diff options
Diffstat (limited to 'dynamic-layers/meta-perl/recipes-security/bastille/files/HPSpecific.pm')
| -rw-r--r-- | dynamic-layers/meta-perl/recipes-security/bastille/files/HPSpecific.pm | 1983 |
1 files changed, 1983 insertions, 0 deletions
diff --git a/dynamic-layers/meta-perl/recipes-security/bastille/files/HPSpecific.pm b/dynamic-layers/meta-perl/recipes-security/bastille/files/HPSpecific.pm new file mode 100644 index 0000000..7e7d709 --- /dev/null +++ b/dynamic-layers/meta-perl/recipes-security/bastille/files/HPSpecific.pm @@ -0,0 +1,1983 @@ +package Bastille::API::HPSpecific; + +use strict; +use Bastille::API; +use Bastille::API::FileContent; + +require Exporter; +our @ISA = qw(Exporter); +our @EXPORT_OK = qw( +getIPFLocation +getGlobalSwlist +B_check_system +B_swmodify +B_load_ipf_rules +B_Schedule +B_ch_rc +B_set_value +B_chperm +B_install_jail +B_list_processes +B_list_full_processes +B_deactivate_inetd_service +B_get_rc +B_set_rc +B_chrootHPapache +isSystemTrusted +isTrustedMigrationAvailable +checkServiceOnHPUX +B_get_path +convertToTrusted +isOKtoConvert +convertToShadow +getSupportedSettings +B_get_sec_value +secureIfNoNameService +isUsingRemoteNameService +remoteServiceCheck +remoteNISPlusServiceCheck +B_create_nsswitch_file +B_combine_service_results + +%priorBastilleNDD +%newNDD +); +our @EXPORT = @EXPORT_OK; + + + +# "Constants" for use both in testing and in lock-down +our %priorBastilleNDD = ( + "ip_forward_directed_broadcasts" =>["ip", "0"], + "ip_forward_src_routed" =>["ip", "0"], + "ip_forwarding" =>["ip", "0"], + "ip_ire_gw_probe" =>["ip", "0"], + "ip_pmtu_strategy" =>["ip", "1"], + "ip_respond_to_echo_broadcast" =>["ip", "0"], + "ip_send_redirects" =>["ip", "0"], + "ip_send_source_quench" =>["ip", "0"], + "tcp_syn_rcvd_max" =>["tcp","1000"], + "tcp_conn_request_max" =>["tcp","4096"] ); + +our %newNDD = ( + "ip_forward_directed_broadcasts" =>["ip", "0"], + "ip_forward_src_routed" =>["ip", "0"], + "ip_forwarding" =>["ip", "0"], + "ip_ire_gw_probe" =>["ip", "0"], + "ip_pmtu_strategy" =>["ip", "1"], + "ip_respond_to_echo_broadcast" =>["ip", "0"], + "ip_send_redirects" =>["ip", "0"], + "ip_send_source_quench" =>["ip", "0"], + "tcp_syn_rcvd_max" =>["tcp","4096"], + "tcp_conn_request_max" =>["tcp","4096"], + "arp_cleanup_interval" =>["arp","60000"], + "ip_respond_to_timestamp" =>["ip", "0"], + "ip_respond_to_timestamp_broadcast" => ["ip","0"] ); + + +#################################################################### +# +# This module makes up the HP-UX specific API routines. +# +#################################################################### +# +# Subroutine Listing: +# &HP_ConfigureForDistro: adds all used file names to global +# hashes and generates a global IPD +# hash for SD modification lookup. +# +# &getGlobalSwlist($): Takes a fully qualified file name +# and returns product:filset info +# for that file. returns undef if +# the file is not present in the IPD +# +# &B_check_system: Runs a series of system queries to +# determine if Bastille can be safely +# ran on the current system. +# +# &B_swmodify($): Takes a file name and runs the +# swmodify command on it so that the +# IPD is updated after changes +# +# &B_System($$): Takes a system command and the system +# command that should be used to revert +# whatever was done. Returns 1 on +# success and 0 on failure +# +# &B_Backtick($) Takes a command to run and returns its stdout +# to be used in place of the prior prevelent use +# of un-error-handled backticks +# +# &B_load_ipf_rules($): Loads a set of ipfrules into ipf, storing +# current rules for later reversion. +# +# &B_Schedule($$): Takes a pattern and a crontab line. +# Adds or replaces the crontab line to +# the crontab file, depending on if a +# line matches the pattern +# +# &B_ch_rc($$): Takes a the rc.config.d flag name and +# new value as well as the init script +# location. This will stop a services +# and set the service so that it will +# not be restarted. +# +# &B_set_value($$$): Takes a param, value, and a filename +# and sets the given value in the file. +# Uses ch_rc, but could be rewritten using +# Bastille API calls to make it work on Linux +# +# &B_TODO($): Appends the give string to the TODO.txt +# file. +# +# &B_chperm($$$$): Takes new perm owner and group of given +# file. TO BE DEPRECATED!!! +# +# &B_install_jail($$): Takes the jail name and the jail config +# script location for a give jail... +# These scripts can be found in the main +# directory e.g. jail.bind.hpux +# +##################################################################### + +############################################################################## +# +# HP-UX Bastille directory structure +# +############################################################################## +# +# /opt/sec_mgmt/bastille/bin/ -- location of Bastille binaries +# /opt/sec_mgmt/bastille/lib/ -- location of Bastille modules +# /opt/sec_mgmt/bastille/doc/ -- location of Bastille doc files +# +# /etc/opt/sec_mgmt/bastille/ -- location of Bastille config files +# +# /var/opt/sec_mgmt/bastille/log -- location of Bastille log files +# /var/opt/sec_mgmt/bastille/revert -- directory holding all Bastille- +# created revert scripts +# /var/opt/sec_mgmt/bastille/revert/backup -- directory holding the original +# files that Bastille modifies, +# with permissions intact +# +############################################################################## + +sub getIPFLocation () { # Temporary until we get defined search space support + my $ipf=&getGlobal('BIN','ipf_new'); + my $ipfstat=&getGlobal('BIN','ipfstat_new'); + if (not(-e $ipf)) { # Detect if the binaries moved + $ipf = &getGlobal('BIN','ipf'); + $ipfstat=&getGlobal('BIN','ipfstat'); + } + return ($ipf, $ipfstat); +} + +############################################## +# Given a combination of service results, provided +# in an array, this function combines the result into +# a reasonable aggregate result +############################################## + +sub B_combine_service_results(@){ + my @results = @_; + + #TODO: Consider greater sophistication wrt inconsistent, or not installed. + + foreach my $result (@results) { + if (not(($result == SECURE_CAN_CHANGE) or + ($result == SECURE_CANT_CHANGE) or + ($result == NOT_INSTALLED()))) { + return NOTSECURE_CAN_CHANGE(); + } + } + return SECURE_CANT_CHANGE(); +} + +#################################################################### +# &getGlobalSwlist ($file); +# This function returns the product and fileset information for +# a given file or directory if it exists in the IPD otherwise +# it returns undefined "undef" +# +# uses $GLOBAL_SWLIST{"$FILE"} +#################################################################### +sub getGlobalSwlist($){ + no strict; + my $file = $_[0]; + + + if(! %GLOBAL_SWLIST) { + # Generating swlist database for swmodify changes that will be required + # The database will be a hash of fully qualified file names that reference + # the files product name and fileset. These values are required to use + # swmodify... + + # Files tagged 'is_volatile' in the IPD are not entered in the swlist database + # in order to avoid invoking swmodify if the file is changed later. Attempting to + # swmodify 'volatile' files is both unneccessary and complicated since swverify will + # not evaluate volatile files anyway, and adding another value to the swlist database + # would require complex code changes. + + # temp variable to keep swlist command /usr/sbin/swlist + my $swlist = &getGlobal('BIN',"swlist"); + + # listing of each directory and file that was installed by SD on the target machine + my @fileList = `$swlist -a is_volatile -l file`; + + # listing of each patch and the patches that supersede each. + # hash which is indexed by patch.fileset on the system + my %patchSuperseded; + + my @patchList = `${swlist} -l fileset -a superseded_by *.*,c=patch 2>&1`; + # check to see if any patches are present on the system + if(($? >> 8) == 0) { + + # determining patch suppression for swmodify. + foreach my $patchState (@patchList) { + # removing empty lines and commented lines. + if($patchState !~ /^\s*\#/ && $patchState !~ /^\s*$/) { + + # removing leading white space + $patchState =~ s/^\s+//; + my @patches = split /\s+/, $patchState; + if($#patches == 0){ + # patch is not superseded + $patchSuperseded{$patches[0]} = 0; + } + else { + # patch is superseded + $patchSuperseded{$patches[0]} = 1; + } + } + } + } + else { + &B_log("DEBUG","No patches found on the system.