd[1]); - &B_chperm((getpwnam($confCmd[3]))[2], - (getgrnam($confCmd[4]))[2], - oct($confCmd[2]), - $jailPath . "/" . $confCmd[1]); - } - } - else { - &B_log("ERROR","Badly Formed Configuration Line:\n$line\n\n"); - } - } - elsif($confCmd[0] =~ /file/) { - if($#confCmd == 5) { # checking file cmd form - if(&B_cp($confCmd[1],$jailPath . "/" . $confCmd[2])){ - # for copy command cp file and change perms - &B_chperm($confCmd[4],$confCmd[5],oct($confCmd[3]),$jailPath . "/" . $confCmd[2]); - } - else { - &B_log("ERROR","Could not complete copy on specified files:\n" . - "$line\n"); - } - } - else { - &B_log("ERROR","Badly Formed Configuration Line:\n" . - "$line\n\n"); - } - } - elsif($confCmd[0] =~ /slink/) { - if($#confCmd == 2) { # checking file cmd form - if(!(-e $jailPath . "/" . $confCmd[2])){ - #for symlink command create the symlink - &B_symlink($jailPath . "/" . $confCmd[1], $confCmd[2]); - } - } - else { - &B_log("ERROR","Badly Formed Configuration Line:\n" . - "$line\n\n"); - } - } - else { - &B_log("ERROR","Unrecognized Configuration Line:\n" . - "$line\n\n"); - } - } - return 1; -} - - - -########################################################################### -# &B_list_processes($service) # -# # -# This subroutine uses the GLOBAL_PROCESS hash to determine if a # -# service's corresponding processes are running on the system. # -# If any of the processes are found to be running then the process # -# name(s) is/are returned by this subroutine in the form of an list # -# If none of the processes that correspond to the service are running # -# then an empty list is returned. # -########################################################################### -sub B_list_processes($) { - - # service name - my $service = $_[0]; - # list of processes related to the service - my @processes=@{ &getGlobal('PROCESS',$service)}; - - # current systems process information - my $ps = &getGlobal('BIN',"ps"); - my $psTable = `$ps -elf`; - - # the list to be returned from the function - my @running_processes; - - # for every process associated with the service - foreach my $process (@processes) { - # if the process is in the process table then - if($psTable =~ m/$process/) { - # add the process to the list, which will be returned - push @running_processes, $process; - } - - } - - # return the list of running processes - return @running_processes; - -} - -############################################################################# -# &B_list_full_processes($service) # -# # -# This subroutine simply grep through the process table for those matching # -# the input argument TODO: Allow B_list process to levereage this code # -# ... Not done this cycle to avoid release risk (late in cycle) # -############################################################################# -sub B_list_full_processes($) { - - # service name - my $procName = $_[0]; - my $ps = &getGlobal('BIN',"ps"); - my @psTable = split(/\n/,`$ps -elf`); - - # for every process associated with the service - my @runningProcessLines = grep(/$procName/ , @psTable); - # return the list of running processes - return @runningProcessLines; -} - -################################################################################ -# &B_deactivate_inetd_service($service); # -# # -# This subroutine will disable all inetd services associated with the input # -# service name. Service name must be a reference to the following hashes # -# GLOBAL_SERVICE GLOBAL_SERVTYPE and GLOBAL_PROCESSES. If processes are left # -# running it will note these services in the TODO list as well as instruct the# -# user in how they remaining processes can be disabled. # -################################################################################ -sub B_deactivate_inetd_service($) { - my $service = $_[0]; - my $servtype = &getGlobal('SERVTYPE',"$service"); - my $inetd_conf = &getGlobal('FILE',"inetd.conf"); - - # check the service type to ensure that it can be configured by this subroutine. - if($servtype ne 'inet') { - &B_log("ACTION","The service \"$service\" is not an inet service so it cannot be\n" . - "configured by this subroutine\n"); - return 0; - } - - # check for the inetd configuration files existence so it may be configured by - # this subroutine. - if(! -e $inetd_conf ) { - &B_log("ACTION","The file \"$inetd_conf\" cannot be located.\n" . - "Unable to configure inetd\n"); - return 0; - } - - # list of service identifiers present in inetd.conf file. - my @inetd_entries = @{ &getGlobal('SERVICE',"$service") }; - - foreach my $inetd_entry (@inetd_entries) { - &B_hash_comment_line($inetd_conf, "^\\s*$inetd_entry"); - } - - # list of processes associated with this service which are still running - # on the system - my @running_processes = &B_list_processes($service); - - if($#running_processes >= 0) { - my $todoString = "\n" . - "---------------------------------------\n" . - "Deactivating Inetd Service: $service\n" . - "---------------------------------------\n" . - "The following process(es) are associated with the inetd service \"$service\".