action #99096
closedaction #93441: [sle][security][sle15sp4][CC] CC hand over
[sle][security][sle15sp4][CC][s390x] handle "permit_root_ssh" login issue on s390x
Added by rfan1 over 3 years ago. Updated over 2 years ago.
100%
Description
https://progress.opensuse.org/issues/98715
Based on the comments from Marcus, You cannot remove a security condition of the CC setup. ("root ssh access is not allowed" is a hard CC requirement)
We should find a way to fix the openqa failed case:
http://openqa.suse.de/tests/7198526#step/system_prepare/3
We may need use non-root user to access the system rather than root as a solutioin.
Updated by rfan1 over 3 years ago
May I ask for your kindly help to take a look at this issue?
When testing Common Criteria system role based VM, root ssh is not permitted by default, and this is CC hard requirement based on Marcus's comment.
CC is supported on 3 platforms x86_64/aarch64 and s390x, for x86_64 and aarch64, we used to connect to the VM via qemu VNC while we try to connect root console via "select_console 'root-console'".
But for s390x, it seems another story, we should have to ssh access to the VM via root user. then the problem shows up.
I did some changes like below and seems it can work well:
- select_console 'root-console';
+ select_console('user-console', ensure_tty_selected => 0, skip_setterm => 1);
+ my $password = $testapi::password;
+ type_string("sudo -i\n");
+ type_string("$password\n");
However, it is not an easy to fix this issue, since so many test modules have "select_console 'root-console';" function. I have to apply my changes one by one.
Do you have any suggestion here?
BR//Richard.
Updated by openqa_review almost 3 years ago
This is an autogenerated message for openQA integration by the openqa_review script:
This bug is still referenced in a failing openQA test: cc_audit-test-part2
https://openqa.suse.de/tests/8003959
To prevent further reminder comments one of the following options should be followed:
- The test scenario is fixed by applying the bug fix to the tested product or the test is adjusted
- The openQA job group is moved to "Released" or "EOL" (End-of-Life)
- The bugref in the openQA scenario is removed or replaced, e.g.
label:wontfix:boo1234
Updated by rfan1 almost 3 years ago
- Status changed from New to In Progress
- % Done changed from 0 to 10
I have a new idea on how to test CC + s390x test.
Keep the workaround at the installation phase, and then we can access the host via root since many basic test code need root access via ssh
I will continue to ask for tool teams's help to enhance the function "select_console" https://progress.opensuse.org/issues/105040I will create a new test module to restore ssh configuration
for test modules which are CC specific, I will modify the test code like below:
select_console 'root-console';
select_console('user-console', ensure_tty_selected => 0, skip_setterm => 1);
my $password = $testapi::password;
type_string("sudo -i\n");
type_string("$password\n");
Any suggestion here?
Updated by rfan1 almost 3 years ago
- % Done changed from 10 to 20
openqa-clone-job --from http://openqa.suse.de --host http://openqa.suse.de 8018749 --skip-chained-deps --skip-download _GROUP=0 CASEDIR="https://github.com/rfan1/os-autoinst-distri-opensuse.git#s390x_cc_disable_rootssh"
https://openqa.suse.de/tests/8025298#step/trustedprograms/46 [We can see the root ssh login is failed, and it is by design]
Good news is that, most of the test cases don't need more code changes if we don't need to re-connect the root console.
Then I think it is good enough to submit this PR.
Updated by rfan1 almost 3 years ago
Schedule example
name: cc_audit_tests
description: >
This is for cc audit tests in single node
schedule:
- '{{bootloader_zkvm}}'
- boot/boot_to_desktop
- '{{disable_root_ssh}}'
- security/cc/cc_audit_test_setup
- security/cc/filter
- security/cc/syscalls
- security/cc/polkit_tests
- security/cc/audit_trail_protection
- security/cc/trustedprograms
- security/selinux/selinux_setup
- security/cc/libpam
conditional_schedule:
bootloader_zkvm:
ARCH:
s390x:
- installation/bootloader_zkvm
disable_root_ssh:
ARCH:
s390x:
- security/cc/cc_disable_root_ssh
Updated by rfan1 almost 3 years ago
- Status changed from In Progress to Resolved
- % Done changed from 20 to 100
Updated by rfan1 almost 3 years ago
- Copied to action #105564: [sle][security][CC][s390x] [backlog]re-connect root console may fail after reboot added
Updated by openqa_review almost 3 years ago
This is an autogenerated message for openQA integration by the openqa_review script:
This bug is still referenced in a failing openQA test: cc_audit-test-part2
https://openqa.suse.de/tests/8125761
To prevent further reminder comments one of the following options should be followed:
- The test scenario is fixed by applying the bug fix to the tested product or the test is adjusted
- The openQA job group is moved to "Released" or "EOL" (End-of-Life)
- The bugref in the openQA scenario is removed or replaced, e.g.
label:wontfix:boo1234
Updated by openqa_review almost 3 years ago
This is an autogenerated message for openQA integration by the openqa_review script:
This bug is still referenced in a failing openQA test: cc_audit-test-part2
https://openqa.suse.de/tests/8291132
To prevent further reminder comments one of the following options should be followed:
- The test scenario is fixed by applying the bug fix to the tested product or the test is adjusted
- The openQA job group is moved to "Released" or "EOL" (End-of-Life)
- The bugref in the openQA scenario is removed or replaced, e.g.
label:wontfix:boo1234
Expect the next reminder at the earliest in 56 days if nothing changes in this ticket.
Updated by openqa_review over 2 years ago
This is an autogenerated message for openQA integration by the openqa_review script:
This bug is still referenced in a failing openQA test: cc_audit-test-part2
https://openqa.suse.de/tests/8685059
To prevent further reminder comments one of the following options should be followed:
- The test scenario is fixed by applying the bug fix to the tested product or the test is adjusted
- The openQA job group is moved to "Released" or "EOL" (End-of-Life)
- The bugref in the openQA scenario is removed or replaced, e.g.
label:wontfix:boo1234
Expect the next reminder at the earliest in 112 days if nothing changes in this ticket.