OpenSCAP · jan-cerny · Aug 9, 2024 · Aug 7, 2024
diff --git a/src/XCCDF_POLICY/xccdf_policy_remediate.c b/src/XCCDF_POLICY/xccdf_policy_remediate.c
@@ -1776,17 +1776,21 @@ static int _xccdf_policy_generate_fix_kickstart(struct oscap_list *rules_to_fix,
  oscap_iterator_free(rules_to_fix_it);
 
  _write_text_to_fd(output_fd, "\n");
- const char *common = (
+ const char *common_template = (
  "# Default values for automated installation\n"
  "lang en_US.UTF-8\n"
  "keyboard --vckeymap us\n"
  "timezone --utc America/New_York\n"
  "\n"
  "# Root password is required for system rescue tasks\n"
- "rootpw changeme\n"
+ "rootpw %s\n"
  "\n"
  );
+ char *password = oscap_generate_random_string(24, NULL);
+ char *common = oscap_sprintf(common_template, password);
  _write_text_to_fd(output_fd, common);
+ free(password);
+ free(common);
 
  _generate_kickstart_pre(&cmds, output_fd);
 

diff --git a/src/common/util.c b/src/common/util.c
@@ -25,6 +25,7 @@
 #include <config.h>
 #endif
 
+#include <time.h>
 #include <fcntl.h>
 #include <string.h>
 #include <ctype.h>
@@ -50,6 +51,24 @@
 
 #define PATH_SEPARATOR '/'
 
+char *oscap_generate_random_string(size_t len, char *charset)
+{
+ char default_charset[] = "0123456789abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ";
+ char *res = NULL;
+ charset = (charset != NULL && strlen(charset) > 0) ? charset : default_charset;
+ size_t charset_len = strlen(charset);
+ if (len > 0) {
+ srand(time(NULL));
+ res = malloc(len+1);
+ res[len] = 0;
+ while (len-- > 0) {
+ size_t index = (double) rand() / RAND_MAX * (charset_len-1);
+ res[len] = charset[index];
+ }
+ }
+ return res;
+}
+
 int oscap_string_to_enum(const struct oscap_string_map *map, const char *str)
 {
  __attribute__nonnull__(map);

diff --git a/src/common/util.h b/src/common/util.h
@@ -384,6 +384,18 @@ char *oscap_trim(char *str);
 /// Print to a newly allocated string using a va_list.
 char *oscap_vsprintf(const char *fmt, va_list ap);
 
+/**
+ * Generates a pseudorandom string of a given length.
+ * If charset string is not NULL and its length is greater than 0,
+ * it will be used as a dictionary, otherwise a default alphanumeric set
+ * will be the base for the generated string.
+ * Caller is responsible for freeing the returned string.
+ * @param len desired string length (must be greater than 0)
+ * @param charset a dictionary string, could be NULL
+ * @return A random string of desired length.
+ */
+char *oscap_generate_random_string(size_t len, char *charset);
+
 /**
  * Join 2 paths in an intelligent way.
  * Both paths are allowed to be NULL.

diff --git a/tests/API/XCCDF/unittests/test_remediation_kickstart.sh b/tests/API/XCCDF/unittests/test_remediation_kickstart.sh
@@ -10,11 +10,13 @@ function test_normal {
  kickstart_modified=$(mktemp)
 
  sed "/This file was generated by OpenSCAP .* using:/d" "$srcdir/test_remediation_kickstart_expected.cfg" > "$expected_modified"
+ sed "/rootpw .*/d" "$srcdir/test_remediation_kickstart_expected.cfg" > "$expected_modified"
  sed -i "s;TEST_DATA_STREAM_PATH;$srcdir/test_remediation_kickstart.ds.xml;" "$expected_modified"
 
  $OSCAP xccdf generate fix --fix-type kickstart --output "$kickstart" --profile common "$srcdir/test_remediation_kickstart.ds.xml"
 
  sed "/This file was generated by OpenSCAP .* using:/d" "$kickstart" > "$kickstart_modified"
+ sed "/rootpw .*/d" "$kickstart" > "$kickstart_modified"
 
  diff -u "$expected_modified" "$kickstart_modified"