\n" . - "They are most likely associated with a session which was initiated prior to\n" . - "running Bastille. To disable a process see \"kill(1)\" man pages or reboot\n" . - "the system\n" . - "Active Processes:\n" . - "###################################\n"; - foreach my $running_process (@running_processes) { - $todoString .= "\t$running_process\n"; - } - $todoString .= "###################################\n"; - - &B_TODO($todoString); - } - -} - - -################################################################################ -# B_get_rc($key); # -# # -# This subroutine will use the ch_rc binary to get rc.config.d variables # -# values properly escaped and quoted. # -################################################################################ -sub B_get_rc($) { - - my $key=$_[0]; - my $ch_rc = &getGlobal('BIN',"ch_rc"); - - # get the current value of the given parameter. - my $currentValue=`$ch_rc -l -p $key`; - chomp $currentValue; - - if(($? >> 8) == 0 ) { - # escape all meta characters. - # $currentValue =~ s/([\"\`\$\\])/\\$1/g; - # $currentValue = '"' . $currentValue . '"'; - } - else { - return undef; - } - - return $currentValue; -} - - - -################################################################################ -# B_set_rc($key,$value); # -# # -# This subroutine will use the ch_rc binary to set rc.config.d variables. As # -# well as setting the variable this subroutine will set revert strings. # -# # -################################################################################ -sub B_set_rc($$;$) { - - my ($key,$value,$configfile)=@_; - my $ch_rc = &getGlobal('BIN',"ch_rc"); - - # get the current value of the given parameter. - my $currentValue=&B_get_rc($key); - if(defined $currentValue ) { - if ($currentValue =~ /^\"(.*)\"$/ ) { - $currentValue = '"\"' . $1 . '\""'; - } - if ($value =~ /^\"(.*)\"$/ ) { - $value = '"\"' . $1 . '\""'; - } - if ( &B_System("$ch_rc -a -p $key=$value $configfile", - "$ch_rc -a -p $key=$currentValue $configfile") ) { - #ch_rc success - return 1; - } - else { - #ch_rc failure. - return 0; - } - } - else { - &B_log("ERROR","ch_rc was unable to lookup $key\n"); - return 0; - } - -} - - -################################################################################ -# &ChrootHPApache($chrootScript,$httpd_conf,$httpd_bin, -# $apachectl,$apacheJailDir,$serverString); -# -# This subroutine given an chroot script, supplied by the vendor, a -# httpd.conf file, the binary location of httpd, the control script, -# the jail directory, and the servers identification string, descriptive -# string for TODO etc. It makes modifications to httpd.conf so that when -# Apache starts it will chroot itself into the jail that the above -# mentions script creates. -# -# uses B_replace_line B_create_dir B_System B_TODO -# -############################################################################### -sub B_chrootHPapache($$$$$$) { - - my ($chrootScript,$httpd_conf,$httpd_bin,$apachectl,$apacheJailDir,$serverString)= @_; - - my $exportpath = "export PATH=/usr/bin;"; - my $ps = &getGlobal('BIN',"ps"); - my $isRunning = 0; - my $todo_header = 0; - - # checking for a 2.0 version of the apache chroot script. - if(-e $chrootScript ) { - - if(open HTTPD, $httpd_conf) { - while (my $line = <HTTPD>){ - if($line =~ /^\s*Chroot/) { - &B_log("DEBUG","Apache is already running in a chroot as specified by the following line:\n$line\n" . - "which appears in the httpd.conf file. No Apache Chroot action was taken.\n"); - return; - } - } - close(HTTPD); - } - - if(`$ps -ef` =~ $httpd_bin ) { - $isRunning=1; - &B_System("$exportpath " . $apachectl . " stop","$exportpath " . $apachectl . " start"); - } - &B_replace_line($httpd_conf, '^\s*#\s*Chroot' , - "Chroot " . $apacheJailDir); - if(-d &getGlobal('BDIR',"jail")){ - &B_log("DEBUG","Jail directory already exists. No action taken.\n"); - } - else{ - &B_log("ACTION","Jail directory was created.\n"); - &B_create_dir( &getGlobal('BDIR','jail')); - } - - if(-d $apacheJailDir){ - &B_log("DEBUG","$serverString jail already exists. No action taken.\n"); - } - else{ - &B_System(&getGlobal('BIN',"umask") . " 022; $exportpath " . $chrootScript, - &getGlobal('BIN',"echo") . " \"Your $serverString is now running outside of it's\\n" . - "chroot jail. You must manually migrate your web applications\\n" . - "back to your Apache server's httpd.conf defined location(s).\\n". - "After you have completed this, feel free to remove the jail directories\\n" . - "from your machine. Your apache jail directory is located in\\n" . - &getGlobal('BDIR',"jail") . "\\n\" >> " . &getGlobal('BFILE',"TOREVERT")); - - } - if($isRunning){ - &B_System("$exportpath " . $apachectl . " start","$exportpath " . $apachectl . " stop"); - &B_log("ACTION","$serverString is now running in an chroot jail.\n"); - } - - &B_log("ACTION","The jail is located in " . $apacheJailDir . "\n"); - - if ($todo_header !=1){ - &B_TODO("\n---------------------------------\nApache Chroot:\n" . - "---------------------------------\n"); - } - &B_TODO("$serverString Chroot Jail:\n" . - "httpd.conf contains the Apache dependencies. You should\n" . - "review this file to ensure that the dependencies made it\n" . - "into the jail. Otherwise, you run a risk of your Apache server\n" . - "not having access to all its modules and functionality.