From 2198eef2d45bbcf7b77cb4ba545dabb433d434db Mon Sep 17 00:00:00 2001 From: Evgeny Kolesnikov Date: Wed, 7 Aug 2024 21:20:56 +0200 Subject: [PATCH] Generate random passwords for Kickstart's rootpw section While the password is pseudo-random it is still better than accidentally having a server with 'changeme' password. --- src/XCCDF_POLICY/xccdf_policy_remediate.c | 8 ++++++-- src/common/util.c | 19 +++++++++++++++++++ src/common/util.h | 12 ++++++++++++ .../unittests/test_remediation_kickstart.sh | 2 ++ 4 files changed, 39 insertions(+), 2 deletions(-) diff --git a/src/XCCDF_POLICY/xccdf_policy_remediate.c b/src/XCCDF_POLICY/xccdf_policy_remediate.c index 2b442837b5..31a4bc2017 100644 --- a/src/XCCDF_POLICY/xccdf_policy_remediate.c +++ b/src/XCCDF_POLICY/xccdf_policy_remediate.c @@ -1776,17 +1776,21 @@ static int _xccdf_policy_generate_fix_kickstart(struct oscap_list *rules_to_fix, oscap_iterator_free(rules_to_fix_it); _write_text_to_fd(output_fd, "\n"); - const char *common = ( + const char *common_template = ( "# Default values for automated installation\n" "lang en_US.UTF-8\n" "keyboard --vckeymap us\n" "timezone --utc America/New_York\n" "\n" "# Root password is required for system rescue tasks\n" - "rootpw changeme\n" + "rootpw %s\n" "\n" ); + char *password = oscap_generate_random_string(24, NULL); + char *common = oscap_sprintf(common_template, password); _write_text_to_fd(output_fd, common); + free(password); + free(common); _generate_kickstart_pre(&cmds, output_fd); diff --git a/src/common/util.c b/src/common/util.c index af4e704077..0134ee379e 100644 --- a/src/common/util.c +++ b/src/common/util.c @@ -25,6 +25,7 @@ #include #endif +#include #include #include #include 
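Review bot: Neither `password` nor `common` is checked before use in the lines added to `_xccdf_policy_generate_fix_kickstart`, so a failed allocation in either helper would hand NULL to the `%s` in `oscap_sprintf` or to `_write_text_to_fd`. A guard of the form `if (password == NULL || common == NULL)` that frees both and takes the function's usual error path would keep a broken `rootpw` line out of the generated file. The file now also carries a working root credential in clear text, so it is worth confirming that the output is created with owner-only permissions; how `output_fd` is opened is not visible here. The function body starts and ends outside the hunk.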
@@ -50,6 +51,24 @@ #define PATH_SEPARATOR '/' +char *oscap_generate_random_string(size_t len, char *charset) +{ + char default_charset[] = "0123456789abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ"; + char *res = NULL; + charset = (charset != NULL && strlen(charset) > 0) ? charset : default_charset; + size_t charset_len = strlen(charset); + if (len > 0) { + srand(time(NULL)); + res = malloc(len+1); + res[len] = 0; + while (len-- > 0) { + size_t index = (double) rand() / RAND_MAX * (charset_len-1); + res[len] = charset[index]; + } + } + return res; +} + int oscap_string_to_enum(const struct oscap_string_map *map, const char *str) { __attribute__nonnull__(map); diff --git a/src/common/util.h b/src/common/util.h index f7e2044134..ca0c387215 100644 --- a/src/common/util.h +++ b/src/common/util.h @@ -384,6 +384,18 @@ char *oscap_trim(char *str); /// Print to a newly allocated string using a va_list. char *oscap_vsprintf(const char *fmt, va_list ap); +/** + * Generates a pseudorandom string of a given length. + * If charset string is not NULL and its length is greater than 0, + * it will be used as a dictionary, otherwise a default alphanumeric set + * will be the base for the generated string. + * Caller is responsible for freeing the returned string. + * @param len desired string length (must be greater than 0) + * @param charset a dictionary string, could be NULL + * @return A random string of desired length. + */ +char *oscap_generate_random_string(size_t len, char *charset); + /** * Join 2 paths in an intelligent way. * Both paths are allowed to be NULL. diff --git a/tests/API/XCCDF/unittests/test_remediation_kickstart.sh b/tests/API/XCCDF/unittests/test_remediation_kickstart.sh index 97fbf7124a..22bdc92118 100755 --- a/tests/API/XCCDF/unittests/test_remediation_kickstart.sh +++ b/tests/API/XCCDF/unittests/test_remediation_kickstart.sh 
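Review bot: `srand(time(NULL))` followed by `rand()` in `oscap_generate_random_string` makes the root password a function of the second in which the kickstart was generated, so it is only as secret as that timestamp; a credential should be drawn from the OS CSPRNG instead (for example `getrandom()` on Linux, with an equivalent source on the other platforms the project builds for). The same function has three further defects: `malloc` is not checked before `res[len] = 0`, the index expression scales by `charset_len-1` so the last charset character is chosen only when `rand()` returns exactly `RAND_MAX`, and calling `srand` from library code reseeds the generator for the whole process. The sketch below assumes `<sys/random.h>` is available and uses rejection sampling so every charset character is equally likely.

```c
char *oscap_generate_random_string(size_t len, char *charset)
{
	// … unchanged: default_charset and charset selection …
	size_t charset_len = strlen(charset);
	if (len == 0)
		return NULL;
	char *res = malloc(len + 1);
	if (res == NULL)
		return NULL;
	/* Values at or above the largest multiple of charset_len are rejected to avoid modulo bias. */
	const uint32_t limit = UINT32_MAX - (uint32_t)(UINT32_MAX % charset_len);
	size_t filled = 0;
	while (filled < len) {
		uint32_t r;
		if (getrandom(&r, sizeof r, 0) != (ssize_t) sizeof r) {
			free(res);
			return NULL;
		}
		if (r < limit)
			res[filled++] = charset[r % charset_len];
	}
	res[len] = '\0';
	return res;
}
```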
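Review bot: The prototype added to util.h takes `char *charset` although the implementation only reads from it; `const char *charset` would state that contract and let callers pass string literals, with the same change mirrored in util.c. The `@return` line should also document the NULL case, e.g. `@return A newly allocated string of the desired length, or NULL if len is 0.`. Since the one visible caller uses the result as a root password, the comment should say explicitly whether the output is suitable for secrets.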
@@ -10,11 +10,13 @@ function test_normal { kickstart_modified=$(mktemp) sed "/This file was generated by OpenSCAP .* using:/d" "$srcdir/test_remediation_kickstart_expected.cfg" > "$expected_modified" + sed "/rootpw .*/d" "$srcdir/test_remediation_kickstart_expected.cfg" > "$expected_modified" sed -i "s;TEST_DATA_STREAM_PATH;$srcdir/test_remediation_kickstart.ds.xml;" "$expected_modified" $OSCAP xccdf generate fix --fix-type kickstart --output "$kickstart" --profile common "$srcdir/test_remediation_kickstart.ds.xml" sed "/This file was generated by OpenSCAP .* using:/d" "$kickstart" > "$kickstart_modified" + sed "/rootpw .*/d" "$kickstart" > "$kickstart_modified" diff -u "$expected_modified" "$kickstart_modified"
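Review bot: Each added `sed` reads the original file again and redirects with `>` into the same temporary file, so it overwrites the output of the preceding `sed` and the "This file was generated by OpenSCAP" line is no longer stripped from either side of the comparison. Folding both deletions into one invocation keeps both filters: `sed -e "/This file was generated by OpenSCAP .* using:/d" -e "/rootpw .*/d" "$kickstart" > "$kickstart_modified"`, and likewise for `$expected_modified`. With the `rootpw` line removed from the diff, nothing checks the new behaviour; an assertion such as `grep -Eq '^rootpw [0-9A-Za-z]{24}$' "$kickstart"` would pin the format and rule out the old fixed value. `test_normal` starts before the hunk and may continue after it.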