Parent

KASPAuditor::Runner

The KASPAuditor takes the signed and unsigned zones and compares them. It first parses both files, and creates transient files which are then sorted into canonical order. These files are then processed by the Auditor. If processing an NSEC3-signed file, the Auditor will create additional temporary files, which are processed after the main auditing run. This class controls the process.

Attributes

conf_file[RW]
enable_timeshift[RW]
kasp_file[RW]
signed_temp[RW]
unsigned_zone[RW]
working_folder[RW]

This the default value for the working folders, which is only used if the XML config can't be found

zone_name[RW]

Public Class Methods

new() click to toggle source
# File ../../auditor/lib/kasp_auditor.rb, line 99
def initialize
  @enable_timeshift = false
end
timeshift() click to toggle source
# File ../../auditor/lib/kasp_auditor.rb, line 259
def Runner.timeshift
  return @@timeshift
end

Public Instance Methods

change_group(gid_text) click to toggle source

def change_chroot(dir)

Dir.chroot((dir+"").untaint)

end

# File ../../auditor/lib/kasp_auditor.rb, line 385
def change_group(gid_text)
  gid = Etc.getgrnam((gid_text+"").untaint).gid
  Process::Sys.setgid(gid)
end
change_privilege(user, group) click to toggle source
# File ../../auditor/lib/kasp_auditor.rb, line 390
def change_privilege(user, group)
  return if !user && !group
  begin
    uid, gid = Process.euid, Process.egid
    target_uid = Etc.getpwnam((user+"").untaint).uid if user
    target_gid = Etc.getgrnam((group+"").untaint).gid if group

    if uid != target_uid or gid != target_gid
      Process.initgroups(user, target_gid) if target_gid

      Process::GID.change_privilege(target_gid) if target_gid

      Process::UID.change_privilege(target_uid) if target_uid
    end
  rescue Exception => e
    KASPAuditor.exit("Couldn't set User, Group to #{user.inspect}, #{group.inspect} : (#{e})", 1)
  end
end
change_uid(uid_text) click to toggle source
# File ../../auditor/lib/kasp_auditor.rb, line 376
def change_uid(uid_text)
  uid = Etc.getpwnam((uid_text+"").untaint).uid
  Process::Sys.setuid(uid)
end
configure_timeshift(syslog) click to toggle source
# File ../../auditor/lib/kasp_auditor.rb, line 263
def configure_timeshift(syslog)
  # Frig Time.now to ENV['ENFORCER_TIMESHIFT']
  if (@enable_timeshift)
    timeshift = ENV['ENFORCER_TIMESHIFT']

    # If environment variable not present, then ignore
    if (timeshift)
      # Change the time
      year = timeshift[0,4]
      mon = timeshift[4,2]
      day = timeshift[6,2]
      hour = timeshift[8,2]
      min = timeshift[10,2]
      sec = timeshift[12,2]

      syslog.log(LOG_INFO, "Timeshifting to #{timeshift}\n")
      print "Timeshifting to #{timeshift}\n"

      @@timeshift = Time.mktime(year, mon, day, hour, min, sec).to_i
      require 'time_shift.rb'
    end
  end
end
force_full() click to toggle source
# File ../../auditor/lib/kasp_auditor.rb, line 92
def force_full
  @force_full = true
  if (@force_full && @force_partial)
    raise ArgumentError.new("Can't force both full and partial auditor at once")
  end
end
force_partial() click to toggle source
# File ../../auditor/lib/kasp_auditor.rb, line 85
def force_partial
  @force_partial = true
  if (@force_partial && @force_full)
    raise ArgumentError.new("Can't force both full and partial auditor at once")
  end
end
full_audit(ret, input_file, output_file, pid, working, config, syslog, enforcer_interval) click to toggle source