\n"); - - - } - -} - - -sub isSystemTrusted { - my $getprdef = &getGlobal('BIN',"getprdef"); - my $definition = &B_Backtick("$getprdef -t 2>&1"); - if($definition =~ "System is not trusted.") { - return 0; - } else { - return 1; - } -} - - -sub isTrustedMigrationAvailable { - my $distroVersion=''; - - if (&GetDistro =~ '^HP-UX11.(\d*)') { - $distroVersion=$1; - if ($distroVersion < 23) { # Not available before 11.23 - return 0; #FALSE - } elsif ($distroVersion >= 31) { #Bundled with 11.31 and after - &B_log('DEBUG','isTrustedMigrationAvailable: HP-UX 11.31 always has trusted mode extensions'); - return 1; - } elsif ($distroVersion == 23) { # Optional on 11.23 if filesets installed - if ( -x &getGlobal('BIN',"userdbget") ) { - &B_log('DEBUG','isTrustedMigrationAvailable: Trusted Extensions Installed'); - return 1; - } else { - &B_log('DEBUG','isTrustedMigrationAvailable: Trusted Extensions Not Installed'); - return 0; #FALSE - } - } else { - &B_log('DEBUG','isTrustedMigrationAvailable: ' . &GetDistro . - ' not currently supported for trusted extentions.'); - return 0; #FALSE - } - } else { - &B_log('WARNING','isTrustedMigrationAvailable: HP-UX routine called on Linux system'); - return 0; #FALSE - } -} - - - -########################################################################### -# &checkServiceOnHPUX($service); -# -# Checks if the given service is running on an HP/UX system. This is -# called by B_is_Service_Off(), which is the function that Bastille -# modules should call. -# -# Return values: -# NOTSECURE_CAN_CHANGE() if the service is on -# SECURE_CANT_CHANGE() if the service is off -# INCONSISTENT() if the state of the service cannot be determined -# NOT_INSTALLED() if the s/w isn't insalled -# -########################################################################### -sub checkServiceOnHPUX($) { - my $service=$_[0]; - - # get the list of parameters which could be used to initiate the service - # (could be in /etc/rc.config.d, /etc/inetd.conf, or /etc/inittab, so we - # check all of them) - my @params= @{ &getGlobal('SERVICE',$service) }; - my $grep =&getGlobal('BIN', 'grep'); - my $inetd=&getGlobal('FILE', 'inetd.conf'); - my $inittab=&getGlobal('FILE', 'inittab'); - my $retVals; - my $startup=&getGlobal('DIR','initd') ; - my @inet_bins= @{ &getGlobal('PROCESS',$service) }; - - my $entry_found = 0; - - &B_log("DEBUG","CheckHPUXservice: $service"); - my $full_initd_path = $startup . "/" . $service; - if ($GLOBAL_SERVTYPE{$service} eq "rc") { # look for the init script in /sbin/init.d - if (not(-e $full_initd_path )) { - return NOT_INSTALLED(); - } - } else { #inet-based service, so look for inetd.conf entries. - &B_log("DEBUG","Checking inet service $service"); - my @inet_entries= @{ &getGlobal('SERVICE',$service) }; - foreach my $service (@inet_entries) { - &B_log('DEBUG',"Checking for inetd.conf entry of $service in checkService on HPUX"); - my $service_regex = '^[#\s]*' . $service . '\s+'; - if ( &B_match_line($inetd, $service_regex) ) { # inet entry search - &B_log('DEBUG',"$service present, entry exists"); - $entry_found = 1 ; - } - } - if ($entry_found == 0 ) { - return NOT_INSTALLED(); - } - } - - foreach my $param (@params) { - &B_log("DEBUG","Checking to see if service $service is off.\n"); - if (&getGlobal('SERVTYPE', $service) =~ /rc/) { - my $ch_rc=&getGlobal('BIN', 'ch_rc'); - my $on=&B_Backtick("$ch_rc -l -p $param"); - - $on =~ s/\s*\#.*$//; # remove end-of-line comments - $on =~ s/^\s*\"(.+)\"\s*$/$1/; # remove surrounding double quotes - $on =~ s/^\s*\'(.+)\'\s*$/$1/; # remove surrounding single quotes - $on =~ s/^\s*\"(.+)\"\s*$/$1/; # just in case someone did '"blah blah"' - - chomp $on; - &B_log("DEBUG","ch_rc returned: $param=$on in checkServiceOnHPUX"); - - if ($on =~ /^\d+$/ && $on != 0) { - # service is on - &B_log("DEBUG","CheckService found $param service is set to \'on\' in scripts."); - return NOTSECURE_CAN_CHANGE(); - } - elsif($on =~ /^\s*$/) { - # if the value returned is an empty string return - # INCONSISTENT(), since we don't know what the hard-coded default is. - return INCONSISTENT(); - } - } else { - # those files which rely on comments to determine what gets - # turned on, such as inetd.conf and inittab - my $inettabs=&B_Backtick("$grep -e '^[[:space:]]*$param' $inetd $inittab"); - if ($inettabs =~ /.+/) { # . matches anything except newlines - # service is not off - &B_log("DEBUG","Checking inetd.conf and inittab; found $inettabs"); - ########################### BREAK out, don't skip question - return NOTSECURE_CAN_CHANGE(); - } - } - } # foreach $param - - # boot-time parameters are not set; check processes - # checkprocs for services returns INCONSISTENT() if a service is found - # since a found-service is inconsistent with the above checks. - B_log("DEBUG","Boot-Parameters not set, checking processes."); - if (&runlevel < 2) { # Below runlevel 2, it is unlikely that - #services will be running, so just check "on-disk" state - &B_log("NOTE","Running during boot sequence, so skipping process checks"); - return SECURE_CANT_CHANGE(); - } else { - return &checkProcsForService($service); - } -} - -sub runlevel { - my $who = &getGlobal("BIN", "who"); - my $runlevel = &B_Backtick("$who -r"); - if ($runlevel =~ s/.