Implement security tasks + minor fixes

2025-08-22 09:50:37 +00:00 · 2013-07-01 23:41:22 +02:00 · 2013-07-01 23:41:22 +02:00 · 9ee096f262
commit 9ee096f262
parent 953e324ca3
3 changed files with 38 additions and 2 deletions
--- a/providers/ec2/init.py
+++ b/providers/ec2/init.py
@ -9,6 +9,7 @@ from tasks import bootstrap
 from tasks import locale
 from tasks import apt
 from tasks import boot
+from tasks import security


 def initialize():
@ -43,7 +44,10 @@ def tasks(tasklist, manifest):
 	             boot.ConfigureGrub(),
 	             boot.ModifyFstab(),
 	             boot.BlackListModules(),
-	             boot.DisableGetTTYs())
+	             boot.DisableGetTTYs(),
+	             security.EnableShadowConfig(),
+	             security.DisableSSHPasswordAuthentication(),
+	             security.DisableSSHDNSLookup())

 	from common.tasks import TriggerRollback
 	tasklist.add(TriggerRollback())
--- a/providers/ec2/tasks/boot.py
+++ b/providers/ec2/tasks/boot.py
@ -59,7 +59,7 @@ class BlackListModules(Task):
 	def run(self, info):
 		blacklist_path = os.path.join(info.root, 'etc/modprobe.d/blacklist.conf')
 		with open(blacklist_path, 'a') as blacklist:
-			blacklist.write(('# disable pc speaker\nblacklist pcspkr'))
+			blacklist.write('# disable pc speaker\nblacklist pcspkr')


 class DisableGetTTYs(Task):
--- a/providers/ec2/tasks/security.py
+++ b/providers/ec2/tasks/security.py
@ -0,0 +1,32 @@
+from base import Task
+from common import phases
+import os.path
+
+
+class EnableShadowConfig(Task):
+	description = 'Enabling shadowconfig'
+	phase = phases.system_modification
+
+	def run(self, info):
+		from common.tools import log_check_call
+		log_check_call(['chroot', info.root, '/sbin/shadowconfig', 'on'])
+
+
+class DisableSSHPasswordAuthentication(Task):
+	description = 'Disabling SSH password authentication'
+	phase = phases.system_modification
+
+	def run(self, info):
+		from common.tools import sed_i
+		sshd_config_path = os.path.join(info.root, 'etc/ssh/sshd_config')
+		sed_i(sshd_config_path, '^#PasswordAuthentication yes', 'PasswordAuthentication no')
+
+
+class DisableSSHDNSLookup(Task):
+	description = 'Disabling sshd remote host name lookup'
+	phase = phases.system_modification
+
+	def run(self, info):
+		sshd_config_path = os.path.join(info.root, 'etc/ssh/sshd_config')
+		with open(sshd_config_path, 'a') as sshd_config:
+			sshd_config.write('UseDNS no')