# Copyright 2016 Canonical Limited.
# This file is part of charm-helpers.
# charm-helpers is free software: you can redistribute it and/or modify
# it under the terms of the GNU Lesser General Public License version 3 as
# published by the Free Software Foundation.
# charm-helpers is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU Lesser General Public License for more details.
# You should have received a copy of the GNU Lesser General Public License
# along with charm-helpers. If not, see <http://www.gnu.org/licenses/>.
from six import string_types
from charmhelpers.contrib.hardening.audits.file import TemplatedFile
from charmhelpers.contrib.hardening.host import TEMPLATES_DIR
from charmhelpers.contrib.hardening import utils
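# NOTE(review): the ``def`` line, the closing docstring quotes and the
# ``return`` statement are absent from this listing; they are restored here
# from the docstring's stated contract -- confirm against the upstream file.
def get_audits():
    """Get OS hardening login.defs audits.

    :returns: list holding a single TemplatedFile audit for /etc/login.defs
    """
    # The audit targets /etc/login.defs, using templates from TEMPLATES_DIR.
    # LoginContext() is passed as the second argument (presumably the
    # template context -- confirm against TemplatedFile). The file is owned
    # by root:root with mode 0444: read-only for owner, group and others.
    login_defs_audit = TemplatedFile(
        '/etc/login.defs',
        LoginContext(),
        template_dir=TEMPLATES_DIR,
        user='root',
        group='root',
        mode=0o0444,
    )
    audits = [login_defs_audit]
    return audits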
class LoginContext(object):
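settings = utils.get_settings('os')

# Octal numbers in YAML end up being turned into plain integers, so the
# configured umask arrives either as a string (e.g. '027') or as an
# integer (e.g. 002 is read as 2). A string is used exactly as given; an
# integer is rendered back into octal notation.
# NOTE(review): an unquoted value without a leading zero (e.g. 27) is read
# as decimal 27 and rendered as '033', a different mask than '027'.
# Quoting the umask in the settings file avoids that ambiguity.
umask = settings['environment']['umask']
if not isinstance(umask, string_types):
    # oct() returns '027' on Python 2 but '0o27' on Python 3. Formatting
    # with %o gives the same zero-padded octal string on both, so the
    # hardened umask does not change form with the interpreter version.
    umask = '%03o' % umask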
'additional_user_paths':
settings['environment']['extra_user_paths'],
'pwd_max_age': settings['auth']['pw_max_age'],
'pwd_min_age': settings['auth']['pw_min_age'],
'uid_min': settings['auth']['uid_min'],
'sys_uid_min': settings['auth']['sys_uid_min'],
'sys_uid_max': settings['auth']['sys_uid_max'],
'gid_min': settings['auth']['gid_min'],
'sys_gid_min': settings['auth']['sys_gid_min'],
'sys_gid_max': settings['auth']['sys_gid_max'],
'login_retries': settings['auth']['retries'],
'login_timeout': settings['auth']['timeout'],
'chfn_restrict': settings['auth']['chfn_restrict'],
'allow_login_without_home': settings['auth']['allow_homeless']