~canonical-hw-cert/charms/xenial/snappy-device-agent/trunk

« back to all changes in this revision

Viewing changes to hooks/charmhelpers/contrib/hardening/host/checks/minimize_access.py

Committer: Paul Larson
Date: 2016-05-16 20:27:32 UTC
Revision ID: paul.larson@canonical.com-20160516202732-9r4nkyl2f91w9xo3

Add support for xenial

files added:
hooks/charmhelpers/cli

hooks/charmhelpers/cli/README.rst

hooks/charmhelpers/cli/__init__.py

hooks/charmhelpers/cli/benchmark.py

hooks/charmhelpers/cli/commands.py

hooks/charmhelpers/cli/hookenv.py

hooks/charmhelpers/cli/host.py

hooks/charmhelpers/cli/unitdata.py

hooks/charmhelpers/context.py

hooks/charmhelpers/contrib/benchmark

hooks/charmhelpers/contrib/benchmark/__init__.py

hooks/charmhelpers/contrib/charmhelpers/IMPORT

hooks/charmhelpers/contrib/charmsupport/IMPORT

hooks/charmhelpers/contrib/hardening

hooks/charmhelpers/contrib/hardening/README.hardening.md

hooks/charmhelpers/contrib/hardening/__init__.py

hooks/charmhelpers/contrib/hardening/apache

hooks/charmhelpers/contrib/hardening/apache/__init__.py

hooks/charmhelpers/contrib/hardening/apache/checks

hooks/charmhelpers/contrib/hardening/apache/checks/__init__.py

hooks/charmhelpers/contrib/hardening/apache/checks/config.py

hooks/charmhelpers/contrib/hardening/apache/templates

hooks/charmhelpers/contrib/hardening/apache/templates/alias.conf

hooks/charmhelpers/contrib/hardening/apache/templates/hardening.conf

hooks/charmhelpers/contrib/hardening/audits

hooks/charmhelpers/contrib/hardening/audits/__init__.py

hooks/charmhelpers/contrib/hardening/audits/apache.py

hooks/charmhelpers/contrib/hardening/audits/apt.py

hooks/charmhelpers/contrib/hardening/audits/file.py

hooks/charmhelpers/contrib/hardening/defaults

hooks/charmhelpers/contrib/hardening/defaults/apache.yaml

hooks/charmhelpers/contrib/hardening/defaults/apache.yaml.schema

hooks/charmhelpers/contrib/hardening/defaults/mysql.yaml

hooks/charmhelpers/contrib/hardening/defaults/mysql.yaml.schema

hooks/charmhelpers/contrib/hardening/defaults/os.yaml

hooks/charmhelpers/contrib/hardening/defaults/os.yaml.schema

hooks/charmhelpers/contrib/hardening/defaults/ssh.yaml

hooks/charmhelpers/contrib/hardening/defaults/ssh.yaml.schema

hooks/charmhelpers/contrib/hardening/harden.py

hooks/charmhelpers/contrib/hardening/host

hooks/charmhelpers/contrib/hardening/host/__init__.py

hooks/charmhelpers/contrib/hardening/host/checks

hooks/charmhelpers/contrib/hardening/host/checks/__init__.py

hooks/charmhelpers/contrib/hardening/host/checks/apt.py

hooks/charmhelpers/contrib/hardening/host/checks/limits.py

hooks/charmhelpers/contrib/hardening/host/checks/login.py

hooks/charmhelpers/contrib/hardening/host/checks/minimize_access.py

hooks/charmhelpers/contrib/hardening/host/checks/pam.py

hooks/charmhelpers/contrib/hardening/host/checks/profile.py

hooks/charmhelpers/contrib/hardening/host/checks/securetty.py

hooks/charmhelpers/contrib/hardening/host/checks/suid_sgid.py

hooks/charmhelpers/contrib/hardening/host/checks/sysctl.py

hooks/charmhelpers/contrib/hardening/host/templates

hooks/charmhelpers/contrib/hardening/host/templates/10.hardcore.conf

hooks/charmhelpers/contrib/hardening/host/templates/99-juju-hardening.conf

hooks/charmhelpers/contrib/hardening/host/templates/login.defs

hooks/charmhelpers/contrib/hardening/host/templates/modules

hooks/charmhelpers/contrib/hardening/host/templates/passwdqc.conf

hooks/charmhelpers/contrib/hardening/host/templates/pinerolo_profile.sh

hooks/charmhelpers/contrib/hardening/host/templates/securetty

hooks/charmhelpers/contrib/hardening/host/templates/tally2

hooks/charmhelpers/contrib/hardening/mysql

hooks/charmhelpers/contrib/hardening/mysql/__init__.py

hooks/charmhelpers/contrib/hardening/mysql/checks

hooks/charmhelpers/contrib/hardening/mysql/checks/__init__.py

hooks/charmhelpers/contrib/hardening/mysql/checks/config.py

hooks/charmhelpers/contrib/hardening/mysql/templates

hooks/charmhelpers/contrib/hardening/mysql/templates/hardening.cnf

hooks/charmhelpers/contrib/hardening/ssh

hooks/charmhelpers/contrib/hardening/ssh/__init__.py

hooks/charmhelpers/contrib/hardening/ssh/checks

hooks/charmhelpers/contrib/hardening/ssh/checks/__init__.py

hooks/charmhelpers/contrib/hardening/ssh/checks/config.py

hooks/charmhelpers/contrib/hardening/ssh/templates

hooks/charmhelpers/contrib/hardening/ssh/templates/ssh_config

hooks/charmhelpers/contrib/hardening/ssh/templates/sshd_config

hooks/charmhelpers/contrib/hardening/templating.py

hooks/charmhelpers/contrib/hardening/utils.py

hooks/charmhelpers/contrib/mellanox

hooks/charmhelpers/contrib/mellanox/__init__.py

hooks/charmhelpers/contrib/mellanox/infiniband.py

hooks/charmhelpers/contrib/openstack/files

