apache hardening DisabledModuleAudit doesn't work

Bug #1712203 reported by Shane Peters on 2017-08-21
Affects: Charm Helpers | Importance: Undecided | Assigned to: Shane Peters

Bug Description

Modules aren't getting disabled when adding them to 'modules_to_disable' field in hardening.yaml.

Reproduce:
1. Add the following to hardening.yaml in any charm that employs apache hardening. Here, we're trying to disable the 'status' module in openstack-dashboard.

apache:
  hardening:
    modules_to_disable: 'status_module'

2. Enable hardening on apache
    $ juju config openstack-dashboard harden="apache"

3. Watch 'juju-debug' and observe 'DisabledModuleAudit' executing (trimmed timestamp)

DEBUG unit.openstack-dashboard/5.juju-log Applying 'apache' overrides
DEBUG unit.openstack-dashboard/5.juju-log Running 'FilePermissionAudit' check
DEBUG unit.openstack-dashboard/5.juju-log Running 'TemplatedFile' check
DEBUG unit.openstack-dashboard/5.juju-log Running 'TemplatedFile' check
DEBUG unit.openstack-dashboard/5.juju-log Running 'DirectoryPermissionAudit' check
DEBUG unit.openstack-dashboard/5.juju-log Running 'DisabledModuleAudit' check
DEBUG unit.openstack-dashboard/5.juju-log Running 'NoReadWriteForOther' check
DEBUG unit.openstack-dashboard/5.juju-log Running 'DeletedFile' check
DEBUG unit.openstack-dashboard/5.juju-log Apache hardening checks complete.

4. Notice the module doesn't actually get disabled
    $ juju run --application openstack-dashboard 'apachectl -M'
Loaded Modules:
 core_module (static)
 ... snip ...
 status_module (shared)

The problem exists at _get_loaded_modules() in charmhelpers/contrib/hardening/audits/apache.py
while parsing the output of 'apachectl -M'.

More specifically, split() operates over linefeeds and spaces inclusively, resulting in output like:

['Loaded', 'Modules:', 'core_module', '(static)', <SNIP>, 'status_module', '(shared)', 'wsgi_module', '(shared)']

However, the regex is expecting output like this:

['Loaded Modules:', ' core_module (static)', <SNIP>, ' status_module (shared)', ' status_module (shared)',

This results in an empty list always being returned to ensure_compliance() upon checking which modules are currently enabled.

Another observation is when a2dismod is called in _disable_module() it's passing the full name of the module parsed from apachectl -M which has the format of 'status_module' instead of just 'status'.
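The two defects the report describes, shown side by side in an added example that is not charm-helpers' code: a parser that splits on whitespace (so a per-line regex never matches) next to one that splits on line boundaries, plus the 'status_module' to 'status' mapping a2dismod needs. The regex shape and the sample apachectl output are assumptions constructed for the example.

```python
import re

# Constructed sample of `apachectl -M` output, in the shape shown in the report.
SAMPLE_APACHECTL_M = """Loaded Modules:
 core_module (static)
 so_module (static)
 mpm_event_module (shared)
 status_module (shared)
 wsgi_module (shared)
"""

# Assumed regex: one "<name> (static|shared)" entry per line.
MODULE_RE = re.compile(r'^\s*(\S+)\s+\((static|shared)\)\s*$')


def parse_loaded_modules_buggy(output):
    """Mirrors the defect: str.split() with no argument splits on every run of
    whitespace, so each token ('core_module', '(static)') is tested on its own
    and the per-line regex never matches. Always returns an empty dict."""
    modules = {}
    for token in output.split():
        m = MODULE_RE.match(token)
        if m:
            modules[m.group(1)] = m.group(2)
    return modules


def parse_loaded_modules(output):
    """Fixed version: split on line boundaries, then match each line."""
    modules = {}
    for line in output.splitlines():
        m = MODULE_RE.match(line)
        if m:
            modules[m.group(1)] = m.group(2)
    return modules


def a2dismod_name(module):
    """apachectl -M reports 'status_module'; a2dismod expects 'status'."""
    suffix = '_module'
    return module[:-len(suffix)] if module.endswith(suffix) else module


def modules_to_disable(output, requested):
    """Return the a2dismod arguments for requested modules (hardening.yaml
    form, e.g. 'status_module') that are loaded as shared objects. Static
    modules are compiled in and cannot be disabled with a2dismod."""
    loaded = parse_loaded_modules(output)
    return [a2dismod_name(m) for m in requested if loaded.get(m) == 'shared']
```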

Tags: sts

Shane Peters (shaner) on 2017-08-21
Changed in charm-helpers:
assignee: nobody → Shane Peters (shaner)
Shane Peters (shaner) on 2017-09-07
Changed in charm-helpers:
status: New → Fix Committed
Changed in charm-helpers:
status: Fix Committed → Fix Released