~junaidali/charms/trusty/plumgrid-director/pg-restart

« back to all changes in this revision

Viewing changes to hooks/charmhelpers/contrib/hardening/host/checks/minimize_access.py

Committer: Junaid Ali
Date: 2016-05-01 02:16:59 UTC
Revision ID: junaidali@plumgrid.com-20160501021659-niy7zqw0iy1celyy

update sleep time in restart_pg, changes for make sync

files removed:
hooks/charmhelpers/contrib/ansible

hooks/charmhelpers/contrib/ansible/__init__.py

hooks/charmhelpers/contrib/benchmark

hooks/charmhelpers/contrib/benchmark/__init__.py

hooks/charmhelpers/contrib/charmhelpers

hooks/charmhelpers/contrib/charmhelpers/__init__.py

hooks/charmhelpers/contrib/charmsupport

hooks/charmhelpers/contrib/charmsupport/__init__.py

hooks/charmhelpers/contrib/charmsupport/nrpe.py

hooks/charmhelpers/contrib/charmsupport/volumes.py

hooks/charmhelpers/contrib/database

hooks/charmhelpers/contrib/database/__init__.py

hooks/charmhelpers/contrib/database/mysql.py

hooks/charmhelpers/contrib/hardening

hooks/charmhelpers/contrib/hardening/__init__.py

hooks/charmhelpers/contrib/hardening/apache

hooks/charmhelpers/contrib/hardening/apache/__init__.py

hooks/charmhelpers/contrib/hardening/apache/checks

hooks/charmhelpers/contrib/hardening/apache/checks/__init__.py

hooks/charmhelpers/contrib/hardening/apache/checks/config.py

hooks/charmhelpers/contrib/hardening/audits

hooks/charmhelpers/contrib/hardening/audits/__init__.py

hooks/charmhelpers/contrib/hardening/audits/apache.py

hooks/charmhelpers/contrib/hardening/audits/apt.py

hooks/charmhelpers/contrib/hardening/audits/file.py

hooks/charmhelpers/contrib/hardening/harden.py

hooks/charmhelpers/contrib/hardening/host

hooks/charmhelpers/contrib/hardening/host/__init__.py

hooks/charmhelpers/contrib/hardening/host/checks

hooks/charmhelpers/contrib/hardening/host/checks/__init__.py

hooks/charmhelpers/contrib/hardening/host/checks/apt.py

hooks/charmhelpers/contrib/hardening/host/checks/limits.py

hooks/charmhelpers/contrib/hardening/host/checks/login.py

hooks/charmhelpers/contrib/hardening/host/checks/minimize_access.py

hooks/charmhelpers/contrib/hardening/host/checks/pam.py

hooks/charmhelpers/contrib/hardening/host/checks/profile.py

hooks/charmhelpers/contrib/hardening/host/checks/securetty.py

hooks/charmhelpers/contrib/hardening/host/checks/suid_sgid.py

hooks/charmhelpers/contrib/hardening/host/checks/sysctl.py

hooks/charmhelpers/contrib/hardening/mysql

hooks/charmhelpers/contrib/hardening/mysql/__init__.py

hooks/charmhelpers/contrib/hardening/mysql/checks

hooks/charmhelpers/contrib/hardening/mysql/checks/__init__.py

hooks/charmhelpers/contrib/hardening/mysql/checks/config.py

hooks/charmhelpers/contrib/hardening/ssh

hooks/charmhelpers/contrib/hardening/ssh/__init__.py

hooks/charmhelpers/contrib/hardening/ssh/checks

hooks/charmhelpers/contrib/hardening/ssh/checks/__init__.py

hooks/charmhelpers/contrib/hardening/ssh/checks/config.py

hooks/charmhelpers/contrib/hardening/templating.py

hooks/charmhelpers/contrib/hardening/utils.py

hooks/charmhelpers/contrib/mellanox

hooks/charmhelpers/contrib/mellanox/__init__.py

hooks/charmhelpers/contrib/mellanox/infiniband.py

hooks/charmhelpers/contrib/peerstorage

hooks/charmhelpers/contrib/peerstorage/__init__.py

hooks/charmhelpers/contrib/saltstack

hooks/charmhelpers/contrib/saltstack/__init__.py

hooks/charmhelpers/contrib/ssl

hooks/charmhelpers/contrib/ssl/__init__.py

hooks/charmhelpers/contrib/ssl/service.py

hooks/charmhelpers/contrib/templating

hooks/charmhelpers/contrib/templating/__init__.py

hooks/charmhelpers/contrib/templating/contexts.py

hooks/charmhelpers/contrib/templating/jinja.py

hooks/charmhelpers/contrib/templating/pyformat.py

hooks/charmhelpers/contrib/unison

hooks/charmhelpers/contrib/unison/__init__.py

files modified:
charm-helpers-sync.yaml

hooks/pg_dir_utils.py

unit_tests/test_pg_dir_hooks.py

Show diffs side-by-side

added added

removed removed

hooks/charmhelpers/contrib/hardening/host/checks/minimize_access.py

# This file is part of charm-helpers.

# charm-helpers is free software: you can redistribute it and/or modify

# it under the terms of the GNU Lesser General Public License version 3 as

# published by the Free Software Foundation.

# charm-helpers is distributed in the hope that it will be useful,

# but WITHOUT ANY WARRANTY; without even the implied warranty of

# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the

# GNU Lesser General Public License for more details.

# You should have received a copy of the GNU Lesser General Public License

# along with charm-helpers. If not, see <http://www.gnu.org/licenses/>.

from charmhelpers.contrib.hardening.audits.file import (

FilePermissionAudit,

ReadOnly,

)

from charmhelpers.contrib.hardening import utils

def get_audits():

"""Get OS hardening access audits.

:returns: dictionary of audits

"""

audits = []

settings = utils.get_settings('os')

# Remove write permissions from $PATH folders for all regular users.

# This prevents changing system-wide commands from normal users.

path_folders = {'/usr/local/sbin',

'/usr/local/bin',

'/usr/sbin',

'/usr/bin',

'/bin'}

extra_user_paths = settings['environment']['extra_user_paths']

path_folders.update(extra_user_paths)

audits.append(ReadOnly(path_folders))

# Only allow the root user to have access to the shadow file.

audits.append(FilePermissionAudit('/etc/shadow', 'root', 'root', 0o0600))

if 'change_user' not in settings['security']['users_allow']:

# su should only be accessible to user and group root, unless it is

# expressly defined to allow users to change to root via the

# security_users_allow config option.

audits.append(FilePermissionAudit('/bin/su', 'root', 'root', 0o750))

return audits

Older »