* run-level (\S).*/$1/) { - &B_log("DEBUG","Runlevel is: $runlevel"); - return $runlevel; - } else { - &B_log("WARNING","Can not determine runlevel, assuming runlevel 3"); - &B_log("DEBUG","Runlevel command output: $runlevel"); - return "3"; #safer since the who command didn't work, we'll assume - # runlevel 3 since that provides more checks. - } -} - -# -# given a profile file, it will return a PATH array set by the file. -# -sub B_get_path($) { - my $file = $_[0]; - my $sh = &getGlobal("BIN", "sh"); - # use (``)[0] is becuase, signal 0 maybe trapped which will produce some stdout - my $path = (`$sh -c '. $file 1>/dev/null 2>&1 < /dev/null ; echo \$PATH'`)[0]; - my @path_arr = split(":", $path); - my %tmp_path; - my %path; - for my $tmpdir (@path_arr) { - chomp $tmpdir; - if ($tmpdir ne "" && ! $tmp_path{$tmpdir}) { - $tmp_path{$tmpdir}++; - } - } - return keys %tmp_path; -} - -# Convert to trusted mode if it's not already -sub convertToTrusted { - &B_log("DEBUG","# sub convertToTrusted \n"); - if( ! &isSystemTrusted) { - - my ($ok, $message) = &isOKtoConvert; - - my $ts_header="\n---------------------------------\nTrusted Systems:\n" . - "---------------------------------\n"; - - if ($ok) { - # actually do the conversion - if(&B_System(&getGlobal('BIN','tsconvert'), &getGlobal('BIN','tsconvert') . " -r")){ - # adjust change times for user passwords to keep them valid - # default is to expire them when converting to a trusted system, - # which can be problematic, especially since some older versions of - # SecureShell do not allow the user to change the password - &B_System(&getGlobal('BIN','modprpw') . " -V", ""); - - my $getprdef = &getGlobal('BIN','getprdef'); - my $oldsettings = &B_Backtick("$getprdef -m lftm,exptm,mintm,expwarn,umaxlntr"); - $oldsettings =~ s/ //g; - - # remove password lifetime and increasing login tries so they - # don't lock themselves out of the system entirely. - # set default expiration time and the like. - my $newsettings="lftm=0,exptm=0,mintm=0,expwarn=0,umaxlntr=10"; - - &B_System(&getGlobal('BIN','modprdef') . " -m $newsettings", - &getGlobal('BIN','modprdef') . " -m $oldsettings"); - - &B_TODO($ts_header . - "Your system has been converted to a trusted system.\n" . - "You should review the security settings available on a trusted system.\n". - "$message"); - - # to get rid of "Cron: Your job did not contain a valid audit ID." - # error, we re-read the crontab file after converting to trusted mode - # Nothing is necessary in "revert" since we won't be in trusted mode - # at that time. - # crontab's errors can be spurious, and this will report an 'error' - # of the crontab file is missing, so we send stderr to the bit bucket - my $crontab = &getGlobal('BIN',"crontab"); - &B_System("$crontab -l 2>/dev/null | $crontab",""); - } - - } else { - &B_TODO($ts_header . $message); - return 0; # not ok to convert, so we didn't - } - } - else { - &B_log("DEBUG","System is already in trusted mode, no action taken.\n"); - return 1; - } - - # just to make sure - if( &isSystemTrusted ) { - return 1; - } else { - &B_log("ERROR","Trusted system conversion was unsuccessful for an unknown reason.\n" . - " You may try using SAM/SMH to do the conversion instead of Bastille.\n"); - return 0; - } -} - -# isOKtoConvert - check for conflicts between current system state and trusted -# mode -# -# Return values -# 0 - conflict found, see message for details -# 1 - no conflicts, see message for further instructions -# -sub isOKtoConvert { - &B_log("DEBUG","# sub isOKtoConvert \n"); - # initialize text for TODO instructions - my $specialinstructions=" - convert to trusted mode\n"; - - # These are somewhat out-of-place, but only affect the text of the message. - # Each of these messages is repeated in a separate TODO item in the - # appropriate subroutine. - if (&getGlobalConfig("AccountSecurity","single_user_password") eq "Y") { - if (&GetDistro =~ "^HP-UX11.(.*)" and $1<23 ) { - $specialinstructions .= " - set a single user password\n"; - } - } - - if (&getGlobalConfig("AccountSecurity","passwordpolicies") eq "Y") { - $specialinstructions .= " - set trusted mode password policies\n"; - } - - if (&getGlobalConfig("AccountSecurity", "PASSWORD_HISTORY_DEPTHyn") eq "Y") { - $specialinstructions .= " - set a password history depth\n"; - } - - if (&getGlobalConfig("AccountSecurity","system_auditing") eq "Y") { - $specialinstructions .= " - enable auditing\n"; - } - - my $saminstructions= - "The security settings can be modified by running SAM as follows:\n" . - "# sam\n" . - "Next, go to the \"Auditing and Security Area\" and review\n" . - "each sub-section. Make sure that you review all of your\n" . - "settings, as some policies may seem restrictive.