
Viewing changes to hooks/charmhelpers/contrib/hardening/apache/checks/config.py

  • Committer: Narinder Gupta (for canonical email id)
  • Date: 2017-02-15 16:35:39 UTC
  • Revision ID: narinder.gupta@canonical.com-20170215163539-3mm1k5mo1dxl4r5x
first draft version.

 
1
# Copyright 2016 Canonical Limited.
 
2
#
 
3
# Licensed under the Apache License, Version 2.0 (the "License");
 
4
# you may not use this file except in compliance with the License.
 
5
# You may obtain a copy of the License at
 
6
#
 
7
#  http://www.apache.org/licenses/LICENSE-2.0
 
8
#
 
9
# Unless required by applicable law or agreed to in writing, software
 
10
# distributed under the License is distributed on an "AS IS" BASIS,
 
11
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 
12
# See the License for the specific language governing permissions and
 
13
# limitations under the License.
 
14
 
 
15
import os
 
16
import re
 
17
import subprocess
 
18
 
 
19
 
 
20
from charmhelpers.core.hookenv import (
 
21
    log,
 
22
    INFO,
 
23
)
 
24
from charmhelpers.contrib.hardening.audits.file import (
 
25
    FilePermissionAudit,
 
26
    DirectoryPermissionAudit,
 
27
    NoReadWriteForOther,
 
28
    TemplatedFile,
 
29
)
 
30
from charmhelpers.contrib.hardening.audits.apache import DisabledModuleAudit
 
31
from charmhelpers.contrib.hardening.apache import TEMPLATES_DIR
 
32
from charmhelpers.contrib.hardening import utils
 
33
 
 
34
 
 
35
def get_audits():
 
36
    """Get Apache hardening config audits.
 
37
 
 
38
    :returns:  dictionary of audits
 
39
    """
 
40
    if subprocess.call(['which', 'apache2'], stdout=subprocess.PIPE) != 0:
 
41
        log("Apache server does not appear to be installed on this node - "
 
42
            "skipping apache hardening", level=INFO)
 
43
        return []
 
44
 
 
45
    context = ApacheConfContext()
 
46
    settings = utils.get_settings('apache')
 
47
    audits = [
 
48
        FilePermissionAudit(paths='/etc/apache2/apache2.conf', user='root',
 
49
                            group='root', mode=0o0640),
 
50
 
 
51
        TemplatedFile(os.path.join(settings['common']['apache_dir'],
 
52
                                   'mods-available/alias.conf'),
 
53
                      context,
 
54
                      TEMPLATES_DIR,
 
55
                      mode=0o0755,
 
56
                      user='root',
 
57
                      service_actions=[{'service': 'apache2',
 
58
                                        'actions': ['restart']}]),
 
59
 
 
60
        TemplatedFile(os.path.join(settings['common']['apache_dir'],
 
61
                                   'conf-enabled/hardening.conf'),
 
62
                      context,
 
63
                      TEMPLATES_DIR,
 
64
                      mode=0o0640,
 
65
                      user='root',
 
66
                      service_actions=[{'service': 'apache2',
 
67
                                        'actions': ['restart']}]),
 
68
 
 
69
        DirectoryPermissionAudit(settings['common']['apache_dir'],
 
70
                                 user='root',
 
71
                                 group='root',
 
72
                                 mode=0o640),
 
73
 
 
74
        DisabledModuleAudit(settings['hardening']['modules_to_disable']),
 
75
 
 
76
        NoReadWriteForOther(settings['common']['apache_dir']),
 
77
    ]
 
78
 
 
79
    return audits
 
80
 
 
81
 
 
82
class ApacheConfContext(object):
 
83
    """Defines the set of key/value pairs to set in a apache config file.
 
84
 
 
85
    This context, when called, will return a dictionary containing the
 
86
    key/value pairs of setting to specify in the
 
87
    /etc/apache/conf-enabled/hardening.conf file.
 
88
    """
 
89
    def __call__(self):
 
90
        settings = utils.get_settings('apache')
 
91
        ctxt = settings['hardening']
 
92
 
 
93
        out = subprocess.check_output(['apache2', '-v'])
 
94
        ctxt['apache_version'] = re.search(r'.+version: Apache/(.+?)\s.+',
 
95
                                           out).group(1)
 
96
        ctxt['apache_icondir'] = '/usr/share/apache2/icons/'
 
97
        ctxt['traceenable'] = settings['hardening']['traceenable']
 
98
        return ctxt
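Review bot: In `ApacheConfContext.__call__` the `re.search(...).group(1)` on the `apache2 -v` output is dereferenced without checking for a match, so an unexpected banner format surfaces as an AttributeError from deep inside the hardening pass, and on Python 3 `check_output` returns bytes that the str pattern cannot search at all. Decode and guard it, e.g. `out = subprocess.check_output(['apache2', '-v']).decode('utf-8', 'replace')`, `match = re.search(r'.+version: Apache/(.+?)\s.+', out)`, then raise or log an explicit error when `match` is None before assigning `ctxt['apache_version']`. `ctxt = settings['hardening']` also aliases the dict returned by `utils.get_settings`, so `apache_version` and `apache_icondir` are written into that settings structure; whether that dict is shared with other callers cannot be told from this file, and a `dict(settings['hardening'])` copy would make the context self-contained. In `get_audits`, `mods-available/alias.conf` is rendered with `mode=0o0755` while `hardening.conf` uses `0o0640`; a config file does not need execute bits, so if the difference is not deliberate the two should match, and `DirectoryPermissionAudit(..., mode=0o640)` on `apache_dir` likewise omits the directory execute (search) bit, which is worth a comment explaining the intent.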