From 4c313acc646399da196ac82d69536a6bfc4ef643 Mon Sep 17 00:00:00 2001 From: Jiri Kortus Date: Thu, 28 Feb 2019 16:31:05 +0100 Subject: [PATCH] Add checks for disabled root account The root account checks are applied to generated and deployed images to make sure that root account is locked, except for live ISO. (cherry picked from commit 655e7e40c0d7fa5b050f73adc81f601a1ebcf2a9) (cherry picked from commit 7c093ecbb40cf5e28533aa3fc4db09736bf93bb0) --- tests/cli/lib/root_account.sh | 37 ++++++++++++++++++++ tests/cli/test_build_and_deploy_aws.sh | 5 +-- tests/cli/test_build_and_deploy_azure.sh | 5 +-- tests/cli/test_build_and_deploy_openstack.sh | 5 +-- tests/cli/test_build_and_deploy_vmware.sh | 5 +-- tests/cli/test_compose_live-iso.sh | 3 +- tests/cli/test_compose_qcow2.sh | 5 +-- tests/test_cli.sh | 7 ++++ 8 files changed, 61 insertions(+), 11 deletions(-) create mode 100755 tests/cli/lib/root_account.sh diff --git a/tests/cli/lib/root_account.sh b/tests/cli/lib/root_account.sh new file mode 100755 index 00000000..1235fd24 --- /dev/null +++ b/tests/cli/lib/root_account.sh @@ -0,0 +1,37 @@ +#!/usr/bin/env bash + +check_root_account() { +# Try to SSH to a remote machine first using root account using password-based +# auth (this is expected to fail) and then using key-based auth with the +# supplied username to check content of /etc/shadow and audit.log. +# +# use: check_root_account [ssh options] + + local ssh_opts="-o StrictHostKeyChecking=no $3" + local user="$1" + local machine="$2" + if [[ "$user" == "" || "$machine" == "" ]]; then + rlFail "check_root_account: Missing user or machine parameter." + return 1 + fi + + if [ $ROOT_ACCOUNT_LOCKED == 0 ]; then + rlRun -t -c "ssh $ssh_opts ${user}@${machine} \"sudo grep '^root::' /etc/shadow\"" \ + 0 "Password for root account in /etc/shadow is empty" + else + # ssh returns 255 in case of any ssh error, so it's better to grep the specific error message + rlRun -t -c "ssh $ssh_opts -o PubkeyAuthentication=no root@${machine} 2>&1 | grep -i 'permission denied ('" \ + 0 "Can't ssh to '$machine' as root using password-based auth" + rlRun -t -c "ssh $ssh_opts ${user}@${machine} \"sudo grep -E '^root:(\*LOCK\*|!):' /etc/shadow\"" \ + 0 "root account is disabled in /etc/shadow" + rlRun -t -c "ssh $ssh_opts ${user}@${machine} \"sudo grep 'USER_LOGIN.*acct=\\\"root\\\".*terminal=ssh.*res=failed' /var/log/audit/audit.log\"" \ + 0 "audit.log contains entry about unsuccessful root login" + # We modify the default sshd settings on live ISO, so we can only check the default empty password setting + # outside of live ISO + rlRun -t -c "ssh $ssh_opts ${user}@${machine} 'grep -E \"^[[:blank:]]*PermitEmptyPasswords[[:blank:]]*yes\" /etc/ssh/sshd_config'" 1 \ + "Login with empty passwords is disabled in sshd config file" + fi + rlRun -t -c "ssh $ssh_opts ${user}@${machine} 'cat /etc/redhat-release'" + +} + diff --git a/tests/cli/test_build_and_deploy_aws.sh b/tests/cli/test_build_and_deploy_aws.sh index 9a85d752..31c1a912 100755 --- a/tests/cli/test_build_and_deploy_aws.sh +++ b/tests/cli/test_build_and_deploy_aws.sh @@ -185,8 +185,9 @@ __EOF__ CLOUD_USER="fedora" fi - # verify we can login into that instance and maybe some other details - rlRun -t -c "ssh -oStrictHostKeyChecking=no -i $SSH_KEY_DIR/id_rsa $CLOUD_USER@$IP_ADDRESS 'cat /etc/redhat-release'" + # verify we can login into that instance and root account is disabled + . ./tests/cli/lib/root_account.sh + check_root_account $CLOUD_USER $IP_ADDRESS "-i $SSH_KEY_DIR/id_rsa" rlPhaseEnd rlPhaseStartCleanup diff --git a/tests/cli/test_build_and_deploy_azure.sh b/tests/cli/test_build_and_deploy_azure.sh index 4e388108..4ba3b6d2 100755 --- a/tests/cli/test_build_and_deploy_azure.sh +++ b/tests/cli/test_build_and_deploy_azure.sh @@ -139,8 +139,9 @@ __EOF__ rlPhaseEnd rlPhaseStartTest "Verify VM instance" - # verify we can login into that instance - rlRun -t -c "ssh -oStrictHostKeyChecking=no -i $SSH_KEY_DIR/id_rsa azure-user@$IP_ADDRESS 'cat /etc/redhat-release'" + # verify we can login into that instance and root account is disabled + . ./tests/cli/lib/root_account.sh + check_root_account azure-user $IP_ADDRESS "-i $SSH_KEY_DIR/id_rsa" rlPhaseEnd rlPhaseStartCleanup diff --git a/tests/cli/test_build_and_deploy_openstack.sh b/tests/cli/test_build_and_deploy_openstack.sh index f3411369..ce530bd2 100755 --- a/tests/cli/test_build_and_deploy_openstack.sh +++ b/tests/cli/test_build_and_deploy_openstack.sh @@ -118,8 +118,9 @@ __EOF__ CLOUD_USER="fedora" fi - # verify we can login into that instance - rlRun -t -c "ssh -oStrictHostKeyChecking=no -i $SSH_KEY_DIR/id_rsa $CLOUD_USER@$IP_ADDRESS 'cat /etc/redhat-release'" + # verify we can login into that instance and root account is disabled + . ./tests/cli/lib/root_account.sh + check_root_account $CLOUD_USER $IP_ADDRESS "-i $SSH_KEY_DIR/id_rsa" rlPhaseEnd rlPhaseStartCleanup diff --git a/tests/cli/test_build_and_deploy_vmware.sh b/tests/cli/test_build_and_deploy_vmware.sh index b0aba656..6ce0c318 100755 --- a/tests/cli/test_build_and_deploy_vmware.sh +++ b/tests/cli/test_build_and_deploy_vmware.sh @@ -140,8 +140,9 @@ __EOF__ rlPhaseEnd rlPhaseStartTest "Verify VM instance" - # verify we can login into that instance - rlRun -t -c "ssh -oStrictHostKeyChecking=no -i $SSH_KEY_DIR/id_rsa root@$IP_ADDRESS 'cat /etc/redhat-release'" + # verify we can login into that instance and root account is disabled + . ./tests/cli/lib/root_account.sh + check_root_account root $IP_ADDRESS "-i $SSH_KEY_DIR/id_rsa" rlPhaseEnd rlPhaseStartCleanup diff --git a/tests/cli/test_compose_live-iso.sh b/tests/cli/test_compose_live-iso.sh index 820b5c2d..63eeb889 100755 --- a/tests/cli/test_compose_live-iso.sh +++ b/tests/cli/test_compose_live-iso.sh @@ -51,7 +51,8 @@ rlJournalStart rlPhaseStartTest "Verify VM instance" # verify we can login into that instance *WITHOUT* a password - rlRun -t -c "ssh -oStrictHostKeyChecking=no -p 2222 root@localhost 'cat /etc/redhat-release'" + . ./tests/cli/lib/root_account.sh + ROOT_ACCOUNT_LOCKED=0 check_root_account root localhost "-p 2222" rlPhaseEnd rlPhaseStartCleanup diff --git a/tests/cli/test_compose_qcow2.sh b/tests/cli/test_compose_qcow2.sh index fe5b0c6c..d4bb79bd 100755 --- a/tests/cli/test_compose_qcow2.sh +++ b/tests/cli/test_compose_qcow2.sh @@ -73,8 +73,9 @@ __EOF__ rlPhaseEnd rlPhaseStartTest "Verify VM instance" - # verify we can login into that instance - rlRun -t -c "ssh -oStrictHostKeyChecking=no -i $SSH_KEY_DIR/id_rsa -p 2222 root@localhost 'cat /etc/redhat-release'" + # verify we can login into that instance and root account is disabled + . ./tests/cli/lib/root_account.sh + check_root_account $CLOUD_USER $IP_ADDRESS "-i $SSH_KEY_DIR/id_rsa -p 2222" rlPhaseEnd rlPhaseStartCleanup diff --git a/tests/test_cli.sh b/tests/test_cli.sh index 8e359376..faa4c853 100755 --- a/tests/test_cli.sh +++ b/tests/test_cli.sh @@ -8,6 +8,13 @@ function setup_tests { # explicitly enable sshd for live-iso b/c it is disabled by default # due to security concerns (no root password required) sed -i.orig 's/^services.*/services --disabled="network" --enabled="NetworkManager,sshd"/' $1/composer/live-iso.ks + # explicitly enable logging in with empty passwords via ssh, because + # the default sshd setting for PermitEmptyPasswords is 'no' + awk -i inplace " + /%post/ && FLAG != 2 {FLAG=1} + /%end/ && FLAG == 1 {print \"sed -i 's/.*PermitEmptyPasswords.*/PermitEmptyPasswords yes/' /etc/ssh/sshd_config\"; FLAG=2} + {print}" \ + $1/composer/live-iso.ks } function teardown_tests {