\n\n" . - "On systems using the System Management Homepage, you can\n". - "change your settings via the Tools:Security Attributes Configuration\n". - "section. On some systems, you may also have the option of using SMH.\n\n"; - - # First, check for possible conflicts and corner cases - - # check nsswitch for possible conflicts - my $nsswitch = &getGlobal('FILE', 'nsswitch.conf'); - if ( -e $nsswitch) { - open(FILE, $nsswitch); - while (<FILE>) { - if (/nis/ or /compat/ or /ldap/) { - my $message = "Bastille found a possible conflict between trusted mode and\n" . - "$nsswitch. Please remove all references to\n" . - "\"compat\", \"nis\" and \"ldap\" in $nsswitch\n" . - "and rerun Bastille, or use SAM/SMH to\n" . - "$specialinstructions\n". - "$saminstructions"; - close(FILE); - return (0,$message); - } - } - close(FILE); - } - - # check the namesvrs config file for possible NIS conflicts - #Changed to unless "Y AND Y" since question can be skipped when nis is off - # but corner cases can still exist, so check then too. - unless ( &getGlobalConfig('MiscellaneousDaemons','nis_client') eq "Y" and - &getGlobalConfig('MiscellaneousDaemons','nis_server') eq "Y" ) { - my $namesvrs = &getGlobal('FILE', 'namesvrs'); - if (open(FILE, $namesvrs)) { - while (<FILE>) { - if (/^NIS.*=["]?1["]?$/) { - my $message= "Possible conflict between trusted mode and NIS found.\n". - "Please use SAM/SMH to\n" . - " - turn off NIS\n" . - "$specialinstructions\n". - "$saminstructions"; - close(FILE); - return (0,$message); - } - } - close(FILE); - } else { - &B_log("ERROR","Unable to open $namesvrs for reading."); - my $message= "Possible conflict between trusted mode and NIS found.\n". - "Please use SAM/SMH to\n" . - " - turn off NIS\n" . - "$specialinstructions\n". - "$saminstructions"; - return (0,$message); - } - if ( &B_match_line (&getGlobal("FILE","passwd"),"^\+:.*")) { - my $message= '"+" entry found in passwd file. These are not\n' . - "compatible with Trusted Mode. Either remove the entries\n" . - "and re-run Bastille, or re-run Bastille, and direct it to\n" . - "disable NIS client and server.\n"; - return (0,$message); - } - - } - - - # check for conflicts with DCE integrated login - my $authcmd = &getGlobal('BIN','auth.adm'); - if ( -e $authcmd ) { - my $retval = system("PATH=/usr/bin $authcmd -q 1>/dev/null 2>&1"); - if ($retval != 0 and $retval != 1) { - my $message="It appears that DCE integrated login is configured on this system.\n" . - "DCE integrated login is incompatible with trusted systems and\n" . - "auditing. Bastille is unable to\n" . - "$specialinstructions" . - "You will need to configure auditing and password policies using DCE.\n\n"; - return (0,$message); - } - } - - if ( -e &getGlobal('FILE','shadow') ) { - my $message="This system has already been converted to shadow passwords.\n" . - "Shadow passwords are incompatible with trusted mode.\n" . - "Bastille is unable to\n" . - "$specialinstructions" . - "If you desire these features, you should use\n". - "\'pwunconv\' to change back to standard passwords,\n". - "and then rerun Bastille.\n\n"; - return (0,$message); - } - - return (1,$saminstructions); -} - -# This routine allows Bastille to determine trusted-mode extension availability - -sub convertToShadow { - - if (&isSystemTrusted) { - # This is an internal error...Bastille should not call this routine - # in this case. Error is here for robustness against future changes. - &B_log("ERROR","This system is already converted to trusted mode.\n" . - " Converting to shadow passwords will not be attempted.\n"); - return 0; - } - - # configuration files on which shadowed passwords depend - my $nsswitch_conf = &getGlobal('FILE',"nsswitch.conf"); - - # binaries used to convert to a shadowed password - my $pwconv = &getGlobal('BIN',"pwconv"); - my $echo = &getGlobal('BIN','echo'); # the echo is used to pipe a yes into the pwconv program as - # pwconv requires user interaction. - - # the binary used in a system revert. - my $pwunconv = &getGlobal('BIN',"pwunconv"); - #check the password file for nis usage and if the nis client - #or server is running. - if(-e $nsswitch_conf) { - # check the file for nis, nis+, compat, or dce usage. - if(&B_match_line($nsswitch_conf, '^\s*passwd:.+(nis|nisplus|dce|compat)')) { - my $shadowTODO = "\n---------------------------------\nHide encrypted passwords:\n" . - "---------------------------------\n" . - "This version of password shadowing does not support any repository other\n" . - "than files. In order to convert your password database to shadowed passwords\n" . - "there can be no mention of nis, nisplus, compat, or dce in the passwd\n" . - "field of the \"$nsswitch_conf\" file. Please make the necessary edits to\n" . - "the $nsswitch_conf file and run Bastille again using the command:\n" . - "\"bastille -b\"\n"; - # Adding the shadowTODO comment to the TODO list. - &B_TODO("$shadowTODO"); - # Notifing the user that the shadowed password coversion has failed. - &B_log("ERROR","Password Shadowing Conversion Failed\n" . - "$shadowTODO"); - # exiting the subroutine. - return 0; - } - - } - - # convert the password file to a shadowed repository. - if (( -e $pwconv ) and ( -e $pwunconv ) and - ( &B_System("$echo \"yes\" | $pwconv","$pwunconv") ) ){ - &B_TODO( "\n---------------------------------\nShadowing Password File:\n" . - "---------------------------------\n" . - "Your password file has been converted to use password shadowing.