apache hardening DisabledModuleAudit doesn't work
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
Charm Helpers | Fix Released | Undecided | Shane Peters |
Bug Description
Modules aren't getting disabled when adding them to 'modules_
Reproduce:
1. Add the following to hardening.yaml in any charm that employs apache hardening. Here, we're trying to disable the 'status' module in openstack-
   apache:
     hardening:
       modules_
2. Enable hardening on apache
$ juju config openstack-dashboard harden="apache"
3. Watch 'juju-debug' and observe 'DisabledModule
DEBUG unit.openstack-
4. Notice the module doesn't actually get disabled
$ juju run --application openstack-dashboard 'apachectl -M'
Loaded Modules:
core_module (static)
... snip ...
status_module (shared)
The problem exists at _get_loaded_ while parsing the output of 'apachectl -M'.
More specifically, split() operates over linefeeds and spaces inclusively, resulting in output like:
['Loaded', 'Modules:', 'core_module', '(static)', <SNIP>, 'status_module', '(shared)', 'wsgi_module', '(shared)']
However, the regex is expecting output like this:
['Loaded Modules:', ' core_module (static)', <SNIP>, ' status_module (shared)', ' status_module (shared)',
This results in an empty list always being returned to ensure_compliance() when checking which modules are currently enabled.
Another observation is when a2dismod is called in _disable_module() it's passing the full name of the module parsed from apachectl -M which has the format of 'status_module' instead of just 'status'.
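The two parsing mistakes described above (whitespace split() flattening the 'apachectl -M' output so a per-line regex never matches, and passing the 'status_module' form to a2dismod instead of 'status') are shown side by side in the following Python, which is an added illustration and not charm-helpers' own code. The sample 'apachectl -M' output is constructed to match the shape quoted in the report; the regex, function names and the 'disabled_wanted' parameter (standing in for the hardening.yaml list whose key is truncated on the page) are assumptions for the example. mod_status is worth disabling in hardened deployments because it serves a /server-status page that leaks request and client details.

```python
import re

# Constructed sample of `apachectl -M` output, following the shape shown in
# the bug report: a header line, then one "<name>_module (static|shared)"
# line per module. Not captured from a real unit.
SAMPLE_APACHECTL_M = """Loaded Modules:
 core_module (static)
 so_module (static)
 watchdog_module (static)
 http_module (static)
 status_module (shared)
 wsgi_module (shared)
"""

# Assumed per-line pattern: leading whitespace, "<name>_module", "(static)" or
# "(shared)". It only matches a whole line, never an isolated token.
_MODULE_RE = re.compile(r"^\s*(\w+)_module\s+\((static|shared)\)\s*$")


def loaded_modules_buggy(output):
    """Reproduce the failure mode from the report: str.split() with no
    argument splits on every run of whitespace, so the regex sees tokens like
    'core_module' and '(static)' separately and never matches. Always []."""
    found = []
    for token in output.split():
        m = _MODULE_RE.match(token)
        if m:
            found.append(m.group(1))
    return found


def loaded_modules(output):
    """Corrected parse: split into lines, then match each line.
    Returns {'status': 'shared', ...} keyed by the short module name."""
    modules = {}
    for line in output.splitlines():
        m = _MODULE_RE.match(line)
        if m:
            modules[m.group(1)] = m.group(2)
    return modules


def a2dismod_name(module_name):
    """a2dismod takes the short name: 'status_module' -> 'status'.
    Names that are already short pass through unchanged."""
    suffix = "_module"
    if module_name.endswith(suffix):
        return module_name[: -len(suffix)]
    return module_name


def modules_to_disable(output, disabled_wanted):
    """Given `apachectl -M` output and the wanted-disabled list, return
    (to_disable, static): names to hand to a2dismod, and names that are
    compiled in statically and therefore cannot be disabled that way.
    Entries not loaded at all are silently skipped (already compliant)."""
    loaded = loaded_modules(output)
    to_disable, static = [], []
    for name in disabled_wanted:
        short = a2dismod_name(name)
        if short not in loaded:
            continue
        if loaded[short] == "static":
            static.append(short)
        else:
            to_disable.append(short)
    return to_disable, static


def disable_commands(output, disabled_wanted):
    """Build the a2dismod invocations as argv lists without executing them,
    so the decision can be inspected (or logged) before any change is made."""
    to_disable, _ = modules_to_disable(output, disabled_wanted)
    return [["a2dismod", name] for name in to_disable]


if __name__ == "__main__":
    print("buggy parse:", loaded_modules_buggy(SAMPLE_APACHECTL_M))
    print("fixed parse:", loaded_modules(SAMPLE_APACHECTL_M))
    print("commands:", disable_commands(SAMPLE_APACHECTL_M, ["status_module"]))
```

Feeding real output in place of the constructed sample is a matter of `subprocess.check_output(["apachectl", "-M"], text=True)`; the parse and the name normalisation are the parts the report identifies as wrong, so they are the parts worth unit-testing against a captured `apachectl -M` transcript.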
Related branches
- Alex Kavanagh (community): Approve
Diff: 35 lines (+11/-2), 2 files modified
  charmhelpers/contrib/hardening/audits/apache.py (+2/-2)
  tests/contrib/hardening/audits/test_apache_audits.py (+9/-0)
Changed in charm-helpers:
  assignee: nobody → Shane Peters (shaner)
Changed in charm-helpers:
  status: New → Fix Committed
Changed in charm-helpers:
  status: Fix Committed → Fix Released