Merge lp:~vds/charm-helpers/Support_MTOUT into lp:charm-helpers

Proposed by Vincenzo Di Somma
Status: Merged
Merged at revision: 723
Proposed branch: lp:~vds/charm-helpers/Support_MTOUT
Merge into: lp:charm-helpers
Diff against target: 101 lines (+31/-4)
5 files modified
charmhelpers/contrib/hardening/defaults/os.yaml (+1/-0)
charmhelpers/contrib/hardening/defaults/os.yaml.schema (+1/-0)
charmhelpers/contrib/hardening/host/checks/profile.py (+8/-2)
charmhelpers/contrib/hardening/host/templates/99-hardening.sh (+5/-0)
tests/contrib/hardening/host/checks/test_profile.py (+16/-2)
To merge this branch: bzr merge lp:~vds/charm-helpers/Support_MTOUT
Reviewer             Review Type   Date Requested   Status
Edward Hope-Morley                                  Approve
Ante Karamatić       community                      Approve
Ryan Beisner         community                      Needs Information
Review via email: mp+320391@code.launchpad.net

Description of the change

Setting default timeout for ssh sessions.

Ryan Beisner (1chb1n) :
review: Approve
Ryan Beisner (1chb1n) :
review: Needs Information
Ryan Beisner (1chb1n) wrote :

Apologies, I had too many LP reviews open; didn't intend to approve this just yet.

Ryan Beisner (1chb1n) wrote :

@vds - is there a LP BUG that you can link and reference here? That will help provide context to these proposed changes. Thank you.

Ante Karamatić (ivoks) wrote :

This commit is one of a few recent commits to charm-helpers that implement some common principles in security hardening. They are based on security reviews from existing deployments.

review: Approve
Ryan Beisner (1chb1n) wrote :

Ack - are we intending for this to be backported to stable charms, or will this go out with the next release by normal process (17.05)?

Ante Karamatić (ivoks) wrote :

Yes, backporting will be needed, I'm afraid.

On Tue, Mar 21, 2017 at 3:14 PM Ryan Beisner <email address hidden>
wrote:

> Ack - are we intending for this to be backported to stable charms, or will
> this go out with the next release by normal process (17.05)?
> --
> https://code.launchpad.net/~vds/charm-helpers/Support_MTOUT/+merge/320391
> You are reviewing the proposed merge of
> lp:~vds/charm-helpers/Support_MTOUT into lp:charm-helpers.
>
--
Ante Karamatić
<email address hidden>
Canonical

Ryan Beisner (1chb1n) wrote :

Ok, that should be doable. In that case I'd like to see us start the process out with an LP bug to track it all the way through. It will be a hard requirement for a stable backport anyway. Thanks!

Edward Hope-Morley (hopem) wrote :

This looks mostly good apart from one thing; you need to extend the ProfileContext class to be able to extract tmout.

review: Needs Fixing
lp:~vds/charm-helpers/Support_MTOUT updated
727. By Vincenzo Di Somma

Added ssh_tmout to profile context.

Edward Hope-Morley (hopem) wrote :

Please run make test before pushing changes:

$ make test
Checking for Python syntax...
charmhelpers/contrib/hardening/host/checks/profile.py:48:18: E127 continuation line over-indented for visual indent
Makefile:70: recipe for target 'lint' failed
make: *** [lint] Error 1

If the rest of the review is ok I will fix this inline before merging.

Edward Hope-Morley (hopem) wrote :

Ok lgtm. Please add a better commit message next though.

review: Approve

Preview Diff

1=== modified file 'charmhelpers/contrib/hardening/defaults/os.yaml'
2--- charmhelpers/contrib/hardening/defaults/os.yaml 2016-03-14 13:57:17 +0000
3+++ charmhelpers/contrib/hardening/defaults/os.yaml 2017-03-23 08:41:57 +0000
4@@ -58,6 +58,7 @@
5 rsync
6 kernel_enable_module_loading: True # (type:boolean)
7 kernel_enable_core_dump: False # (type:boolean)
8+ ssh_tmout: 300
9
10 sysctl:
11 kernel_secure_sysrq: 244 # 4 + 16 + 32 + 64 + 128
12
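Review bot: the new `ssh_tmout: 300` line is the only key in this block without a `# (type:...)` annotation; its neighbours `kernel_enable_module_loading` and `kernel_enable_core_dump` both carry `# (type:boolean)`, so add a matching comment (e.g. `# (type:integer)`) and state that the value is an idle timeout in seconds. It is also worth noting in the same comment that a false or zero value disables the control, since `profile.py` only tests the setting for truthiness.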
13=== modified file 'charmhelpers/contrib/hardening/defaults/os.yaml.schema'
14--- charmhelpers/contrib/hardening/defaults/os.yaml.schema 2016-03-14 13:57:17 +0000
15+++ charmhelpers/contrib/hardening/defaults/os.yaml.schema 2017-03-23 08:41:57 +0000
16@@ -34,6 +34,7 @@
17 packages_list:
18 kernel_enable_module_loading:
19 kernel_enable_core_dump:
20+ ssh_tmout:
21 sysctl:
22 kernel_secure_sysrq:
23 kernel_enable_sysrq:
24
25=== modified file 'charmhelpers/contrib/hardening/host/checks/profile.py'
26--- charmhelpers/contrib/hardening/host/checks/profile.py 2016-07-06 14:41:05 +0000
27+++ charmhelpers/contrib/hardening/host/checks/profile.py 2017-03-23 08:41:57 +0000
28@@ -25,7 +25,6 @@
29 audits = []
30
31 settings = utils.get_settings('os')
32-
33 # If core dumps are not enabled, then don't allow core dumps to be
34 # created as they may contain sensitive information.
35 if not settings['security']['kernel_enable_core_dump']:
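Review bot: this hunk only drops the blank line after `settings = utils.get_settings('os')`, which is whitespace churn unrelated to the TMOUT change; keep the separator so the diff stays focused on the new audit.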
36@@ -33,11 +32,18 @@
37 ProfileContext(),
38 template_dir=TEMPLATES_DIR,
39 mode=0o0755, user='root', group='root'))
40+ if settings['security']['ssh_tmout']:
41+ audits.append(TemplatedFile('/etc/profile.d/99-hardening.sh',
42+ ProfileContext(),
43+ template_dir=TEMPLATES_DIR,
44+ mode=0o0644, user='root', group='root'))
45 return audits
46
47
48 class ProfileContext(object):
49
50 def __call__(self):
51- ctxt = {}
52+ settings = utils.get_settings('os')
53+ ctxt = {'ssh_tmout':
54+ settings['security']['ssh_tmout']}
55 return ctxt
56
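Review bot: the continuation line `settings['security']['ssh_tmout']}` in `ProfileContext.__call__` is over-indented for the visual indent and fails `make test` with E127, as the review already reports; write the dict on one line, `ctxt = {'ssh_tmout': settings['security']['ssh_tmout']}`, or align the value under the opening brace. Separately, the key placed in the context is `ssh_tmout`, while the new `99-hardening.sh` template reads `{{ tmout }}`, so the variable will be undefined at render time unless one of the two names is changed. Finally, `ProfileContext` is now shared by the core-dump script and this new file, and `utils.get_settings('os')` is called once in `get_audits()` and again in the context; passing the already-loaded settings into the context would avoid the second lookup.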
57=== added file 'charmhelpers/contrib/hardening/host/templates/99-hardening.sh'
58--- charmhelpers/contrib/hardening/host/templates/99-hardening.sh 1970-01-01 00:00:00 +0000
59+++ charmhelpers/contrib/hardening/host/templates/99-hardening.sh 2017-03-23 08:41:57 +0000
60@@ -0,0 +1,5 @@
61+TMOUT={{ tmout }}
62+readonly TMOUT
63+export TMOUT
64+
65+readonly HISTFILE
66
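Review bot: `TMOUT={{ tmout }}` names a template variable that the context in `profile.py` does not provide (it sets `ssh_tmout`), so rename one side before merging. The `readonly HISTFILE` line is a second hardening control that the proposal description ("Setting default timeout for ssh sessions") does not mention; add a comment explaining that it stops a login shell from unsetting or redirecting its history file, or split it into its own change. A comment should also record the limits of the control: `TMOUT` is honoured only by bash and ksh-style interactive shells, and the `readonly` attribute is not inherited by child shells (only the exported value is), so this file cannot by itself guarantee that every session times out.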
67=== modified file 'tests/contrib/hardening/host/checks/test_profile.py'
68--- tests/contrib/hardening/host/checks/test_profile.py 2016-07-06 14:41:05 +0000
69+++ tests/contrib/hardening/host/checks/test_profile.py 2017-03-23 08:41:57 +0000
70@@ -22,15 +22,29 @@
71 class ProfileTestCase(TestCase):
72
73 @patch.object(profile.utils, 'get_settings', lambda x:
74- {'security': {'kernel_enable_core_dump': False}})
75+ {'security': {'kernel_enable_core_dump': False, 'ssh_tmout': False}})
76 def test_core_dump_disabled(self):
77 audits = profile.get_audits()
78 self.assertEqual(1, len(audits))
79 self.assertTrue(isinstance(audits[0], profile.TemplatedFile))
80
81 @patch.object(profile.utils, 'get_settings', lambda x: {
82- 'security': {'kernel_enable_core_dump': True}
83+ 'security': {'kernel_enable_core_dump': True, 'ssh_tmout': False}
84 })
85 def test_core_dump_enabled(self):
86 audits = profile.get_audits()
87 self.assertEqual(0, len(audits))
88+
89+ @patch.object(profile.utils, 'get_settings', lambda x:
90+ {'security': {'kernel_enable_core_dump': True, 'ssh_tmout': False}})
91+ def test_ssh_tmout_disabled(self):
92+ audits = profile.get_audits()
93+ self.assertEqual(0, len(audits))
94+
95+ @patch.object(profile.utils, 'get_settings', lambda x: {
96+ 'security': {'kernel_enable_core_dump': True, 'ssh_tmout': 300}
97+ })
98+ def test_ssh_tmout_enabled(self):
99+ audits = profile.get_audits()
100+ self.assertEqual(1, len(audits))
101+ self.assertTrue(isinstance(audits[0], profile.TemplatedFile))
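Review bot: `test_ssh_tmout_disabled` patches exactly the same settings as `test_core_dump_enabled` directly above it (`kernel_enable_core_dump: True, ssh_tmout: False`) and makes the same assertion, so it adds no coverage; give it a distinct case, for instance `kernel_enable_core_dump: False, ssh_tmout: 300`, which should yield two audits. `test_ssh_tmout_enabled` only checks that one `TemplatedFile` exists and never checks that its target is `/etc/profile.d/99-hardening.sh`, and nothing exercises `ProfileContext()()` even though the reviewer asked for that class to be extended; a test asserting that the context returns `{'ssh_tmout': 300}` and a render check against the template would have caught the `ssh_tmout`/`tmout` name mismatch.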
