~junaidali/charms/trusty/plumgrid-gateway/mgmt_val


Viewing changes to hooks/charmhelpers/contrib/hardening/host/checks/pam.py

  • Committer: bbaqar at plumgrid
  • Date: 2016-04-25 09:21:09 UTC
  • mfrom: (26.1.2 plumgrid-gateway)
  • Revision ID: bbaqar@plumgrid.com-20160425092109-kweey25bx97pmj80
Merge: Liberty/Mitaka support




 
1
# Copyright 2016 Canonical Limited.
 
2
#
 
3
# This file is part of charm-helpers.
 
4
#
 
5
# charm-helpers is free software: you can redistribute it and/or modify
 
6
# it under the terms of the GNU Lesser General Public License version 3 as
 
7
# published by the Free Software Foundation.
 
8
#
 
9
# charm-helpers is distributed in the hope that it will be useful,
 
10
# but WITHOUT ANY WARRANTY; without even the implied warranty of
 
11
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
 
12
# GNU Lesser General Public License for more details.
 
13
#
 
14
# You should have received a copy of the GNU Lesser General Public License
 
15
# along with charm-helpers.  If not, see <http://www.gnu.org/licenses/>.
 
16
 
 
17
from subprocess import (
 
18
    check_output,
 
19
    CalledProcessError,
 
20
)
 
21
 
 
22
from charmhelpers.core.hookenv import (
 
23
    log,
 
24
    DEBUG,
 
25
    ERROR,
 
26
)
 
27
from charmhelpers.fetch import (
 
28
    apt_install,
 
29
    apt_purge,
 
30
    apt_update,
 
31
)
 
32
from charmhelpers.contrib.hardening.audits.file import (
 
33
    TemplatedFile,
 
34
    DeletedFile,
 
35
)
 
36
from charmhelpers.contrib.hardening import utils
 
37
from charmhelpers.contrib.hardening.host import TEMPLATES_DIR
 
38
 
 
39
 
 
40
def get_audits():
 
41
    """Get OS hardening PAM authentication audits.
 
42
 
 
43
    :returns:  dictionary of audits
 
44
    """
 
45
    audits = []
 
46
 
 
47
    settings = utils.get_settings('os')
 
48
 
 
49
    if settings['auth']['pam_passwdqc_enable']:
 
50
        audits.append(PasswdqcPAM('/etc/passwdqc.conf'))
 
51
 
 
52
    if settings['auth']['retries']:
 
53
        audits.append(Tally2PAM('/usr/share/pam-configs/tally2'))
 
54
    else:
 
55
        audits.append(DeletedFile('/usr/share/pam-configs/tally2'))
 
56
 
 
57
    return audits
 
58
 
 
59
 
 
60
class PasswdqcPAMContext(object):
 
61
 
 
62
    def __call__(self):
 
63
        ctxt = {}
 
64
        settings = utils.get_settings('os')
 
65
 
 
66
        ctxt['auth_pam_passwdqc_options'] = \
 
67
            settings['auth']['pam_passwdqc_options']
 
68
 
 
69
        return ctxt
 
70
 
 
71
 
 
72
class PasswdqcPAM(TemplatedFile):
 
73
    """The PAM Audit verifies the linux PAM settings."""
 
74
    def __init__(self, path):
 
75
        super(PasswdqcPAM, self).__init__(path=path,
 
76
                                          template_dir=TEMPLATES_DIR,
 
77
                                          context=PasswdqcPAMContext(),
 
78
                                          user='root',
 
79
                                          group='root',
 
80
                                          mode=0o0640)
 
81
 
 
82
    def pre_write(self):
 
83
        # Always remove?
 
84
        for pkg in ['libpam-ccreds', 'libpam-cracklib']:
 
85
            log("Purging package '%s'" % pkg, level=DEBUG),
 
86
            apt_purge(pkg)
 
87
 
 
88
        apt_update(fatal=True)
 
89
        for pkg in ['libpam-passwdqc']:
 
90
            log("Installing package '%s'" % pkg, level=DEBUG),
 
91
            apt_install(pkg)
 
92
 
 
93
    def post_write(self):
 
94
        """Updates the PAM configuration after the file has been written"""
 
95
        try:
 
96
            check_output(['pam-auth-update', '--package'])
 
97
        except CalledProcessError as e:
 
98
            log('Error calling pam-auth-update: %s' % e, level=ERROR)
 
99
 
 
100
 
 
101
class Tally2PAMContext(object):
 
102
 
 
103
    def __call__(self):
 
104
        ctxt = {}
 
105
        settings = utils.get_settings('os')
 
106
 
 
107
        ctxt['auth_lockout_time'] = settings['auth']['lockout_time']
 
108
        ctxt['auth_retries'] = settings['auth']['retries']
 
109
 
 
110
        return ctxt
 
111
 
 
112
 
 
113
class Tally2PAM(TemplatedFile):
 
114
    """The PAM Audit verifies the linux PAM settings."""
 
115
    def __init__(self, path):
 
116
        super(Tally2PAM, self).__init__(path=path,
 
117
                                        template_dir=TEMPLATES_DIR,
 
118
                                        context=Tally2PAMContext(),
 
119
                                        user='root',
 
120
                                        group='root',
 
121
                                        mode=0o0640)
 
122
 
 
123
    def pre_write(self):
 
124
        # Always remove?
 
125
        apt_purge('libpam-ccreds')
 
126
        apt_update(fatal=True)
 
127
        apt_install('libpam-modules')
 
128
 
 
129
    def post_write(self):
 
130
        """Updates the PAM configuration after the file has been written"""
 
131
        try:
 
132
            check_output(['pam-auth-update', '--package'])
 
133
        except CalledProcessError as e:
 
134
            log('Error calling pam-auth-update: %s' % e, level=ERROR)
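Review bot: The package installs in PasswdqcPAM.pre_write and Tally2PAM.pre_write are not fatal while the preceding `apt_update(fatal=True)` is, so a failed install is only logged by the fetch layer and the template is still written and `pam-auth-update --package` still run against a PAM stack that may lack the module; use `apt_install(pkg, fatal=True)` and `apt_install('libpam-modules', fatal=True)` so the hook fails loudly instead. The same weakness is in both post_write methods, where a CalledProcessError from pam-auth-update is caught and logged at ERROR but not re-raised, meaning the audit reports the file as written although the PAM configuration it is meant to activate was never updated; either add `raise` after the log or state in the docstring that activation is best-effort. The trailing commas on `log("Purging package '%s'" % pkg, level=DEBUG),` and the matching install line in PasswdqcPAM.pre_write turn those statements into one-element tuples; they are harmless but should be dropped. The `# Always remove?` comment left in both pre_write methods reads as an open question; replace it with the actual reason, e.g. `# libpam-ccreds (cached credentials) and libpam-cracklib are purged so they cannot bypass or conflict with the passwdqc/tally2 policy being applied`, hedged if that rationale is not confirmed.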