~openstack-charmers-next/charms/xenial/nova-compute/trunk

Viewing changes to hooks/charmhelpers/contrib/hardening/mysql/checks/config.py

Committer: Edward Hope-Morley
Date: 2016-03-24 11:18:41 UTC
mto: This revision was merged to the branch mainline in revision 211.
Revision ID: edward.hope-morley@canonical.com-20160324111841-99ruo5hjzrpqktlx

Add hardening support

Add charmhelpers.contrib.hardening and calls to install,
config-changed, upgrade-charm and update-status hooks.
Also add new config option to allow one or more hardening
modules to be applied at runtime.

Change-Id: I525c15a14662175f2a68cdcd25a3ab2c92237850

files added:
hardening.yaml

hooks/charmhelpers/contrib/hardening

hooks/charmhelpers/contrib/hardening/README.hardening.md

hooks/charmhelpers/contrib/hardening/__init__.py

hooks/charmhelpers/contrib/hardening/apache

hooks/charmhelpers/contrib/hardening/apache/__init__.py

hooks/charmhelpers/contrib/hardening/apache/checks

hooks/charmhelpers/contrib/hardening/apache/checks/__init__.py

hooks/charmhelpers/contrib/hardening/apache/checks/config.py

hooks/charmhelpers/contrib/hardening/apache/templates

hooks/charmhelpers/contrib/hardening/apache/templates/__init__.py

hooks/charmhelpers/contrib/hardening/apache/templates/alias.conf

hooks/charmhelpers/contrib/hardening/apache/templates/hardening.conf

hooks/charmhelpers/contrib/hardening/audits

hooks/charmhelpers/contrib/hardening/audits/__init__.py

hooks/charmhelpers/contrib/hardening/audits/apache.py

hooks/charmhelpers/contrib/hardening/audits/apt.py

hooks/charmhelpers/contrib/hardening/audits/file.py

hooks/charmhelpers/contrib/hardening/defaults

hooks/charmhelpers/contrib/hardening/defaults/__init__.py

hooks/charmhelpers/contrib/hardening/defaults/apache.yaml

hooks/charmhelpers/contrib/hardening/defaults/apache.yaml.schema

hooks/charmhelpers/contrib/hardening/defaults/mysql.yaml

hooks/charmhelpers/contrib/hardening/defaults/mysql.yaml.schema

hooks/charmhelpers/contrib/hardening/defaults/os.yaml

hooks/charmhelpers/contrib/hardening/defaults/os.yaml.schema

hooks/charmhelpers/contrib/hardening/defaults/ssh.yaml

hooks/charmhelpers/contrib/hardening/defaults/ssh.yaml.schema

hooks/charmhelpers/contrib/hardening/harden.py

hooks/charmhelpers/contrib/hardening/host

hooks/charmhelpers/contrib/hardening/host/__init__.py

hooks/charmhelpers/contrib/hardening/host/checks

hooks/charmhelpers/contrib/hardening/host/checks/__init__.py

hooks/charmhelpers/contrib/hardening/host/checks/apt.py

hooks/charmhelpers/contrib/hardening/host/checks/limits.py

hooks/charmhelpers/contrib/hardening/host/checks/login.py

hooks/charmhelpers/contrib/hardening/host/checks/minimize_access.py

hooks/charmhelpers/contrib/hardening/host/checks/pam.py

hooks/charmhelpers/contrib/hardening/host/checks/profile.py

hooks/charmhelpers/contrib/hardening/host/checks/securetty.py

hooks/charmhelpers/contrib/hardening/host/checks/suid_sgid.py

hooks/charmhelpers/contrib/hardening/host/checks/sysctl.py

hooks/charmhelpers/contrib/hardening/host/templates

hooks/charmhelpers/contrib/hardening/host/templates/10.hardcore.conf

hooks/charmhelpers/contrib/hardening/host/templates/99-juju-hardening.conf

hooks/charmhelpers/contrib/hardening/host/templates/__init__.py

hooks/charmhelpers/contrib/hardening/host/templates/login.defs

hooks/charmhelpers/contrib/hardening/host/templates/modules

hooks/charmhelpers/contrib/hardening/host/templates/passwdqc.conf

hooks/charmhelpers/contrib/hardening/host/templates/pinerolo_profile.sh

hooks/charmhelpers/contrib/hardening/host/templates/securetty

hooks/charmhelpers/contrib/hardening/host/templates/tally2

hooks/charmhelpers/contrib/hardening/mysql

hooks/charmhelpers/contrib/hardening/mysql/__init__.py

hooks/charmhelpers/contrib/hardening/mysql/checks

hooks/charmhelpers/contrib/hardening/mysql/checks/__init__.py

hooks/charmhelpers/contrib/hardening/mysql/checks/config.py

