# Copyright 2016 Canonical Limited.
# This file is part of charm-helpers.
# charm-helpers is free software: you can redistribute it and/or modify
# it under the terms of the GNU Lesser General Public License version 3 as
# published by the Free Software Foundation.
# charm-helpers is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU Lesser General Public License for more details.
# You should have received a copy of the GNU Lesser General Public License
# along with charm-helpers. If not, see <http://www.gnu.org/licenses/>.
from collections import OrderedDict
from charmhelpers.core.hookenv import (
from charmhelpers.contrib.hardening.host.checks import run_os_checks
from charmhelpers.contrib.hardening.ssh.checks import run_ssh_checks
from charmhelpers.contrib.hardening.mysql.checks import run_mysql_checks
from charmhelpers.contrib.hardening.apache.checks import run_apache_checks
def harden(overrides=None):
"""Hardening decorator.
This is the main entry point for running the hardening stack. In order to
run modules of the stack you must add this decorator to charm hook(s) and
ensure that your charm config.yaml contains the 'harden' option set to
one or more of the supported modules. Setting these will cause the
corresponding hardening code to be run when the hook fires.
This decorator can and should be applied to more than one hook or function
such that hardening modules are called multiple times. This is because
subsequent calls will perform auditing checks that will report any changes
to resources hardened by the first run (and possibly perform compliance
actions as a result of any detected infractions).
:param overrides: Optional list of stack modules used to override those
provided with 'harden' config.
:returns: Returns value returned by decorated function once executed.
def _harden_inner1(f):
log("Hardening function '%s'" % (f.__name__), level=DEBUG)
def _harden_inner2(*args, **kwargs):
RUN_CATALOG = OrderedDict([('os', run_os_checks),
('ssh', run_ssh_checks),
('mysql', run_mysql_checks),
('apache', run_apache_checks)])
enabled = overrides or (config("harden") or "").split()
# modules will always be performed in the following order
for module, func in six.iteritems(RUN_CATALOG):
enabled.remove(module)
modules_to_run.append(func)
log("Unknown hardening modules '%s' - ignoring" %
(', '.join(enabled)), level=WARNING)
for hardener in modules_to_run:
log("Executing hardening module '%s'" %
(hardener.__name__), level=DEBUG)
log("No hardening applied to '%s'" % (f.__name__), level=DEBUG)
return f(*args, **kwargs)