Add checks for disabled root account
The root account checks are applied to generated and deployed images to make sure that root account is locked, except for live ISO. Related: rhbz#1687595
This commit is contained in:
parent
5d6446a7bd
commit
277d391f01
37
tests/cli/lib/root_account.sh
Executable file
37
tests/cli/lib/root_account.sh
Executable file
@ -0,0 +1,37 @@
|
|||||||
|
#!/usr/bin/env bash
|
||||||
|
|
||||||
|
check_root_account() {
|
||||||
|
# Try to SSH to a remote machine first using root account using password-based
|
||||||
|
# auth (this is expected to fail) and then using key-based auth with the
|
||||||
|
# supplied username to check content of /etc/shadow and audit.log.
|
||||||
|
#
|
||||||
|
# use: check_root_account <user> <machine> [ssh options]
|
||||||
|
|
||||||
|
local ssh_opts="-o StrictHostKeyChecking=no $3"
|
||||||
|
local user="$1"
|
||||||
|
local machine="$2"
|
||||||
|
if [[ "$user" == "" || "$machine" == "" ]]; then
|
||||||
|
rlFail "check_root_account: Missing user or machine parameter."
|
||||||
|
return 1
|
||||||
|
fi
|
||||||
|
|
||||||
|
if [ $ROOT_ACCOUNT_LOCKED == 0 ]; then
|
||||||
|
rlRun -t -c "ssh $ssh_opts ${user}@${machine} \"sudo grep '^root::' /etc/shadow\"" \
|
||||||
|
0 "Password for root account in /etc/shadow is empty"
|
||||||
|
else
|
||||||
|
# ssh returns 255 in case of any ssh error, so it's better to grep the specific error message
|
||||||
|
rlRun -t -c "ssh $ssh_opts -o PubkeyAuthentication=no root@${machine} 2>&1 | grep -i 'permission denied ('" \
|
||||||
|
0 "Can't ssh to '$machine' as root using password-based auth"
|
||||||
|
rlRun -t -c "ssh $ssh_opts ${user}@${machine} \"sudo grep -E '^root:(\*LOCK\*|!):' /etc/shadow\"" \
|
||||||
|
0 "root account is disabled in /etc/shadow"
|
||||||
|
rlRun -t -c "ssh $ssh_opts ${user}@${machine} \"sudo grep 'USER_LOGIN.*acct=\\\"root\\\".*terminal=ssh.*res=failed' /var/log/audit/audit.log\"" \
|
||||||
|
0 "audit.log contains entry about unsuccessful root login"
|
||||||
|
# We modify the default sshd settings on live ISO, so we can only check the default empty password setting
|
||||||
|
# outside of live ISO
|
||||||
|
rlRun -t -c "ssh $ssh_opts ${user}@${machine} 'grep -E \"^[[:blank:]]*PermitEmptyPasswords[[:blank:]]*yes\" /etc/ssh/sshd_config'" 1 \
|
||||||
|
"Login with empty passwords is disabled in sshd config file"
|
||||||
|
fi
|
||||||
|
rlRun -t -c "ssh $ssh_opts ${user}@${machine} 'cat /etc/redhat-release'"
|
||||||
|
|
||||||
|
}
|
||||||
|
|
@ -186,8 +186,9 @@ __EOF__
|
|||||||
CLOUD_USER="fedora"
|
CLOUD_USER="fedora"
|
||||||
fi
|
fi
|
||||||
|
|
||||||
# verify we can login into that instance and maybe some other details
|
# verify we can login into that instance and root account is disabled
|
||||||
rlRun -t -c "ssh -oStrictHostKeyChecking=no -i $SSH_KEY_DIR/id_rsa $CLOUD_USER@$IP_ADDRESS 'cat /etc/redhat-release'"
|
. ./tests/cli/lib/root_account.sh
|
||||||
|
check_root_account $CLOUD_USER $IP_ADDRESS "-i $SSH_KEY_DIR/id_rsa"
|
||||||
rlPhaseEnd
|
rlPhaseEnd
|
||||||
|
|
||||||
rlPhaseStartCleanup
|
rlPhaseStartCleanup
|
||||||
|
@ -137,8 +137,9 @@ __EOF__
|
|||||||
rlPhaseEnd
|
rlPhaseEnd
|
||||||
|
|
||||||
rlPhaseStartTest "Verify VM instance"
|
rlPhaseStartTest "Verify VM instance"
|
||||||
# verify we can login into that instance
|
# verify we can login into that instance and root account is disabled
|
||||||
rlRun -t -c "ssh -oStrictHostKeyChecking=no -i $SSH_KEY_DIR/id_rsa azure-user@$IP_ADDRESS 'cat /etc/redhat-release'"
|
. ./tests/cli/lib/root_account.sh
|
||||||
|
check_root_account azure-user $IP_ADDRESS "-i $SSH_KEY_DIR/id_rsa"
|
||||||
rlPhaseEnd
|
rlPhaseEnd
|
||||||
|
|
||||||
