

Generate random root password in the Kickstart fix header
This will make generated scripts more secure.
evgenyz committed Aug 7, 2024
1 parent 40d5fa6 commit d1ec3ed
Showing 4 changed files with 39 additions and 2 deletions.
8 changes: 6 additions & 2 deletions src/XCCDF_POLICY/xccdf_policy_remediate.c
Expand Up @@ -1776,18 +1776,22 @@ static int _xccdf_policy_generate_fix_kickstart(struct oscap_list *rules_to_fix,
oscap_iterator_free(rules_to_fix_it);

_write_text_to_fd(output_fd, "\n");
const char *common = (
const char *common_template = (
"# Default values for automated installation\n"
"lang en_US.UTF-8\n"
"keyboard --vckeymap us\n"
"timezone --utc America/New_York\n"
"\n"
"# Root password is required for system rescue tasks\n"
"rootpw changeme\n"
"rootpw %s\n"
"\n"
);
if (raw == 0) {
char *password = oscap_generate_random_string(24, NULL);
char *common = oscap_sprintf(common_template, password);
_write_text_to_fd(output_fd, common);
free(password);
free(common);
}

_generate_kickstart_pre(&cmds, output_fd);
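Review bot: Both new calls inside the `if (raw == 0)` branch ignore a NULL result: `oscap_generate_random_string` returns NULL when its allocation fails (see the util.c hunk), and handing that to `oscap_sprintf` through `%s` is undefined behaviour (glibc would print `rootpw (null)` into the generated kickstart), while a NULL `common` would reach `_write_text_to_fd`. Guard both before the write, e.g. `if (password == NULL || common == NULL) { free(password); free(common); /* report failure per this function's return convention */ }`. Because the generated password is not surfaced anywhere else, the template comment should also tell the reader what to do with it, e.g. `"# Root password is required for system rescue tasks; it is randomly generated, record or replace it before use\n"`. The enclosing function `_xccdf_policy_generate_fix_kickstart` begins and ends outside this hunk.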
19 changes: 19 additions & 0 deletions src/common/util.c
Expand Up @@ -25,6 +25,7 @@
#include <config.h>
#endif

#include <time.h>
#include <fcntl.h>
#include <string.h>
#include <ctype.h>
Expand All @@ -50,6 +51,24 @@

#define PATH_SEPARATOR '/'

char *oscap_generate_random_string(size_t len, char *charset)
{
char default_charset[] = "0123456789abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ";
char *res = NULL;
charset = (charset != NULL && strlen(charset) > 0) ? charset : default_charset;
size_t charset_len = strlen(charset);
if (len > 0) {
srand(time(NULL));
res = malloc(len+1);
res[len] = 0;
while (len-- > 0) {
size_t index = (double) rand() / RAND_MAX * (charset_len-1);
res[len] = charset[index];
}
}
return res;
}

int oscap_string_to_enum(const struct oscap_string_map *map, const char *str)
{
__attribute__nonnull__(map);
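Review bot: `srand(time(NULL))` followed by `rand()` is not an acceptable source for a root password: the seed is the current second, so anyone who knows roughly when the kickstart was generated can reproduce the password, and two calls within the same second return the same string. The index expression `(double) rand() / RAND_MAX * (charset_len-1)` is also biased — the last charset character is only chosen when rand() returns exactly RAND_MAX — and `res = malloc(len+1)` is dereferenced without a NULL check. Draw bytes from the OS CSPRNG (`getrandom()` from `<sys/random.h>`, which would replace the `<time.h>` include added in the first hunk; `/dev/urandom` is the fallback on platforms without it) and select characters by rejection sampling so every dictionary entry is equally likely; the rewrite below keeps the signature and the NULL-for-len==0 behaviour, and additionally returns NULL when allocation or the random source fails, which the caller in xccdf_policy_remediate.c then has to check.
```c
char *oscap_generate_random_string(size_t len, char *charset)
{
	const char default_charset[] = "0123456789abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ";
	const char *dict = (charset != NULL && charset[0] != '\0') ? charset : default_charset;
	size_t dict_len = strlen(dict);
	if (len == 0)
		return NULL;
	char *res = malloc(len + 1);
	if (res == NULL)
		return NULL;
	/* Largest multiple of dict_len below 2^32: values at or above it are
	 * discarded so that r % dict_len is uniform over the dictionary. */
	uint32_t limit = UINT32_MAX - (UINT32_MAX % dict_len);
	for (size_t i = 0; i < len; ) {
		uint32_t r;
		if (getrandom(&r, sizeof r, 0) != (ssize_t) sizeof r) {
			free(res);
			return NULL;
		}
		if (r >= limit)
			continue;
		res[i++] = dict[r % dict_len];
	}
	res[len] = '\0';
	return res;
}
```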
12 changes: 12 additions & 0 deletions src/common/util.h
Expand Up @@ -384,6 +384,18 @@ char *oscap_trim(char *str);
/// Print to a newly allocated string using a va_list.
char *oscap_vsprintf(const char *fmt, va_list ap);

/**
* Generates a pseudorandom string of a given lenght.
* If charset string is not NULL and its lenght is greater than 0,
* it will be used as a dictionary, otherwize a default alphanumeric
* would be the base for the generated string.
* Caller is responsible for freeing the returned string.
* @param len desired string length (must be greater than 0)
* @param charset a dictionary string, could be NULL
* @return A random string of desired lenght.
*/
char *oscap_generate_random_string(size_t len, char *charset);

/**
* Join 2 paths in an intelligent way.
* Both paths are allowed to be NULL.
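Review bot: The new doc comment misspells "lenght" (three times) and "otherwize", and it documents `len` as "must be greater than 0" while the util.c definition actually returns NULL for len == 0 — document the contract rather than the wish: `@return A newly allocated string of the requested length, or NULL when len is 0; the caller frees it.` `charset` is only read (strlen and indexing), so the prototype and the definition should take `const char *charset`, which also lets callers pass string literals without a warning. Since this helper's first use is a root password, the comment should also state which generator backs it so that future callers know whether the output is fit for secrets.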
2 changes: 2 additions & 0 deletions tests/API/XCCDF/unittests/test_remediation_kickstart.sh
Expand Up @@ -10,11 +10,13 @@ function test_normal {
kickstart_modified=$(mktemp)

sed "/This file was generated by OpenSCAP .* using:/d" "$srcdir/test_remediation_kickstart_expected.cfg" > "$expected_modified"
sed "/rootpw .*/d" "$srcdir/test_remediation_kickstart_expected.cfg" > "$expected_modified"
sed -i "s;TEST_DATA_STREAM_PATH;$srcdir/test_remediation_kickstart.ds.xml;" "$expected_modified"

$OSCAP xccdf generate fix --fix-type kickstart --output "$kickstart" --profile common "$srcdir/test_remediation_kickstart.ds.xml"

sed "/This file was generated by OpenSCAP .* using:/d" "$kickstart" > "$kickstart_modified"
sed "/rootpw .*/d" "$kickstart" > "$kickstart_modified"

diff -u "$expected_modified" "$kickstart_modified"

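Review bot: The added `sed` on the expected file re-reads `$srcdir/test_remediation_kickstart_expected.cfg` and overwrites `$expected_modified` with `>`, discarding the "This file was generated by OpenSCAP" deletion performed on the line above; the second addition does the same to `$kickstart_modified`. Apply the new filter to the already-filtered file instead: `sed -i "/rootpw .*/d" "$expected_modified"` and `sed -i "/rootpw .*/d" "$kickstart_modified"`, or pass both patterns with `-e` in a single invocation. Note that after this change the test no longer verifies that a non-empty `rootpw` directive is emitted at all; a `grep -qE '^rootpw .+' "$kickstart"` before the filtering would keep that covered. The body of `test_normal` starts before this hunk.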

0 comments on commit d1ec3ed