\n"); + } + + if($#fileList >= 0){ + # foreach line of swlist output + foreach my $fileEntry ( @fileList ){ + #filter out commented portions + if( $fileEntry !~ /^\s*\#/ ){ + chomp $fileEntry; + # split the output into three fields: product.fileset, filename, flag_isvolatile + my( $productInfo, $file, $is_volatile ) = $fileEntry =~ /^\s*(\S+): (\S+)\t(\S+)/ ; + # do not register volatile files + next if ($is_volatile =~ /true/); # skip to next file entry + $productInfo =~ s/\s+//; + $file =~ s/\s+//; + # if the product is a patch + if($productInfo =~ /PH(CO|KL|NE|SS)/){ + # if the patch is not superseded by another patch + if($patchSuperseded{$productInfo} == 0){ + # add the patch to the list of owner for this file + push @{$GLOBAL_SWLIST{"$file"}}, $productInfo; + } + } + # not a patch. + else { + # add the product to the list of owners for this file + push @{$GLOBAL_SWLIST{"$file"}}, $productInfo; + } + + } + } + } + else{ + # defining GLOBAL_SWLIST in error state. + $GLOBAL_SWLIST{"ERROR"} = "ERROR"; + &B_log("ERROR","Could not execute swlist. Swmodifys will not be attempted"); + } + } + + if(exists $GLOBAL_SWLIST{"$file"}){ + return $GLOBAL_SWLIST{"$file"}; + } + else { + return undef; + } +} + +################################################################### +# &B_check_system; +# This subroutine is called to validate that bastille may be +# safely run on the current system. It will check to insure +# that there is enough file system space, mounts are rw, nfs +# mounts are not mounted noroot, and swinstall, swremove and +# swmodify are not running +# +# uses ErrorLog +# +################################################################## +sub B_check_system { + # exitFlag is one if a conflict with the successful execution + # of bastille is found. + my $exitFlag = 0; + + my $ignoreCheck = &getGlobal("BDIR","config") . "/.no_system_check"; + if( -e $ignoreCheck ) { + return $exitFlag; + } + + # first check for swinstall, swmodify, or swremove processes + my $ps = &getGlobal('BIN',"ps") . " -el"; + my @processTable = `$ps`; + foreach my $process (@processTable) { + if($process =~ /swinstall/ ) { + &B_log("ERROR","Bastille cannot run while a swinstall is in progress.\n" . + "Complete the swinstall operation and then run Bastille.\n\n"); + $exitFlag = 1; + } + + if($process =~ /swremove/ ) { + &B_log("ERROR","Bastille cannot run while a swremove is in progress.\n" . + "Complete the swremove operation and then run Bastille.\n\n"); + $exitFlag = 1; + } + + if($process =~ /swmodify/ ) { + &B_log("ERROR","Bastille cannot run while a swmodify is in progress.\n" . + "Complete the swmodify operation and then run Bastille.\n\n"); + $exitFlag = 1; + } + + } + + # check for root read only mounts for /var /etc /stand / + # Bastille is required to make changes to these file systems. + my $mount = &getGlobal('BIN',"mount"); + my $rm = &getGlobal('BIN',"rm"); + my $touch = &getGlobal('BIN',"touch"); + + my @mnttab = `$mount`; + + if(($? >> 8) != 0) { + &B_log("WARNING","Unable to use $mount to determine if needed partitions\n" . + "are root writable, based on disk mount options.\n" . + "Bastille will continue but note that disk\n" . + "mount checks were skipped.\n\n"); + } + else { + foreach my $record (@mnttab) { + my @fields = split /\s+/, $record; + if ((defined $fields[0]) && (defined $fields[2]) && (defined $fields[3])) { + my $mountPoint = $fields[0]; + my $mountType = $fields[2]; + my $mountOptions = $fields[3]; + + # checks for /stand and /var/* removed + if($mountPoint =~ /^\/$|^\/etc|^\/var$/) { + + if($mountOptions =~ /^ro,|,ro,|,ro$/) { + &B_log("ERROR","$mountPoint is mounted read-only. Bastille needs to make\n" . + "modifications to this file system. Please remount\n" . + "$mountPoint read-write and then run Bastille again.\n\n"); + $exitFlag = 1; + } + # looking for an nfs mounted file system + if($mountType =~/.+:\//){ + my $fileExisted=0; + if(-e "$mountPoint/.bastille") { + $fileExisted=1; + } + + `$touch $mountPoint/.bastille 1>/dev/null 2>&1`; + + if( (! -e "$mountPoint/.bastille") || (($? >> 8) != 0) ) { + &B_log("ERROR","$mountPoint is an nfs mounted file system that does\n" . + "not allow root to write to. Bastille needs to make\n" . + "modifications to this file system. Please remount\n" . + "$mountPoint giving root access and then run Bastille\n" . + "again.\n\n"); + + $exitFlag = 1; + } + # if the file did not exist befor the touch then remove the generated file + if(! $fileExisted) { + `$rm -f $mountPoint/.bastille 1>/dev/null 2>&1`; + } + } + } + } + else { + &B_log("WARNING","Unable to use $mount to determine if needed partitions\n" . + "are root writable, based on disk mount options.\n" . + "Bastille will continue but note that disk\n" . + "mount checks were skipped.\n\n"); + } + } + + } + + # checks for enough disk space in directories that Bastille writes to. + my $bdf = &getGlobal('BIN',"bdf"); + #directories that Bastille writes to => required space in kilobytes. + my %bastilleDirs = ( "/etc/opt/sec_mgmt/bastille" => "4", "/var/opt/sec_mgmt/bastille"=> "1000"); + for my $directory (sort keys %bastilleDirs) { + my @diskUsage = `$bdf $directory`; + + if(($? >> 8) != 0) { + &B_log("WARNING","Unable to use $bdf to determine disk usage for\n" . + "$directory\n" . + "Bastille will continue but note that disk\n" . + "usage checks were skipped.\n\n"); + + } + else { + # removing bdf header line from usage information. + shift @diskUsage; + my $usageString= ""; + + foreach my $usageRecord (@diskUsage) { + chomp $usageRecord; + $usageString .= $usageRecord; + } + + $usageString =~ s/^\s+//; + + my @fields = split /\s+/, $usageString; + if($#fields != 5) { + &B_log("WARNING","Unable to use $bdf to determine disk usage for\n" . + "$directory\n" . + "Bastille will continue but note that disk\n" . + "usage checks were skipped.\n\n"); + } + else { + + my $mountPoint = $fields[5]; + my $diskAvail = $fields[3]; + + if($diskAvail <= $bastilleDirs{"$directory"}) { + &B_log("ERROR","$mountPoint does not contain enough available space\n" . + "for Bastille to run properly. $directory needs\n" . + "at least $bastilleDirs{$directory} kilobytes of space.\n" . + "Please clear at least that amount of space from\n" . + "$mountPoint and run Bastille again.\n" . + "Current Free Space available = ${diskAvail} k\n\n"); + $exitFlag = 1; + } + } + } + } + + # check to make sure that we are in at least run level 2 before we attempt to run + my $who = &getGlobal('BIN', "who") . " -r"; + my $levelInfo = `$who`; + if(($? >> 8) != 0 ) { + &B_log("WARNING","Unable to use \"$who\" to determine system run.\n" . + "level Bastille will continue but note that the run\n" . + "level check was skipped.\n\n"); + } + else { + chomp $levelInfo; + my @runlevel = split /\s+/, $levelInfo; + if ((! defined $runlevel[3]) or ($runlevel[3] < 2)) { + &B_log("WARNING","Bastille requires a run-level of 2 or more to run properly.\n" . + "Please move your system to a higher run level and then\n" . + "run 'bastille -b'.\n\n"); + if(defined $runlevel[3]) { + &B_log("ERROR","Current run-level is '$runlevel[3]'.\n\n"); + $exitFlag=1; + } + else { + &B_log("WARNING","Unable to use \"$who\" to determine system run.\n" . + "level Bastille will continue but note that the run\n" . + "level check was skipped.