1
# Copyright 2016 Canonical Limited.
3
# This file is part of charm-helpers.
5
# charm-helpers is free software: you can redistribute it and/or modify
6
# it under the terms of the GNU Lesser General Public License version 3 as
7
# published by the Free Software Foundation.
9
# charm-helpers is distributed in the hope that it will be useful,
10
# but WITHOUT ANY WARRANTY; without even the implied warranty of
11
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
12
# GNU Lesser General Public License for more details.
14
# You should have received a copy of the GNU Lesser General Public License
15
# along with charm-helpers. If not, see <http://www.gnu.org/licenses/>.
22
from charmhelpers.core.hookenv import (
26
from charmhelpers.contrib.hardening.audits.file import (
28
DirectoryPermissionAudit,
32
from charmhelpers.contrib.hardening.audits.apache import DisabledModuleAudit
33
from charmhelpers.contrib.hardening.apache import TEMPLATES_DIR
34
from charmhelpers.contrib.hardening import utils
38
"""Get Apache hardening config audits.
40
:returns: dictionary of audits
42
if subprocess.call(['which', 'apache2'], stdout=subprocess.PIPE) != 0:
43
log("Apache server does not appear to be installed on this node - "
44
"skipping apache hardening", level=INFO)
47
context = ApacheConfContext()
48
settings = utils.get_settings('apache')
50
FilePermissionAudit(paths='/etc/apache2/apache2.conf', user='root',
51
group='root', mode=0o0640),
53
TemplatedFile(os.path.join(settings['common']['apache_dir'],
54
'mods-available/alias.conf'),
59
service_actions=[{'service': 'apache2',
60
'actions': ['restart']}]),
62
TemplatedFile(os.path.join(settings['common']['apache_dir'],
63
'conf-enabled/hardening.conf'),
68
service_actions=[{'service': 'apache2',
69
'actions': ['restart']}]),
71
DirectoryPermissionAudit(settings['common']['apache_dir'],
76
DisabledModuleAudit(settings['hardening']['modules_to_disable']),
78
NoReadWriteForOther(settings['common']['apache_dir']),
84
class ApacheConfContext(object):
85
"""Defines the set of key/value pairs to set in a apache config file.
87
This context, when called, will return a dictionary containing the
88
key/value pairs of setting to specify in the
89
/etc/apache/conf-enabled/hardening.conf file.
92
settings = utils.get_settings('apache')
93
ctxt = settings['hardening']
95
out = subprocess.check_output(['apache2', '-v'])
96
ctxt['apache_version'] = re.search(r'.+version: Apache/(.+?)\s.+',
98
ctxt['apache_icondir'] = '/usr/share/apache2/icons/'
99
ctxt['traceenable'] = settings['hardening']['traceenable']
added
removed
hooks/charmhelpers/contrib/hardening/apache/checks/config.py
