Diffstat (limited to 'charms/trusty/ceilometer/charmhelpers/contrib/hardening/defaults')
-rw-r--r--charms/trusty/ceilometer/charmhelpers/contrib/hardening/defaults/__init__.py0
-rw-r--r--charms/trusty/ceilometer/charmhelpers/contrib/hardening/defaults/apache.yaml13
-rw-r--r--charms/trusty/ceilometer/charmhelpers/contrib/hardening/defaults/apache.yaml.schema9
-rw-r--r--charms/trusty/ceilometer/charmhelpers/contrib/hardening/defaults/mysql.yaml38
-rw-r--r--charms/trusty/ceilometer/charmhelpers/contrib/hardening/defaults/mysql.yaml.schema15
-rw-r--r--charms/trusty/ceilometer/charmhelpers/contrib/hardening/defaults/os.yaml67
-rw-r--r--charms/trusty/ceilometer/charmhelpers/contrib/hardening/defaults/os.yaml.schema42
-rw-r--r--charms/trusty/ceilometer/charmhelpers/contrib/hardening/defaults/ssh.yaml49
-rw-r--r--charms/trusty/ceilometer/charmhelpers/contrib/hardening/defaults/ssh.yaml.schema42
9 files changed, 0 insertions, 275 deletions
diff --git a/charms/trusty/ceilometer/charmhelpers/contrib/hardening/defaults/__init__.py b/charms/trusty/ceilometer/charmhelpers/contrib/hardening/defaults/__init__.py
deleted file mode 100644
index e69de29..0000000
--- a/charms/trusty/ceilometer/charmhelpers/contrib/hardening/defaults/__init__.py
+++ /dev/null
diff --git a/charms/trusty/ceilometer/charmhelpers/contrib/hardening/defaults/apache.yaml b/charms/trusty/ceilometer/charmhelpers/contrib/hardening/defaults/apache.yaml
deleted file mode 100644
index e5ada29..0000000
--- a/charms/trusty/ceilometer/charmhelpers/contrib/hardening/defaults/apache.yaml
+++ /dev/null
@@ -1,13 +0,0 @@
-# NOTE: this file contains the default configuration for the 'apache' hardening
-# code. If you want to override any settings you must add them to a file
-# called hardening.yaml in the root directory of your charm using the
-# name 'apache' as the root key followed by any of the following with new
-# values.
-
-common:
- apache_dir: '/etc/apache2'
-
-hardening:
- traceenable: 'off'
- allowed_http_methods: "GET POST"
- modules_to_disable: [ cgi, cgid ]
\ No newline at end of file
diff --git a/charms/trusty/ceilometer/charmhelpers/contrib/hardening/defaults/apache.yaml.schema b/charms/trusty/ceilometer/charmhelpers/contrib/hardening/defaults/apache.yaml.schema
deleted file mode 100644
index 227589b..0000000
--- a/charms/trusty/ceilometer/charmhelpers/contrib/hardening/defaults/apache.yaml.schema
+++ /dev/null
@@ -1,9 +0,0 @@
-# NOTE: this schema must contain all valid keys from it's associated defaults
-# file. It is used to validate user-provided overrides.
-common:
- apache_dir:
- traceenable:
-
-hardening:
- allowed_http_methods:
- modules_to_disable:
diff --git a/charms/trusty/ceilometer/charmhelpers/contrib/hardening/defaults/mysql.yaml b/charms/trusty/ceilometer/charmhelpers/contrib/hardening/defaults/mysql.yaml
deleted file mode 100644
index 682d22b..0000000
--- a/charms/trusty/ceilometer/charmhelpers/contrib/hardening/defaults/mysql.yaml
+++ /dev/null
@@ -1,38 +0,0 @@
-# NOTE: this file contains the default configuration for the 'mysql' hardening
-# code. If you want to override any settings you must add them to a file
-# called hardening.yaml in the root directory of your charm using the
-# name 'mysql' as the root key followed by any of the following with new
-# values.