\n\n"); + } + } + else { + &B_log("DEBUG","System run-level is $runlevel[3]\n"); + } + } + + if($exitFlag) { + exit(1); + } + +} + +################################################################### +# &B_swmodify($file); +# This subroutine is called after a file is modified. It will +# redefine the file in the IPD with it's new properties. If +# the file is not in the IPD it does nothing. +# +# uses B_System to make the swmodifications. +################################################################## +sub B_swmodify($){ + my $file = $_[0]; + if(defined &getGlobalSwlist($file)){ + my $swmodify = &getGlobal('BIN',"swmodify"); + my @productsInfo = @{&getGlobalSwlist($file)}; + # running swmodify on files that were altered by this function but + # were created and maintained by SD + foreach my $productInfo (@productsInfo) { + &B_System("$swmodify -x files='$file' $productInfo", + "$swmodify -x files='$file' $productInfo"); + } + } +} + +#################################################################### +# &B_load_ipf_rules($ipfruleset); +# This function enables an ipfruleset. It's a little more +# specific than most API functions, but necessary because +# ipf doesn't return correct exit codes (syntax error results +# in a 0 exit code) +# +# uses ActionLog and ErrorLog to log +# calls crontab directly (to list and to read in new jobs) +################################################################### +sub B_load_ipf_rules ($) { + my $ipfruleset=$_[0]; + + &B_log("DEBUG","# sub B_load_ipf_rules"); + + # TODO: grab ipf.conf dynamically from the rc.config.d files + my $ipfconf = &getGlobal('FILE','ipf.conf'); + + # file system changes - these are straightforward, and the API + # will take care of the revert + &B_create_file($ipfconf); + &B_blank_file($ipfconf, 'a$b'); + &B_append_line($ipfconf, 'a$b', $ipfruleset); + + # runtime changes + + # define binaries + my $grep = &getGlobal('BIN', 'grep'); + my ($ipf, $ipfstat) = &getIPFLocation; + # create backup rules + # This will exit with a non-zero exit code because of the grep + my @oldrules = `$ipfstat -io 2>&1 | $grep -v empty`; + + my @errors=`$ipf -I -Fa -f $ipfconf 2>&1`; + + if(($? >> 8) == 0) { + + &B_set_rc("IPF_START","1"); + &B_set_rc("IPF_CONF","$ipfconf"); + + # swap the rules in + &B_System("$ipf -s","$ipf -s"); + + # now create a "here" document with the previous version of + # the rules and put it into the revert-actions script + &B_revert_log("$ipf -I -Fa -f - <<EOF\n@{oldrules}EOF"); + + if (@errors) { + &B_log("ERROR","ipfilter produced the following errors when\n" . + " loading $ipfconf. You probably had an invalid\n" . + " rule in ". &getGlobal('FILE','customipfrules') ."\n". + "@errors\n"); + } + + } else { + &B_log("ERROR","Unable to run $ipf\n"); + } + +} + + + +#################################################################### +# &B_Schedule($pattern,$cronjob); +# This function schedules a cronjob. If $pattern exists in the +# crontab file, that job will be replaced. Otherwise, the job +# will be appended. +# +# uses ActionLog and ErrorLog to log +# calls crontab directly (to list and to read in new jobs) +################################################################### +sub B_Schedule ($$) { + my ($pattern,$cronjob)=@_; + $cronjob .= "\n"; + + &B_log("DEBUG","# sub B_Schedule"); + my $crontab = &getGlobal('BIN','crontab'); + + my @oldjobs = `$crontab -l 2>/dev/null`; + my @newjobs; + my $patternfound=0; + + foreach my $oldjob (@oldjobs) { + if (($oldjob =~ m/$pattern/ ) and (not($patternfound))) { + push @newjobs, $cronjob; + $patternfound=1; + &B_log("ACTION","changing existing cron job which matches $pattern with\n" . + "$cronjob"); + } elsif ($oldjob !~ m/$pattern/ ) { + &B_log("ACTION","keeping existing cron job $oldjob"); + push @newjobs, $oldjob; + } #implied: else if pattern matches, but we've + #already replaced one, then toss the others. + } + + unless ($patternfound) { + &B_log("ACTION","adding cron job\n$cronjob\n"); + push @newjobs, $cronjob; + } + + if(open(CRONTAB, "|$crontab - 2> /dev/null")) { + print CRONTAB @newjobs; + + # now create a "here" document with the previous version of + # the crontab file and put it into the revert-actions script + &B_revert_log("$crontab <<EOF\n" . "@oldjobs" . "EOF"); + close CRONTAB; + } + + # Now check to make sure it happened, since cron will exit happily + # (retval 0) with no changes if there are any syntax errors + my @editedjobs = `$crontab -l 2>/dev/null`; + + if (@editedjobs ne @newjobs) { + &B_log("ERROR","failed to add cron job:\n$cronjob\n" . + " You probably had an invalid crontab file to start with."); + } + +} + + +#This function turns off a service, given a service name defined in HP-UX.service + +sub B_ch_rc($) { + + my ($service_name)=@_; + + if (&GetDistro != "^HP-UX") { + &B_log("ERROR","Tried to call ch_rc $service_name on a non-HP-UX\n". + " system! Internal Bastille error."); + return undef; + } + my $configfile=""; + my $command = &getGlobal('BIN', 'ch_rc'); + + my $startup_script=&getGlobal('DIR','initd') . "/". $service_name; + my @rc_parameters= @{ &getGlobal('SERVICE',$service_name) }; + my @rcFiles=@{ &getGlobal('RCCONFIG',$service_name) }; + my $rcFile=''; + if (@rcFiles == 1){ + $rcFile=$rcFiles[0]; + } else { + &B_log("FATAL","Multiple RC Files not yet supported... internal error."); + } + + # if the service-related process is not run, and the control variable is stilll 1 + # there is a inconsistency. in this case we only need to change the control variable + my @psnames=@{ &getGlobal('PROCESS',$service_name)}; + my @processes; + foreach my $psname (@psnames) { + $psname .= '\b'; # avoid embedded match; anchor search pattern to trailing word boundry + my @procList = &isProcessRunning($psname); + if(@procList >= 0){ + splice @processes,$#processes+1,0,@procList; + } + } +#Actually set the rc variable + foreach my $rcVariable (@rc_parameters){ + my $orig_value = &B_get_rc($rcVariable); + if ($orig_value eq "" ) { #If variable not set, used the defined file + $configfile=&getGlobal("DIR","rc.config.d") . "/" . $rcFile; + if (not( -f $configfile )) { + &B_create_file($configfile); + } + } + &B_log("DEBUG","In B_ch_rc (no procs), setting $rcVariable to 0 in $configfile" . + ", with an original value of $orig_value with rcfile: $rcFile"); + if ( ! @processes) { # IF there are no processes we don't neet to perform a "stop" + &B_set_rc($rcVariable, "0", $configfile); + } else { + if ( $orig_value !~ "1" ) { #If param is not already 1, the "stop" script won't work + &B_set_rc($rcVariable, "1",$configfile); + } + &B_System ($startup_script . " stop", #stop service, then restart if the user runs bastille -r + $startup_script . " start"); + # set parameter, so that service will stay off after reboots + &B_set_rc($rcVariable, "0", $configfile); + } + } +} + + +# This routine sets a value in a given file +sub B_set_value($$$) { + my ($param, $value, $file)=@_; + + &B_log("DEBUG","B_set_value: $param, $value, $file"); + if (! -e $file ) { + &B_create_file("$file"); + } + + # If a value is already set to something other than $value then reset it. + #Note that though this tests for "$value ="the whole line gets replaced, so + #any pre-existing values are also replaced. + &B_replace_line($file,"^$param\\s*=\\s*","$param=$value\n"); + # If the value is not already set to something then set it. + &B_append_line($file,"^$param\\s*=\\s*$value","$param=$value\n"); + +} + + +################################################################################## +# &B_chperm($owner,$group,$mode,$filename(s)) +# This function changes ownership and mode of a list of files. Takes four +# arguments first the owner next the group and third the new mode in oct and +# last a list of files that the permissions changes should take affect on. +# +# uses: &swmodify and &B_revert_log +################################################################################## +sub B_chperm($$$$) { + my ($newown, $newgrp, $newmode, $file_expr) = @_; + my @files = glob($file_expr); + + my $return = 1; + + foreach my $file (@files){ + my @filestat = stat $file; + my $oldmode = (($filestat[2]/512) % 8) . + (($filestat[2]/64) % 8) . + (($filestat[2]/8) % 8) . + (($filestat[2]) % 8); + + if((chown $newown, $newgrp, $file) != 1 ){ + &B_log("ERROR","Could not change ownership of $file to $newown:$newgrp\n"); + $return = 0; + } + else{ + &B_log("ACTION","Changed ownership of $file to $newown:$newgrp\n"); + # swmodifying file if possible... + &B_swmodify($file); + &B_revert_log(&getGlobal('BIN',"chown") . " $filestat[4]:$filestat[5] $file\n"); + } + + my $newmode_formatted=sprintf "%5lo",$newmode; + + if((chmod $newmode, $file) != 1){ + &B_log("ERROR","Could not change mode of $file to $newmode_formatted\n"); + $return = 0; + } + else{ + &B_log("ACTION","Changed mode of $file to $newmode_formatted\n"); + &B_revert_log(&getGlobal('BIN',"chmod") . " $oldmode $file\n"); + } + + + } + return $return; +} + +############################################################################ +# &B_install_jail($jailname, $jailconfigfile); +# This function takes two arguments ( jail_name, jail_config ) +# It's purpose is to take read in config files that define a +# chroot jail and then generate it bases on that specification +############################################################################ +sub B_install_jail($$) { + + my $jailName = $_[0]; # Name of the jail e.g bind + my $jailConfig = $_[1]; # Name of the jails configuration file + # create the root directory of the jail if it does not exist + &B_create_dir( &getGlobal('BDIR','jail')); + &B_chperm(0,0,0555,&getGlobal('BDIR','jail')); + + # create the Jail dir if it does not exist + &B_create_dir( &getGlobal('BDIR','jail') . "/" . $jailName); + &B_chperm(0,0,0555,&getGlobal('BDIR','jail') . "/". $jailName); + + + my $jailPath = &getGlobal('BDIR','jail') . "/" . $jailName; + my @lines; # used to store no commented no empty config file lines + # open configuration file for desired jail and parse in commands + if(open(JAILCONFIG,"< $jailConfig")) { + while(my $line=<JAILCONFIG>){ + if($line !