\n" . - "This version of password shadowing does not support any repository other\n" . - "than files. There can be no mention of nis, nisplus, compat, or dce\n" . - "in the passwd field of the \"$nsswitch_conf\" file.\n\n" ); - } else { - &B_log("ERROR","Conversion to shadow mode failed. The system may require ". - "a patch to be capable of switching to shadow mode, or the ". - "system my be in a state where conversion is not possible."); - } -} - - - -########################################################################## -# &getSupportedSettings(); -# Manipulates %trustedParameter and %isSupportedSetting, file-scoped variables -# -# Reads the password policy support matrix, which in-turn gives Bastille the -# places it should look for a given password policy setting. - -# Note the file was created like this so if could be maintained in an Excel(tm) -# spreadsheet, to optimize reviewability. TODO: consider other formats - -# File Format: -# HEADERS:<comment>,[<OS Version> <Mode> <Extensions>,]... -# [ -# :<label>:<trusted equivalent>,,,,,,,,,,,,<comment> -# <action> (comment), [<test value>,]... -# ] ... -# Example; -# HEADERS:Information Source (trusted equiv),11.11 Standard no-SMSE,11.11 Trusted no-SMSE,11.11 Shadow no-SMSE,11.23 Standard no-SMSE,11.23 Trusted no-SMSE,11.23 Shadow no-SMSE,11.23 Standard SMSE,11.23 Shadow SMSE,11.23 Trusted SMSE,11.31 Trusted SMSE,11.31 Shadow SMSE,11.31 Standard SMSE,Other Exceptions -#:ABORT_LOGIN_ON_MISSING_HOMEDIR,,,,,,,,,,,,,root -#/etc/security.dsc (search),x,,xx,x,x,x,!,!,!,!,!,!, -#/etc/default/security(search),y,y,y,y,y,y,y,y,y,y,y,y, -#getprdef (execute with <Trusted Equiv> argument),x,x,x,x,x,x,x,x,x,x,x,x, - -########################################################################### -our %trustedParameter = (); -our %isSupportedSetting = (); - -sub getSupportedSettings() { - - my $line; # For a config file line - my $linecount = 0; - my $currentsetting = ""; - my @fields; # Fields in a given line - my @columns; #Column Definitions - - - &B_open(*SETTINGSFILE,&getGlobal('BFILE','AccountSecSupport')); - my @settingLines=<SETTINGSFILE>; - &B_close(*SETTINGSFILE); - - #Remove blank-lines and comments - @settingLines = grep(!/^#/,@settingLines); - @settingLines = grep(!/^(\s*,+)*$/,@settingLines); - - foreach $line (@settingLines) { - ++$linecount; - @fields = split(/,/,$line); - if ($line =~ /^Information Source:/) { #Sets up colums - my $fieldcount = 1; #Skipping first field - while ((defined($fields[$fieldcount])) and - ($fields[$fieldcount] =~ /\d+\.\d+/)){ - my @subfields = split(/ /,$fields[$fieldcount]); - my $fieldsCount = @subfields; - if ($fieldsCount != 3){ - &B_log("ERROR","Invalid subfield count: $fieldsCount in:". - &getGlobal('BFILE','AccountSecSupport') . - " line: $linecount and field: $fieldcount"); - } - $columns[$fieldcount] = {OSVersion => $subfields[0], - Mode => $subfields[1], - Extension => $subfields[2] }; - &B_log("DEBUG","Found Header Column, $columns[$fieldcount]{'OSVersion'}, ". - $columns[$fieldcount]{'Mode'} ." , " . - $columns[$fieldcount]{'Extension'}); - ++$fieldcount; - } # New Account Seting ex: - } elsif ($line =~ /^:([^,:]+)(?::([^,]+))?/) { # :PASSWORD_WARNDAYS:expwarn,,,,,,,,,,,, - $currentsetting = $1; - if (defined($2)) { - $trustedParameter{"$currentsetting"}=$2; - } - &B_log("DEBUG","Found Current Setting: ". $currentsetting . - "/" . $trustedParameter{"$currentsetting"}); - } elsif (($line =~ /(^[^, :\)\(]+)[^,]*,((?:(?:[!y?nx]|!!),)+)/) and #normal line w/ in setting ex: - ($currentsetting ne "")){ # security.dsc (search),x,x,x,x,x,!,!!,!,!,!,!, - my $placeToLook = $1; - my $fieldcount = 1; #Skip the first one, which we used in last line - while (defined($fields[$fieldcount])) { - &B_log("DEBUG","Setting $currentsetting : $columns[$fieldcount]{OSVersion} , ". - "$columns[$fieldcount]{Mode} , ". - "$columns[$fieldcount]{Extension} , ". - "$placeToLook, to $fields[$fieldcount]"); - $isSupportedSetting{"$currentsetting"} - {"$columns[$fieldcount]{OSVersion}"} - {"$columns[$fieldcount]{Mode}"} - {"$columns[$fieldcount]{Extension}"} - {"$placeToLook"} = - $fields[$fieldcount]; - ++$fieldcount; - } - } else { - if ($line !~ /^,*/) { - &B_log("ERROR","Incorrectly Formatted Line at ". - &getGlobal('BFILE','AccountSecSupport') . ": $linecount"); - } - } - } -} - -########################################################################## -# &B_get_sec_value($param); -# This subroutine finds the value for a given user policy parameter. -# Specifically, it supports the parameters listed in the internal data structure - -# Return values: -# 'Not Defined' if the value is not present or not uniquely defined. -# $value if the value is present and unique -# -########################################################################### -sub B_get_sec_value($) { - my $param=$_[0]; - - my $os_version; - if (&GetDistro =~ /^HP-UX\D*(\d+\.