-
-hardening:
- mysql-conf: /etc/mysql/my.cnf
- hardening-conf: /etc/mysql/conf.d/hardening.cnf
-
-security:
- # @see http://www.symantec.com/connect/articles/securing-mysql-step-step
- # @see http://dev.mysql.com/doc/refman/5.7/en/server-options.html#option_mysqld_chroot
- chroot: None
-
- # @see http://dev.mysql.com/doc/refman/5.7/en/server-options.html#option_mysqld_safe-user-create
- safe-user-create: 1
-
- # @see http://dev.mysql.com/doc/refman/5.7/en/server-options.html#option_mysqld_secure-auth
- secure-auth: 1
-
- # @see http://dev.mysql.com/doc/refman/5.7/en/server-options.html#option_mysqld_symbolic-links
- skip-symbolic-links: 1
-
- # @see http://dev.mysql.com/doc/refman/5.7/en/server-options.html#option_mysqld_skip-show-database
- skip-show-database: True
-
- # @see http://dev.mysql.com/doc/refman/5.7/en/server-system-variables.html#sysvar_local_infile
- local-infile: 0
-
- # @see https://dev.mysql.com/doc/refman/5.7/en/server-options.html#option_mysqld_allow-suspicious-udfs
- allow-suspicious-udfs: 0
-
- # @see https://dev.mysql.com/doc/refman/5.7/en/server-system-variables.html#sysvar_automatic_sp_privileges
- automatic-sp-privileges: 0
-
- # @see https://dev.mysql.com/doc/refman/5.7/en/server-options.html#option_mysqld_secure-file-priv
- secure-file-priv: /tmp
diff --git a/charms/trusty/ceilometer/charmhelpers/contrib/hardening/defaults/mysql.yaml.schema b/charms/trusty/ceilometer/charmhelpers/contrib/hardening/defaults/mysql.yaml.schema
deleted file mode 100644
index 2edf325..0000000
--- a/charms/trusty/ceilometer/charmhelpers/contrib/hardening/defaults/mysql.yaml.schema
+++ /dev/null
@@ -1,15 +0,0 @@
-# NOTE: this schema must contain all valid keys from it's associated defaults
-# file. It is used to validate user-provided overrides.
-hardening:
- mysql-conf:
- hardening-conf:
-security:
- chroot:
- safe-user-create:
- secure-auth:
- skip-symbolic-links:
- skip-show-database:
- local-infile:
- allow-suspicious-udfs:
- automatic-sp-privileges:
- secure-file-priv:
diff --git a/charms/trusty/ceilometer/charmhelpers/contrib/hardening/defaults/os.yaml b/charms/trusty/ceilometer/charmhelpers/contrib/hardening/defaults/os.yaml
deleted file mode 100644
index ddd4286..0000000
--- a/charms/trusty/ceilometer/charmhelpers/contrib/hardening/defaults/os.yaml
+++ /dev/null
@@ -1,67 +0,0 @@
-# NOTE: this file contains the default configuration for the 'os' hardening
-# code. If you want to override any settings you must add them to a file
-# called hardening.yaml in the root directory of your charm using the
-# name 'os' as the root key followed by any of the following with new
-# values.
-
-general:
- desktop_enable: False # (type:boolean)
-
-environment:
- extra_user_paths: []
- umask: 027
- root_path: /
-
-auth:
- pw_max_age: 60
- # discourage password cycling
- pw_min_age: 7
- retries: 5
- lockout_time: 600
- timeout: 60
- allow_homeless: False # (type:boolean)
- pam_passwdqc_enable: True # (type:boolean)
- pam_passwdqc_options: 'min=disabled,disabled,16,12,8'
- root_ttys:
- console
- tty1
- tty2
- tty3
- tty4
- tty5
- tty6
- uid_min: 1000
- gid_min: 1000
- sys_uid_min: 100
- sys_uid_max: 999
- sys_gid_min: 100
- sys_gid_max: 999
- chfn_restrict:
-
-security:
- users_allow: []
- suid_sgid_enforce: True # (type:boolean)
- # user-defined blacklist and whitelist
- suid_sgid_blacklist: []
- suid_sgid_whitelist: []
- # if this is True, remove any suid/sgid bits from files that were not in the whitelist
- suid_sgid_dry_run_on_unknown: False # (type:boolean)
- suid_sgid_remove_from_unknown: False # (type:boolean)
- # remove packages with known issues
- packages_clean: True # (type:boolean)
- packages_list:
- xinetd
- inetd
- ypserv
- telnet-server
- rsh-server
- rsync
- kernel_enable_module_loading: True # (type:boolean)
- kernel_enable_core_dump: False # (type:boolean)
-
-sysctl:
- kernel_secure_sysrq: 244 # 4 + 16 + 32 + 64 + 128
- kernel_enable_sysrq: False # (type:boolean)
- forwarding: False # (type:boolean)
- ipv6_enable: False # (type:boolean)
- arp_restricted: True # (type:boolean)
diff --git a/charms/trusty/ceilometer/charmhelpers/contrib/hardening/defaults/os.yaml.schema b/charms/trusty/ceilometer/charmhelpers/contrib/hardening/defaults/os.yaml.schema
deleted file mode 100644
index 88b3966..0000000
--- a/charms/trusty/ceilometer/charmhelpers/contrib/hardening/defaults/os.yaml.schema
+++ /dev/null
@@ -1,42 +0,0 @@
-# NOTE: this schema must contain all valid keys from it's associated defaults
-# file. It is used to validate user-provided overrides.
