From 277d391f01219f9f222ce22fd563c101e922c89e Mon Sep 17 00:00:00 2001
From: Jiri Kortus
Date: Thu, 28 Feb 2019 16:31:05 +0100
Subject: [PATCH] Add checks for disabled root account

The root account checks are applied to generated and deployed images to make sure that root account is locked, except for live ISO.

Related: rhbz#1687595
---
tests/cli/lib/root_account.sh | 37 ++++++++++++++++++++
tests/cli/test_build_and_deploy_aws.sh | 5 +--
tests/cli/test_build_and_deploy_azure.sh | 5 +--
tests/cli/test_build_and_deploy_openstack.sh | 5 +--
tests/cli/test_build_and_deploy_vmware.sh | 5 +--
tests/cli/test_compose_live-iso.sh | 3 +-
tests/cli/test_compose_qcow2.sh | 5 +--
tests/test_cli.sh | 7 ++++
8 files changed, 61 insertions(+), 11 deletions(-)
create mode 100755 tests/cli/lib/root_account.sh

diff --git a/tests/cli/lib/root_account.sh b/tests/cli/lib/root_account.sh
new file mode 100755
index 00000000..1235fd24
--- /dev/null
+++ b/tests/cli/lib/root_account.sh
@@ -0,0 +1,37 @@
+#!/usr/bin/env bash
+
+check_root_account() {
+# Try to SSH to a remote machine first using root account using password-based
+# auth (this is expected to fail) and then using key-based auth with the
+# supplied username to check content of /etc/shadow and audit.log.
+#
+# use: check_root_account [ssh options]
+
+ local ssh_opts="-o StrictHostKeyChecking=no $3"
+ local user="$1"
+ local machine="$2"
+ if [[ "$user" == "" || "$machine" == "" ]]; then
+ rlFail "check_root_account: Missing user or machine parameter."
+ return 1
+ fi
+
+ if [ $ROOT_ACCOUNT_LOCKED == 0 ]; then
+ rlRun -t -c "ssh $ssh_opts ${user}@${machine} \"sudo grep '^root::' /etc/shadow\"" \
+ 0 "Password for root account in /etc/shadow is empty"
+ else
+ # ssh returns 255 in case of any ssh error, so it's better to grep the specific error message
+ rlRun -t -c "ssh $ssh_opts -o PubkeyAuthentication=no root@${machine} 2>&1 | grep -i 'permission denied ('" \
+ 0 "Can't ssh to '$machine' as root using password-based auth"
+ rlRun -t -c "ssh $ssh_opts ${user}@${machine} \"sudo grep -E '^root:(\*LOCK\*|!):' /etc/shadow\"" \
+ 0 "root account is disabled in /etc/shadow"
+ rlRun -t -c "ssh $ssh_opts ${user}@${machine} \"sudo grep 'USER_LOGIN.*acct=\\\"root\\\".*terminal=ssh.*res=failed' /var/log/audit/audit.log\"" \
+ 0 "audit.log contains entry about unsuccessful root login"
+ # We modify the default sshd settings on live ISO, so we can only check the default empty password setting
+ # outside of live ISO
+ rlRun -t -c "ssh $ssh_opts ${user}@${machine} 'grep -E \"^[[:blank:]]*PermitEmptyPasswords[[:blank:]]*yes\" /etc/ssh/sshd_config'" 1 \
+ "Login with empty passwords is disabled in sshd config file"
+ fi
+ rlRun -t -c "ssh $ssh_opts ${user}@${machine} 'cat /etc/redhat-release'"
+
+}
+
diff --git a/tests/cli/test_build_and_deploy_aws.sh b/tests/cli/test_build_and_deploy_aws.sh
index deeacabb..c5d99c9b 100755
--- a/tests/cli/test_build_and_deploy_aws.sh
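Review bot: In tests/cli/lib/root_account.sh the `[ $ROOT_ACCOUNT_LOCKED == 0 ]` test reaches the locked-account branch only because the unquoted, unset variable makes `[` fail with a syntax error; every caller in this patch except live-iso leaves the variable unset. `if [[ "${ROOT_ACCOUNT_LOCKED:-1}" == 0 ]]; then` makes the default explicit, so the hardening checks no longer depend on an error path. The `PermitEmptyPasswords` check is also the only remote command run without `sudo`, and it greps the file rather than the effective configuration, so an unreadable `sshd_config` (grep exit 2) or a setting supplied from a Match block or included file would be judged wrongly. Asserting on `sudo sshd -T | grep -i '^permitemptypasswords no'` with expected status 0 would be sturdier.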
+++ b/tests/cli/test_build_and_deploy_aws.sh @@ -186,8 +186,9 @@ __EOF__ CLOUD_USER="fedora" fi - # verify we can login into that instance and maybe some other details - rlRun -t -c "ssh -oStrictHostKeyChecking=no -i $SSH_KEY_DIR/id_rsa $CLOUD_USER@$IP_ADDRESS 'cat /etc/redhat-release'" + # verify we can login into that instance and root account is disabled + . ./tests/cli/lib/root_account.sh + check_root_account $CLOUD_USER $IP_ADDRESS "-i $SSH_KEY_DIR/id_rsa" rlPhaseEnd rlPhaseStartCleanup diff --git a/tests/cli/test_build_and_deploy_azure.sh b/tests/cli/test_build_and_deploy_azure.sh index 007f1934..61a23899 100755 --- a/tests/cli/test_build_and_deploy_azure.sh +++ b/tests/cli/test_build_and_deploy_azure.sh @@ -137,8 +137,9 @@ __EOF__ rlPhaseEnd rlPhaseStartTest "Verify VM instance" - # verify we can login into that instance - rlRun -t -c "ssh -oStrictHostKeyChecking=no -i $SSH_KEY_DIR/id_rsa azure-user@$IP_ADDRESS 'cat /etc/redhat-release'" + # verify we can login into that instance and root account is disabled + . ./tests/cli/lib/root_account.sh + check_root_account azure-user $IP_ADDRESS "-i $SSH_KEY_DIR/id_rsa" rlPhaseEnd rlPhaseStartCleanup diff --git a/tests/cli/test_build_and_deploy_openstack.sh b/tests/cli/test_build_and_deploy_openstack.sh index 5902ff0b..2a9a9808 100755 --- a/tests/cli/test_build_and_deploy_openstack.sh +++ b/tests/cli/test_build_and_deploy_openstack.sh @@ -123,8 +123,9 @@ __EOF__ CLOUD_USER="fedora" fi - # verify we can login into that instance - rlRun -t -c "ssh -oStrictHostKeyChecking=no -i $SSH_KEY_DIR/id_rsa $CLOUD_USER@$IP_ADDRESS 'cat /etc/redhat-release'" + # verify we can login into that instance and root account is disabled + . ./tests/cli/lib/root_account.sh + check_root_account $CLOUD_USER $IP_ADDRESS "-i $SSH_KEY_DIR/id_rsa" rlPhaseEnd rlPhaseStartCleanup diff --git a/tests/cli/test_build_and_deploy_vmware.sh b/tests/cli/test_build_and_deploy_vmware.sh index a45a5220..d4134bce 100755 
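Review bot: In test_build_and_deploy_aws.sh the new call passes `$CLOUD_USER` and `$IP_ADDRESS` unquoted, so an empty address shifts the ssh option string into the machine position and check_root_account's missing-parameter guard never fires. Quote both arguments: `check_root_account "$CLOUD_USER" "$IP_ADDRESS" "-i $SSH_KEY_DIR/id_rsa"`. The same applies to the calls added in the azure, openstack and vmware hunks. The `. ./tests/cli/lib/root_account.sh` path is relative to the working directory, so these scripts appear to assume they are started from the repository root; a comment saying so would help.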
--- a/tests/cli/test_build_and_deploy_vmware.sh +++ b/tests/cli/test_build_and_deploy_vmware.sh @@ -141,8 +141,9 @@ __EOF__ rlPhaseEnd rlPhaseStartTest "Verify VM instance" - # Verify we can login into that instance - rlRun -t -c "ssh -oStrictHostKeyChecking=no -i $SSH_KEY_DIR/id_rsa root@$IP_ADDRESS 'cat /etc/redhat-release'" + # verify we can login into that instance and root account is disabled + . ./tests/cli/lib/root_account.sh + check_root_account root $IP_ADDRESS "-i $SSH_KEY_DIR/id_rsa" rlPhaseEnd rlPhaseStartCleanup diff --git a/tests/cli/test_compose_live-iso.sh b/tests/cli/test_compose_live-iso.sh index 15ee32b0..c3526a10 100755 --- a/tests/cli/test_compose_live-iso.sh +++ b/tests/cli/test_compose_live-iso.sh @@ -51,7 +51,8 @@ rlJournalStart rlPhaseStartTest "Verify VM instance" # verify we can login into that instance *WITHOUT* a password - rlRun -t -c "ssh -oStrictHostKeyChecking=no -p 2222 root@localhost 'cat /etc/redhat-release'" + . ./tests/cli/lib/root_account.sh + ROOT_ACCOUNT_LOCKED=0 check_root_account root localhost "-p 2222" rlPhaseEnd rlPhaseStartCleanup diff --git a/tests/cli/test_compose_qcow2.sh b/tests/cli/test_compose_qcow2.sh index 00b877d4..034a3d9c 100755 --- a/tests/cli/test_compose_qcow2.sh +++ b/tests/cli/test_compose_qcow2.sh @@ -73,8 +73,9 @@ __EOF__ rlPhaseEnd rlPhaseStartTest "Verify VM instance" - # verify we can login into that instance - rlRun -t -c "ssh -oStrictHostKeyChecking=no -i $SSH_KEY_DIR/id_rsa -p 2222 root@localhost 'cat /etc/redhat-release'" + # verify we can login into that instance and root account is disabled + . ./tests/cli/lib/root_account.sh + check_root_account $CLOUD_USER $IP_ADDRESS "-i $SSH_KEY_DIR/id_rsa -p 2222" rlPhaseEnd rlPhaseStartCleanup diff --git a/tests/test_cli.sh b/tests/test_cli.sh index 2aa270e0..402bb898 100755 --- a/tests/test_cli.sh +++ b/tests/test_cli.sh 
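Review bot: The new comment in test_build_and_deploy_vmware.sh says the root account is disabled, but this call passes `root` as the login user, so check_root_account itself logs in as root with the key. What the check establishes here is that password login for root is refused and the password field in /etc/shadow is locked. A comment such as `# verify key-based login works and root's password is locked` would describe it accurately.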
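Review bot: In test_compose_live-iso.sh the `ROOT_ACCOUNT_LOCKED=0` prefix is the only thing that switches check_root_account to its empty-password branch, and nothing at the call site says so. I would add a comment above the call, for example `# ROOT_ACCOUNT_LOCKED=0: live ISO has an empty root password, so only that state is asserted`. The retained comment about logging in without a password then reads correctly next to it.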
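Review bot: The call added in test_compose_qcow2.sh uses `$CLOUD_USER` and `$IP_ADDRESS`, while the line it replaces connected to `root@localhost` on port 2222 and the hunk shows neither variable being set. If they are not defined elsewhere in that script, both expand to nothing, the option string becomes the first argument, and the check stops at the missing-parameter failure without testing the image. `check_root_account root localhost "-i $SSH_KEY_DIR/id_rsa -p 2222"` would keep the previous target.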
@@ -8,6 +8,13 @@ function setup_tests { # explicitly enable sshd for live-iso b/c it is disabled by default # due to security concerns (no root password required) sed -i.orig 's/^services.*/services --disabled="network" --enabled="NetworkManager,sshd"/' $1/composer/live-iso.ks + # explicitly enable logging in with empty passwords via ssh, because + # the default sshd setting for PermitEmptyPasswords is 'no'; we need a little hack to do inplace + # substitution as awk on RHEL-7 doesn't provide '-i inplace' option + echo "$(awk " + /%post/ && FLAG != 2 {FLAG=1} + /%end/ && FLAG == 1 {print \"sed -i 's/.*PermitEmptyPasswords.*/PermitEmptyPasswords yes/' /etc/ssh/sshd_config\"; FLAG=2} + {print}" $1/composer/live-iso.ks)" > $1/composer/live-iso.ks } function teardown_tests {
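Review bot: The `echo "$(awk …)" > $1/composer/live-iso.ks` rewrite in setup_tests leaves the kickstart holding only an empty line if awk fails or cannot read the file, because the redirect truncates it whatever awk's status was. Writing to a temporary file and moving it into place only on success avoids that, e.g. `awk '…' "$1/composer/live-iso.ks" > "$tmp" && mv "$tmp" "$1/composer/live-iso.ks"` with `tmp` taken from `mktemp` and `$1` quoted. Since the inserted `sed` makes the live image accept empty-password SSH logins, it is worth confirming that `teardown_tests` restores the file from the `.orig` copy created by the preceding `sed -i.orig`. The bodies of both functions extend outside this hunk.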