\d+)/ ){ - $os_version=$1; - } else { - &B_log("ERROR","B_get_sec_value only supported on HP-UX"); - return undef; - } -# my $sec_dsc = &getGlobal('FILE', 'security.dsc'); - my $sec_file = &getGlobal('FILE', 'security'); - my $getprdef = &getGlobal('BIN','getprdef'); - my $getprpw = &getGlobal('BIN','getprpw'); - my $userdbget = &getGlobal('BIN','userdbget'); - my $passwd = &getGlobal('BIN','passwd'); - - my $sec_flags = ""; - my @sec_settings=(); - my $user_sec_setting=""; - - my $security_mode="Standard"; - my $security_extension="no-SMSE"; - - &B_log("DEBUG","Entering get_sec_value for: $param"); - - sub isok ($) { # Locally-scoped subroutine, takes supported-matrix entry as argument - my $supportedMatrixEntry = $_[0]; - - if ($supportedMatrixEntry =~ /!/) { #Matrix Entry for "Documented and/or tested" - &B_log("DEBUG","isOk TRUE: $supportedMatrixEntry"); - return 1; - } else { - &B_log("DEBUG","isOk FALSE: $supportedMatrixEntry"); - return 0; #FALSE - } - } #end local subroutine - - #Get Top Array item non-destructively - sub getTop (@) { - my @incomingArray = @_; - my $topval = pop(@incomingArray); - push(@incomingArray,$topval); #Probably redundant, but left in just in case. - return $topval; - } - - sub ifExistsPushOnSecSettings($$) { - my $sec_settings = $_[0]; - my $pushval = $_[1]; - - if ($pushval ne ""){ - push (@$sec_settings, $pushval); - } - } - - #prpw and prdef both use "YES" instead of "1" like the other settings. - sub normalizePolicy($){ - my $setting = $_[0]; - - $setting =~ s/YES/1/; - $setting =~ s/NO/1/; - - return $setting; - } - - - - if ((%trustedParameter == ()) or (%isSupportedSetting == ())) { - # Manipulates %trustedParameter and %isSupportedSetting - &getSupportedSettings; - } - - #First determine the security mode - my $shadowFile = &getGlobal("FILE","shadow"); - my $passwdFile = &getGlobal("FILE","passwd"); - - if (&isSystemTrusted) { - $security_mode = 'Trusted'; - } elsif ((-e $shadowFile) and #check file exist, and that passwd has no non-"locked" accounts - (not(&B_match_line($passwdFile,'^[^\:]+:[^:]*[^:*x]')))) { - $security_mode = 'Shadow'; - } else { - $security_mode = 'Standard'; - } - if (&isTrustedMigrationAvailable) { - $security_extension = 'SMSE'; - } else { - $security_extension = 'no-SMSE'; - } - &B_log("DEBUG","Security mode: $security_mode extension: $security_extension"); - # Now look up the value from each applicable database, from highest precedence - # to lowest: - &B_log("DEBUG","Checking $param in userdbget"); - if (&isok($isSupportedSetting{$param}{$os_version}{$security_mode} - {$security_extension}{"userdbget_-a"})) { - &ifExistsPushOnSecSettings(\@sec_settings, - &B_getValueFromString('\w+\s+\w+=(\S+)', - &B_Backtick("$userdbget -a $param"))); - &B_log("DEBUG", $param . ":userdbget setting: ". &getTop(@sec_settings)); - } - &B_log("DEBUG","Checking $param in passwd"); - if (&isok($isSupportedSetting{$param}{$os_version}{$security_mode} - {$security_extension}{"passwd_-sa"})) { - if ($param eq "PASSWORD_MINDAYS") { - &ifExistsPushOnSecSettings(\@sec_settings, - &B_getValueFromString('(?:\w+\s+){2}[\d\/]+\s+(\d+)\s+\d+', - &B_Backtick("$passwd -s -a"))); - } elsif ($param eq "PASSWORD_MAXDAYS") { - &ifExistsPushOnSecSettings(\@sec_settings, - &B_getValueFromString('(?:\w+\s+){2}[\d\/]+\s+\d+\s+(\d+)', - &B_Backtick("$passwd -s -a"))); - } elsif ($param eq "PASSWORD_WARNDAYS") { - &ifExistsPushOnSecSettings(\@sec_settings, - &B_getValueFromString('(?:\w+\s+){2}[\d\/]+(?:\s+\d+){2}\s+(\d+)', - &B_Backtick("$passwd -s -a"))); - } - &B_log("DEBUG", $param . ":passwd -sa setting: ". &getTop(@sec_settings)); - } - &B_log("DEBUG","Checking $param in get prpw"); - if (&isok($isSupportedSetting{$param}{$os_version}{$security_mode} - {$security_extension}{"getprpw"})) { - my $logins = &getGlobal("BIN","logins"); - my @userArray = split(/\n/,`$logins`); - my $userParamVals = ''; - foreach my $rawuser (@userArray) { - $rawuser =~ /^(\S+)/; - my $user = $1; - my $nextParamVal=&B_Backtick("$getprpw -l -m $trustedParameter{$param} $user"); - $nextParamVal =~ s/\w*=(-*[\w\d]*)/$1/; - if ($nextParamVal != -1) { #Don't count users for which the local DB is undefined - $userParamVals .= $user . "::::" . $nextParamVal ."