hooks/charmhelpers/contrib/hardening/mysql/templates

hooks/charmhelpers/contrib/hardening/mysql/templates/__init__.py

hooks/charmhelpers/contrib/hardening/mysql/templates/hardening.cnf

hooks/charmhelpers/contrib/hardening/ssh

hooks/charmhelpers/contrib/hardening/ssh/__init__.py

hooks/charmhelpers/contrib/hardening/ssh/checks

hooks/charmhelpers/contrib/hardening/ssh/checks/__init__.py

hooks/charmhelpers/contrib/hardening/ssh/checks/config.py

hooks/charmhelpers/contrib/hardening/ssh/templates

hooks/charmhelpers/contrib/hardening/ssh/templates/__init__.py

hooks/charmhelpers/contrib/hardening/ssh/templates/ssh_config

hooks/charmhelpers/contrib/hardening/ssh/templates/sshd_config

hooks/charmhelpers/contrib/hardening/templating.py

hooks/charmhelpers/contrib/hardening/utils.py

hooks/charmhelpers/contrib/openstack/templates/section-keystone-authtoken-legacy

files modified:
charm-helpers-hooks.yaml

config.yaml

hooks/charmhelpers/contrib/openstack/amulet/utils.py

hooks/charmhelpers/contrib/openstack/templates/section-keystone-authtoken

hooks/charmhelpers/contrib/openstack/utils.py

hooks/charmhelpers/contrib/storage/linux/ceph.py

hooks/charmhelpers/core/hookenv.py

hooks/charmhelpers/core/host.py

hooks/nova_compute_hooks.py

tests/charmhelpers/contrib/amulet/utils.py

tests/charmhelpers/contrib/openstack/amulet/utils.py

unit_tests/test_actions_git_reinstall.py

unit_tests/test_nova_compute_hooks.py

Show diffs side-by-side

added added

removed removed

hooks/charmhelpers/contrib/hardening/mysql/checks/config.py

# This file is part of charm-helpers.

# charm-helpers is free software: you can redistribute it and/or modify

# it under the terms of the GNU Lesser General Public License version 3 as

# published by the Free Software Foundation.

# charm-helpers is distributed in the hope that it will be useful,

# but WITHOUT ANY WARRANTY; without even the implied warranty of

# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the

# GNU Lesser General Public License for more details.

# You should have received a copy of the GNU Lesser General Public License

# along with charm-helpers. If not, see <http://www.gnu.org/licenses/>.

import six

import subprocess

from charmhelpers.core.hookenv import (

log,

WARNING,

)

from charmhelpers.contrib.hardening.audits.file import (

FilePermissionAudit,

DirectoryPermissionAudit,

TemplatedFile,

)

from charmhelpers.contrib.hardening.mysql import TEMPLATES_DIR

from charmhelpers.contrib.hardening import utils

def get_audits():

"""Get MySQL hardening config audits.

:returns: dictionary of audits

"""

if subprocess.call(['which', 'mysql'], stdout=subprocess.PIPE) != 0:

log("MySQL does not appear to be installed on this node - "

"skipping mysql hardening", level=WARNING)

return []

settings = utils.get_settings('mysql')

hardening_settings = settings['hardening']

my_cnf = hardening_settings['mysql-conf']

audits = [

FilePermissionAudit(paths=[my_cnf], user='root',

group='root', mode=0o0600),

TemplatedFile(hardening_settings['hardening-conf'],

MySQLConfContext(),

TEMPLATES_DIR,

mode=0o0750,

user='mysql',

group='root',

service_actions=[{'service': 'mysql',

'actions': ['restart']}]),

# MySQL and Percona charms do not allow configuration of the

# data directory, so use the default.

DirectoryPermissionAudit('/var/lib/mysql',

user='mysql',

group='mysql',

recursive=False,

mode=0o755),

DirectoryPermissionAudit('/etc/mysql',

user='root',

group='root',

recursive=False,

mode=0o700),

]

return audits

class MySQLConfContext(object):

"""Defines the set of key/value pairs to set in a mysql config file.

This context, when called, will return a dictionary containing the

key/value pairs of setting to specify in the

/etc/mysql/conf.d/hardening.cnf file.

"""

def __call__(self):

settings = utils.get_settings('mysql')

# Translate for python3

return {'mysql_settings':

[(k, v) for k, v in six.iteritems(settings['security'])]}

Older »