Rework front audit gui

3 years ago · f1cfc301ad
parent 79d3f3a88b
commit f1cfc301ad
4 changed files with 56 additions and 51 deletions
--- a/DESTDIR/.gitignore
+++ b/DESTDIR/.gitignore
@ -1,2 +0,0 @@
-etc/audit/auditd.conf
-var/lib/linux-infosec-setupper/audit/auditd-conf.sh
--- a/DESTDIR/etc/security/pwquality.conf
+++ b/DESTDIR/etc/security/pwquality.conf
@ -1,5 +1,5 @@
-difok = 99
-minlen = 7
+difok = 1
+minlen = 6
 dcredit = 0
 ucredit = 0
 lcredit = 0
@ -10,8 +10,7 @@ maxsequence = 0
 maxclassrepeat = 0
 gecoscheck = FALSE
 dictcheck = 1
-usercheck = 0
+usercheck = 1
 usersubstr = 0
 enforcing = 1
 retry = 1
-enforce_for_root
--- a/back_auditd.sh
+++ b/back_auditd.sh
@ -153,8 +153,8 @@ _audit_variables(){
 	disk_error_action="halt"
 	tcp_listen_port=""
 	tcp_max_per_addr=""
-	systemd_allowed_ip_list="1 1"
-	systemd_denied_ip_list="2 2"
+	systemd_allowed_ip_list=""
+	systemd_denied_ip_list=""
 }

 _mk_auditd_config(){
--- a/front_auditd.sh
+++ b/front_auditd.sh
@ -16,26 +16,29 @@ if ! [ -f "${VAR_DIR_AUDIT}/auditd-conf.sh}" ]; then
 	_mk_auditd_config || { error $"Unable to read file %s" "${VAR_DIR_AUDIT}/auditd-conf.sh"; exit 1; }
 fi

-_source_conf() {
 source "${VAR_DIR_AUDIT}/auditd-conf.sh" || exit 1
-}
-_source_conf

 # For yad checkboxes, the words TRUE or FALSE are required.
 # We change the following parameters no to FALSE and yes to TRUE
-_yad_declare() {
 for i in local_events write_logs distribute_network; do
 	# The variables have the same name as the lines in the config
 	eval 'if [[ $'$i' == "yes" ]]; then declare $i=TRUE; else declare $i=FALSE; fi' || { error $"Unable to set variable %s" "$i"; exit 1; }
 done
-}
-_yad_declare

 _tag1="<span weight='bold'>"
 _tag2="</span>"
 _NUMBER="$(( ${RANDOM:0:4} * 13 ))"
+_umask="$(umask)"
+umask 0077
+_temp_file1="$(mktemp front_audit1.XXXXXXXX)"
+_temp_file2="$(mktemp front_audit2.XXXXXXXX)"
+umask "$_umask"
+_rm_temp() {
+	rm -f "$_temp_file1" "$_temp_file2"
+	exit 0
+}
+trap _rm_temp EXIT

