action #99096
action #93441: [sle][security][sle15sp4][CC] CC hand over
[sle][security][sle15sp4][CC][s390x] handle "permit_root_ssh" login issue on s390x
100%
Description
https://progress.opensuse.org/issues/98715
Based on the comments from Marcus, you cannot remove a security condition of the CC setup ("root ssh access is not allowed" is a hard CC requirement).
We should find a way to fix the failed openQA case:
http://openqa.suse.de/tests/7198526#step/system_prepare/3
We may need to use a non-root user to access the system rather than root as a solution.
History
#1
Updated by rfan1 9 months ago
May I ask for your kind help to take a look at this issue?
When testing a Common Criteria system role based VM, root ssh is not permitted by default, and this is a CC hard requirement based on Marcus's comment.
CC is supported on 3 platforms: x86_64, aarch64 and s390x. For x86_64 and aarch64, we used to connect to the VM via qemu VNC when we try to connect to the root console via "select_console 'root-console'".
But for s390x, it seems to be another story: we have to access the VM via ssh as the root user, and then the problem shows up.
I made some changes like below and it seems to work well:
- select_console 'root-console';
+ select_console('user-console', ensure_tty_selected => 0, skip_setterm => 1);
+ my $password = $testapi::password;
+ type_string("sudo -i\n");
+ type_string("$password\n");
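Review bot: the password is sent with type_string("$password\n") immediately after type_string("sudo -i\n"), with nothing waiting for the sudo password prompt and nothing afterwards confirming that the shell is actually root. If the prompt has not appeared yet, the password can be echoed on the terminal and end up in the job's screenshots and logs. Wait for the prompt before typing, use testapi's type_password instead of type_string so the value is not logged, and check the resulting uid before the module continues.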
However, it is not easy to fix this issue, since so many test modules have the "select_console 'root-console';" call. I have to apply my changes one by one.
Do you have any suggestions here?
BR//Richard.
#3
Updated by openqa_review 5 months ago
This is an autogenerated message for openQA integration by the openqa_review script:
This bug is still referenced in a failing openQA test: cc_audit-test-part2
https://openqa.suse.de/tests/8003959
To prevent further reminder comments one of the following options should be followed:
- The test scenario is fixed by applying the bug fix to the tested product or the test is adjusted
- The openQA job group is moved to "Released" or "EOL" (End-of-Life)
- The bugref in the openQA scenario is removed or replaced, e.g.
label:wontfix:boo1234
#4
Updated by rfan1 5 months ago
- Status changed from New to In Progress
- % Done changed from 0 to 10
I have a new idea on how to run the CC + s390x test.
Keep the workaround at the installation phase, and then we can access the host via root, since much of the basic test code needs root access via ssh.
I will continue to ask for the tools team's help to enhance the function "select_console": https://progress.opensuse.org/issues/105040
I will create a new test module to restore the ssh configuration.
For test modules which are CC specific, I will modify the test code like below:
select_console 'root-console';
select_console('user-console', ensure_tty_selected => 0, skip_setterm => 1);
my $password = $testapi::password;
type_string("sudo -i\n");
type_string("$password\n");
Any suggestion here?
#5
Updated by rfan1 5 months ago
- % Done changed from 10 to 20
openqa-clone-job --from http://openqa.suse.de --host http://openqa.suse.de 8018749 --skip-chained-deps --skip-download _GROUP=0 CASEDIR="https://github.com/rfan1/os-autoinst-distri-opensuse.git#s390x_cc_disable_rootssh"
https://openqa.suse.de/tests/8025298#step/trustedprograms/46 [We can see the root ssh login failed, and it is by design]
The good news is that most of the test cases don't need more code changes if we don't need to re-connect the root console.
Then I think it is good enough to submit this PR.
#6
Updated by rfan1 5 months ago
Schedule example
name: cc_audit_tests
description: >
  This is for cc audit tests in single node
schedule:
  - '{{bootloader_zkvm}}'
  - boot/boot_to_desktop
  - '{{disable_root_ssh}}'
  - security/cc/cc_audit_test_setup
  - security/cc/filter
  - security/cc/syscalls
  - security/cc/polkit_tests
  - security/cc/audit_trail_protection
  - security/cc/trustedprograms
  - security/selinux/selinux_setup
  - security/cc/libpam
conditional_schedule:
  bootloader_zkvm:
    ARCH:
      s390x:
        - installation/bootloader_zkvm
  disable_root_ssh:
    ARCH:
      s390x:
        - security/cc/cc_disable_root_ssh
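An offline check for the "root ssh access is not allowed" requirement discussed in this ticket, added here as an example and not part of the ticket or of the openQA test code. It assumes the restriction is expressed through sshd's PermitRootLogin keyword in a single flat file; the function name and the sample configurations are constructed for illustration.

```shell
#!/bin/sh
# Added example: report whether an sshd_config-style file denies root SSH login.
# sshd keeps the first value it reads for a keyword, and a Match block can
# override the global value for some connections, so both are checked.
# Include directives are not followed (assumption: a single flat file).

root_login_verdict() {
    awk '
        BEGIN { global = ""; in_match = 0; bad_match = 0 }
        {
            sub(/^[ \t]+/, "")                  # strip leading whitespace
            if ($0 == "" || $0 ~ /^#/) next     # blank line or comment
            line = $0
            sub(/[ \t]*=[ \t]*/, " ", line)     # sshd also accepts Key=value
            split(line, f, /[ \t]+/)
            key = tolower(f[1]); val = tolower(f[2])
            if (key == "match") { in_match = 1; next }
            if (key != "permitrootlogin") next
            if (in_match) {
                if (val != "no") bad_match = 1  # root allowed for some peers
            } else if (global == "") {
                global = val                    # first occurrence wins
            }
        }
        END {
            if (global == "") global = "prohibit-password"  # upstream default
            if (global == "no" && !bad_match) {
                print "DENIED"
            } else {
                print "ALLOWED global=" global " match_override=" bad_match
            }
        }
    ' "$1"
}

# Constructed sample configurations (not taken from the tested product).
SAMPLES=$(mktemp -d)
printf '%s\n' '# hardened' 'PermitRootLogin no' > "$SAMPLES/hardened"
printf '%s\n' 'PermitRootLogin yes' 'PermitRootLogin no' > "$SAMPLES/shadowed"
printf '%s\n' 'permitrootlogin=no' 'Match Address 192.0.2.0/24' \
    '    PermitRootLogin yes' > "$SAMPLES/match"
printf '%s\n' 'Port 22' > "$SAMPLES/default"
for f in hardened shadowed match default; do
    printf '%-9s %s\n' "$f" "$(root_login_verdict "$SAMPLES/$f")"
done
```

On a running system, `sshd -T` prints the effective configuration and is the authoritative source for the same value.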
#8
Updated by rfan1 5 months ago
- Copied to action #105564: [sle][security][CC][s390x] [backlog]re-connect root console may fail after reboot added
#9
Updated by openqa_review 5 months ago
This is an autogenerated message for openQA integration by the openqa_review script:
This bug is still referenced in a failing openQA test: cc_audit-test-part2
https://openqa.suse.de/tests/8125761
#10
Updated by openqa_review 4 months ago
This is an autogenerated message for openQA integration by the openqa_review script:
This bug is still referenced in a failing openQA test: cc_audit-test-part2
https://openqa.suse.de/tests/8291132
Expect the next reminder at the earliest in 56 days if nothing changes in this ticket.
#11
Updated by openqa_review about 2 months ago
This is an autogenerated message for openQA integration by the openqa_review script:
This bug is still referenced in a failing openQA test: cc_audit-test-part2
https://openqa.suse.de/tests/8685059
Expect the next reminder at the earliest in 112 days if nothing changes in this ticket.