~openstack-charmers-next/charms/xenial/swift-storage/trunk

Viewing changes to charmhelpers/contrib/hardening/host/checks/login.py

Committer: Edward Hope-Morley
Date: 2016-03-24 11:11:58 UTC
Revision ID: edward.hope-morley@canonical.com-20160324111158-4whr78jd2v9yihw2

Add hardening support

Add charmhelpers.contrib.hardening and calls to install,
config-changed, upgrade-charm and update-status hooks.
Also add new config option to allow one or more hardening
modules to be applied at runtime.

Change-Id: If0d1e10b58ed506e0aca659f30120b8d5c96c04f

files added:
charmhelpers/contrib/hardening

charmhelpers/contrib/hardening/README.hardening.md

charmhelpers/contrib/hardening/__init__.py

charmhelpers/contrib/hardening/apache

charmhelpers/contrib/hardening/apache/__init__.py

charmhelpers/contrib/hardening/apache/checks

charmhelpers/contrib/hardening/apache/checks/__init__.py

charmhelpers/contrib/hardening/apache/checks/config.py

charmhelpers/contrib/hardening/apache/templates

charmhelpers/contrib/hardening/apache/templates/__init__.py

charmhelpers/contrib/hardening/apache/templates/alias.conf

charmhelpers/contrib/hardening/apache/templates/hardening.conf

charmhelpers/contrib/hardening/audits

charmhelpers/contrib/hardening/audits/__init__.py

charmhelpers/contrib/hardening/audits/apache.py

charmhelpers/contrib/hardening/audits/apt.py

charmhelpers/contrib/hardening/audits/file.py

charmhelpers/contrib/hardening/defaults

charmhelpers/contrib/hardening/defaults/__init__.py

charmhelpers/contrib/hardening/defaults/apache.yaml

charmhelpers/contrib/hardening/defaults/apache.yaml.schema

charmhelpers/contrib/hardening/defaults/mysql.yaml

charmhelpers/contrib/hardening/defaults/mysql.yaml.schema

charmhelpers/contrib/hardening/defaults/os.yaml

charmhelpers/contrib/hardening/defaults/os.yaml.schema

charmhelpers/contrib/hardening/defaults/ssh.yaml

charmhelpers/contrib/hardening/defaults/ssh.yaml.schema

charmhelpers/contrib/hardening/harden.py

charmhelpers/contrib/hardening/host

charmhelpers/contrib/hardening/host/__init__.py

charmhelpers/contrib/hardening/host/checks

charmhelpers/contrib/hardening/host/checks/__init__.py

charmhelpers/contrib/hardening/host/checks/apt.py

charmhelpers/contrib/hardening/host/checks/limits.py

charmhelpers/contrib/hardening/host/checks/login.py

charmhelpers/contrib/hardening/host/checks/minimize_access.py

charmhelpers/contrib/hardening/host/checks/pam.py

charmhelpers/contrib/hardening/host/checks/profile.py

charmhelpers/contrib/hardening/host/checks/securetty.py

charmhelpers/contrib/hardening/host/checks/suid_sgid.py

charmhelpers/contrib/hardening/host/checks/sysctl.py

charmhelpers/contrib/hardening/host/templates

charmhelpers/contrib/hardening/host/templates/10.hardcore.conf

charmhelpers/contrib/hardening/host/templates/99-juju-hardening.conf

charmhelpers/contrib/hardening/host/templates/__init__.py

charmhelpers/contrib/hardening/host/templates/login.defs

charmhelpers/contrib/hardening/host/templates/modules

charmhelpers/contrib/hardening/host/templates/passwdqc.conf

charmhelpers/contrib/hardening/host/templates/pinerolo_profile.sh

charmhelpers/contrib/hardening/host/templates/securetty

charmhelpers/contrib/hardening/host/templates/tally2

charmhelpers/contrib/hardening/mysql

charmhelpers/contrib/hardening/mysql/__init__.py

charmhelpers/contrib/hardening/mysql/checks

charmhelpers/contrib/hardening/mysql/checks/__init__.py

charmhelpers/contrib/hardening/mysql/checks/config.py

charmhelpers/contrib/hardening/mysql/templates