-general:
- desktop_enable:
-environment:
- extra_user_paths:
- umask:
- root_path:
-auth:
- pw_max_age:
- pw_min_age:
- retries:
- lockout_time:
- timeout:
- allow_homeless:
- pam_passwdqc_enable:
- pam_passwdqc_options:
- root_ttys:
- uid_min:
- gid_min:
- sys_uid_min:
- sys_uid_max:
- sys_gid_min:
- sys_gid_max:
- chfn_restrict:
-security:
- users_allow:
- suid_sgid_enforce:
- suid_sgid_blacklist:
- suid_sgid_whitelist:
- suid_sgid_dry_run_on_unknown:
- suid_sgid_remove_from_unknown:
- packages_clean:
- packages_list:
- kernel_enable_module_loading:
- kernel_enable_core_dump:
-sysctl:
- kernel_secure_sysrq:
- kernel_enable_sysrq:
- forwarding:
- ipv6_enable:
- arp_restricted:
diff --git a/charms/trusty/ceilometer/charmhelpers/contrib/hardening/defaults/ssh.yaml b/charms/trusty/ceilometer/charmhelpers/contrib/hardening/defaults/ssh.yaml
deleted file mode 100644
index cd529bc..0000000
--- a/charms/trusty/ceilometer/charmhelpers/contrib/hardening/defaults/ssh.yaml
+++ /dev/null
@@ -1,49 +0,0 @@
-# NOTE: this file contains the default configuration for the 'ssh' hardening
-# code. If you want to override any settings you must add them to a file
-# called hardening.yaml in the root directory of your charm using the
-# name 'ssh' as the root key followed by any of the following with new
-# values.
-
-common:
- service_name: 'ssh'
- network_ipv6_enable: False # (type:boolean)
- ports: [22]
- remote_hosts: []
-
-client:
- package: 'openssh-client'
- cbc_required: False # (type:boolean)
- weak_hmac: False # (type:boolean)
- weak_kex: False # (type:boolean)
- roaming: False
- password_authentication: 'no'
-
-server:
- host_key_files: ['/etc/ssh/ssh_host_rsa_key', '/etc/ssh/ssh_host_dsa_key',
- '/etc/ssh/ssh_host_ecdsa_key']
- cbc_required: False # (type:boolean)
- weak_hmac: False # (type:boolean)
- weak_kex: False # (type:boolean)
- allow_root_with_key: False # (type:boolean)
- allow_tcp_forwarding: 'no'
- allow_agent_forwarding: 'no'
- allow_x11_forwarding: 'no'
- use_privilege_separation: 'sandbox'
- listen_to: ['0.0.0.0']
- use_pam: 'no'
- package: 'openssh-server'
- password_authentication: 'no'
- alive_interval: '600'
- alive_count: '3'
- sftp_enable: False # (type:boolean)
- sftp_group: 'sftponly'
- sftp_chroot: '/home/%u'
- deny_users: []
- allow_users: []
- deny_groups: []
- allow_groups: []
- print_motd: 'no'
- print_last_log: 'no'
- use_dns: 'no'
- max_auth_tries: 2
- max_sessions: 10
diff --git a/charms/trusty/ceilometer/charmhelpers/contrib/hardening/defaults/ssh.yaml.schema b/charms/trusty/ceilometer/charmhelpers/contrib/hardening/defaults/ssh.yaml.schema
deleted file mode 100644
index d05e054..0000000
--- a/charms/trusty/ceilometer/charmhelpers/contrib/hardening/defaults/ssh.yaml.schema
+++ /dev/null
@@ -1,42 +0,0 @@
-# NOTE: this schema must contain all valid keys from it's associated defaults
-# file. It is used to validate user-provided overrides.
-common:
- service_name:
- network_ipv6_enable:
- ports:
- remote_hosts:
-client:
- package:
- cbc_required:
- weak_hmac:
- weak_kex:
- roaming:
- password_authentication:
-server:
- host_key_files:
- cbc_required:
- weak_hmac:
- weak_kex:
- allow_root_with_key:
- allow_tcp_forwarding:
- allow_agent_forwarding:
- allow_x11_forwarding:
- use_privilege_separation:
- listen_to:
- use_pam:
- package:
- password_authentication:
- alive_interval:
- alive_count:
- sftp_enable:
- sftp_group:
- sftp_chroot:
- deny_users:
- allow_users:
- deny_groups:
- allow_groups:
- print_motd:
- print_last_log:
- use_dns:
- max_auth_tries:
- max_sessions: