1
# Copyright 2016 Canonical Limited.
3
# Licensed under the Apache License, Version 2.0 (the "License");
4
# you may not use this file except in compliance with the License.
5
# You may obtain a copy of the License at
7
# http://www.apache.org/licenses/LICENSE-2.0
9
# Unless required by applicable law or agreed to in writing, software
10
# distributed under the License is distributed on an "AS IS" BASIS,
11
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
12
# See the License for the specific language governing permissions and
13
# limitations under the License.
15
from six import string_types
17
from charmhelpers.contrib.hardening.audits.file import TemplatedFile
18
from charmhelpers.contrib.hardening.host import TEMPLATES_DIR
19
from charmhelpers.contrib.hardening import utils
23
"""Get OS hardening login.defs audits.
25
:returns: dictionary of audits
27
audits = [TemplatedFile('/etc/login.defs', LoginContext(),
28
template_dir=TEMPLATES_DIR,
29
user='root', group='root', mode=0o0444)]
33
class LoginContext(object):
36
settings = utils.get_settings('os')
38
# Octal numbers in yaml end up being turned into decimal,
39
# so check if the umask is entered as a string (e.g. '027')
40
# or as an octal umask as we know it (e.g. 002). If its not
41
# a string assume it to be octal and turn it into an octal
43
umask = settings['environment']['umask']
44
if not isinstance(umask, string_types):
45
umask = '%s' % oct(umask)
48
'additional_user_paths':
49
settings['environment']['extra_user_paths'],
51
'pwd_max_age': settings['auth']['pw_max_age'],
52
'pwd_min_age': settings['auth']['pw_min_age'],
53
'uid_min': settings['auth']['uid_min'],
54
'sys_uid_min': settings['auth']['sys_uid_min'],
55
'sys_uid_max': settings['auth']['sys_uid_max'],
56
'gid_min': settings['auth']['gid_min'],
57
'sys_gid_min': settings['auth']['sys_gid_min'],
58
'sys_gid_max': settings['auth']['sys_gid_max'],
59
'login_retries': settings['auth']['retries'],
60
'login_timeout': settings['auth']['timeout'],
61
'chfn_restrict': settings['auth']['chfn_restrict'],
62
'allow_login_without_home': settings['auth']['allow_homeless']