-_yad() {
 yad --plug=$_NUMBER --tabnum=1 --form \
 	--text-align=center \
 	--bool-fmt=T \
@ -45,7 +48,7 @@ yad --plug=$_NUMBER --tabnum=1 --form \
 	--field=$"Local events::LBL" "!" \
 	  --field=$"(Status) Local events:CHK" "${local_events:-FALSE}" \
 	--field=$"Log file::LBL" "!" \
-	  --field=$"${_tag1}(String) Log file${_tag2}" "${log_file:--}" \
+	  --field=$"${_tag1}(String) Log file${_tag2}:SFL" "${log_file}" \
 	--field=$"Write logs::LBL" "!" \
 	  --field=$"(Status) Write logs:CHK" "${write_logs:-FALSE}" \
 	--field=$"Log format::LBL" "!" \
@ -55,7 +58,7 @@ yad --plug=$_NUMBER --tabnum=1 --form \
 	--field=$"Priority boost::LBL" "!" \
 	  --field=$"${_tag1}(Value) Priority boost${_tag2}:NUM" "${priority_boost:-0}!" \
 	--field=$"Flush::LBL" "!" \
-	--field=$"(Value) Flush:CHK" "$(if [ -n "$flush" ]; then echo "none!incremental!incremental_async!data!sync!" | sed "s/$flush\!/\^$flush\!/g;s/\!\$//"; else echo "none!incremental!incremental_async!data!sync"; fi)" \
+	--field=$"(Value) Flush:CB" "$(if [ -n "$flush" ]; then echo "none!incremental!incremental_async!data!sync!" | sed "s/$flush\!/\^$flush\!/g;s/\!\$//"; else echo "none!incremental!incremental_async!data!sync"; fi)" \
 	--field=$"Freq::LBL" "!" \
 	  --field=$"${_tag1}(Value) Freq${_tag2}:NUM" "${freq:-0}!" \
 	--field=$"Max log fileaction::LBL" "!" \
@ -65,17 +68,17 @@ yad --plug=$_NUMBER --tabnum=1 --form \
 	--field=$"Disp Qos::LBL" "!" \
 	  --field=$"${_tag1}(Value) Disp Qos${_tag2}:CB" "$(if [ -n "$disp_qos" ]; then echo "lossy!lossless!" | sed "s/$disp_qos\!/\^$disp_qos\!/g;s/\!\$//"; else echo "lossy!lossless"; fi)" \
 	--field=$"Dispatcher::LBL" "!" \
-	  --field=$"${_tag1}(String) dispatcher${_tag2}" "${dispatcher}" \
+	  --field=$"${_tag1}(String) dispatcher${_tag2}:SFL" "${dispatcher}" \
 	--field=$"Distribute network::LBL" "!" \
 	  --field=$"(Status) Distribute network:CHK" "${distribute_network:-FALSE}" \
 	--field=$"Name format::LBL" "!" \
 	  --field=$"${_tag1}(Value) Name format${_tag2}:CB" "$(if [ -n "$name_format" ]; then echo "none!hostname!fqd!numeric!user!" | sed "s/$name_format\!/\^$name_format\!/g;s/\!\$//"; else echo "none!hostname!fqd!numeric!user"; fi)" \
 	--field=$"Name::LBL" "!" \
-	  --field=$"${_tag1}(String) Name${_tag2}" "${name:--}" \
+	  --field=$"${_tag1}(String) Name${_tag2}" "${name}" \
 	--field=$"Max log file::LBL" "!" \
 	  --field=$"${_tag1}(Value) Max log file${_tag2}:NUM" "${max_log_file:-0}!" \
 	--field=$"Action Mail Acct::LBL" "!" \
-	  --field=$"${_tag1}(String) Action Mail Acct${_tag2}:" "${action_mail_acct:--}" \
+	  --field=$"${_tag1}(String) Action Mail Acct${_tag2}:" "${action_mail_acct}" \
 	--field=$"Space left::LBL" "!" \
 	  --field=$"${_tag1}(Value) Space left${_tag2}:NUM" "${space_left:-0}!" \
 	--field=$"Space left action::LBL" "!" \
@ -83,7 +86,7 @@ yad --plug=$_NUMBER --tabnum=1 --form \
 	--field=$"Disk full action::LBL" "!" \
 	  --field=$"${_tag1}(String) Disk full action${_tag2}:CBE" "$(if [ -n "$disk_full_action" ]; then echo "ignore!syslog!rotate!email!suspend!single!halt!exec!" | sed "s/$disk_full_action\!/\^$disk_full_action\!/g;s/\!\$//"; else echo "ignore!syslog!rotate!email!suspend!single!halt!exec"; fi)" \
 	--field=$"Disk error action::LBL" "!" \
-	  --field=$"${_tag1}(String) Disk error action${_tag2}:CBE" "$(if [ -n "$disk_error_action" ]; then echo "ignore!syslog!rotate!email!suspend!single!halt!exec!" | sed "s/$disk_error_action\!/\^$disk_error_action\!/g;s/\!\$//"; else echo "ignore!syslog!rotate!email!suspend!single!halt!exec"; fi)" &
+	  --field=$"${_tag1}(String) Disk error action${_tag2}:CBE" "$(if [ -n "$disk_error_action" ]; then echo "ignore!syslog!rotate!email!suspend!single!halt!exec!" | sed "s/$disk_error_action\!/\^$disk_error_action\!/g;s/\!\$//"; else echo "ignore!syslog!rotate!email!suspend!single!halt!exec"; fi)" &>"$_temp_file1" &

 yad --plug=$_NUMBER --tabnum=2 --form \
 	--text-align=center \
@ -97,26 +100,24 @@ yad --plug=$_NUMBER --tabnum=2 --form \
 	  --field=$"${_tag1}(Value) Tcp max per addr${_tag2}::NUM" "${tcp_max_per_addr_port:-1}!1..65535!1" \
 	--field=$"Systemd firewalling params:LBL" "!" \
 	  --field=$"${_tag1}(Value) Allowed IPs${_tag2}::TXT" "$(echo -e "${systemd_allowed_ip_list// /\\n}")" \
-	  --field=$"${_tag1}(Value) Denied IPs${_tag2}::TXT" "$(echo -e "${systemd_denied_ip_list// /\\n}")" &
+	  --field=$"${_tag1}(Value) Denied IPs${_tag2}::TXT" "$(echo -e "${systemd_denied_ip_list// /\\n}")" &>"$_temp_file2" &

