action #98715
closed action #93441: [sle][security][sle15sp4][CC] CC hand over
[sle][security][sle15sp4][CC] automation: enhance "SYSTEM_ROLE=Common_Criteria" hdd creating related hardcode
100%
Description
In file ".../tests/installation # vi logs_from_installation_system.pm"
We hardcode "/dev/vda2" as we currently cannot figure out a better way to revise the "/etc/ssh/sshd_config" file before reboot after/during installation.
This poo aims to track this issue.
```perl
# permit ssh root login as it is disabled in "Common Criteria" "System Role" system
if (check_var('SYSTEM_ROLE', 'Common_Criteria') && is_sle) {
    record_soft_failure('poo#');
    assert_script_run('mount /dev/vda2 /mnt');
    assert_script_run("sed -i -e 's/PermitRootLogin/#PermitRootLogin/g' /mnt/etc/ssh/sshd_config");
    assert_script_run('echo PermitRootLogin yes >> /mnt/etc/ssh/sshd_config');
    assert_script_run('cat /mnt/etc/ssh/sshd_config');
    assert_script_run('umount /mnt');
}
```
Updated by rfan1 over 3 years ago
Let me try to find the real root disk name during the installation phase first.
Updated by rfan1 over 3 years ago
The below command can be used to get the root disk name:
```
# cat /var/log/YaST2/storage-inst/*committed.yml | grep -B4 'mount_point: "/"' | grep name | awk -F\" '{print $2}'
```
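A stricter form of the lookup above, as an added example that is not part of the ticket or of the openQA test code: it returns a device only when exactly one root entry is found and the value looks like a plain `/dev` path, so the result is safe to place on a `mount` command line. The YAML layout of the constructed sample (a quoted `name:` key within four lines above `mount_point: "/"`) is an assumption taken from what the `grep -B4` pipeline implies, and `root_device_from_yml` and `write_sample_yml` are hypothetical names.

```shell
#!/bin/sh
# Added example (not openQA code): resolve the root device from a YaST
# committed.yml and refuse anything that is not exactly one /dev path.

# Print the device whose mount_point is "/"; non-zero status otherwise.
# Assumes the layout the grep -B4 pipeline relies on: a quoted name: key
# at most 4 lines above the mount_point: "/" line.
root_device_from_yml() {
    [ -r "$1" ] || return 2
    awk -F'"' '
        /^[ \t]*(- )?name:/ { name = $2; seen = NR }   # remember nearest name
        $0 ~ "mount_point: \"/\"[ \t]*$" {
            if (name != "" && NR - seen <= 4) { dev = name; hits++ }
            else { bad = 1 }
        }
        END {
            # exactly one root entry, and only characters valid in a device path
            if (bad || hits != 1 || dev !~ "^/dev/[A-Za-z0-9/_.-]+$") exit 1
            print dev
        }
    ' "$1"
}

# Constructed sample input; the field layout is an assumption, not a real log.
write_sample_yml() {
    cat > "$1" <<'EOF'
- disk:
    name: "/dev/vda"
    partitions:
    - partition:
        name: "/dev/vda1"
        id: bios_boot
    - partition:
        name: "/dev/vda2"
        id: linux
        file_system: btrfs
        mount_point: "/"
    - partition:
        name: "/dev/vda3"
        id: swap
        mount_point: swap
EOF
}

sample=$(mktemp)
write_sample_yml "$sample"
root_device_from_yml "$sample"   # prints /dev/vda2
rm -f "$sample"
```

The function takes a single file, so a caller using the `*committed.yml` glob has to decide which match to pass in rather than concatenating all of them.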
Updated by rfan1 over 3 years ago
x86_64: https://openqa.suse.de/tests/7150051#
arm: https://openqa.suse.de/tests/7150662#
s390x: https://openqa.suse.de/tests/7150052#
`- # permit ssh root login as it is disabled in "Common Criteria" "System Role" system
+ # permit root ssh login for CC test:
+ # in "Common Criteria" "System Role" system, root ssh login is disabled
+ # by default, we need enable it
if (check_var('SYSTEM_ROLE', 'Common_Criteria') && is_sle) {
- record_soft_failure('workaround for poo#98715');
- assert_script_run('mount /dev/vda2 /mnt');
- assert_script_run("sed -i -e 's/PermitRootLogin/#PermitRootLogin/g' /mnt/etc/ssh/sshd_config");
- assert_script_run('echo PermitRootLogin yes >> /mnt/etc/ssh/sshd_config');
- assert_script_run('cat /mnt/etc/ssh/sshd_config');
+ my $stor_inst = "/var/log/YaST2/storage-inst/*committed.yml";
+ my $root_hd = script_output("cat $stor_inst | grep -B4 'mount_point: \"/\"' | grep name | awk -F \\\" '{print \$2}'");
+ assert_script_run("mount $root_hd /mnt");
+ assert_script_run("sed -i -e 's/PermitRootLogin no/PermitRootLogin yes/g' /mnt/etc/ssh/sshd_config");
assert_script_run('umount /mnt');
}`
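Review bot: `$root_hd` goes straight from `script_output` into `mount $root_hd /mnt` with no check that the pipeline returned exactly one device path. The `*committed.yml` glob and the `grep -B4 ... | grep name` window can produce zero or several lines, so the mount would either fail with an unrelated error or be handed an unintended string; check the value (for example that it is a single line starting with `/dev/`) and die with a clear message otherwise. The new `sed` only rewrites a literal `PermitRootLogin no`, and the `cat` of the file was dropped, so if that exact line is absent the setting stays unchanged and the test does not notice; assert the resulting setting after the edit. Removing `record_soft_failure` also means the job no longer flags that it changed a default of the Common Criteria role.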
Updated by msmeissn about 3 years ago
Hi,
You cannot remove a security condition of the CC setup. ("root ssh access is not allowed" is a hard CC requirement)
Thanks, I revised my code on x86 and arm, but for s390x, the openQA worker uses root ssh to access the VM guests. For now, we will keep this change to complete the installation process.
I will file a new poo to fix it on s390x platform as well.
Updated by rfan1 about 3 years ago
- Status changed from New to In Progress
- % Done changed from 0 to 30
Updated by rfan1 about 3 years ago
- Status changed from In Progress to Resolved
- % Done changed from 30 to 100