action #98715

action #93441: [sle][security][sle15sp4][CC] CC hand over

[sle][security][sle15sp4][CC] automation: enhance "SYSTEM_ROLE=Common_Criteria" hdd creating related hardcode

Added by llzhao about 1 month ago. Updated 21 days ago.

Status: Resolved
Priority: Low
Assignee:
Category: Enhancement to existing tests
Target version: -
Start date: 2021-09-16
Due date:
% Done: 100%
Estimated time: 40.00 h
Difficulty:

Description

In file ".../tests/installation # vi logs_from_installation_system.pm"
We hardcode "/dev/vda2" because we currently cannot figure out a better way to revise the "/etc/ssh/sshd_config" file before reboot, after/during installation.
This poo aims to track this issue.

    # permit ssh root login as it is disabled in "Common Criteria" "System Role" system
    if (check_var('SYSTEM_ROLE', 'Common_Criteria') && is_sle) {
        record_soft_failure('poo#');
        assert_script_run('mount /dev/vda2 /mnt');
        assert_script_run("sed -i -e 's/PermitRootLogin/#PermitRootLogin/g' /mnt/etc/ssh/sshd_config");
        assert_script_run('echo PermitRootLogin yes >> /mnt/etc/ssh/sshd_config');
        assert_script_run('cat /mnt/etc/ssh/sshd_config');
        assert_script_run('umount /mnt');
    }

History

#1 Updated by llzhao about 1 month ago

  • Parent task set to #93441

#2 Updated by llzhao about 1 month ago

  • Assignee set to rfan1

#3 Updated by rfan1 about 1 month ago

Let me try to find the real root disk name during the installation phase at first

#4 Updated by rfan1 about 1 month ago

The below command can be used to get the root disk name:

    # cat /var/log/YaST2/storage-inst/*committed.yml | grep -B4 'mount_point: "/"' | grep name | awk -F\" '{print $2}'

#6 Updated by rfan1 29 days ago

x86_64: https://openqa.suse.de/tests/7150051#
arm: https://openqa.suse.de/tests/7150662#
s390x: https://openqa.suse.de/tests/7150052#

`-    # permit ssh root login as it is disabled in "Common Criteria" "System Role" system
+    # permit root ssh login for CC test:
+    # in "Common Criteria" "System Role" system, root ssh login is disabled
+    # by default, we need enable it
     if (check_var('SYSTEM_ROLE', 'Common_Criteria') && is_sle) {
-        record_soft_failure('workaround for poo#98715');
-        assert_script_run('mount /dev/vda2 /mnt');
-        assert_script_run("sed -i -e 's/PermitRootLogin/#PermitRootLogin/g' /mnt/etc/ssh/sshd_config");
-        assert_script_run('echo PermitRootLogin yes >> /mnt/etc/ssh/sshd_config');
-        assert_script_run('cat /mnt/etc/ssh/sshd_config');
+        my $stor_inst = "/var/log/YaST2/storage-inst/*committed.yml";
+        my $root_hd   = script_output("cat $stor_inst | grep -B4 'mount_point: \"/\"' | grep name | awk -F \\\" '{print \$2}'");
+        assert_script_run("mount $root_hd /mnt");
+        assert_script_run("sed -i -e 's/PermitRootLogin no/PermitRootLogin yes/g' /mnt/etc/ssh/sshd_config");
         assert_script_run('umount /mnt');
     }`
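
Review bot: `$root_hd` goes from `script_output` straight into `mount $root_hd /mnt` without any check. The glob `*committed.yml` can match more than one file, and the `grep -B4 ... | grep name` pipeline can return several lines or none, so `mount` may receive an empty or multi-line argument; confirm the value is a single `/dev/...` path before mounting and fail the test otherwise. The new `sed` pattern `PermitRootLogin no` also only matches that exact spelling (and would match a commented-out line too), and with the `cat` line removed nothing in the log shows whether the substitution took effect, so verify the resulting setting before `umount`.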

#7 Updated by msmeissn 25 days ago

Hi,

You cannot remove a security condition of the CC setup. ("root ssh access is not allowed" is a hard CC requirement)

Thanks, revised my code on x86 and arm, but for s390x, openqa worker uses root ssh to access the VM guests. For now, we will keep this change to complete the installation process.

I will file a new poo to fix it on s390x platform as well.
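
Added example, not part of the ticket or of the openQA code base: two shell guards for the mount-and-edit step discussed above, one validating the detected root device and one reporting the `PermitRootLogin` value sshd would actually apply, so a test can confirm the CC requirement from #7 still holds. Function names and the sample file are hypothetical and constructed for illustration; `Include` files and `Match` blocks are assumed to be out of scope.

```shell
#!/bin/sh
# Added example, not openQA code; function names are hypothetical.

# Accept the detected root device only if it is one /dev path made of plain
# characters: rejects empty output, several matches and shell metacharacters.
valid_root_dev() {
    [ "$(printf '%s\n' "$1" | wc -l)" -eq 1 ] || return 1
    case "$1" in *..*) return 1 ;; esac
    printf '%s\n' "$1" | grep -Eq '^/dev/[A-Za-z0-9/_-]+$'
}

# Print the global PermitRootLogin value sshd would apply from file $1.
# sshd keeps the first value it reads for a keyword, keywords are
# case-insensitive, and "Keyword value" / "Keyword=value" are both accepted.
# Scanning stops at the first Match block; Include files are not followed.
effective_permit_root_login() {
    awk '
        { sub(/^[ \t]+/, "") }
        /^#/ || /^$/ { next }
        tolower($0) ~ /^match[ \t]/ { exit }
        tolower($0) ~ /^permitrootlogin[ \t=]/ {
            val = $0
            sub(/^[^ \t=]+[ \t]*=?[ \t]*/, "", val)
            gsub(/"|[ \t]+$/, "", val)
            print tolower(val); found = 1; exit
        }
        END { if (!found) print "unset" }
    ' "$1"
}

# Pass only when root SSH login is explicitly disabled in file $1.
cc_root_login_disabled() {
    [ "$(effective_permit_root_login "$1")" = "no" ]
}

# Constructed sample: sshd_config as the original workaround leaves it
# (directive commented out, "PermitRootLogin yes" appended).
demo_cfg=$(mktemp)
printf '%s\n' '#PermitRootLogin no' 'X11Forwarding no' \
    'PermitRootLogin yes' > "$demo_cfg"
if cc_root_login_disabled "$demo_cfg"; then
    echo "root SSH login disabled"
else
    echo "root SSH login NOT disabled: $(effective_permit_root_login "$demo_cfg")"
fi
rm -f "$demo_cfg"
```

Run against the mounted target (for example `/mnt/etc/ssh/sshd_config`) before `umount`, the check fails closed: any value other than an explicit `no`, including a missing directive, is reported as not compliant.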

#8 Updated by rfan1 24 days ago

  • Status changed from New to In Progress
  • % Done changed from 0 to 30

#9 Updated by rfan1 21 days ago

  • Status changed from In Progress to Resolved
  • % Done changed from 30 to 100