~ /^\s*\#|^\s*$/){ + chomp $line; + push(@lines,$line); + } + } + close JAILCONFIG; + } + else{ + &B_log("ERROR","Open Failed on filename: $jailConfig\n"); + return 0; + } + # read through commands and execute + foreach my $line (@lines){ + &B_log("ACTION","Install jail: $line\n"); + my @confCmd = split /\s+/,$line; + if($confCmd[0] =~ /dir/){ # if the command say to add a directory + if($#confCmd == 4) { # checking dir Cmd form + if(! (-d $jailPath . "/" . $confCmd[1])){ + #add a directory and change its permissions according + #to the conf file + &B_create_dir( $jailPath . "/" . $confCmd[1]); + &B_chperm((getpwnam($confCmd[3]))[2], + (getgrnam($confCmd[4]))[2], + oct($confCmd[2]), + $jailPath . "/" . $confCmd[1]); + } + } + else { + &B_log("ERROR","Badly Formed Configuration Line:\n$line\n\n"); + } + } + elsif($confCmd[0] =~ /file/) { + if($#confCmd == 5) { # checking file cmd form + if(&B_cp($confCmd[1],$jailPath . "/" . $confCmd[2])){ + # for copy command cp file and change perms + &B_chperm($confCmd[4],$confCmd[5],oct($confCmd[3]),$jailPath . "/" . $confCmd[2]); + } + else { + &B_log("ERROR","Could not complete copy on specified files:\n" . + "$line\n"); + } + } + else { + &B_log("ERROR","Badly Formed Configuration Line:\n" . + "$line\n\n"); + } + } + elsif($confCmd[0] =~ /slink/) { + if($#confCmd == 2) { # checking file cmd form + if(!(-e $jailPath . "/" . $confCmd[2])){ + #for symlink command create the symlink + &B_symlink($jailPath . "/" . $confCmd[1], $confCmd[2]); + } + } + else { + &B_log("ERROR","Badly Formed Configuration Line:\n" . + "$line\n\n"); + } + } + else { + &B_log("ERROR","Unrecognized Configuration Line:\n" . + "$line\n\n"); + } + } + return 1; +} + + + +########################################################################### +# &B_list_processes($service) # +# # +# This subroutine uses the GLOBAL_PROCESS hash to determine if a # +# service's corresponding processes are running on the system. # +# If any of the processes are found to be running then the process # +# name(s) is/are returned by this subroutine in the form of an list # +# If none of the processes that correspond to the service are running # +# then an empty list is returned. # +########################################################################### +sub B_list_processes($) { + + # service name + my $service = $_[0]; + # list of processes related to the service + my @processes=@{ &getGlobal('PROCESS',$service)}; + + # current systems process information + my $ps = &getGlobal('BIN',"ps"); + my $psTable = `$ps -elf`; + + # the list to be returned from the function + my @running_processes; + + # for every process associated with the service + foreach my $process (@processes) { + # if the process is in the process table then + if($psTable =~ m/$process/) { + # add the process to the list, which will be returned + push @running_processes, $process; + } + + } + + # return the list of running processes + return @running_processes; + +} + +############################################################################# +# &B_list_full_processes($service) # +# # +# This subroutine simply grep through the process table for those matching # +# the input argument TODO: Allow B_list process to levereage this code # +# ... Not done this cycle to avoid release risk (late in cycle) # +############################################################################# +sub B_list_full_processes($) { + + # service name + my $procName = $_[0]; + my $ps = &getGlobal('BIN',"ps"); + my @psTable = split(/\n/,`$ps -elf`); + + # for every process associated with the service + my @runningProcessLines = grep(/$procName/ , @psTable); + # return the list of running processes + return @runningProcessLines; +} + +################################################################################ +# &B_deactivate_inetd_service($service); # +# # +# This subroutine will disable all inetd services associated with the input # +# service name. Service name must be a reference to the following hashes # +# GLOBAL_SERVICE GLOBAL_SERVTYPE and GLOBAL_PROCESSES. If processes are left # +# running it will note these services in the TODO list as well as instruct the# +# user in how they remaining processes can be disabled. # +################################################################################ +sub B_deactivate_inetd_service($) { + my $service = $_[0]; + my $servtype = &getGlobal('SERVTYPE',"$service"); + my $inetd_conf = &getGlobal('FILE',"inetd.conf"); + + # check the service type to ensure that it can be configured by this subroutine. + if($servtype ne 'inet') { + &B_log("ACTION","The service \"$service\" is not an inet service so it cannot be\n" . + "configured by this subroutine\n"); + return 0; + } + + # check for the inetd configuration files existence so it may be configured by + # this subroutine. + if(! -e $inetd_conf ) { + &B_log("ACTION","The file \"$inetd_conf\" cannot be located.\n" . + "Unable to configure inetd\n"); + return 0; + } + + # list of service identifiers present in inetd.conf file. + my @inetd_entries = @{ &getGlobal('SERVICE',"$service") }; + + foreach my $inetd_entry (@inetd_entries) { + &B_hash_comment_line($inetd_conf, "^\\s*$inetd_entry"); + } + + # list of processes associated with this service which are still running + # on the system + my @running_processes = &B_list_processes($service); + + if($#running_processes >= 0) { + my $todoString = "\n" . + "---------------------------------------\n" . + "Deactivating Inetd Service: $service\n" . + "---------------------------------------\n" . + "The following process(es) are associated with the inetd service \"$service\".\n" . + "They are most likely associated with a session which was initiated prior to\n" . + "running Bastille. To disable a process see \"kill(1)\" man pages or reboot\n" . + "the system\n" . + "Active Processes:\n" . + "###################################\n"; + foreach my $running_process (@running_processes) { + $todoString .= "\t$running_process\n"; + } + $todoString .= "###################################\n"; + + &B_TODO($todoString); + } + +} + + +################################################################################ +# B_get_rc($key); # +# # +# This subroutine will use the ch_rc binary to get rc.config.d variables # +# values properly escaped and quoted. # +################################################################################ +sub B_get_rc($) { + + my $key=$_[0]; + my $ch_rc = &getGlobal('BIN',"ch_rc"); + + # get the current value of the given parameter. + my $currentValue=`$ch_rc -l -p $key`; + chomp $currentValue; + + if(($? >> 8) == 0 ) { + # escape all meta characters. + # $currentValue =~ s/([\"\`\$\\])/\\$1/g; + # $currentValue = '"' . $currentValue . '"'; + } + else { + return undef; + } + + return $currentValue; +} + + + +################################################################################ +# B_set_rc($key,$value); # +# # +# This subroutine will use the ch_rc binary to set rc.config.d variables. As # +# well as setting the variable this subroutine will set revert strings. # +# # +################################################################################ +sub B_set_rc($$;$) { + + my ($key,$value,$configfile)=@_; + my $ch_rc = &getGlobal('BIN',"ch_rc"); + + # get the current value of the given parameter. + my $currentValue=&B_get_rc($key); + if(defined $currentValue ) { + if ($currentValue =~ /^\"(.*)\"$/ ) { + $currentValue = '"\"' . $1 . '\""'; + } + if ($value =~ /^\"(.