Generate random passwords for Kickstart's rootpw section
While the password is pseudo-random it is still better than
accidentally having a server with 'changeme' password.
evgenyz committed Aug 7, 2024
1 parent 66b58f1 commit eba82f3
Showing 4 changed files with 39 additions and 2 deletions.
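--- a/src/XCCDF_POLICY/xccdf_policy_remediate.c
+++ b/src/XCCDF_POLICY/xccdf_policy_remediate.c
@@ -1776,17 +1776,21 @@ static int _xccdf_policy_generate_fix_kickstart(struct oscap_list *rules_to_fix,
 oscap_iterator_free(rules_to_fix_it);
 
 _write_text_to_fd(output_fd, "\n");
-const char *common = (
+const char *common_template = (
 "# Default values for automated installation\n"
 "lang en_US.UTF-8\n"
 "keyboard --vckeymap us\n"
 "timezone --utc America/New_York\n"
 "\n"
 "# Root password is required for system rescue tasks\n"
-"rootpw changeme\n"
+"rootpw %s\n"
 "\n"
 );
+char *password = oscap_generate_random_string(24, NULL);
+char *common = oscap_sprintf(common_template, password);
 _write_text_to_fd(output_fd, common);
+free(password);
+free(common);
 
 _generate_kickstart_pre(&cmds, output_fd);
 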
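Review bot: The results of `oscap_generate_random_string(24, NULL)` and `oscap_sprintf(common_template, password)` are used without a NULL check, so an allocation failure would feed NULL to the `%s` conversion or to `_write_text_to_fd`. A guard such as `if (password == NULL || common == NULL) { free(password); free(common); return 1; }` would make the failure explicit; the function's cleanup path and return convention lie outside this hunk, so the `return 1` is an assumption to confirm. The generated kickstart also now carries a working root credential in cleartext with nothing telling the operator so. I would add a template line above `rootpw`, e.g. `"# This root password was generated automatically; replace it and treat this file as a secret\n"`, and mirror it in the expected test fixture.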
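--- a/src/common/util.c
+++ b/src/common/util.c
@@ -25,6 +25,7 @@
 #include <config.h>
 #endif
 
+#include <time.h>
 #include <fcntl.h>
 #include <string.h>
 #include <ctype.h>
@@ -50,6 +51,24 @@
 
 #define PATH_SEPARATOR '/'
 
+char *oscap_generate_random_string(size_t len, char *charset)
+{
+char default_charset[] = "0123456789abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ";
+char *res = NULL;
+charset = (charset != NULL && strlen(charset) > 0) ? charset : default_charset;
+size_t charset_len = strlen(charset);
+if (len > 0) {
+srand(time(NULL));
+res = malloc(len+1);
+res[len] = 0;
+while (len-- > 0) {
+size_t index = (double) rand() / RAND_MAX * (charset_len-1);
+res[len] = charset[index];
+}
+}
+return res;
+}
+
 int oscap_string_to_enum(const struct oscap_string_map *map, const char *str)
 {
 __attribute__nonnull__(map);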
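Review bot: `oscap_generate_random_string` seeds `rand()` with `srand(time(NULL))`, so the 24-character root password depends only on the second at which the file was generated and can be reproduced by anyone able to estimate that time. A credential should come from the OS CSPRNG instead. The same body writes `res[len]` without checking `malloc`, reseeds the process-wide generator on every call (two calls within one second return the same string), and scales by `charset_len-1`, which leaves the last charset character reachable only when `rand() == RAND_MAX`. The sketch below draws bytes from `getrandom()` (Linux, `<sys/random.h>`; other supported platforms need their equivalent) and redraws out-of-range bytes so every character is equally likely. It returns NULL on failure and for charsets longer than 256 characters, so the kickstart caller has to check the result.

```c
char *oscap_generate_random_string(size_t len, char *charset)
{
	static const char default_charset[] = "0123456789abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ";
	const char *cs = (charset != NULL && charset[0] != '\0') ? charset : default_charset;
	size_t cs_len = strlen(cs);

	if (len == 0 || cs_len > 256)
		return NULL;

	char *res = malloc(len + 1);
	if (res == NULL)
		return NULL;

	/* Largest multiple of cs_len that fits in one byte; bytes at or
	 * above it are redrawn so the modulo below introduces no bias. */
	size_t limit = 256 - (256 % cs_len);
	size_t i = 0;
	while (i < len) {
		unsigned char byte;
		if (getrandom(&byte, sizeof byte, 0) != 1) {
			free(res);
			return NULL;
		}
		if (byte < limit)
			res[i++] = cs[byte % cs_len];
	}
	res[len] = '\0';
	return res;
}
```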
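--- a/src/common/util.h
+++ b/src/common/util.h
@@ -384,6 +384,18 @@ char *oscap_trim(char *str);
 /// Print to a newly allocated string using a va_list.
 char *oscap_vsprintf(const char *fmt, va_list ap);
 
+/**
+* Generates a pseudorandom string of a given length.
+* If charset string is not NULL and its length is greater than 0,
+* it will be used as a dictionary, otherwize a default alphanumeric set
+* will be the base for the generated string.
+* Caller is responsible for freeing the returned string.
+* @param len desired string length (must be greater than 0)
+* @param charset a dictionary string, could be NULL
+* @return A random string of desired length.
+*/
+char *oscap_generate_random_string(size_t len, char *charset);
+
 /**
 * Join 2 paths in an intelligent way.
 * Both paths are allowed to be NULL.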
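Review bot: The doc comment says `len` "must be greater than 0" but does not say what callers get back otherwise; the definition in util.c returns NULL on that path. The `@return` line should say so, e.g. `@return A newly allocated string of the desired length, or NULL if len is 0.` The comment should also state that the output comes from `rand()` and is not suitable for secrets as implemented, since the first caller uses it for a root password. The dictionary is only read, so the prototype would be better as `char *oscap_generate_random_string(size_t len, const char *charset);`, with the same change in the definition. "otherwize" should read "otherwise".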
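--- a/tests/API/XCCDF/unittests/test_remediation_kickstart.sh
+++ b/tests/API/XCCDF/unittests/test_remediation_kickstart.sh
@@ -10,11 +10,13 @@ function test_normal {
 kickstart_modified=$(mktemp)
 
 sed "/This file was generated by OpenSCAP .* using:/d" "$srcdir/test_remediation_kickstart_expected.cfg" > "$expected_modified"
+sed "/rootpw .*/d" "$srcdir/test_remediation_kickstart_expected.cfg" > "$expected_modified"
 sed -i "s;TEST_DATA_STREAM_PATH;$srcdir/test_remediation_kickstart.ds.xml;" "$expected_modified"
 
 $OSCAP xccdf generate fix --fix-type kickstart --output "$kickstart" --profile common "$srcdir/test_remediation_kickstart.ds.xml"
 
 sed "/This file was generated by OpenSCAP .* using:/d" "$kickstart" > "$kickstart_modified"
+sed "/rootpw .*/d" "$kickstart" > "$kickstart_modified"
 
 diff -u "$expected_modified" "$kickstart_modified"
 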
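Review bot: Each added `sed "/rootpw .*/d"` reads the unfiltered input again and redirects with `>` into the same temporary file, so it overwrites the output of the preceding `sed` that drops the "This file was generated by OpenSCAP" line. The comparison then runs with that line still present on both sides. Passing both expressions to one call keeps both filters: `sed -e "/This file was generated by OpenSCAP .* using:/d" -e "/rootpw .*/d" "$kickstart" > "$kickstart_modified"`, and likewise for `$expected_modified`. Deleting the line on both sides also means the test no longer checks that a `rootpw` entry is emitted at all; a `grep -q '^rootpw [0-9A-Za-z]\{24\}$' "$kickstart"` before the `diff` would cover that. `test_normal` begins and continues outside the hunk.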