Invoked the full auditor

# File ../../auditor/lib/kasp_auditor.rb, line 198
def full_audit(ret, input_file, output_file, pid, working, config, syslog, enforcer_interval)
  # Perform a full audit of every record. This requires sorting the zones canonically.
  # Preparse the input and output files
  do_audit = true
  pids=[]
  new_pid = normalise_and_sort(input_file, "in", pid, working, config, syslog)
  pids.push(new_pid)
  new_pid = normalise_and_sort(output_file, "out", pid, working, config, syslog)
  pids.push(new_pid)
  pids.each {|id|
    ret_id, ret_status = Process.wait2(id)
    if (ret_status != 0)
      syslog.log(LOG_ERR, "Error sorting files (#{input_file} and #{output_file}) : ERR #{ret_status}- moving on to next zone")
      ret = 1
      do_audit = false
    end
  }
  begin
    if (do_audit)
      # Now audit the pre-parsed and sorted file
      auditor = Auditor.new(syslog, working, enforcer_interval)
      ret_val = auditor.check_zone(config, working+get_name(input_file)+".in.sorted.#{pid}",
        working + get_name(output_file)+".out.sorted.#{pid}",
        input_file, output_file)
      ret = ret_val if (ret_val < ret)
      if ((config.err > 0) && (config.err < ret))
        ret = config.err
      end
    end
  rescue Exception=> e
    syslog.log(LOG_ERR, "Unexpected error auditing files (#{input_file} and #{output_file}) : ERR #{e}- moving on to next zone. Trace for debugging : #{e.backtrace.join("\n")}")
    ret = 1
  ensure
    [input_file + ".in", output_file + ".out"].each {|f|
      delete_file(working + get_name(f)+".parsed.#{pid}")
      delete_file(working + get_name(f)+".sorted.#{pid}")
    }
  end
  return ret
end
get_name(f) click to toggle source
# File ../../auditor/lib/kasp_auditor.rb, line 253
def get_name(f)
  # Return the filename, minus the path
  a = f.split(File::SEPARATOR)
  return File::SEPARATOR + a[a.length()-1]
end
load_privileges(doc) click to toggle source
# File ../../auditor/lib/kasp_auditor.rb, line 409
def load_privileges(doc)
  # Configuration/Privileges may be overridden by Auditor/Privileges
  #begin
  #  if (doc.elements['Configuration/Auditor/Privileges/Directory'])
  #    change_chroot(doc.elements['Configuration/Auditor/Privileges/Directory'].text)
  #  elsif (doc.elements['Configuration/Privileges/Directory'])
  #    change_chroot(doc.elements['Configuration/Privileges/Directory'].text)
  #  end
  #rescue Exception => e
  #  print "Couldn't set Configuration/Privileges/Directory (#{e})\n"
  #end
  user, group = nil
  if (doc.elements['Configuration/Auditor/Privileges/Group'])
    group=(doc.elements['Configuration/Auditor/Privileges/Group'].text)
  elsif (doc.elements['Configuration/Privileges/Group'])
    group=(doc.elements['Configuration/Privileges/Group'].text)
  end
  if (doc.elements['Configuration/Auditor/Privileges/User'])
    user=(doc.elements['Configuration/Auditor/Privileges/User'].text)
  elsif (doc.elements['Configuration/Privileges/User'])
    user=(doc.elements['Configuration/Privileges/User'].text)
  end
  change_privilege(user, group)
end
normalise_and_sort(f, prefix, pid, working, config, log) click to toggle source

Prepare the input unsigned and signed files for auditing

# File ../../auditor/lib/kasp_auditor.rb, line 240
def normalise_and_sort(f, prefix, pid, working, config, log)
  pp = Preparser.new(config, log)
  parsed_file = working+get_name(f)+".#{prefix}.parsed.#{pid}"
  sorted_file = working+get_name(f)+".#{prefix}.sorted.#{pid}"
  delete_file(parsed_file)
  delete_file(sorted_file)
  new_pid = (fork {
      pp.normalise_zone_and_add_prepended_names(f, parsed_file)
      pp.sort(parsed_file, sorted_file)
    })
  return new_pid
end
partial_audit(ret, input_file, output_file, working, config, syslog, enforcer_interval) click to toggle source

Invoke the partial auditor

# File ../../auditor/lib/kasp_auditor.rb, line 187
def partial_audit(ret, input_file, output_file, working, config, syslog, enforcer_interval)
  auditor = PartialAuditor.new(syslog, working)
  ret_val = auditor.check_zone(config, input_file, output_file, enforcer_interval)
  ret = ret_val if (ret_val < ret)
  if ((config.err > 0) && (config.err < ret))
    ret = config.err
  end
  return ret
end
run() click to toggle source

Run the auditor.

# File ../../auditor/lib/kasp_auditor.rb, line 104
def run
  conf_file = @conf_file
  @zone_name = "" if (!@zone_name)
  @zone_name.chomp(".")
  if (!conf_file)
    KASPAuditor.exit("No configuration file specified", 1)
  end
  syslog_facility, working, signer_working_folder, zonelist, kasp_file, enforcer_interval =
    load_config_xml(conf_file)
  if (@kasp_file)
    kasp_file = @kasp_file
  end

  Syslog.open("ods-auditor", Syslog::LOG_PID |
    Syslog::LOG_CONS, syslog_facility) { |syslog|
    run_with_syslog(zonelist, kasp_file, syslog, working, 
      signer_working_folder, enforcer_interval, conf_file)
  }
end

[Validate]

Generated with the Darkfish Rdoc Generator 2.