apache hardening DisabledModuleAudit doesn't work

Bug #1712203 reported by Shane Peters
Affects: Charm Helpers | Status: Fix Released | Importance: Undecided | Assigned to: Shane Peters | Milestone: (none)

Bug Description

Modules aren't getting disabled when adding them to 'modules_to_disable' field in hardening.yaml.

Reproduce:
1. Add the following to hardening.yaml in any charm that employs apache hardening. Here, we're trying to disable the 'status' module in openstack-dashboard.

apache:
  hardening:
    modules_to_disable: 'status_module'

2. Enable hardening on apache
    $ juju config openstack-dashboard harden="apache"

3. Watch 'juju-debug' and observe 'DisabledModuleAudit' executing (trimmed timestamp)

DEBUG unit.openstack-dashboard/5.juju-log Applying 'apache' overrides
DEBUG unit.openstack-dashboard/5.juju-log Running 'FilePermissionAudit' check
DEBUG unit.openstack-dashboard/5.juju-log Running 'TemplatedFile' check
DEBUG unit.openstack-dashboard/5.juju-log Running 'TemplatedFile' check
DEBUG unit.openstack-dashboard/5.juju-log Running 'DirectoryPermissionAudit' check
DEBUG unit.openstack-dashboard/5.juju-log Running 'DisabledModuleAudit' check
DEBUG unit.openstack-dashboard/5.juju-log Running 'NoReadWriteForOther' check
DEBUG unit.openstack-dashboard/5.juju-log Running 'DeletedFile' check
DEBUG unit.openstack-dashboard/5.juju-log Apache hardening checks complete.

4. Notice the module doesn't actually get disabled
    $ juju run --application openstack-dashboard 'apachectl -M'
Loaded Modules:
 core_module (static)
 ... snip ...
 status_module (shared)

The problem exists at _get_loaded_modules() in charmhelpers/contrib/hardening/audits/apache.py
while parsing the output of 'apachectl -M'.

More specifically, split() operates over linefeeds and spaces inclusively, resulting in output like:

['Loaded', 'Modules:', 'core_module', '(static)', <SNIP>, 'status_module', '(shared)', 'wsgi_module', '(shared)']

However, the regex is expecting output like this:

['Loaded Modules:', ' core_module (static)', <SNIP>, ' status_module (shared)', ' status_module (shared)',

This results in an empty list always being returned to ensure_compliance() upon checking which modules are currently enabled.

Another observation is when a2dismod is called in _disable_module() it's passing the full name of the module parsed from apachectl -M which has the format of 'status_module' instead of just 'status'.
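The two defects described above, as an added example that is not charm-helpers' own code: a line-oriented parser for the `apachectl -M` listing beside the whitespace-split variant that matches nothing, and the translation from the `LoadModule` symbol to the short name a2dismod expects. The regex, the sample listing and the function names are constructed here, not taken from apache.py.

```python
import re

# Constructed sample of `apachectl -M` output, shaped like the report's excerpt.
SAMPLE_APACHECTL_M = """Loaded Modules:
 core_module (static)
 so_module (static)
 status_module (shared)
 wsgi_module (shared)
"""

# One listing line: optional leading space, a name ending in "_module",
# then "(static)" or "(shared)". Written for a whole line, not a token.
MODULE_LINE_RE = re.compile(r'^\s*(\S+_module)\s+\((static|shared)\)\s*$')


def loaded_modules_naive(output):
    """Reproduce the reported failure: str.split() with no separator splits
    on every run of whitespace, so the regex is tried against 'status_module'
    and '(shared)' separately and never matches a whole line."""
    return [tok for tok in output.split() if MODULE_LINE_RE.match(tok)]


def loaded_modules(output):
    """Parse the listing line by line.

    Returns {name: kind} with names as apachectl prints them,
    e.g. {'status_module': 'shared'}; the 'Loaded Modules:' header is skipped
    because it does not match the line pattern."""
    modules = {}
    for line in output.splitlines():
        m = MODULE_LINE_RE.match(line)
        if m:
            modules[m.group(1)] = m.group(2)
    return modules


def a2dismod_name(module_name):
    """a2dismod/a2enmod take the short identifier ('status'), not the
    LoadModule symbol ('status_module') that apachectl -M reports."""
    suffix = '_module'
    return module_name[:-len(suffix)] if module_name.endswith(suffix) else module_name


def modules_to_disable(output, wanted):
    """Return the a2dismod arguments for the wanted modules that are loaded.

    Only 'shared' modules are candidates: a2dismod removes the .load symlink,
    which does nothing for a module compiled statically into httpd."""
    loaded = loaded_modules(output)
    return [a2dismod_name(m) for m in wanted if loaded.get(m) == 'shared']
```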

Tags: sts

Shane Peters (shaner)
Changed in charm-helpers:
assignee: nobody → Shane Peters (shaner)
Shane Peters (shaner)
Changed in charm-helpers:
status: New → Fix Committed
Changed in charm-helpers:
status: Fix Committed → Fix Released