charmhelpers/contrib/hardening/mysql/templates/__init__.py

charmhelpers/contrib/hardening/mysql/templates/hardening.cnf

charmhelpers/contrib/hardening/ssh

charmhelpers/contrib/hardening/ssh/__init__.py

charmhelpers/contrib/hardening/ssh/checks

charmhelpers/contrib/hardening/ssh/checks/__init__.py

charmhelpers/contrib/hardening/ssh/checks/config.py

charmhelpers/contrib/hardening/ssh/templates

charmhelpers/contrib/hardening/ssh/templates/__init__.py

charmhelpers/contrib/hardening/ssh/templates/ssh_config

charmhelpers/contrib/hardening/ssh/templates/sshd_config

charmhelpers/contrib/hardening/templating.py

charmhelpers/contrib/hardening/utils.py

charmhelpers/contrib/openstack/templates/section-keystone-authtoken-legacy

hardening.yaml

hooks/update-status

files modified:
charm-helpers-hooks.yaml

charmhelpers/contrib/openstack/amulet/utils.py

charmhelpers/contrib/openstack/templates/section-keystone-authtoken

charmhelpers/contrib/storage/linux/ceph.py

config.yaml

hooks/swift_storage_hooks.py

tests/charmhelpers/contrib/amulet/utils.py

tests/charmhelpers/contrib/openstack/amulet/utils.py

unit_tests/test_actions.py

unit_tests/test_actions_openstack_upgrade.py

unit_tests/test_swift_storage_relations.py

Show diffs side-by-side

added added

removed removed

# This file is part of charm-helpers.

# charm-helpers is free software: you can redistribute it and/or modify

# it under the terms of the GNU Lesser General Public License version 3 as

# published by the Free Software Foundation.

# charm-helpers is distributed in the hope that it will be useful,

# but WITHOUT ANY WARRANTY; without even the implied warranty of

# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the

# GNU Lesser General Public License for more details.

# You should have received a copy of the GNU Lesser General Public License

# along with charm-helpers. If not, see <http://www.gnu.org/licenses/>.

from six import string_types

from charmhelpers.contrib.hardening.audits.file import TemplatedFile

from charmhelpers.contrib.hardening.host import TEMPLATES_DIR

from charmhelpers.contrib.hardening import utils

def get_audits():

"""Get OS hardening login.defs audits.

:returns: dictionary of audits

"""

audits = [TemplatedFile('/etc/login.defs', LoginContext(),

template_dir=TEMPLATES_DIR,

user='root', group='root', mode=0o0444)]

return audits

class LoginContext(object):

def __call__(self):

settings = utils.get_settings('os')

# Octal numbers in yaml end up being turned into decimal,

# so check if the umask is entered as a string (e.g. '027')

# or as an octal umask as we know it (e.g. 002). If its not

# a string assume it to be octal and turn it into an octal

# string.

umask = settings['environment']['umask']

if not isinstance(umask, string_types):

umask = '%s' % oct(umask)

ctxt = {

'additional_user_paths':

settings['environment']['extra_user_paths'],

'umask': umask,

'pwd_max_age': settings['auth']['pw_max_age'],

'pwd_min_age': settings['auth']['pw_min_age'],

'uid_min': settings['auth']['uid_min'],

'sys_uid_min': settings['auth']['sys_uid_min'],

'sys_uid_max': settings['auth']['sys_uid_max'],

'gid_min': settings['auth']['gid_min'],

'sys_gid_min': settings['auth']['sys_gid_min'],

'sys_gid_max': settings['auth']['sys_gid_max'],

'login_retries': settings['auth']['retries'],

'login_timeout': settings['auth']['timeout'],

'chfn_restrict': settings['auth']['chfn_restrict'],

'allow_login_without_home': settings['auth']['allow_homeless']

}

return ctxt

Older »