 #systemd-firewalling-params
-var="$(yad --key=$_NUMBER --notebook --stack --expand --tab=$"Audit" --tab=$"Network" \
+yad --key=$_NUMBER --notebook --stack --expand --tab=$"Audit" --tab=$"Network" \
 	--width=800 \
 	--height=800 \
 	--title=$"linux-infosec-setupper" \
-	--button=$"Load defaults!view-refresh:3" --button=$"yad-save:0" --button=$"yad-close:1")"
-}
+	--button=$"Load defaults!view-refresh:3" --button=$"yad-save:0" --button=$"yad-close:1"
 	_status="$?"
 # If we clicked on the "Load default" button, we decided to restore the settings.
 # The exit code after clicking on this button is 3. We restore the config if we clicked on this button
 if [ "$_status" == 3 ]; then
 	_mk_auditd_config || { error $"Unable to read file %s" "${VAR_DIR_AUDIT}/auditd-conf.sh"; exit 1; }
-	_source_conf
-	_yad_declare
-	_yad

 fi	

+var="$(<"$_temp_file1")$(<"$_temp_file2")"
+
 # If we decide to undo the changes and not change anything, the var variable will be empty.
 [ -z "$var" ] && exit 0

@ -124,26 +125,33 @@ fi
 var2="$(while read -rd '|' line; do
 	echo $line
 done <<<"$var" | sed '/^$/d' | \
-	sed 's/TRUE/1/
-	    ;s/FALSE/0/
-	    ;1s/^/--difok /
-	    ;2s/^/--minlen /
-	    ;3s/^/--dcredit /
-	    ;4s/^/--ucredit /
-	    ;5s/^/--lcredit /
-	    ;6s/^/--ocredit /
-	    ;7s/^/--minclass /
-	    ;8s/^/--maxrepeat /
-	    ;9s/^/--maxsequence /
-	    ;10s/^/--maxclassrepeat /
-	    ;11s/^/--usersubstr /
-	    ;12s/^/--retry /
-	    ;13s/^/--gecoscheck /
-	    ;14s/^/--dictcheck /
-	    ;15s/^/--usercheck /
-	    ;16s/^/--enforcing /
-	    ;17s/^/--enforce_for_root /
-	    ;18s/^/--local_users_only /' | tr '\n' ' ')"
-
-source "${SHARE_DIR_PWQUALITY}/back_pwquality.sh"
-_mk_pwquality_conf $var2 > "${DESTDIR}/etc/security/pwquality.conf" || { error $"Unable to write to file %s" "${DESTDIR}/etc/security/pwquality.conf"; exit 1; }
+	sed 's/TRUE/yes/
+	    ;s/FALSE/no/
+	    ;1s/^/--local-events /
+	    ;2s/^/--log_file /
+	    ;3s/^/--write_logs /
+	    ;4s/^/--log_format /
+	    ;5s/^/--log_group /
+	    ;6s/^/--priority_boost /
+	    ;7s/^/--flush /
+	    ;8s/^/--freq /
+	    ;9s/^/--max_log_fileaction /
+	    ;10s/^/--num_logs /
+	    ;11s/^/--disp_qos /
+	    ;12s/^/--dispatcher /
+	    ;13s/^/--distribute_network /
+	    ;14s/^/--name_format /
+	    ;15s/^/--name /
+	    ;16s/^/--max_log_file /
+	    ;17s/^/--action_mail_acct /
+	    ;18s/^/--space_left /
+	    ;19s/^/--space_left_action /
+	    ;20s/^/--disk_full_action /
+	    ;21s/^/--disk_error_action /
+	    ;22s/^/--tcp_listen_port /
+	    ;23s/^/--tcp_max_per_addr /
+	    ;24s/^/--systemd_allowed_ip_list /
+	    ;25s/^/--systemd_denied_ip_list /' | tr '\n' ' ')"
+set -e
+_mk_auditd_config $var2 || { error $"Unable to write to file %s" "${VAR_DIR_AUDIT}/auditd-conf.sh"; exit 1; }
+_write_auditd_config || { error $"Unable to write to file %s" "${VAR_DIR_AUDIT}/auditd-conf.sh"; exit 1; }