kevinheyer/bootstrap-vz
1
0
Fork 0
mirror of https://github.com/kevingruesser/bootstrap-vz.git synced 2025-08-24 07:26:29 +00:00
Code Issues Projects Releases Packages Wiki Activity Actions

Implement security tasks + minor fixes

Browse source
This commit is contained in:
Anders Ingemann 2013-07-01 23:41:22 +02:00
parent 953e324ca3
commit 9ee096f262
3 changed files with 38 additions and 2 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

6
providers/ec2/__init__.py
View file

@ -9,6 +9,7 @@ from tasks import bootstrap
from tasks import locale from tasks import locale
from tasks import apt from tasks import apt
from tasks import boot from tasks import boot
from tasks import security
def initialize(): def initialize():
@ -43,7 +44,10 @@ def tasks(tasklist, manifest):
boot.ConfigureGrub(), boot.ConfigureGrub(),
boot.ModifyFstab(), boot.ModifyFstab(),
boot.BlackListModules(), boot.BlackListModules(),
boot.DisableGetTTYs()) boot.DisableGetTTYs(),
security.EnableShadowConfig(),
security.DisableSSHPasswordAuthentication(),
security.DisableSSHDNSLookup())
from common.tasks import TriggerRollback from common.tasks import TriggerRollback
tasklist.add(TriggerRollback()) tasklist.add(TriggerRollback())

2
providers/ec2/tasks/boot.py
View file

@ -59,7 +59,7 @@ class BlackListModules(Task):
def run(self, info): def run(self, info):
blacklist_path = os.path.join(info.root, 'etc/modprobe.d/blacklist.conf') blacklist_path = os.path.join(info.root, 'etc/modprobe.d/blacklist.conf')
with open(blacklist_path, 'a') as blacklist: with open(blacklist_path, 'a') as blacklist:
blacklist.write(('# disable pc speaker\nblacklist pcspkr')) blacklist.write('# disable pc speaker\nblacklist pcspkr')
class DisableGetTTYs(Task): class DisableGetTTYs(Task):

32
providers/ec2/tasks/security.py Normal file
View file

@ -0,0 +1,32 @@
from base import Task
from common import phases
import os.path
class EnableShadowConfig(Task):
description = 'Enabling shadowconfig'
phase = phases.system_modification
def run(self, info):
from common.tools import log_check_call
log_check_call(['chroot', info.root, '/sbin/shadowconfig', 'on'])
class DisableSSHPasswordAuthentication(Task):
description = 'Disabling SSH password authentication'
phase = phases.system_modification
def run(self, info):
from common.tools import sed_i
sshd_config_path = os.path.join(info.root, 'etc/ssh/sshd_config')
sed_i(sshd_config_path, '^#PasswordAuthentication yes', 'PasswordAuthentication no')
class DisableSSHDNSLookup(Task):
description = 'Disabling sshd remote host name lookup'
phase = phases.system_modification
def run(self, info):
sshd_config_path = os.path.join(info.root, 'etc/ssh/sshd_config')
with open(sshd_config_path, 'a') as sshd_config:
sshd_config.write('UseDNS no')