\n"; - } - } #Note getValueFromStrings deals with duplicates, returning "Not Unigue" - my $policySetting = &B_getValueFromString('::::(\S+)',"$userParamVals"); - &ifExistsPushOnSecSettings (\@sec_settings, &normalizePolicy($policySetting)); - &B_log("DEBUG", $param . ":prpw setting: ". &getTop(@sec_settings)); - } - &B_log("DEBUG","Checking $param in get prdef"); - if (&isok($isSupportedSetting{$param}{$os_version}{$security_mode} - {$security_extension}{"getprdef"})) { - $_ = &B_Backtick ("$getprdef -m " . $trustedParameter{$param}); - /\S+=(\S+)/; - my $policySetting = $1; - &ifExistsPushOnSecSettings(\@sec_settings, &normalizePolicy($policySetting)); - &B_log("DEBUG", $param . ":prdef setting: ". &getTop(@sec_settings)); - - } - &B_log("DEBUG","Checking $param in default security"); - if (&isok($isSupportedSetting{$param}{$os_version}{$security_mode} - {$security_extension}{"/etc/default/security"})) { - &ifExistsPushOnSecSettings(\@sec_settings,&B_getValueFromFile('^\s*'. $param . - '\s*=\s*([^\s#]+)\s*$', $sec_file)); - &B_log("DEBUG", $param . ":default setting: ". &getTop(@sec_settings)); - } - #Commented below code in 3.0 release to avoid implication that bastille - #had ever set these values explicitly, and the implications to runnable - #config files where Bastille would then apply the defaults as actual policy - #with possible conversion to shadow or similar side-effect. - -# &B_log("DEBUG","Checking $param in security.dsc"); - #security.dsc, only added in if valid for OS/mode/Extension, and nothing else - #is defined (ie: @sec_settings=0) -# if ((&isok($isSupportedSetting{$param}{$os_version}{$security_mode} -# {$security_extension}{"/etc/security.dsc"})) and (@sec_settings == 0)) { -# &ifExistsPushOnSecSettings(\@sec_settings, &B_getValueFromFile('^' . $param . -# ';(?:[-\w/]*;){2}([-\w/]+);', $sec_dsc)); -# &B_log("DEBUG", $param . ":security.dsc: ". &getTop(@sec_settings)); -# } - - # Return what we found - my $last_setting=undef; - my $current_setting=undef; - while (@sec_settings > 0) { - $current_setting = pop(@sec_settings); - &B_log("DEBUG","Comparing $param configuration for identity: " . - $current_setting); - if ((defined($current_setting)) and ($current_setting ne '')) { - if (not(defined($last_setting))){ - $last_setting=$current_setting; - } elsif (($last_setting ne $current_setting) or - ($current_setting eq 'Not Unique')){ - &B_log("DEBUG","$param setting not unique."); - return 'Not Unique'; # Inconsistent state found, return 'Not Unique' - } - } - } - if ((not(defined($last_setting))) or ($last_setting eq '')) { - return undef; - } else { - return $last_setting; - } - -} #End B_get_sec_value - -sub secureIfNoNameService($){ - my $retval = $_[0]; - - if (&isUsingRemoteNameService) { - return MANUAL(); - } else { - return $retval; - } -} - -#Specifically for cleartext protocols like NIS, which are not "secure" -sub isUsingRemoteNameService(){ - - if (&remoteServiceCheck('nis|nisplus|dce') == SECURE_CAN_CHANGE()){ - return 0; #false - } else { - return 1; - } -} - - - -########################################### -## This is a wrapper for two functions that -## test the existence of nis-like configurations -## It is used by both the front end test and the back-end run -############################################## -sub remoteServiceCheck($){ - my $regex = $_[0]; - - my $nsswitch_conf = &getGlobal('FILE',"nsswitch.conf"); - my $passwd = &getGlobal('FILE',"passwd"); - - # check the file for nis usage. - if (-e $nsswitch_conf) { - if (&B_match_line($nsswitch_conf, '^\s*passwd:.*('. $regex . ')')) { - return NOTSECURE_CAN_CHANGE(); - } elsif ((&B_match_line($nsswitch_conf, '^\s*passwd:.*(compat)')) and - (&B_match_line($passwd, '^\s*\+'))) { - return NOTSECURE_CAN_CHANGE(); # true - } - } elsif ((&B_match_line($passwd, '^\s*\+'))) { - return NOTSECURE_CAN_CHANGE(); - } - - my $oldnisdomain=&B_get_rc("NIS_DOMAIN"); - if ((($oldnisdomain eq "") or ($oldnisdomain eq '""')) and (&checkServiceOnHPUX('nis.client'))){ - return SECURE_CAN_CHANGE(); - } - return NOTSECURE_CAN_CHANGE(); -} - -############################################# -# remoteNISPlusServiceCheck -# test the existence of nis+ configuration -############################################# -sub remoteNISPlusServiceCheck () { - - my $nsswitch_conf = &getGlobal('FILE',"nsswitch.conf"); - - # check the file for nis+ usage. - if (-e $nsswitch_conf) { - if (&B_match_line($nsswitch_conf, 'nisplus')) { - return NOTSECURE_CAN_CHANGE(); - } - } - - return &checkServiceOnHPUX('nisp.client'); -} - - -########################################################################## -# This subroutine creates nsswitch.conf file if the file not exists, -# and then append serveral services into the file if the service not -# exists in the file. -########################################################################## -sub B_create_nsswitch_file ($) { - my $regex = $_[0]; - - my $nsswitch = &getGlobal('FILE',"nsswitch.conf"); - - if( ! -f $nsswitch ) { - &B_create_file($nsswitch); - # we don't need to revert the permissions change because we just - # created the file - chmod(0444, $nsswitch); - - &B_append_line($nsswitch,'\s*passwd:', "passwd: $regex\n"); - &B_append_line($nsswitch,'\s*group:', "group: $regex\n"); - &B_append_line($nsswitch,'\s*hosts:', "hosts: $regex\n"); - &B_append_line($nsswitch,'\s*networks:', "networks: $regex\n"); - &B_append_line($nsswitch,'\s*protocols:', "protocols: $regex\n"); - &B_append_line($nsswitch,'\s*rpc:', "rpc: $regex\n"); - &B_append_line($nsswitch,'\s*publickey:', "publickey: $regex\n"); - &B_append_line($nsswitch,'\s*netgroup:', "netgroup: $regex\n"); - &B_append_line($nsswitch,'\s*automount:', "automount: $regex\n"); - &B_append_line($nsswitch,'\s*aliases:', "aliases: $regex\n"); - &B_append_line($nsswitch,'\s*services:', "services: $regex\n"); - } -} - -1; - |