From dc5e9c1999c8fc3bd79e02b098c4919d7c1b2dc8 Mon Sep 17 00:00:00 2001
From: Mikhail Novosyolov
Date: Sun, 20 Jun 2021 14:22:51 +0300
Subject: [PATCH] add polkit policy to run from root, add more translations
---
 Makefile | 12 +++-
 linux-infosec-setupper.spec | 50 +++++++++++++++-
 po/ru.po | 60 +++++++++----------
 .../linux-infosec-setupper-pwquality-gui.sh | 2 +
 ...inux-infosec-setupper-pwquality-gui.policy | 23 +++++++
 test_back_auditd.sh | 4 +-
 6 files changed, 114 insertions(+), 37 deletions(-)
 create mode 100644 polkit/linux-infosec-setupper-pwquality-gui.sh
 create mode 100644 polkit/org.nixtux.pkexec.linux-infosec-setupper-pwquality-gui.policy
diff --git a/Makefile b/Makefile
index 43056e3..13c5d0b 100644
--- a/Makefile
+++ b/Makefile
@@ -3,15 +3,19 @@ all: install: # bin is for scripts which will run sbin/* via pkexec - #mkdir -p $(DESTDIR)/usr/bin + mkdir -p $(DESTDIR)/usr/bin # sbin is for executables mkdir -p $(DESTDIR)/usr/sbin install -m0755 front_auditd_cli.sh $(DESTDIR)/usr/sbin/linux-infosec-setupper-auditd-cli + install -m0755 front_pwquality_cli.sh $(DESTDIR)/usr/sbin/linux-infosec-setupper-pwquality-cli + install -m0755 front_pwquality.sh $(DESTDIR)/usr/sbin/linux-infosec-setupper-pwquality-gui mkdir -p $(DESTDIR)/usr/share/linux-infosec-setupper mkdir -p $(DESTDIR)/usr/share/linux-infosec-setupper/audit - #mkdir -p $(DESTDIR)/usr/share/linux-infosec-setupper/pwquality + mkdir -p $(DESTDIR)/usr/share/linux-infosec-setupper/pwquality + install -m0644 pw_default $(DESTDIR)/usr/share/linux-infosec-setupper/pwquality/pw_default install -m0644 common.sh $(DESTDIR)/usr/share/linux-infosec-setupper/common.sh install -m0644 back_auditd.sh $(DESTDIR)/usr/share/linux-infosec-setupper/audit/back_auditd.sh + install -m0644 back_pwquality.sh $(DESTDIR)/usr/share/linux-infosec-setupper/pwquality/back_pwquality.sh mkdir -p $(DESTDIR)/var/lib/linux-infosec-setupper mkdir -p $(DESTDIR)/var/lib/linux-infosec-setupper/audit #mkdir -p $(DESTDIR)/var/lib/linux-infosec-setupper/pwquality @@ -20,6 +24,10 @@ install: mkdir -p $(DESTDIR)/usr/share/locale/ru/LC_MESSAGES msgfmt -o $(DESTDIR)/usr/share/locale/ru/LC_MESSAGES/linux-infosec-setupper.mo po/ru.po + mkdir -p $(DESTDIR)/usr/share/polkit-1/actions + install -m0644 polkit/org.nixtux.pkexec.linux-infosec-setupper-pwquality-gui.policy $(DESTDIR)/usr/share/polkit-1/actions/ + install -m0755 polkit/linux-infosec-setupper-pwquality-gui.sh $(DESTDIR)/usr/bin/linux-infosec-setupper-pwquality-gui + rpm: # https://stackoverflow.com/a/1909390 $(eval TMP := $(shell mktemp --suffix=.tar.gz)) diff --git a/linux-infosec-setupper.spec b/linux-infosec-setupper.spec index 4b11bdb..57df01d 100644 --- a/linux-infosec-setupper.spec +++ b/linux-infosec-setupper.spec 
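Review bot: The state directory for the new pwquality tools is still not created by `make install`: the last context line of this hunk leaves `#mkdir -p $(DESTDIR)/var/lib/linux-infosec-setupper/pwquality` commented out, while the spec in the same patch packages that directory as `%dir %attr(0700,root,root)`. A non-RPM install therefore relies on the scripts creating it at run time (not visible here), and a plain `mkdir -p` would take its mode from the umask rather than the 0700 the spec expects. I would create it explicitly with that mode, e.g. `install -d -m0700 $(DESTDIR)/var/lib/linux-infosec-setupper/pwquality`. The `install:` recipe continues past the end of this hunk.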
@@ -1,7 +1,7 @@ Name: linux-infosec-setupper Summary: CLI and GUI utilities to setup information security-related parts of Linux License: GPLv3 -Group: System/Base +Group: System/Configuration/Other Version: 0.1 Release: 1 Source0: %{name}-%{version}.tar.gz @@ -17,7 +17,7 @@ BuildRequires: gettext %package common Summary: Common parts for subpackages of %{name} -Group: System/Base +Group: System/Configuration/Other Requires: awk Requires: bash Requires: coreutils @@ -37,7 +37,7 @@ Common parts for subpackages of %{name} %package auditd-cli Summary: CLI and backend to setup auditd configs -Group: System/Base +Group: System/Configuration/Other Requires: %{name}-common = %{version}-%{release} Requires: audit 
@@ -53,6 +53,48 @@ CLI and backend to setup auditd configs #----------------------------------------------------------------------------------- +%package pwquality-cli +Summary: CLI and backend to setup pwquality configs +Group: System/Configuration/Other +Requires: %{name}-common = %{version}-%{release} +%if 0%{mdvver} +Requires: pam_pwquality +Requires: libpwquality-common +%else +# redhat +Requires: libpwquality +%endif + +%description pwquality-cli +CLI and backend to setup pwquality configs + +%files pwquality-cli +%{_sbindir}/linux-infosec-setupper-pwquality-cli +%dir %{_datadir}/linux-infosec-setupper/pwquality +%{_datadir}/linux-infosec-setupper/pwquality/back_pwquality.sh +%{_datadir}/linux-infosec-setupper/pwquality/pw_default +%dir %attr(0700,root,root) /var/lib/linux-infosec-setupper/pwquality +%ghost /var/lib/linux-infosec-setupper/pwquality/pw_changed + +#----------------------------------------------------------------------------------- + +%package pwquality-gui +Summary: GUI to setup pwquality configs +Group: System/Configuration/Other +Requires: %{name}-pwquality-cli = %{version}-%{release} +Requires: yad +Recommends: polkit + +%description pwquality-gui +GUI to setup pwquality configs + +%files pwquality-gui +%{_sbindir}/linux-infosec-setupper-pwquality-gui +%{_bindir}/linux-infosec-setupper-pwquality-gui +%{_datadir}/polkit-1/actions/org.nixtux.pkexec.linux-infosec-setupper-pwquality-gui.policy + +#----------------------------------------------------------------------------------- + %prep %autosetup -p1 -c @@ -64,7 +106,9 @@ CLI and backend to setup auditd configs # ghost files mkdir -p %{buildroot}/var/lib/linux-infosec-setupper/audit/ +mkdir -p %{buildroot}/var/lib/linux-infosec-setupper/pwquality/ touch %{buildroot}/var/lib/linux-infosec-setupper/audit/auditd-conf.sh +touch %{buildroot}/var/lib/linux-infosec-setupper/pwquality/pw_changed %check bash -x ./test_back_auditd.sh diff --git a/po/ru.po b/po/ru.po index c8ea7b1..ee57991 100644 
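Review bot: `%if 0%{mdvver}` in the new `pwquality-cli` package only evaluates cleanly when the `mdvver` macro is defined; where it is not, rpm leaves `%{mdvver}` unexpanded and the condition is likely to fail to parse, so the `# redhat` branch cannot be reached on the systems it is written for. The conditional-expansion form is `%if 0%{?mdvver}`. Separately, `pwquality-gui` ships a `%{_bindir}` wrapper that calls `pkexec` but declares only `Recommends: polkit`; if that wrapper is the supported entry point, `Requires: polkit` describes the dependency more accurately.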
--- a/po/ru.po
+++ b/po/ru.po
@@ -104,88 +104,87 @@ msgstr "" #: ../back_pwquality.sh:59 ../back_pwquality.sh:64 ../back_pwquality.sh:69 #: ../back_pwquality.sh:78 ../back_pwquality.sh:87 ../back_pwquality.sh:92 msgid "The received parameters are not correct. Expected %s, received %s" -msgstr "" +msgstr "полученные параметры неправильны. Ожидалось %s, а получено %s" #: ../back_pwquality.sh:59 ../back_pwquality.sh:64 ../back_pwquality.sh:69 #: ../back_pwquality.sh:78 ../back_pwquality.sh:87 ../back_pwquality.sh:92 msgid "0 or 1" -msgstr "" +msgstr "0 или 1" #: ../common.sh:49 -#, fuzzy msgid "Argument to %s must be a number" -msgstr "Значением %s должно быть %s или %s" +msgstr "Значением %s должно быть число" #: ../common.sh:58 #, fuzzy msgid "Argument to %s must be greater than %s" -msgstr "Значением %s должно быть %s или %s" +msgstr "Значение %s должно быть больше значения %s" #: ../common.sh:69 msgid "Argument to %s must be a string without spaces" -msgstr "" +msgstr "Значение %s должно быть строкой без пробелов" #: ../common.sh:83 -#, fuzzy msgid "Value of %s is empty, set yes or no" -msgstr "Значением %s должно быть %s или %s" +msgstr "Значение %s пусто, задайте yes или no" #: ../common.sh:87 msgid "String %s is not a boolean, set yes or no" -msgstr "" +msgstr "Строка %s не является булеановым значением, задайте yes или no" #: ../common.sh:98 -#, fuzzy msgid "Value of %s must be a non-negative number" -msgstr "Значением %s должно быть %s или %s" +msgstr "Значение %s должно быть целым числом больше нуля" #: ../common.sh:105 msgid "%s is not a correct email" -msgstr "" +msgstr "%s не является валидным адресом электропочты" #: ../front_auditd_cli.sh:17 msgid "This is generator of auditd config" -msgstr "" +msgstr "Это генератор конфига auditd" #: ../front_auditd_cli.sh:18 msgid "Run as: %s [--parameter value] [--parameter value]" -msgstr "" +msgstr "Запускайте его так: %s [--параметр значение] [--параметр значение]" #: ../front_auditd_cli.sh:19 msgid "Supported parameters of auditd and their 
default values are:" -msgstr "" +msgstr "Поддерживаемые параметров auditd и их значения по умолчанию таковы:" #: ../front_pwquality_cli.sh:18 ../front_pwquality_cli.sh:19 #: ../front_pwquality_cli.sh:83 ../front_pwquality.sh:19 #: ../front_pwquality.sh:20 ../front_pwquality.sh:87 ../front_pwquality.sh:119 msgid "Unable to write to file %s" -msgstr "" +msgstr "Невозможно записать в файл %s" #: ../front_pwquality_cli.sh:37 msgid "No arguments specified" -msgstr "" +msgstr "Не передано никаких аргументов" #: ../front_pwquality_cli.sh:42 msgid "Usage: #NAME# --[OPTIONS...]" -msgstr "" +msgstr "Использование: #NAME# --[OPTIONS...]" #: ../front_pwquality_cli.sh:43 msgid " example: #NAME# --difok 6" -msgstr "" +msgstr " пример: #NAME# --difok 6" #: ../front_pwquality_cli.sh:44 msgid " example: #NAME# d 6" -msgstr "" +msgstr " пример: #NAME# d 6" #: ../front_pwquality_cli.sh:45 msgid "" "#NAME# allows you to manage the file configuration for pwquality in the cli " "option. A GUI version is also available: #NAME2#" msgstr "" +"#NAME# позволяет управлять конфигом pwquality через cli. " +"Также доступна гарфическая версия: #NAME2#" #: ../front_pwquality_cli.sh:47 msgid " Options:" -msgstr "" +msgstr " Параметры:" #: ../front_pwquality_cli.sh:48 msgid "" @@ -296,7 +295,7 @@ msgstr "" #: ../front_pwquality.sh:31 msgid "Unable to set variable %s" -msgstr "" +msgstr "Невозможно установить переменную %s" #: ../front_pwquality.sh:37 msgid "linux-infosec-setupper" @@ -304,11 +303,11 @@ msgstr "" #: ../front_pwquality.sh:37 msgid "Password policies setup" -msgstr "" +msgstr "Настройка политики сложности паролей" #: ../front_pwquality.sh:37 msgid "Load defaults!view-refresh:3" -msgstr "" +msgstr "Сбросить настройки!view-refresh:3" #: ../front_pwquality.sh:37 msgid "yad-save:0" 
@@ -323,6 +322,7 @@ msgid "" "Number of characters in the new password that must not be present in the old " "password::LBL" msgstr "" +"Количество символов из нового пароля, которых не должно быть в старом пароле::LBL" #: ../front_pwquality.sh:37 msgid "${_tag1}Value (difok)${_tag2}:NUM" @@ -330,7 +330,7 @@ msgstr "" #: ../front_pwquality.sh:37 msgid "Minimum acceptable size for the new password::LBL" -msgstr "" +msgstr "Минимальный допустимый размер нового пароля::LBL" #: ../front_pwquality.sh:37 msgid "${_tag1}Value (minlen)${_tag2}:NUM" @@ -338,7 +338,7 @@ msgstr "" #: ../front_pwquality.sh:37 msgid "The maximum credit for having digits in the new password::LBL" -msgstr "" +msgstr "Максималньый кредит на цифры в новом пароле::LBL" #: ../front_pwquality.sh:37 msgid "${_tag1}Value (dcredit)${_tag2}:NUM" @@ -347,7 +347,7 @@ msgstr "" #: ../front_pwquality.sh:37 msgid "" "The maximum credit for having uppercase characters in the new password::LBL" -msgstr "" +msgstr "Максимальный кредит на заглавные буквы в новом пароле::LBL" #: ../front_pwquality.sh:37 msgid "${_tag1}Value (ucredit)${_tag2}:NUM" @@ -356,7 +356,7 @@ msgstr "" #: ../front_pwquality.sh:37 msgid "" "The maximum credit for having lowercase characters in the new password::LBL" -msgstr "" +msgstr "Максимальный кредит на строчные буквы в новом пароле::LBL" #: ../front_pwquality.sh:37 msgid "${_tag1}Value (lcredit)${_tag2}:NUM" @@ -364,7 +364,7 @@ msgstr "" #: ../front_pwquality.sh:37 msgid "The maximum credit for having other characters in the new password::LBL" -msgstr "" +msgstr "Максимальный кредит на осталньые символы в новом пароле" #: ../front_pwquality.sh:37 msgid "${_tag1}Value (ocredit)${_tag2}:NUM" @@ -374,7 +374,7 @@ msgstr "" msgid "" "The minimum number of required classes of characters for the new password::" "LBL" -msgstr "" +msgstr "Минимальное необходимое кол-во типов символов в новом пароле::LBL" #: ../front_pwquality.sh:37 msgid "${_tag1}Value (minclass)${_tag2}:NUM" 
diff --git a/polkit/linux-infosec-setupper-pwquality-gui.sh b/polkit/linux-infosec-setupper-pwquality-gui.sh new file mode 100644 index 0000000..4007798 --- /dev/null +++ b/polkit/linux-infosec-setupper-pwquality-gui.sh @@ -0,0 +1,2 @@ +#!/bin/sh +pkexec /usr/sbin/linux-infosec-setupper-pwquality-gui $@ diff --git a/polkit/org.nixtux.pkexec.linux-infosec-setupper-pwquality-gui.policy b/polkit/org.nixtux.pkexec.linux-infosec-setupper-pwquality-gui.policy new file mode 100644 index 0000000..bedb988 --- /dev/null +++ b/polkit/org.nixtux.pkexec.linux-infosec-setupper-pwquality-gui.policy @@ -0,0 +1,23 @@ + + + + + NixTux + https://nixtux.ru + gcr-key + + + GUI to setup pwquality configs + Графический инструмент для настройки политики сложности паролей + Enter password to run it + Введите пароль для запуска + + auth_admin + auth_admin + auth_admin + + /usr/sbin/linux-infosec-setupper-pwquality-gui + true + + diff --git a/test_back_auditd.sh b/test_back_auditd.sh index e180597..c8b4332 100755 --- a/test_back_auditd.sh +++ b/test_back_auditd.sh 
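Review bot: `$@` is unquoted in the new wrapper `polkit/linux-infosec-setupper-pwquality-gui.sh`, so arguments are re-split on whitespace and glob-expanded by the unprivileged shell before they reach a program that pkexec runs as root. Quote it, and use `exec` so no extra shell process stays around: `exec pkexec /usr/sbin/linux-infosec-setupper-pwquality-gui "$@"`.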
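Review bot: The new policy file points pkexec at the yad front-end itself (`/usr/sbin/linux-infosec-setupper-pwquality-gui`), so the whole GUI and its shell script run as root on the user's display. The element markup was lost in this rendering, so I am assuming the `true` after the exec path is the `org.freedesktop.policykit.exec.allow_gui` annotation and the three `auth_admin` values are `allow_any`, `allow_inactive` and `allow_active`. A narrower design keeps the GUI unprivileged and authorises only the CLI backend (`/usr/sbin/linux-infosec-setupper-pwquality-cli`) to write the configuration. If the GUI has to stay privileged, consider `no` for `allow_any` and `allow_inactive` so that only an active local session can authenticate.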
@@ -29,9 +29,9 @@ _main(){
 [ "$(md5sum "${DESTDIR}"/etc/systemd/system/auditd.service.d/90-linux-infosec-setupper-auditd-firewall.conf | awk '{print $1}')" = 27f8c93280d21e8b0d4b399ac234b663 ] ;} || \
 { echo failed test 2; failed="$((++failed))"; }
 _mk_auditd_config --log_group root || { echo failed test 3; failed="$((++failed))"; }
- [ "$(md5sum "${VAR_DIR_AUDIT}/auditd-conf.sh" | awk '{print $1}')" = 86564ff0e5e2137f49415186487f0152 ] || { echo failed test 4; failed="$((++failed))"; }
+ [ "$(md5sum "${VAR_DIR_AUDIT}/auditd-conf.sh" | awk '{print $1}')" = 83a7bb6d8d24378e398d597430e27f0e ] || { echo failed test 4; failed="$((++failed))"; }
 _mk_auditd_config || { echo failed test 5; failed="$((++failed))"; }
- [ "$(md5sum "${VAR_DIR_AUDIT}/auditd-conf.sh" | awk '{print $1}')" = 86564ff0e5e2137f49415186487f0152 ] || { echo failed test 6; failed="$((++failed))"; }
+ [ "$(md5sum "${VAR_DIR_AUDIT}/auditd-conf.sh" | awk '{print $1}')" = 83a7bb6d8d24378e398d597430e27f0e ] || { echo failed test 6; failed="$((++failed))"; }
 ! _mk_auditd_config --local_events xuy || { echo failed test 7; failed="$((++failed))"; }
 _mk_auditd_config --systemd-firewalling-params "--IPAddressDeny any --IPAddressAllow 192.168.10.1/24 --IPAddressAllow 192.168.20.1" || { echo failed test 8; failed="$((++failed))"; }
 [ "$(md5sum "${DESTDIR}"/etc/systemd/system/auditd.service.d/90-linux-infosec-setupper-auditd-firewall.conf | awk '{print $1}')" = 27f8c93280d21e8b0d4b399ac234b663 ] || { echo failed test 9; failed="$((++failed))"; }
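Review bot: The expected digest for `auditd-conf.sh` changes in tests 4 and 6, but none of the other five files in this patch looks like the code that generates that file, and the commit message does not say why the output changed. A bare `md5sum` comparison also gives no hint of what differs when it fails, which matters for a file that configures auditing. Comparing against a checked-in expected file would make such changes reviewable, e.g. `diff -u <expected-file> "${VAR_DIR_AUDIT}/auditd-conf.sh"` (the first path is a placeholder). `_main` starts and ends outside this hunk.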