action #99096

action #93441: [sle][security][sle15sp4][CC] CC hand over

[sle][security][sle15sp4][CC][s390x] handle "permit_root_ssh" login issue on s390x

Added by rfan1 9 months ago. Updated about 2 months ago.

Status: Resolved
Priority: Normal
Assignee:
Category: Bugs in existing tests
Target version: -
Start date: 2021-09-23
Due date:
% Done: 100%
Estimated time: 60.00 h
Difficulty:

Description

https://progress.opensuse.org/issues/98715

Based on the comments from Marcus: you cannot remove a security condition of the CC setup ("root ssh access is not allowed" is a hard CC requirement).

We should find a way to fix the failed openQA case:

http://openqa.suse.de/tests/7198526#step/system_prepare/3

We may need to use a non-root user to access the system rather than root as a solution.


Related issues

Copied to openQA Tests - action #105564: [sle][security][CC][s390x] [backlog]re-connect root console may fail after reboot - Resolved - 2021-09-23

History

#1 Updated by rfan1 9 months ago

okurz
Xiaojing_liu

May I ask for your kind help to take a look at this issue?

When testing a Common Criteria system role based VM, root ssh is not permitted by default, and this is a CC hard requirement based on Marcus's comment.

CC is supported on 3 platforms: x86_64, aarch64 and s390x. For x86_64 and aarch64, we used to connect to the VM via qemu VNC while we try to connect to the root console via "select_console 'root-console'".

But for s390x it seems to be another story: we have to access the VM via ssh as the root user, and then the problem shows up.

I made some changes like below and it seems to work well:

-    select_console 'root-console';
+    select_console('user-console', ensure_tty_selected => 0, skip_setterm => 1);
+    my $password = $testapi::password;
+    type_string("sudo -i\n");
+    type_string("$password\n");
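Review bot: The password is sent with type_string("$password\n") immediately after type_string("sudo -i\n"), with no wait for the sudo prompt, so the two lines race: if sudo is slow to prompt, the password can land in the shell in clear text and end up in the recorded test output. Wait for the password prompt before typing, use testapi's type_password (which marks the typed text as secret) instead of type_string for the password, and check afterwards that the session really is root before later steps rely on it. Since the same five lines would have to be repeated in every module, they also belong in one shared helper rather than being pasted at each select_console 'root-console' call site.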

However, it is not easy to fix this issue, since so many test modules have the "select_console 'root-console';" call. I have to apply my changes one by one.

Do you have any suggestions here?

BR//Richard.

#2 Updated by okurz 9 months ago

  • Category set to Bugs in existing tests

#3 Updated by openqa_review 5 months ago

This is an autogenerated message for openQA integration by the openqa_review script:

This bug is still referenced in a failing openQA test: cc_audit-test-part2
https://openqa.suse.de/tests/8003959

To prevent further reminder comments one of the following options should be followed:

  1. The test scenario is fixed by applying the bug fix to the tested product or the test is adjusted
  2. The openQA job group is moved to "Released" or "EOL" (End-of-Life)
  3. The bugref in the openQA scenario is removed or replaced, e.g. label:wontfix:boo1234

#4 Updated by rfan1 5 months ago

  • Status changed from New to In Progress
  • % Done changed from 0 to 10

I have a new idea on how to test CC + s390x.

  1. Keep the workaround at the installation phase, and then we can access the host via root, since a lot of basic test code needs root access via ssh.
    I will continue to ask for the tools team's help to enhance the function "select_console" https://progress.opensuse.org/issues/105040

  2. I will create a new test module to restore the ssh configuration.

  3. For test modules which are CC specific, I will modify the test code like below:

        select_console 'root-console';
        select_console('user-console', ensure_tty_selected => 0, skip_setterm => 1);
        my $password = $testapi::password;
        type_string("sudo -i\n");
        type_string("$password\n");

Any suggestions here?

#5 Updated by rfan1 5 months ago

  • % Done changed from 10 to 20

openqa-clone-job --from http://openqa.suse.de --host http://openqa.suse.de 8018749 --skip-chained-deps --skip-download _GROUP=0 CASEDIR="https://github.com/rfan1/os-autoinst-distri-opensuse.git#s390x_cc_disable_rootssh"

https://openqa.suse.de/tests/8025298#step/trustedprograms/46 [We can see that the root ssh login failed, and it is by design]

The good news is that most of the test cases don't need more code changes if we don't need to re-connect the root console.

Then I think it is good enough to submit this PR.

#6 Updated by rfan1 5 months ago

Schedule example

name: cc_audit_tests
description:    >
    This is for cc audit tests in single node
schedule:
    - '{{bootloader_zkvm}}'
    - boot/boot_to_desktop
    - '{{disable_root_ssh}}'
    - security/cc/cc_audit_test_setup
    - security/cc/filter
    - security/cc/syscalls
    - security/cc/polkit_tests
    - security/cc/audit_trail_protection
    - security/cc/trustedprograms
    - security/selinux/selinux_setup
    - security/cc/libpam
conditional_schedule:
    bootloader_zkvm:
        ARCH:
            s390x:
                - installation/bootloader_zkvm
    disable_root_ssh:
        ARCH:
            s390x:
                - security/cc/cc_disable_root_ssh
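
An added example (not code from this ticket or from os-autoinst-distri-opensuse) of a check that could follow a step such as `security/cc/cc_disable_root_ssh`: it reads an sshd_config and confirms that root login is denied globally and in every Match block. The function names and the sample configuration are constructed for illustration, and Include directives are assumed absent.

```sh
#!/bin/sh
# Added example: audit an sshd_config file for "root ssh access is not allowed".
# Assumption: Include directives are not followed. On a running system,
# `sshd -T` prints the effective configuration and is the better source.

# Print each scope's PermitRootLogin as "<scope><TAB><value>". sshd keeps the
# first value it obtains for a keyword, so later duplicates are ignored.
permit_root_login_settings() {
    awk '
        BEGIN { scope = "global" }
        /^[ \t]*(#|$)/ { next }                      # comments, blank lines
        { sub(/=/, " "); key = tolower($1) }         # "Keyword=value" form
        key == "match" { $1 = "Match"; scope = $0; next }
        key == "permitrootlogin" && !(scope in seen) {
            seen[scope] = 1
            printf "%s\t%s\n", scope, tolower($2)
        }
    ' "$1"
}

# Succeed only if the global value is an explicit "no" and no Match block
# sets anything else. An unset keyword fails the check: the OpenSSH default
# "prohibit-password" still admits root with a key.
root_ssh_denied() {
    permit_root_login_settings "$1" | awk -F'\t' '
        $1 == "global" { global = $2 }
        $2 != "no" { bad = 1 }
        END { exit !(global == "no" && !bad) }'
}

# Constructed sample (not from the ticket): the global setting is correct,
# but a Match block re-enables key-based root login for one network.
sample=$(mktemp)
cat > "$sample" <<'EOF'
PermitRootLogin no
permitrootlogin yes
Match Address 192.0.2.0/24
    PermitRootLogin prohibit-password
EOF
permit_root_login_settings "$sample"
if root_ssh_denied "$sample"; then echo "root ssh denied"
else echo "root ssh still possible"; fi
rm -f "$sample"
```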

#7 Updated by rfan1 5 months ago

  • Status changed from In Progress to Resolved
  • % Done changed from 20 to 100

#8 Updated by rfan1 5 months ago

  • Copied to action #105564: [sle][security][CC][s390x] [backlog]re-connect root console may fail after reboot added

#9 Updated by openqa_review 5 months ago

This is an autogenerated message for openQA integration by the openqa_review script:

This bug is still referenced in a failing openQA test: cc_audit-test-part2
https://openqa.suse.de/tests/8125761

#10 Updated by openqa_review 4 months ago

This is an autogenerated message for openQA integration by the openqa_review script:

This bug is still referenced in a failing openQA test: cc_audit-test-part2
https://openqa.suse.de/tests/8291132

Expect the next reminder at the earliest in 56 days if nothing changes in this ticket.

#11 Updated by openqa_review about 2 months ago

This is an autogenerated message for openQA integration by the openqa_review script:

This bug is still referenced in a failing openQA test: cc_audit-test-part2
https://openqa.suse.de/tests/8685059

Expect the next reminder at the earliest in 112 days if nothing changes in this ticket.