rlPhaseStartCleanup
|
rlPhaseStartCleanup
|
||||||
|
@ -123,8 +123,9 @@ __EOF__
|
|||||||
CLOUD_USER="fedora"
|
CLOUD_USER="fedora"
|
||||||
fi
|
fi
|
||||||
|
|
||||||
# verify we can login into that instance
|
# verify we can login into that instance and root account is disabled
|
||||||
rlRun -t -c "ssh -oStrictHostKeyChecking=no -i $SSH_KEY_DIR/id_rsa $CLOUD_USER@$IP_ADDRESS 'cat /etc/redhat-release'"
|
. ./tests/cli/lib/root_account.sh
|
||||||
|
check_root_account $CLOUD_USER $IP_ADDRESS "-i $SSH_KEY_DIR/id_rsa"
|
||||||
rlPhaseEnd
|
rlPhaseEnd
|
||||||
|
|
||||||
rlPhaseStartCleanup
|
rlPhaseStartCleanup
|
||||||
|
@ -141,8 +141,9 @@ __EOF__
|
|||||||
rlPhaseEnd
|
rlPhaseEnd
|
||||||
|
|
||||||
rlPhaseStartTest "Verify VM instance"
|
rlPhaseStartTest "Verify VM instance"
|
||||||
# Verify we can login into that instance
|
# verify we can login into that instance and root account is disabled
|
||||||
rlRun -t -c "ssh -oStrictHostKeyChecking=no -i $SSH_KEY_DIR/id_rsa root@$IP_ADDRESS 'cat /etc/redhat-release'"
|
. ./tests/cli/lib/root_account.sh
|
||||||
|
check_root_account root $IP_ADDRESS "-i $SSH_KEY_DIR/id_rsa"
|
||||||
rlPhaseEnd
|
rlPhaseEnd
|
||||||
|
|
||||||
rlPhaseStartCleanup
|
rlPhaseStartCleanup
|
||||||
|
@ -51,7 +51,8 @@ rlJournalStart
|
|||||||
|
|
||||||
rlPhaseStartTest "Verify VM instance"
|
rlPhaseStartTest "Verify VM instance"
|
||||||
# verify we can login into that instance *WITHOUT* a password
|
# verify we can login into that instance *WITHOUT* a password
|
||||||
rlRun -t -c "ssh -oStrictHostKeyChecking=no -p 2222 root@localhost 'cat /etc/redhat-release'"
|
. ./tests/cli/lib/root_account.sh
|
||||||
|
ROOT_ACCOUNT_LOCKED=0 check_root_account root localhost "-p 2222"
|
||||||
rlPhaseEnd
|
rlPhaseEnd
|
||||||
|
|
||||||
rlPhaseStartCleanup
|
rlPhaseStartCleanup
|
||||||
|
@ -73,8 +73,9 @@ __EOF__
|
|||||||
rlPhaseEnd
|
rlPhaseEnd
|
||||||
|
|
||||||
rlPhaseStartTest "Verify VM instance"
|
rlPhaseStartTest "Verify VM instance"
|
||||||
# verify we can login into that instance
|
# verify we can login into that instance and root account is disabled
|
||||||
rlRun -t -c "ssh -oStrictHostKeyChecking=no -i $SSH_KEY_DIR/id_rsa -p 2222 root@localhost 'cat /etc/redhat-release'"
|
. ./tests/cli/lib/root_account.sh
|
||||||
|
check_root_account $CLOUD_USER $IP_ADDRESS "-i $SSH_KEY_DIR/id_rsa -p 2222"
|
||||||
rlPhaseEnd
|
rlPhaseEnd
|
||||||
|
|
||||||
rlPhaseStartCleanup
|
rlPhaseStartCleanup
|
||||||
|
@ -8,6 +8,13 @@ function setup_tests {
|
|||||||
# explicitly enable sshd for live-iso b/c it is disabled by default
|
# explicitly enable sshd for live-iso b/c it is disabled by default
|
||||||
# due to security concerns (no root password required)
|
# due to security concerns (no root password required)
|
||||||
sed -i.orig 's/^services.*/services --disabled="network" --enabled="NetworkManager,sshd"/' $1/composer/live-iso.ks
|
sed -i.orig 's/^services.*/services --disabled="network" --enabled="NetworkManager,sshd"/' $1/composer/live-iso.ks
|
||||||
|
# explicitly enable logging in with empty passwords via ssh, because
|
||||||
|
# the default sshd setting for PermitEmptyPasswords is 'no'; we need a little hack to do inplace
|
||||||
|
# substitution as awk on RHEL-7 doesn't provide '-i inplace' option
|
||||||
|
echo "$(awk "
|
||||||
|
/%post/ && FLAG != 2 {FLAG=1}
|
||||||
|
/%end/ && FLAG == 1 {print \"sed -i 's/.*PermitEmptyPasswords.*/PermitEmptyPasswords yes/' /etc/ssh/sshd_config\"; FLAG=2}
|
||||||
|
{print}" $1/composer/live-iso.ks)" > $1/composer/live-iso.ks
|
||||||
}
|
}
|
||||||
|
|
||||||
function teardown_tests {
|
function teardown_tests {
|
||||||
|
Loading…
Reference in New Issue
Block a user