85 lines
3.5 KiB
Diff
85 lines
3.5 KiB
Diff
From 25eff3169450888e4afa33df2c4a455f58671fe5 Mon Sep 17 00:00:00 2001
|
|
From: Jakub Jelen <jjelen@redhat.com>
|
|
Date: Wed, 30 Mar 2022 14:30:07 +0200
|
|
Subject: [PATCH 15/39] Add OpenSSH Drop-in directory check to emit info report
|
|
about modifying sshd_config
|
|
|
|
---
|
|
.../opensshdropindirectorycheck/actor.py | 64 +++++++++++++++++++
|
|
1 file changed, 64 insertions(+)
|
|
create mode 100644 repos/system_upgrade/el8toel9/actors/opensshdropindirectorycheck/actor.py
|
|
|
|
diff --git a/repos/system_upgrade/el8toel9/actors/opensshdropindirectorycheck/actor.py b/repos/system_upgrade/el8toel9/actors/opensshdropindirectorycheck/actor.py
|
|
new file mode 100644
|
|
index 00000000..e8b0385a
|
|
--- /dev/null
|
|
+++ b/repos/system_upgrade/el8toel9/actors/opensshdropindirectorycheck/actor.py
|
|
@@ -0,0 +1,64 @@
|
|
+from leapp import reporting
|
|
+from leapp.actors import Actor
|
|
+from leapp.exceptions import StopActorExecutionError
|
|
+from leapp.libraries.common.rpms import has_package
|
|
+from leapp.libraries.stdlib import api
|
|
+from leapp.models import InstalledRedHatSignedRPM, OpenSshConfig, Report
|
|
+from leapp.tags import ChecksPhaseTag, IPUWorkflowTag
|
|
+
|
|
+
|
|
+class OpenSshDropInDirectoryCheck(Actor):
|
|
+ """
|
|
+ Trigger a notice that the main sshd_config will be updated to contain
|
|
+ the Include directive so the other configuration files dropped by the
|
|
+ RHEL9 packages are effective.
|
|
+
|
|
+ This might change the sshd behavior so it is advised to verify by the
|
|
+ customer that the updated system behaves as expected.
|
|
+ """
|
|
+
|
|
+ name = 'open_ssh_drop_in_directory_check'
|
|
+ consumes = (OpenSshConfig, InstalledRedHatSignedRPM,)
|
|
+ produces = (Report,)
|
|
+ tags = (IPUWorkflowTag, ChecksPhaseTag,)
|
|
+
|
|
+ def process(self):
|
|
+ openssh_messages = self.consume(OpenSshConfig)
|
|
+ config = next(openssh_messages, None)
|
|
+ if list(openssh_messages):
|
|
+ api.current_logger().warning('Unexpectedly received more than one OpenSshConfig message.')
|
|
+ if not config:
|
|
+ raise StopActorExecutionError(
|
|
+ 'Could not check openssh configuration', details={'details': 'No OpenSshConfig facts found.'}
|
|
+ )
|
|
+
|
|
+ # If the package is not installed, there is no need to do anything
|
|
+ if not has_package(InstalledRedHatSignedRPM, 'openssh-server'):
|
|
+ return
|
|
+
|
|
+ # If the configuration file was not modified, the rpm update will bring the new
|
|
+ # changes by itself
|
|
+ if not config.modified:
|
|
+ return
|
|
+
|
|
+ # otherwise we will prepend the Include directive to the main sshd_config
|
|
+ resources = [
|
|
+ reporting.RelatedResource('package', 'openssh-server'),
|
|
+ reporting.RelatedResource('file', '/etc/ssh/sshd_config')
|
|
+ ]
|
|
+ reporting.create_report([
|
|
+ reporting.Title('The upgrade will prepend the Incude directive to OpenSSH sshd_config'),
|
|
+ reporting.Summary(
|
|
+ 'OpenSSH server configuration needs to be modified to contain Include directive '
|
|
+ 'for the RHEL9 to work properly and integrate with the other parts of the OS. '
|
|
+ 'The following snippet will be added to the /etc/ssh/sshd_config during the '
|
|
+ 'ApplicationsPhase: `Include /etc/ssh/sshd_config.d/*.conf`'
|
|
+ ),
|
|
+ reporting.Severity(reporting.Severity.INFO),
|
|
+ reporting.Tags([
|
|
+ reporting.Tags.AUTHENTICATION,
|
|
+ reporting.Tags.SECURITY,
|
|
+ reporting.Tags.NETWORK,
|
|
+ reporting.Tags.SERVICES
|
|
+ ]),
|
|
+ ] + resources)
|
|
--
|
|
2.35.3
|
|
|