1 files changed, 0 insertions, 131 deletions
diff --git a/charms/trusty/ceilometer/charmhelpers/contrib/hardening/host/checks/suid_sgid.py b/charms/trusty/ceilometer/charmhelpers/contrib/hardening/host/checks/suid_sgid.py
deleted file mode 100644
index 0534689..0000000
--- a/charms/trusty/ceilometer/charmhelpers/contrib/hardening/host/checks/suid_sgid.py
+++ /dev/null
@@ -1,131 +0,0 @@
-# Copyright 2016 Canonical Limited.
-#
-# This file is part of charm-helpers.
-#
-# charm-helpers is free software: you can redistribute it and/or modify
-# it under the terms of the GNU Lesser General Public License version 3 as
-# published by the Free Software Foundation.
-#
-# charm-helpers is distributed in the hope that it will be useful,
-# but WITHOUT ANY WARRANTY; without even the implied warranty of
-# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
-# GNU Lesser General Public License for more details.
-#
-# You should have received a copy of the GNU Lesser General Public License
-# along with charm-helpers.  If not, see <http://www.gnu.org/licenses/>.
-
-import subprocess
-
-from charmhelpers.core.hookenv import (
-    log,
-    INFO,
-)
-from charmhelpers.contrib.hardening.audits.file import NoSUIDSGIDAudit
-from charmhelpers.contrib.hardening import utils
-
-
-BLACKLIST = ['/usr/bin/rcp', '/usr/bin/rlogin', '/usr/bin/rsh',
-             '/usr/libexec/openssh/ssh-keysign',
-             '/usr/lib/openssh/ssh-keysign',
-             '/sbin/netreport',
-             '/usr/sbin/usernetctl',
-             '/usr/sbin/userisdnctl',
-             '/usr/sbin/pppd',
-             '/usr/bin/lockfile',
-             '/usr/bin/mail-lock',
-             '/usr/bin/mail-unlock',
-             '/usr/bin/mail-touchlock',
-             '/usr/bin/dotlockfile',
-             '/usr/bin/arping',
-             '/usr/sbin/uuidd',
-             '/usr/bin/mtr',
-             '/usr/lib/evolution/camel-lock-helper-1.2',
-             '/usr/lib/pt_chown',
-             '/usr/lib/eject/dmcrypt-get-device',
-             '/usr/lib/mc/cons.saver']
-
-WHITELIST = ['/bin/mount', '/bin/ping', '/bin/su', '/bin/umount',
-             '/sbin/pam_timestamp_check', '/sbin/unix_chkpwd', '/usr/bin/at',
-             '/usr/bin/gpasswd', '/usr/bin/locate', '/usr/bin/newgrp',
-             '/usr/bin/passwd', '/usr/bin/ssh-agent',
-             '/usr/libexec/utempter/utempter', '/usr/sbin/lockdev',
-             '/usr/sbin/sendmail.sendmail', '/usr/bin/expiry',
-             '/bin/ping6', '/usr/bin/traceroute6.iputils',
-             '/sbin/mount.nfs', '/sbin/umount.nfs',
-             '/sbin/mount.nfs4', '/sbin/umount.nfs4',
-             '/usr/bin/crontab',
-             '/usr/bin/wall', '/usr/bin/write',
-             '/usr/bin/screen',
-             '/usr/bin/mlocate',
-             '/usr/bin/chage', '/usr/bin/chfn', '/usr/bin/chsh',
-             '/bin/fusermount',
-             '/usr/bin/pkexec',
-             '/usr/bin/sudo', '/usr/bin/sudoedit',
-             '/usr/sbin/postdrop', '/usr/sbin/postqueue',
-             '/usr/sbin/suexec',
-             '/usr/lib/squid/ncsa_auth', '/usr/lib/squid/pam_auth',
-             '/usr/kerberos/bin/ksu',
-             '/usr/sbin/ccreds_validate',
-             '/usr/bin/Xorg',
-             '/usr/bin/X',
-             '/usr/lib/dbus-1.0/dbus-daemon-launch-helper',
-             '/usr/lib/vte/gnome-pty-helper',
-             '/usr/lib/libvte9/gnome-pty-helper',
-             '/usr/lib/libvte-2.90-9/gnome-pty-helper']
-
-
-def get_audits():
-    """Get OS hardening suid/sgid audits.
-
-    :returns:  dictionary of audits
-    """
-    checks = []
-    settings = utils.get_settings('os')
-    if not settings['security']['suid_sgid_enforce']:
-        log("Skipping suid/sgid hardening", level=INFO)
-        return checks
-
-    # Build the blacklist and whitelist of files for suid/sgid checks.
-    # There are a total of 4 lists:
-    #   1. the system blacklist
-    #   2. the system whitelist
-    #   3. the user blacklist
-    #   4. the user whitelist
-    #
-    # The blacklist is the set of paths which should NOT have the suid/sgid bit
-    # set and the whitelist is the set of paths which MAY have the suid/sgid
-    # bit setl. The user whitelist/blacklist effectively override the system
-    # whitelist/blacklist.
-    u_b = settings['security']['suid_sgid_blacklist']
-    u_w = settings['security']['suid_sgid_whitelist']
-
-    blacklist = set(BLACKLIST) - set(u_w + u_b)
-    whitelist = set(WHITELIST) - set(u_b + u_w)
-
-    checks.append(NoSUIDSGIDAudit(blacklist))
-
-    dry_run = settings['security']['suid_sgid_dry_run_on_unknown']
-
-    if settings['security']['suid_sgid_remove_from_unknown'] or dry_run:
-        # If the policy is a dry_run (e.g. complain only) or remove unknown
-        # suid/sgid bits then find all of the paths which have the suid/sgid
-        # bit set and then remove the whitelisted paths.
-        root_path = settings['environment']['root_path']
-        unknown_paths = find_paths_with_suid_sgid(root_path) - set(whitelist)
-        checks.append(NoSUIDSGIDAudit(unknown_paths, unless=dry_run))
-
-    return checks
-
-
-def find_paths_with_suid_sgid(root_path):
-    """Finds all paths/files which have an suid/sgid bit enabled.
-
-    Starting with the root_path, this will recursively find all paths which
-    have an suid or sgid bit set.
-    """
-    cmd = ['find', root_path, '-perm', '-4000', '-o', '-perm', '-2000',
-           '-type', 'f', '!', '-path', '/proc/*', '-print']
-
-    p = subprocess.Popen(cmd, stdout=subprocess.PIPE, stderr=subprocess.PIPE)
-    out, _ = p.communicate()
-    return set(out.split('\n'))