*)\"$/ ) { + $value = '"\"' . $1 . '\""'; + } + if ( &B_System("$ch_rc -a -p $key=$value $configfile", + "$ch_rc -a -p $key=$currentValue $configfile") ) { + #ch_rc success + return 1; + } + else { + #ch_rc failure. + return 0; + } + } + else { + &B_log("ERROR","ch_rc was unable to lookup $key\n"); + return 0; + } + +} + + +################################################################################ +# &ChrootHPApache($chrootScript,$httpd_conf,$httpd_bin, +# $apachectl,$apacheJailDir,$serverString); +# +# This subroutine given an chroot script, supplied by the vendor, a +# httpd.conf file, the binary location of httpd, the control script, +# the jail directory, and the servers identification string, descriptive +# string for TODO etc. It makes modifications to httpd.conf so that when +# Apache starts it will chroot itself into the jail that the above +# mentions script creates. +# +# uses B_replace_line B_create_dir B_System B_TODO +# +############################################################################### +sub B_chrootHPapache($$$$$$) { + + my ($chrootScript,$httpd_conf,$httpd_bin,$apachectl,$apacheJailDir,$serverString)= @_; + + my $exportpath = "export PATH=/usr/bin;"; + my $ps = &getGlobal('BIN',"ps"); + my $isRunning = 0; + my $todo_header = 0; + + # checking for a 2.0 version of the apache chroot script. + if(-e $chrootScript ) { + + if(open HTTPD, $httpd_conf) { + while (my $line = <HTTPD>){ + if($line =~ /^\s*Chroot/) { + &B_log("DEBUG","Apache is already running in a chroot as specified by the following line:\n$line\n" . + "which appears in the httpd.conf file. No Apache Chroot action was taken.\n"); + return; + } + } + close(HTTPD); + } + + if(`$ps -ef` =~ $httpd_bin ) { + $isRunning=1; + &B_System("$exportpath " . $apachectl . " stop","$exportpath " . $apachectl . " start"); + } + &B_replace_line($httpd_conf, '^\s*#\s*Chroot' , + "Chroot " . $apacheJailDir); + if(-d &getGlobal('BDIR',"jail")){ + &B_log("DEBUG","Jail directory already exists. No action taken.\n"); + } + else{ + &B_log("ACTION","Jail directory was created.\n"); + &B_create_dir( &getGlobal('BDIR','jail')); + } + + if(-d $apacheJailDir){ + &B_log("DEBUG","$serverString jail already exists. No action taken.\n"); + } + else{ + &B_System(&getGlobal('BIN',"umask") . " 022; $exportpath " . $chrootScript, + &getGlobal('BIN',"echo") . " \"Your $serverString is now running outside of it's\\n" . + "chroot jail. You must manually migrate your web applications\\n" . + "back to your Apache server's httpd.conf defined location(s).\\n". + "After you have completed this, feel free to remove the jail directories\\n" . + "from your machine. Your apache jail directory is located in\\n" . + &getGlobal('BDIR',"jail") . "\\n\" >> " . &getGlobal('BFILE',"TOREVERT")); + + } + if($isRunning){ + &B_System("$exportpath " . $apachectl . " start","$exportpath " . $apachectl . " stop"); + &B_log("ACTION","$serverString is now running in an chroot jail.\n"); + } + + &B_log("ACTION","The jail is located in " . $apacheJailDir . "\n"); + + if ($todo_header !=1){ + &B_TODO("\n---------------------------------\nApache Chroot:\n" . + "---------------------------------\n"); + } + &B_TODO("$serverString Chroot Jail:\n" . + "httpd.conf contains the Apache dependencies. You should\n" . + "review this file to ensure that the dependencies made it\n" . + "into the jail. Otherwise, you run a risk of your Apache server\n" . + "not having access to all its modules and functionality.\n"); + + + } + +} + + +sub isSystemTrusted { + my $getprdef = &getGlobal('BIN',"getprdef"); + my $definition = &B_Backtick("$getprdef -t 2>&1"); + if($definition =~ "System is not trusted.") { + return 0; + } else { + return 1; + } +} + + +sub isTrustedMigrationAvailable { + my $distroVersion=''; + + if (&GetDistro =~ '^HP-UX11.(\d*)') { + $distroVersion=$1; + if ($distroVersion < 23) { # Not available before 11.23 + return 0; #FALSE + } elsif ($distroVersion >= 31) { #Bundled with 11.31 and after + &B_log('DEBUG','isTrustedMigrationAvailable: HP-UX 11.31 always has trusted mode extensions'); + return 1; + } elsif ($distroVersion == 23) { # Optional on 11.23 if filesets installed + if ( -x &getGlobal('BIN',"userdbget") ) { + &B_log('DEBUG','isTrustedMigrationAvailable: Trusted Extensions Installed'); + return 1; + } else { + &B_log('DEBUG','isTrustedMigrationAvailable: Trusted Extensions Not Installed'); + return 0; #FALSE + } + } else { + &B_log('DEBUG','isTrustedMigrationAvailable: ' . &GetDistro . + ' not currently supported for trusted extentions.'); + return 0; #FALSE + } + } else { + &B_log('WARNING','isTrustedMigrationAvailable: HP-UX routine called on Linux system'); + return 0; #FALSE + } +} + + + +########################################################################### +# &checkServiceOnHPUX($service); +# +# Checks if the given service is running on an HP/UX system. This is +# called by B_is_Service_Off(), which is the function that Bastille +# modules should call. +# +# Return values: +# NOTSECURE_CAN_CHANGE() if the service is on +# SECURE_CANT_CHANGE() if the service is off +# INCONSISTENT() if the state of the service cannot be determined +# NOT_INSTALLED() if the s/w isn't insalled +# +########################################################################### +sub checkServiceOnHPUX($) { + my $service=$_[0]; + + # get the list of parameters which could be used to initiate the service + # (could be in /etc/rc.config.d, /etc/inetd.conf, or /etc/inittab, so we + # check all of them) + my @params= @{ &getGlobal('SERVICE',$service) }; + my $grep =&getGlobal('BIN', 'grep'); + my $inetd=&getGlobal('FILE', 'inetd.conf'); + my $inittab=&getGlobal('FILE', 'inittab'); + my $retVals; + my $startup=&getGlobal('DIR','initd') ; + my @inet_bins= @{ &getGlobal('PROCESS',$service) }; + + my $entry_found = 0; + + &B_log("DEBUG","CheckHPUXservice: $service"); + my $full_initd_path = $startup . "/" . $service; + if ($GLOBAL_SERVTYPE{$service} eq "rc") { # look for the init script in /sbin/init.d + if (not(-e $full_initd_path )) { + return NOT_INSTALLED(); + } + } else { #inet-based service, so look for inetd.conf entries. + &B_log("DEBUG","Checking inet service $service"); + my @inet_entries= @{ &getGlobal('SERVICE',$service) }; + foreach my $service (@inet_entries) { + &B_log('DEBUG',"Checking for inetd.conf entry of $service in checkService on HPUX"); + my $service_regex = '^[#\s]*' . $service . '\s+'; + if ( &B_match_line($inetd, $service_regex) ) { # inet entry search + &B_log('DEBUG',"$service present, entry exists"); + $entry_found = 1 ; + } + } + if ($entry_found == 0 ) { + return NOT_INSTALLED(); + } + } + + foreach my $param (@params) { + &B_log("DEBUG","Checking to see if service $service is off.\n"); + if (&getGlobal('SERVTYPE', $service) =~ /rc/) { + my $ch_rc=&getGlobal('BIN', 'ch_rc'); + my $on=&B_Backtick("$ch_rc -l -p $param"); + + $on =~ s/\s*\#.*$//; # remove end-of-line comments + $on =~ s/^\s*\"(.+)\"\s*$/$1/; # remove surrounding double quotes + $on =~ s/^\s*\'(.+)\'\s*$/$1/; # remove surrounding single quotes + $on =~ s/^\s*\"(.+)\"\s*$/$1/; # just in case someone did '"blah blah"' + + chomp $on; + &B_log("DEBUG","ch_rc returned: $param=$on in checkServiceOnHPUX"); + + if ($on =~ /^\d+$/ && $on != 0) { + # service is on + &B_log("DEBUG","CheckService found $param service is set to \'on\' in scripts."); + return NOTSECURE_CAN_CHANGE(); + } + elsif($on =~ /^\s*$/) { + # if the value returned is an empty string return + # INCONSISTENT(), since we don't know what the hard-coded default is. + return INCONSISTENT(); + } + } else { + # those files which rely on comments to determine what gets + # turned on, such as inetd.conf and inittab + my $inettabs=&B_Backtick("$grep -e '^[[:space:]]*$param' $inetd $inittab"); + if ($inettabs =~ /.+/) { # . matches anything except newlines + # service is not off + &B_log("DEBUG","Checking inetd.conf and inittab; found $inettabs"); + ########################### BREAK out, don't skip question + return NOTSECURE_CAN_CHANGE(); + } + } + } # foreach $param + + # boot-time parameters are not set; check processes + # checkprocs for services returns INCONSISTENT() if a service is found + # since a found-service is inconsistent with the above checks. + B_log("DEBUG","Boot-Parameters not set, checking processes."); + if (&runlevel < 2) { # Below runlevel 2, it is unlikely that + #services will be running, so just check "on-disk" state + &B_log("NOTE","Running during boot sequence, so skipping process checks"); + return SECURE_CANT_CHANGE(); + } else { + return &checkProcsForService($service); + } +} + +sub runlevel { + my $who = &getGlobal("BIN", "who"); + my $runlevel = &B_Backtick("$who -r"); + if ($runlevel =~ s/.* run-level (\S).*/$1/) { + &B_log("DEBUG","Runlevel is: $runlevel"); + return $runlevel; + } else { + &B_log("WARNING","Can not determine runlevel, assuming runlevel 3"); + &B_log("DEBUG","Runlevel command output: $runlevel"); + return "3"; #safer since the who command didn't work, we'll assume + # runlevel 3 since that provides more checks. + } +} + +# +# given a profile file, it will return a PATH array set by the file. +# +sub B_get_path($) { + my $file = $_[0]; + my $sh = &getGlobal("BIN", "sh"); + # use (``)[0] is becuase, signal 0 maybe trapped which will produce some stdout + my $path = (`$sh -c '. $file 1>/dev/null 2>&1 < /dev/null ; echo \$PATH'`)[0]; + my @path_arr = split(":", $path); + my %tmp_path; + my %path; + for my $tmpdir (@path_arr) { + chomp $tmpdir; + if ($tmpdir ne "" && ! $tmp_path{$tmpdir}) { + $tmp_path{$tmpdir}++; + } + } + return keys %tmp_path; +} + +# Convert to trusted mode if it's not already +sub convertToTrusted { + &B_log("DEBUG","# sub convertToTrusted \n"); + if( ! &isSystemTrusted) { + + my ($ok, $message) = &isOKtoConvert; + + my $ts_header="\n---------------------------------\nTrusted Systems:\n" . + "---------------------------------\n"; + + if ($ok) { + # actually do the conversion + if(&B_System(&getGlobal('BIN','tsconvert'), &getGlobal('BIN','tsconvert') . " -r")){ + # adjust change times for user passwords to keep them valid + # default is to expire them when converting to a trusted system, + # which can be problematic, especially since some older versions of + # SecureShell do not allow the user to change the password + &B_System(&getGlobal('BIN','modprpw') . " -V", ""); + + my $getprdef = &getGlobal('BIN','getprdef'); + my $oldsettings = &B_Backtick("$getprdef -m lftm,exptm,mintm,expwarn,umaxlntr"); + $oldsettings =~ s/ //g; + + # remove password lifetime and increasing login tries so they + # don't lock themselves out of the system entirely. + # set default expiration time and the like. + my $newsettings="lftm=0,exptm=0,mintm=0,expwarn=0,umaxlntr=10"; + + &B_System(&getGlobal('BIN','modprdef') . " -m $newsettings", + &getGlobal('BIN','modprdef') . " -m $oldsettings"); + + &B_TODO($ts_header . + "Your system has been converted to a trusted system.\n" . + "You should review the security settings available on a trusted system.\n". + "$message"); + + # to get rid of "Cron: Your job did not contain a valid audit ID." + # error, we re-read the crontab file after converting to trusted mode + # Nothing is necessary in "revert" since we won't be in trusted mode + # at that time. + # crontab's errors can be spurious, and this will report an 'error' + # of the crontab file is missing, so we send stderr to the bit bucket + my $crontab = &getGlobal('BIN',"crontab"); + &B_System("$crontab -l 2>/dev/null | $crontab",""); + } + + } else { + &B_TODO($ts_header . $message); + return 0; # not ok to convert, so we didn't + } + } + else { + &B_log("DEBUG","System is already in trusted mode, no action taken.\n"); + return 1; + } + + # just to make sure + if( &isSystemTrusted ) { + return 1; + } else { + &B_log("ERROR","Trusted system conversion was unsuccessful for an unknown reason.\n" . + " You may try using SAM/SMH to do the conversion instead of Bastille.\n"); + return 0; + } +} + +# isOKtoConvert - check for conflicts between current system state and trusted +# mode +# +# Return values +# 0 - conflict found, see message for details +# 1 - no conflicts, see message for further instructions +# +sub isOKtoConvert { + &B_log("DEBUG","# sub isOKtoConvert \n"); + # initialize text for TODO instructions + my $specialinstructions=" - convert to trusted mode\n"; + + # These are somewhat out-of-place, but only affect the text of the message. + # Each of these messages is repeated in a separate TODO item in the + # appropriate subroutine. + if (&getGlobalConfig("AccountSecurity","single_user_password") eq "Y") { + if (&GetDistro =~ "^HP-UX11.(.*)" and $1<23 ) { + $specialinstructions .= " - set a single user password\n"; + } + } + + if (&getGlobalConfig("AccountSecurity","passwordpolicies") eq "Y") { + $specialinstructions .= " - set trusted mode password policies\n"; + } + + if (&getGlobalConfig("AccountSecurity", "PASSWORD_HISTORY_DEPTHyn") eq "Y") { + $specialinstructions .= " - set a password history depth\n"; + } + + if (&getGlobalConfig("AccountSecurity","system_auditing") eq "Y") { + $specialinstructions .= " - enable auditing\n"; + } + + my $saminstructions= + "The security settings can be modified by running SAM as follows:\n" . + "# sam\n" . + "Next, go to the \"Auditing and Security Area\" and review\n" . + "each sub-section. Make sure that you review all of your\n" . + "settings, as some policies may seem restrictive.\n\n" . + "On systems using the System Management Homepage, you can\n". + "change your settings via the Tools:Security Attributes Configuration\n". + "section. On some systems, you may also have the option of using SMH.\n\n"; + + # First, check for possible conflicts and corner cases + + # check nsswitch for possible conflicts + my $nsswitch = &getGlobal('FILE', 'nsswitch.conf'); + if ( -e $nsswitch) { + open(FILE, $nsswitch); + while (<FILE>) { + if (/nis/ or /compat/ or /ldap/) { + my $message = "Bastille found a possible conflict between trusted mode and\n" . + "$nsswitch. Please remove all references to\n" . + "\"compat\", \"nis\" and \"ldap\" in $nsswitch\n" . + "and rerun Bastille, or use SAM/SMH to\n" . + "$specialinstructions\n". + "$saminstructions"; + close(FILE); + return (0,$message); + } + } + close(FILE); + } + + # check the namesvrs config file for possible NIS conflicts + #Changed to unless "Y AND Y" since question can be skipped when nis is off + # but corner cases can still exist, so check then too. + unless ( &getGlobalConfig('MiscellaneousDaemons','nis_client') eq "Y" and + &getGlobalConfig('MiscellaneousDaemons','nis_server') eq "Y" ) { + my $namesvrs = &getGlobal('FILE', 'namesvrs'); + if (open(FILE, $namesvrs)) { + while (<FILE>) { + if (/^NIS.*=["]?1["]?$/) { + my $message= "Possible conflict between trusted mode and NIS found.\n". + "Please use SAM/SMH to\n" . + " - turn off NIS\n" . + "$specialinstructions\n". + "$saminstructions"; + close(FILE); + return (0,$message); + } + } + close(FILE); + } else { + &B_log("ERROR","Unable to open $namesvrs for reading."); + my $message= "Possible conflict between trusted mode and NIS found.\n". + "Please use SAM/SMH to\n" . + " - turn off NIS\n" . + "$specialinstructions\n". + "$saminstructions"; + return (0,$message); + } + if ( &B_match_line (&getGlobal("FILE","passwd"),"^\+:.*")) { + my $message= '"+" entry found in passwd file. These are not\n' . + "compatible with Trusted Mode. Either remove the entries\n" . + "and re-run Bastille, or re-run Bastille, and direct it to\n" . + "disable NIS client and server.\n"; + return (0,$message); + } + + } + + + # check for conflicts with DCE integrated login + my $authcmd = &getGlobal('BIN','auth.adm'); + if ( -e $authcmd ) { + my $retval = system("PATH=/usr/bin $authcmd -q 1>/dev/null 2>&1"); + if ($retval != 0 and $retval != 1) { + my $message="It appears that DCE integrated login is configured on this system.\n" . + "DCE integrated login is incompatible with trusted systems and\n" . + "auditing. Bastille is unable to\n" . + "$specialinstructions" . + "You will need to configure auditing and password policies using DCE.\n\n"; + return (0,$message); + } + } + + if ( -e &getGlobal('FILE','shadow') ) { + my $message="This system has already been converted to shadow passwords.\n" . + "Shadow passwords are incompatible with trusted mode.\n" . + "Bastille is unable to\n" . + "$specialinstructions" . + "If you desire these features, you should use\n". + "\'pwunconv\' to change back to standard passwords,\n". + "and then rerun Bastille.\n\n"; + return (0,$message); + } + + return (1,$saminstructions); +} + +# This routine allows Bastille to determine trusted-mode extension availability + +sub convertToShadow { + + if (&isSystemTrusted) { + # This is an internal error...Bastille should not call this routine + # in this case. Error is here for robustness against future changes. + &B_log("ERROR","This system is already converted to trusted mode.\n" . + " Converting to shadow passwords will not be attempted.\n"); + return 0; + } + + # configuration files on which shadowed passwords depend + my $nsswitch_conf = &getGlobal('FILE',"nsswitch.conf"); + + # binaries used to convert to a shadowed password + my $pwconv = &getGlobal('BIN',"pwconv"); + my $echo = &getGlobal('BIN','echo'); # the echo is used to pipe a yes into the pwconv program as + # pwconv requires user interaction. + + # the binary used in a system revert. + my $pwunconv = &getGlobal('BIN',"pwunconv"); + #check the password file for nis usage and if the nis client + #or server is running. + if(-e $nsswitch_conf) { + # check the file for nis, nis+, compat, or dce usage. + if(&B_match_line($nsswitch_conf, '^\s*passwd:.+(nis|nisplus|dce|compat)')) { + my $shadowTODO = "\n---------------------------------\nHide encrypted passwords:\n" . + "---------------------------------\n" . + "This version of password shadowing does not support any repository other\n" . + "than files. In order to convert your password database to shadowed passwords\n" . + "there can be no mention of nis, nisplus, compat, or dce in the passwd\n" . + "field of the \"$nsswitch_conf\" file. Please make the necessary edits to\n" . + "the $nsswitch_conf file and run Bastille again using the command:\n" . + "\"bastille -b\"\n"; + # Adding the shadowTODO comment to the TODO list. + &B_TODO("$shadowTODO"); + # Notifing the user that the shadowed password coversion has failed. + &B_log("ERROR","Password Shadowing Conversion Failed\n" . + "$shadowTODO"); + # exiting the subroutine. + return 0; + } + + } + + # convert the password file to a shadowed repository. + if (( -e $pwconv ) and ( -e $pwunconv ) and + ( &B_System("$echo \"yes\" | $pwconv","$pwunconv") ) ){ + &B_TODO( "\n---------------------------------\nShadowing Password File:\n" . + "---------------------------------\n" . + "Your password file has been converted to use password shadowing.\n" . + "This version of password shadowing does not support any repository other\n" . + "than files. There can be no mention of nis, nisplus, compat, or dce\n" . + "in the passwd field of the \"$nsswitch_conf\" file.\n\n" ); + } else { + &B_log("ERROR","Conversion to shadow mode failed. The system may require ". + "a patch to be capable of switching to shadow mode, or the ". + "system my be in a state where conversion is not possible."); + } +} + + + +########################################################################## +# &getSupportedSettings(); +# Manipulates %trustedParameter and %isSupportedSetting, file-scoped variables +# +# Reads the password policy support matrix, which in-turn gives Bastille the +# places it should look for a given password policy setting. + +# Note the file was created like this so if could be maintained in an Excel(tm) +# spreadsheet, to optimize reviewability. TODO: consider other formats + +# File Format: +# HEADERS:<comment>,[<OS Version> <Mode> <Extensions>,]... +# [ +# :<label>:<trusted equivalent>,,,,,,,,,,,,<comment> +# <action> (comment), [<test value>,]... +# ] ... +# Example; +# HEADERS:Information Source (trusted equiv),11.11 Standard no-SMSE,11.11 Trusted no-SMSE,11.11 Shadow no-SMSE,11.23 Standard no-SMSE,11.23 Trusted no-SMSE,11.23 Shadow no-SMSE,11.23 Standard SMSE,11.23 Shadow SMSE,11.23 Trusted SMSE,11.31 Trusted SMSE,11.31 Shadow SMSE,11.31 Standard SMSE,Other Exceptions +#:ABORT_LOGIN_ON_MISSING_HOMEDIR,,,,,,,,,,,,,root +#/etc/security.dsc (search),x,,xx,x,x,x,!,!,!,!,!,!, +#/etc/default/security(search),y,y,y,y,y,y,y,y,y,y,y,y, +#getprdef (execute with <Trusted Equiv> argument),x,x,x,x,x,x,x,x,x,x,x,x, + +########################################################################### +our %trustedParameter = (); +our %isSupportedSetting = (); + +sub getSupportedSettings() { + + my $line; # For a config file line + my $linecount = 0; + my $currentsetting = ""; + my @fields; # Fields in a given line + my @columns; #Column Definitions + + + &B_open(*SETTINGSFILE,&getGlobal('BFILE','AccountSecSupport')); + my @settingLines=<SETTINGSFILE>; + &B_close(*SETTINGSFILE); + + #Remove blank-lines and comments + @settingLines = grep(!/^#/,@settingLines); + @settingLines = grep(!/^(\s*,+)*$/,@settingLines); + + foreach $line (@settingLines) { + ++$linecount; + @fields = split(/,/,$line); + if ($line =~ /^Information Source:/) { #Sets up colums + my $fieldcount = 1; #Skipping first field + while ((defined($fields[$fieldcount])) and + ($fields[$fieldcount] =~ /\d+\.\d+/)){ + my @subfields = split(/ /,$fields[$fieldcount]); + my $fieldsCount = @subfields; + if ($fieldsCount != 3){ + &B_log("ERROR","Invalid subfield count: $fieldsCount in:". + &getGlobal('BFILE','AccountSecSupport') . + " line: $linecount and field: $fieldcount"); + } + $columns[$fieldcount] = {OSVersion => $subfields[0], + Mode => $subfields[1], + Extension => $subfields[2] }; + &B_log("DEBUG","Found Header Column, $columns[$fieldcount]{'OSVersion'}, ". + $columns[$fieldcount]{'Mode'} ." , " . + $columns[$fieldcount]{'Extension'}); + ++$fieldcount; + } # New Account Seting ex: + } elsif ($line =~ /^:([^,:]+)(?::([^,]+))?/) { # :PASSWORD_WARNDAYS:expwarn,,,,,,,,,,,, + $currentsetting = $1; + if (defined($2)) { + $trustedParameter{"$currentsetting"}=$2; + } + &B_log("DEBUG","Found Current Setting: ". $currentsetting . + "/" . $trustedParameter{"$currentsetting"}); + } elsif (($line =~ /(^[^, :\)\(]+)[^,]*,((?:(?:[!y?nx]|!!),)+)/) and #normal line w/ in setting ex: + ($currentsetting ne "")){ # security.dsc (search),x,x,x,x,x,!,!!,!,!,!,!, + my $placeToLook = $1; + my $fieldcount = 1; #Skip the first one, which we used in last line + while (defined($fields[$fieldcount])) { + &B_log("DEBUG","Setting $currentsetting : $columns[$fieldcount]{OSVersion} , ". + "$columns[$fieldcount]{Mode} , ". + "$columns[$fieldcount]{Extension} , ". + "$placeToLook, to $fields[$fieldcount]"); + $isSupportedSetting{"$currentsetting"} + {"$columns[$fieldcount]{OSVersion}"} + {"$columns[$fieldcount]{Mode}"} + {"$columns[$fieldcount]{Extension}"} + {"$placeToLook"} = + $fields[$fieldcount]; + ++$fieldcount; + } + } else { + if ($line !~ /^,*/) { + &B_log("ERROR","Incorrectly Formatted Line at ". + &getGlobal('BFILE','AccountSecSupport') . ": $linecount"); + } + } + } +} + +########################################################################## +# &B_get_sec_value($param); +# This subroutine finds the value for a given user policy parameter. +# Specifically, it supports the parameters listed in the internal data structure + +# Return values: +# 'Not Defined' if the value is not present or not uniquely defined. +# $value if the value is present and unique +# +########################################################################### +sub B_get_sec_value($) { + my $param=$_[0]; + + my $os_version; + if (&GetDistro =~ /^HP-UX\D*(\d+\.\d+)/ ){ + $os_version=$1; + } else { + &B_log("ERROR","B_get_sec_value only supported on HP-UX"); + return undef; + } +# my $sec_dsc = &getGlobal('FILE', 'security.dsc'); + my $sec_file = &getGlobal('FILE', 'security'); + my $getprdef = &getGlobal('BIN','getprdef'); + my $getprpw = &getGlobal('BIN','getprpw'); + my $userdbget = &getGlobal('BIN','userdbget'); + my $passwd = &getGlobal('BIN','passwd'); + + my $sec_flags = ""; + my @sec_settings=(); + my $user_sec_setting=""; + + my $security_mode="Standard"; + my $security_extension="no-SMSE"; + + &B_log("DEBUG","Entering get_sec_value for: $param"); + + sub isok ($) { # Locally-scoped subroutine, takes supported-matrix entry as argument + my $supportedMatrixEntry = $_[0]; + + if ($supportedMatrixEntry =~ /!