hooks/charmhelpers/contrib/openstack/files/__init__.py

hooks/charmhelpers/contrib/openstack/files/check_haproxy.sh

hooks/charmhelpers/contrib/openstack/files/check_haproxy_queue_depth.sh

hooks/charmhelpers/contrib/openstack/templates/ceph.conf

hooks/charmhelpers/contrib/openstack/templates/git.upstart

hooks/charmhelpers/contrib/openstack/templates/haproxy.cfg

hooks/charmhelpers/contrib/openstack/templates/openstack_https_frontend

hooks/charmhelpers/contrib/openstack/templates/openstack_https_frontend.conf

hooks/charmhelpers/contrib/openstack/templates/section-keystone-authtoken

hooks/charmhelpers/contrib/openstack/templates/section-keystone-authtoken-legacy

hooks/charmhelpers/contrib/openstack/templates/section-keystone-authtoken-mitaka

hooks/charmhelpers/contrib/openstack/templates/section-rabbitmq-oslo

hooks/charmhelpers/contrib/openstack/templates/section-zeromq

hooks/charmhelpers/coordinator.py

hooks/charmhelpers/core/files.py

hooks/charmhelpers/core/hugepage.py

hooks/charmhelpers/core/kernel.py

hooks/charmhelpers/core/strutils.py

templates/snappy-device-agent.env

templates/snappy-device-agent.service

files modified:
hooks/actions.py

hooks/charmhelpers/contrib/amulet/deployment.py

hooks/charmhelpers/contrib/amulet/utils.py

hooks/charmhelpers/contrib/ansible/__init__.py

hooks/charmhelpers/contrib/charmsupport/nrpe.py

hooks/charmhelpers/contrib/database/mysql.py

hooks/charmhelpers/contrib/hahelpers/cluster.py

hooks/charmhelpers/contrib/network/ip.py

hooks/charmhelpers/contrib/network/ovs/__init__.py

hooks/charmhelpers/contrib/network/ufw.py

hooks/charmhelpers/contrib/openstack/amulet/deployment.py

hooks/charmhelpers/contrib/openstack/amulet/utils.py

hooks/charmhelpers/contrib/openstack/context.py

hooks/charmhelpers/contrib/openstack/ip.py

hooks/charmhelpers/contrib/openstack/neutron.py

hooks/charmhelpers/contrib/openstack/templating.py

hooks/charmhelpers/contrib/openstack/utils.py

hooks/charmhelpers/contrib/peerstorage/__init__.py

hooks/charmhelpers/contrib/python/packages.py

hooks/charmhelpers/contrib/ssl/service.py

hooks/charmhelpers/contrib/storage/linux/ceph.py

hooks/charmhelpers/contrib/storage/linux/loopback.py

hooks/charmhelpers/contrib/storage/linux/utils.py

hooks/charmhelpers/contrib/templating/contexts.py

hooks/charmhelpers/contrib/templating/jinja.py

hooks/charmhelpers/contrib/unison/__init__.py

hooks/charmhelpers/core/fstab.py

hooks/charmhelpers/core/hookenv.py

hooks/charmhelpers/core/host.py

hooks/charmhelpers/core/services/base.py

hooks/charmhelpers/core/services/helpers.py

hooks/charmhelpers/core/templating.py

hooks/charmhelpers/core/unitdata.py

hooks/charmhelpers/fetch/__init__.py

hooks/charmhelpers/fetch/archiveurl.py

hooks/charmhelpers/fetch/bzrurl.py

hooks/charmhelpers/fetch/giturl.py

hooks/hooks.py

hooks/services.py

Show diffs side-by-side

added added

removed removed

hooks/charmhelpers/contrib/hardening/host/checks/minimize_access.py

# This file is part of charm-helpers.

# charm-helpers is free software: you can redistribute it and/or modify

# it under the terms of the GNU Lesser General Public License version 3 as

# published by the Free Software Foundation.

# charm-helpers is distributed in the hope that it will be useful,

# but WITHOUT ANY WARRANTY; without even the implied warranty of

# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the

# GNU Lesser General Public License for more details.

# You should have received a copy of the GNU Lesser General Public License

# along with charm-helpers. If not, see <http://www.gnu.org/licenses/>.

from charmhelpers.contrib.hardening.audits.file import (

FilePermissionAudit,

ReadOnly,

)

from charmhelpers.contrib.hardening import utils

def get_audits():

"""Get OS hardening access audits.

:returns: dictionary of audits

"""

audits = []

settings = utils.get_settings('os')

# Remove write permissions from $PATH folders for all regular users.

# This prevents changing system-wide commands from normal users.

path_folders = {'/usr/local/sbin',

'/usr/local/bin',

'/usr/sbin',

'/usr/bin',

'/bin'}

extra_user_paths = settings['environment']['extra_user_paths']

path_folders.update(extra_user_paths)

audits.append(ReadOnly(path_folders))

# Only allow the root user to have access to the shadow file.

audits.append(FilePermissionAudit('/etc/shadow', 'root', 'root', 0o0600))

if 'change_user' not in settings['security']['users_allow']:

# su should only be accessible to user and group root, unless it is

# expressly defined to allow users to change to root via the

# security_users_allow config option.

audits.append(FilePermissionAudit('/bin/su', 'root', 'root', 0o750))

return audits

Older »