Disable apache mod_status when hardening apache
Automatically disable the Apache status module when Apache hardening is turned on. Sync charm-helpers for Apache hardening fixes. Change-Id: Idb114f4c37d5a570b352dbd43035cd737a658a1d Closes-Bug: #1710917
parent
99108164c6
commit
4cf3383635
|
@ -3,3 +3,6 @@
|
||||||
ssh:
|
ssh:
|
||||||
server:
|
server:
|
||||||
use_pam: 'yes' # juju requires this
|
use_pam: 'yes' # juju requires this
|
||||||
|
apache:
|
||||||
|
hardening:
|
||||||
|
modules_to_disable: ['status']
|
||||||
|
|
|
@ -70,12 +70,12 @@ class DisabledModuleAudit(BaseAudit):
|
||||||
"""Returns the modules which are enabled in Apache."""
|
"""Returns the modules which are enabled in Apache."""
|
||||||
output = subprocess.check_output(['apache2ctl', '-M'])
|
output = subprocess.check_output(['apache2ctl', '-M'])
|
||||||
modules = []
|
modules = []
|
||||||
for line in output.strip().split():
|
for line in output.splitlines():
|
||||||
# Each line of the enabled module output looks like:
|
# Each line of the enabled module output looks like:
|
||||||
# module_name (static|shared)
|
# module_name (static|shared)
|
||||||
# Plus a header line at the top of the output which is stripped
|
# Plus a header line at the top of the output which is stripped
|
||||||
# out by the regex.
|
# out by the regex.
|
||||||
matcher = re.search(r'^ (\S*)', line)
|
matcher = re.search(r'^ (\S*)_module (\S*)', line)
|
||||||
if matcher:
|
if matcher:
|
||||||
modules.append(matcher.group(1))
|
modules.append(matcher.group(1))
|
||||||
return modules
|
return modules
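Review bot: The stricter pattern `r'^ (\S*)_module (\S*)'` makes this audit fail open if the `apache2ctl -M` output format ever differs: non-matching lines are skipped silently, so an empty `modules` list looks the same as "nothing to disable" and mod_status would stay enabled with no signal. Consider logging a warning when `output` is non-empty but no line matched. Separately, under Python 3 `subprocess.check_output` returns bytes and `re.search` with a str pattern raises TypeError, so `output = subprocess.check_output(['apache2ctl', '-M']).decode('utf-8')` is worth adding if this helper is expected to run there. The second capture group is never read and could be dropped. The method's `def` line is outside the hunk.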
|
||||||
|
|
|
@ -218,6 +218,8 @@ def principal_unit():
|
||||||
for rid in relation_ids(reltype):
|
for rid in relation_ids(reltype):
|
||||||
for unit in related_units(rid):
|
for unit in related_units(rid):
|
||||||
md = _metadata_unit(unit)
|
md = _metadata_unit(unit)
|
||||||
|
if not md:
|
||||||
|
continue
|
||||||
subordinate = md.pop('subordinate', None)
|
subordinate = md.pop('subordinate', None)
|
||||||
if not subordinate:
|
if not subordinate:
|
||||||
return unit
|
return unit
|
||||||
|
@ -511,7 +513,10 @@ def _metadata_unit(unit):
|
||||||
"""
|
"""
|
||||||
basedir = os.sep.join(charm_dir().split(os.sep)[:-2])
|
basedir = os.sep.join(charm_dir().split(os.sep)[:-2])
|
||||||
unitdir = 'unit-{}'.format(unit.replace(os.sep, '-'))
|
unitdir = 'unit-{}'.format(unit.replace(os.sep, '-'))
|
||||||
with open(os.path.join(basedir, unitdir, 'charm', 'metadata.yaml')) as md:
|
joineddir = os.path.join(basedir, unitdir, 'charm', 'metadata.yaml')
|
||||||
|
if not os.path.exists(joineddir):
|
||||||
|
return None
|
||||||
|
with open(joineddir) as md:
|
||||||
return yaml.safe_load(md)
|
return yaml.safe_load(md)
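Review bot: The new `os.path.exists(joineddir)` check in `_metadata_unit` followed by `open(joineddir)` is a check-then-use pair, so if the unit directory disappears between the two calls the IOError the check was meant to avoid is raised anyway. Opening the file and mapping only a missing-file error to `None` closes that gap and keeps permission or I/O failures visible; this needs `errno` in scope, and the import block is not visible here. The docstring, which starts outside the hunk, should also state that `None` is returned when the unit has no metadata.yaml on this machine, since `principal_unit` now relies on that. The same two hunks appear again in the second copy of this file further down the page, and the note applies there as well.

```python
    joineddir = os.path.join(basedir, unitdir, 'charm', 'metadata.yaml')
    try:
        with open(joineddir) as md:
            return yaml.safe_load(md)
    except IOError as e:
        # Only a missing file means "no metadata"; re-raise anything else.
        if e.errno != errno.ENOENT:
            raise
        return None
```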
|
||||||
|
|
||||||
|
|
||||||
|
|
|
@ -18,6 +18,7 @@ import amulet
|
||||||
import os
|
import os
|
||||||
import urllib2
|
import urllib2
|
||||||
import yaml
|
import yaml
|
||||||
|
import time
|
||||||
|
|
||||||
from charmhelpers.contrib.openstack.amulet.deployment import (
|
from charmhelpers.contrib.openstack.amulet.deployment import (
|
||||||
OpenStackAmuletDeployment
|
OpenStackAmuletDeployment
|
||||||
|
@ -234,6 +235,29 @@ class OpenstackDashboardBasicDeployment(OpenStackAmuletDeployment):
|
||||||
msg = "Dashboard frontpage check failed"
|
msg = "Dashboard frontpage check failed"
|
||||||
amulet.raise_status(amulet.FAIL, msg=msg)
|
amulet.raise_status(amulet.FAIL, msg=msg)
|
||||||
|
|
||||||
|
def test_404_connection(self):
|
||||||
|
"""Verify the apache status module gets disabled when
|
||||||
|
hardening apache."""
|
||||||
|
|
||||||
|
u.log.debug('Checking apache mod_status gets disabled.')
|
||||||
|
unit = self.openstack_dashboard_sentry
|
||||||
|
dashboard_relation = unit.relation('identity-service',
|
||||||
|
'keystone:identity-service')
|
||||||
|
dashboard_ip = dashboard_relation['private-address']
|
||||||
|
|
||||||
|
u.log.debug('Enabling hardening for apache...')
|
||||||
|
self.d.configure('openstack-dashboard', {'harden': 'apache'})
|
||||||
|
time.sleep(5) # wait for hook to run
|
||||||
|
self.d.sentry.wait() # wait for hook to finish
|
||||||
|
|
||||||
|
try:
|
||||||
|
urllib2.urlopen('http://%s/server-status' % (dashboard_ip))
|
||||||
|
except urllib2.HTTPError as e:
|
||||||
|
if e.code == 404:
|
||||||
|
return
|
||||||
|
msg = "Apache mod_status check failed."
|
||||||
|
amulet.raise_status(amulet.FAIL, msg=msg)
|
||||||
|
|
||||||
def test_900_restart_on_config_change(self):
|
def test_900_restart_on_config_change(self):
|
||||||
"""Verify that the specified services are restarted when the
|
"""Verify that the specified services are restarted when the
|
||||||
config is changed."""
|
config is changed."""
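Review bot: The `urllib2.urlopen` call in `test_404_connection` has no timeout and only `urllib2.HTTPError` is handled, so an unreachable dashboard either hangs the run or surfaces as an uncaught `URLError` instead of the intended FAIL status. Passing a timeout, e.g. `urllib2.urlopen('http://%s/server-status' % dashboard_ip, timeout=30)`, and handling `urllib2.URLError` after the `HTTPError` branch would make that failure explicit. The fixed `time.sleep(5)` before `self.d.sentry.wait()` looks racy: if the config-changed hook has not started within five seconds, the request may be made against the pre-hardening configuration and the test can fail spuriously. The test name states the expected response but not what is verified; something like `test_404_mod_status_disabled` would keep the ordering prefix and describe the check.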
|
||||||
|
|
|
@ -218,6 +218,8 @@ def principal_unit():
|
||||||
for rid in relation_ids(reltype):
|
for rid in relation_ids(reltype):
|
||||||
for unit in related_units(rid):
|
for unit in related_units(rid):
|
||||||
md = _metadata_unit(unit)
|
md = _metadata_unit(unit)
|
||||||
|
if not md:
|
||||||
|
continue
|
||||||
subordinate = md.pop('subordinate', None)
|
subordinate = md.pop('subordinate', None)
|
||||||
if not subordinate:
|
if not subordinate:
|
||||||
return unit
|
return unit
|
||||||
|
@ -511,7 +513,10 @@ def _metadata_unit(unit):
|
||||||
"""
|
"""
|
||||||
basedir = os.sep.join(charm_dir().split(os.sep)[:-2])
|
basedir = os.sep.join(charm_dir().split(os.sep)[:-2])
|
||||||
unitdir = 'unit-{}'.format(unit.replace(os.sep, '-'))
|
unitdir = 'unit-{}'.format(unit.replace(os.sep, '-'))
|
||||||
with open(os.path.join(basedir, unitdir, 'charm', 'metadata.yaml')) as md:
|
joineddir = os.path.join(basedir, unitdir, 'charm', 'metadata.yaml')
|
||||||
|
if not os.path.exists(joineddir):
|
||||||
|
return None
|
||||||
|
with open(joineddir) as md:
|
||||||
return yaml.safe_load(md)
|
return yaml.safe_load(md)
|
||||||
|
|
||||||
|
|
||||||
|
|