~junaidali/charms/trusty/plumgrid-director/mgmt

~junaidali/charms/trusty/plumgrid-director/mgmt_val

Viewing changes to hooks/charmhelpers/contrib/hardening/host/checks/pam.py

Committer: bbaqar at plumgrid
Date: 2016-05-18 09:48:39 UTC
mfrom: (31.1.8 plumgrid-director)
Revision ID: bbaqar@plumgrid.com-20160518094839-gfvrpxkwh3u08z0y

Merge - Mitaka changes
- Created new relation with neutron-api-plumgrid
- getting pg creds in config
- nginx conf changes for middleware

files added:
hooks/plumgrid-configs-relation-joined

files removed:
hooks/charmhelpers/contrib/ansible

hooks/charmhelpers/contrib/ansible/__init__.py

hooks/charmhelpers/contrib/benchmark

hooks/charmhelpers/contrib/benchmark/__init__.py

hooks/charmhelpers/contrib/charmhelpers

hooks/charmhelpers/contrib/charmhelpers/__init__.py

hooks/charmhelpers/contrib/charmsupport

hooks/charmhelpers/contrib/charmsupport/__init__.py

hooks/charmhelpers/contrib/charmsupport/nrpe.py

hooks/charmhelpers/contrib/charmsupport/volumes.py

hooks/charmhelpers/contrib/database

hooks/charmhelpers/contrib/database/__init__.py

hooks/charmhelpers/contrib/database/mysql.py

hooks/charmhelpers/contrib/hardening

hooks/charmhelpers/contrib/hardening/__init__.py

hooks/charmhelpers/contrib/hardening/apache

hooks/charmhelpers/contrib/hardening/apache/__init__.py

hooks/charmhelpers/contrib/hardening/apache/checks

hooks/charmhelpers/contrib/hardening/apache/checks/__init__.py

hooks/charmhelpers/contrib/hardening/apache/checks/config.py

hooks/charmhelpers/contrib/hardening/audits

hooks/charmhelpers/contrib/hardening/audits/__init__.py

hooks/charmhelpers/contrib/hardening/audits/apache.py

hooks/charmhelpers/contrib/hardening/audits/apt.py

hooks/charmhelpers/contrib/hardening/audits/file.py

hooks/charmhelpers/contrib/hardening/harden.py

hooks/charmhelpers/contrib/hardening/host

hooks/charmhelpers/contrib/hardening/host/__init__.py

hooks/charmhelpers/contrib/hardening/host/checks

hooks/charmhelpers/contrib/hardening/host/checks/__init__.py

hooks/charmhelpers/contrib/hardening/host/checks/apt.py

hooks/charmhelpers/contrib/hardening/host/checks/limits.py

hooks/charmhelpers/contrib/hardening/host/checks/login.py

hooks/charmhelpers/contrib/hardening/host/checks/minimize_access.py

hooks/charmhelpers/contrib/hardening/host/checks/pam.py

hooks/charmhelpers/contrib/hardening/host/checks/profile.py

hooks/charmhelpers/contrib/hardening/host/checks/securetty.py

hooks/charmhelpers/contrib/hardening/host/checks/suid_sgid.py

hooks/charmhelpers/contrib/hardening/host/checks/sysctl.py

hooks/charmhelpers/contrib/hardening/mysql

hooks/charmhelpers/contrib/hardening/mysql/__init__.py

hooks/charmhelpers/contrib/hardening/mysql/checks

hooks/charmhelpers/contrib/hardening/mysql/checks/__init__.py

hooks/charmhelpers/contrib/hardening/mysql/checks/config.py

hooks/charmhelpers/contrib/hardening/ssh

hooks/charmhelpers/contrib/hardening/ssh/__init__.py

hooks/charmhelpers/contrib/hardening/ssh/checks

hooks/charmhelpers/contrib/hardening/ssh/checks/__init__.py

hooks/charmhelpers/contrib/hardening/ssh/checks/config.py

hooks/charmhelpers/contrib/hardening/templating.py

hooks/charmhelpers/contrib/hardening/utils.py

hooks/charmhelpers/contrib/mellanox

hooks/charmhelpers/contrib/mellanox/__init__.py

hooks/charmhelpers/contrib/mellanox/infiniband.py

hooks/charmhelpers/contrib/peerstorage

hooks/charmhelpers/contrib/peerstorage/__init__.py

hooks/charmhelpers/contrib/saltstack

hooks/charmhelpers/contrib/saltstack/__init__.py

hooks/charmhelpers/contrib/ssl

hooks/charmhelpers/contrib/ssl/__init__.py

hooks/charmhelpers/contrib/ssl/service.py

hooks/charmhelpers/contrib/templating

hooks/charmhelpers/contrib/templating/__init__.py

hooks/charmhelpers/contrib/templating/contexts.py

hooks/charmhelpers/contrib/templating/jinja.py

hooks/charmhelpers/contrib/templating/pyformat.py

hooks/charmhelpers/contrib/unison

hooks/charmhelpers/contrib/unison/__init__.py

files modified:
charm-helpers-sync.yaml

config.yaml

hooks/pg_dir_hooks.py

hooks/pg_dir_utils.py

metadata.yaml

templates/kilo/nginx.conf

unit_tests/test_pg_dir_hooks.py

Show diffs side-by-side

added added

removed removed

hooks/charmhelpers/contrib/hardening/host/checks/pam.py

# This file is part of charm-helpers.

# charm-helpers is free software: you can redistribute it and/or modify

# it under the terms of the GNU Lesser General Public License version 3 as

# published by the Free Software Foundation.

# charm-helpers is distributed in the hope that it will be useful,

# but WITHOUT ANY WARRANTY; without even the implied warranty of

# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the

# GNU Lesser General Public License for more details.

# You should have received a copy of the GNU Lesser General Public License

# along with charm-helpers. If not, see <http://www.gnu.org/licenses/>.

from subprocess import (

check_output,

CalledProcessError,

)

from charmhelpers.core.hookenv import (

log,

DEBUG,

ERROR,

)

from charmhelpers.fetch import (

apt_install,

apt_purge,

apt_update,

)

from charmhelpers.contrib.hardening.audits.file import (

TemplatedFile,

DeletedFile,

)

from charmhelpers.contrib.hardening import utils

from charmhelpers.contrib.hardening.host import TEMPLATES_DIR

def get_audits():

"""Get OS hardening PAM authentication audits.

:returns: dictionary of audits

"""

audits = []

settings = utils.get_settings('os')

if settings['auth']['pam_passwdqc_enable']:

audits.append(PasswdqcPAM('/etc/passwdqc.conf'))

if settings['auth']['retries']:

audits.append(Tally2PAM('/usr/share/pam-configs/tally2'))

else:

audits.append(DeletedFile('/usr/share/pam-configs/tally2'))

return audits

class PasswdqcPAMContext(object):

def __call__(self):

ctxt = {}

settings = utils.get_settings('os')

ctxt['auth_pam_passwdqc_options'] = \

settings['auth']['pam_passwdqc_options']

return ctxt

class PasswdqcPAM(TemplatedFile):

"""The PAM Audit verifies the linux PAM settings."""

def __init__(self, path):

super(PasswdqcPAM, self).__init__(path=path,

template_dir=TEMPLATES_DIR,

context=PasswdqcPAMContext(),

user='root',

group='root',

mode=0o0640)

def pre_write(self):

# Always remove?

for pkg in ['libpam-ccreds', 'libpam-cracklib']:

log("Purging package '%s'" % pkg, level=DEBUG),

apt_purge(pkg)

apt_update(fatal=True)

for pkg in ['libpam-passwdqc']:

log("Installing package '%s'" % pkg, level=DEBUG),

apt_install(pkg)

def post_write(self):

"""Updates the PAM configuration after the file has been written"""

try:

check_output(['pam-auth-update', '--package'])

except CalledProcessError as e:

log('Error calling pam-auth-update: %s' % e, level=ERROR)

100

101

class Tally2PAMContext(object):

102

103

def __call__(self):

104

ctxt = {}

105

settings = utils.get_settings('os')

106

107

ctxt['auth_lockout_time'] = settings['auth']['lockout_time']

108

ctxt['auth_retries'] = settings['auth']['retries']

109

110

return ctxt

111

112

113

class Tally2PAM(TemplatedFile):

114

"""The PAM Audit verifies the linux PAM settings."""

115

def __init__(self, path):

116

super(Tally2PAM, self).__init__(path=path,

117

template_dir=TEMPLATES_DIR,

118

context=Tally2PAMContext(),

119

user='root',

120

group='root',

121

mode=0o0640)

122

123

def pre_write(self):

124

# Always remove?

125

apt_purge('libpam-ccreds')

126

apt_update(fatal=True)

127

apt_install('libpam-modules')

128

129

def post_write(self):

130

"""Updates the PAM configuration after the file has been written"""

131

try:

132

check_output(['pam-auth-update', '--package'])

133

except CalledProcessError as e:

134

log('Error calling pam-auth-update: %s' % e, level=ERROR)

Older »