/) { #Matrix Entry for "Documented and/or tested" + &B_log("DEBUG","isOk TRUE: $supportedMatrixEntry"); + return 1; + } else { + &B_log("DEBUG","isOk FALSE: $supportedMatrixEntry"); + return 0; #FALSE + } + } #end local subroutine + + #Get Top Array item non-destructively + sub getTop (@) { + my @incomingArray = @_; + my $topval = pop(@incomingArray); + push(@incomingArray,$topval); #Probably redundant, but left in just in case. + return $topval; + } + + sub ifExistsPushOnSecSettings($$) { + my $sec_settings = $_[0]; + my $pushval = $_[1]; + + if ($pushval ne ""){ + push (@$sec_settings, $pushval); + } + } + + #prpw and prdef both use "YES" instead of "1" like the other settings. + sub normalizePolicy($){ + my $setting = $_[0]; + + $setting =~ s/YES/1/; + $setting =~ s/NO/1/; + + return $setting; + } + + + + if ((%trustedParameter == ()) or (%isSupportedSetting == ())) { + # Manipulates %trustedParameter and %isSupportedSetting + &getSupportedSettings; + } + + #First determine the security mode + my $shadowFile = &getGlobal("FILE","shadow"); + my $passwdFile = &getGlobal("FILE","passwd"); + + if (&isSystemTrusted) { + $security_mode = 'Trusted'; + } elsif ((-e $shadowFile) and #check file exist, and that passwd has no non-"locked" accounts + (not(&B_match_line($passwdFile,'^[^\:]+:[^:]*[^:*x]')))) { + $security_mode = 'Shadow'; + } else { + $security_mode = 'Standard'; + } + if (&isTrustedMigrationAvailable) { + $security_extension = 'SMSE'; + } else { + $security_extension = 'no-SMSE'; + } + &B_log("DEBUG","Security mode: $security_mode extension: $security_extension"); + # Now look up the value from each applicable database, from highest precedence + # to lowest: + &B_log("DEBUG","Checking $param in userdbget"); + if (&isok($isSupportedSetting{$param}{$os_version}{$security_mode} + {$security_extension}{"userdbget_-a"})) { + &ifExistsPushOnSecSettings(\@sec_settings, + &B_getValueFromString('\w+\s+\w+=(\S+)', + &B_Backtick("$userdbget -a $param"))); + &B_log("DEBUG", $param . ":userdbget setting: ". &getTop(@sec_settings)); + } + &B_log("DEBUG","Checking $param in passwd"); + if (&isok($isSupportedSetting{$param}{$os_version}{$security_mode} + {$security_extension}{"passwd_-sa"})) { + if ($param eq "PASSWORD_MINDAYS") { + &ifExistsPushOnSecSettings(\@sec_settings, + &B_getValueFromString('(?:\w+\s+){2}[\d\/]+\s+(\d+)\s+\d+', + &B_Backtick("$passwd -s -a"))); + } elsif ($param eq "PASSWORD_MAXDAYS") { + &ifExistsPushOnSecSettings(\@sec_settings, + &B_getValueFromString('(?:\w+\s+){2}[\d\/]+\s+\d+\s+(\d+)', + &B_Backtick("$passwd -s -a"))); + } elsif ($param eq "PASSWORD_WARNDAYS") { + &ifExistsPushOnSecSettings(\@sec_settings, + &B_getValueFromString('(?:\w+\s+){2}[\d\/]+(?:\s+\d+){2}\s+(\d+)', + &B_Backtick("$passwd -s -a"))); + } + &B_log("DEBUG", $param . ":passwd -sa setting: ". &getTop(@sec_settings)); + } + &B_log("DEBUG","Checking $param in get prpw"); + if (&isok($isSupportedSetting{$param}{$os_version}{$security_mode} + {$security_extension}{"getprpw"})) { + my $logins = &getGlobal("BIN","logins"); + my @userArray = split(/\n/,`$logins`); + my $userParamVals = ''; + foreach my $rawuser (@userArray) { + $rawuser =~ /^(\S+)/; + my $user = $1; + my $nextParamVal=&B_Backtick("$getprpw -l -m $trustedParameter{$param} $user"); + $nextParamVal =~ s/\w*=(-*[\w\d]*)/$1/; + if ($nextParamVal != -1) { #Don't count users for which the local DB is undefined + $userParamVals .= $user . "::::" . $nextParamVal ."\n"; + } + } #Note getValueFromStrings deals with duplicates, returning "Not Unigue" + my $policySetting = &B_getValueFromString('::::(\S+)',"$userParamVals"); + &ifExistsPushOnSecSettings (\@sec_settings, &normalizePolicy($policySetting)); + &B_log("DEBUG", $param . ":prpw setting: ". &getTop(@sec_settings)); + } + &B_log("DEBUG","Checking $param in get prdef"); + if (&isok($isSupportedSetting{$param}{$os_version}{$security_mode} + {$security_extension}{"getprdef"})) { + $_ = &B_Backtick ("$getprdef -m " . $trustedParameter{$param}); + /\S+=(\S+)/; + my $policySetting = $1; + &ifExistsPushOnSecSettings(\@sec_settings, &normalizePolicy($policySetting)); + &B_log("DEBUG", $param . ":prdef setting: ". &getTop(@sec_settings)); + + } + &B_log("DEBUG","Checking $param in default security"); + if (&isok($isSupportedSetting{$param}{$os_version}{$security_mode} + {$security_extension}{"/etc/default/security"})) { + &ifExistsPushOnSecSettings(\@sec_settings,&B_getValueFromFile('^\s*'. $param . + '\s*=\s*([^\s#]+)\s*$', $sec_file)); + &B_log("DEBUG", $param . ":default setting: ". &getTop(@sec_settings)); + } + #Commented below code in 3.0 release to avoid implication that bastille + #had ever set these values explicitly, and the implications to runnable + #config files where Bastille would then apply the defaults as actual policy + #with possible conversion to shadow or similar side-effect. + +# &B_log("DEBUG","Checking $param in security.dsc"); + #security.dsc, only added in if valid for OS/mode/Extension, and nothing else + #is defined (ie: @sec_settings=0) +# if ((&isok($isSupportedSetting{$param}{$os_version}{$security_mode} +# {$security_extension}{"/etc/security.dsc"})) and (@sec_settings == 0)) { +# &ifExistsPushOnSecSettings(\@sec_settings, &B_getValueFromFile('^' . $param . +# ';(?:[-\w/]*;){2}([-\w/]+);', $sec_dsc)); +# &B_log("DEBUG", $param . ":security.dsc: ". &getTop(@sec_settings)); +# } + + # Return what we found + my $last_setting=undef; + my $current_setting=undef; + while (@sec_settings > 0) { + $current_setting = pop(@sec_settings); + &B_log("DEBUG","Comparing $param configuration for identity: " . + $current_setting); + if ((defined($current_setting)) and ($current_setting ne '')) { + if (not(defined($last_setting))){ + $last_setting=$current_setting; + } elsif (($last_setting ne $current_setting) or + ($current_setting eq 'Not Unique')){ + &B_log("DEBUG","$param setting not unique."); + return 'Not Unique'; # Inconsistent state found, return 'Not Unique' + } + } + } + if ((not(defined($last_setting))) or ($last_setting eq '')) { + return undef; + } else { + return $last_setting; + } + +} #End B_get_sec_value + +sub secureIfNoNameService($){ + my $retval = $_[0]; + + if (&isUsingRemoteNameService) { + return MANUAL(); + } else { + return $retval; + } +} + +#Specifically for cleartext protocols like NIS, which are not "secure" +sub isUsingRemoteNameService(){ + + if (&remoteServiceCheck('nis|nisplus|dce') == SECURE_CAN_CHANGE()){ + return 0; #false + } else { + return 1; + } +} + + + +########################################### +## This is a wrapper for two functions that +## test the existence of nis-like configurations +## It is used by both the front end test and the back-end run +############################################## +sub remoteServiceCheck($){ + my $regex = $_[0]; + + my $nsswitch_conf = &getGlobal('FILE',"nsswitch.conf"); + my $passwd = &getGlobal('FILE',"passwd"); + + # check the file for nis usage. + if (-e $nsswitch_conf) { + if (&B_match_line($nsswitch_conf, '^\s*passwd:.*('. $regex . ')')) { + return NOTSECURE_CAN_CHANGE(); + } elsif ((&B_match_line($nsswitch_conf, '^\s*passwd:.*(compat)')) and + (&B_match_line($passwd, '^\s*\+'))) { + return NOTSECURE_CAN_CHANGE(); # true + } + } elsif ((&B_match_line($passwd, '^\s*\+'))) { + return NOTSECURE_CAN_CHANGE(); + } + + my $oldnisdomain=&B_get_rc("NIS_DOMAIN"); + if ((($oldnisdomain eq "") or ($oldnisdomain eq '""')) and (&checkServiceOnHPUX('nis.client'))){ + return SECURE_CAN_CHANGE(); + } + return NOTSECURE_CAN_CHANGE(); +} + +############################################# +# remoteNISPlusServiceCheck +# test the existence of nis+ configuration +############################################# +sub remoteNISPlusServiceCheck () { + + my $nsswitch_conf = &getGlobal('FILE',"nsswitch.conf"); + + # check the file for nis+ usage. + if (-e $nsswitch_conf) { + if (&B_match_line($nsswitch_conf, 'nisplus')) { + return NOTSECURE_CAN_CHANGE(); + } + } + + return &checkServiceOnHPUX('nisp.client'); +} + + +########################################################################## +# This subroutine creates nsswitch.conf file if the file not exists, +# and then append serveral services into the file if the service not +# exists in the file. +########################################################################## +sub B_create_nsswitch_file ($) { + my $regex = $_[0]; + + my $nsswitch = &getGlobal('FILE',"nsswitch.conf"); + + if( ! -f $nsswitch ) { + &B_create_file($nsswitch); + # we don't need to revert the permissions change because we just + # created the file + chmod(0444, $nsswitch); + + &B_append_line($nsswitch,'\s*passwd:', "passwd: $regex\n"); + &B_append_line($nsswitch,'\s*group:', "group: $regex\n"); + &B_append_line($nsswitch,'\s*hosts:', "hosts: $regex\n"); + &B_append_line($nsswitch,'\s*networks:', "networks: $regex\n"); + &B_append_line($nsswitch,'\s*protocols:', "protocols: $regex\n"); + &B_append_line($nsswitch,'\s*rpc:', "rpc: $regex\n"); + &B_append_line($nsswitch,'\s*publickey:', "publickey: $regex\n"); + &B_append_line($nsswitch,'\s*netgroup:', "netgroup: $regex\n"); + &B_append_line($nsswitch,'\s*automount:', "automount: $regex\n"); + &B_append_line($nsswitch,'\s*aliases:', "aliases: $regex\n"); + &B_append_line($nsswitch,'\s*services:', "services: $regex\n"); + } +} + +1; + |