104 lines
3.4 KiB
Python
104 lines
3.4 KiB
Python
# Copyright 2016 Canonical Limited.
|
|
#
|
|
# Licensed under the Apache License, Version 2.0 (the "License");
|
|
# you may not use this file except in compliance with the License.
|
|
# You may obtain a copy of the License at
|
|
#
|
|
# http://www.apache.org/licenses/LICENSE-2.0
|
|
#
|
|
# Unless required by applicable law or agreed to in writing, software
|
|
# distributed under the License is distributed on an "AS IS" BASIS,
|
|
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
|
# See the License for the specific language governing permissions and
|
|
# limitations under the License.
|
|
|
|
from __future__ import absolute_import # required for external apt import
|
|
from apt import apt_pkg
|
|
from six import string_types
|
|
|
|
from charmhelpers.fetch import (
|
|
apt_cache,
|
|
apt_purge
|
|
)
|
|
from charmhelpers.core.hookenv import (
|
|
log,
|
|
DEBUG,
|
|
WARNING,
|
|
)
|
|
from charmhelpers.contrib.hardening.audits import BaseAudit
|
|
|
|
|
|
class AptConfig(BaseAudit):
|
|
|
|
def __init__(self, config, **kwargs):
|
|
self.config = config
|
|
|
|
def verify_config(self):
|
|
apt_pkg.init()
|
|
for cfg in self.config:
|
|
value = apt_pkg.config.get(cfg['key'], cfg.get('default', ''))
|
|
if value and value != cfg['expected']:
|
|
log("APT config '%s' has unexpected value '%s' "
|
|
"(expected='%s')" %
|
|
(cfg['key'], value, cfg['expected']), level=WARNING)
|
|
|
|
def ensure_compliance(self):
|
|
self.verify_config()
|
|
|
|
|
|
class RestrictedPackages(BaseAudit):
|
|
"""Class used to audit restricted packages on the system."""
|
|
|
|
def __init__(self, pkgs, **kwargs):
|
|
super(RestrictedPackages, self).__init__(**kwargs)
|
|
if isinstance(pkgs, string_types) or not hasattr(pkgs, '__iter__'):
|
|
self.pkgs = [pkgs]
|
|
else:
|
|
self.pkgs = pkgs
|
|
|
|
def ensure_compliance(self):
|
|
cache = apt_cache()
|
|
|
|
for p in self.pkgs:
|
|
if p not in cache:
|
|
continue
|
|
|
|
pkg = cache[p]
|
|
if not self.is_virtual_package(pkg):
|
|
if not pkg.current_ver:
|
|
log("Package '%s' is not installed." % pkg.name,
|
|
level=DEBUG)
|
|
continue
|
|
else:
|
|
log("Restricted package '%s' is installed" % pkg.name,
|
|
level=WARNING)
|
|
self.delete_package(cache, pkg)
|
|
else:
|
|
log("Checking restricted virtual package '%s' provides" %
|
|
pkg.name, level=DEBUG)
|
|
self.delete_package(cache, pkg)
|
|
|
|
def delete_package(self, cache, pkg):
|
|
"""Deletes the package from the system.
|
|
|
|
Deletes the package form the system, properly handling virtual
|
|
packages.
|
|
|
|
:param cache: the apt cache
|
|
:param pkg: the package to remove
|
|
"""
|
|
if self.is_virtual_package(pkg):
|
|
log("Package '%s' appears to be virtual - purging provides" %
|
|
pkg.name, level=DEBUG)
|
|
for _p in pkg.provides_list:
|
|
self.delete_package(cache, _p[2].parent_pkg)
|
|
elif not pkg.current_ver:
|
|
log("Package '%s' not installed" % pkg.name, level=DEBUG)
|
|
return
|
|
else:
|
|
log("Purging package '%s'" % pkg.name, level=DEBUG)
|
|
apt_purge(pkg.name)
|
|
|
|
def is_virtual_package(self, pkg):
|
|
return pkg.has_provides and not pkg.has_versions
|