Bugzilla – Bug 1221452
[SECURITY] Several test result differences to baseline with CC setup
Last modified: 2024-05-07 11:47:49 UTC
We have multiple new Common Criteria audit-test differences compared to the expected baseline.

trustedprograms: passwd02 passwd03
  Current:  [38] database passwd02 FAIL
  Baseline: [38] database passwd02 PASS
  Current:  [39] database passwd03 FAIL
  Baseline: [39] database passwd03 PASS

polkit_tests: polkit_success
  Current:  [2] polkit_success FAIL
  Baseline: [2] polkit_success PASS

libpam: ssh04
  Current:  [7] ssh04 FAIL
  Baseline: [7] ssh04 PASS

These are happening on the 15-SP5 QU snapshot (https://openqa.suse.de/tests/13708532), compared to the previous QU (https://openqa.suse.de/tests/13102166) where the test suite used to pass. This is also different from what happens on 15-SP5 GA daily updated with updates: https://openqa.suse.de/tests/13787708
Error for polkit:

[2] polkit_success FAIL
--- begin output -----------------------------------------------------------
rotate_audit_logs: Attempting to rotate using USR1
spawn /usr/bin/hostnamectl set-hostname --pretty myserver_9wHA
==== AUTHENTICATING FOR org.freedesktop.hostname1.set-static-hostname ====
Authentication is required to set the statically configured local hostname, as well as the pretty hostname.
Authenticating as: root
polkit-agent-helper-1: needs to be setuid root
Error: Incorrect permissions on /usr/lib/polkit-1/polkit-agent-helper-1 (needs to be setuid root)
==== AUTHENTICATION FAILED ====
Could not set pretty hostname: Access denied
send: spawn id exp4 not open
    while executing
"send -- "$rootpwd\r""
    (file "set_hostname.expect" line 15)
fail: hostname wasnt set via polkit
ssh04 error:

Testcase                                          Result
--------                                          ------
[7] ssh04                                         FAIL
--- begin output -----------------------------------------------------------
rotate_audit_logs: Attempting to rotate using USR1
spawn ssh root@localhost
Password:
Password:
augrok output
-------------
type=SERVICE_STOP msg=audit(1709583918.656:14948): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=unconfined msg_1='unit=sshd comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=success'
type=SERVICE_START msg=audit(1709583919.112:14949): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=unconfined msg_1='unit=sshd comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=success'
type=SERVICE_STOP msg=audit(1709583919.484:14950): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=unconfined msg_1='unit=sshd comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=success'
type=SERVICE_START msg=audit(1709583919.876:14951): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=unconfined msg_1='unit=sshd comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=success'
type=CRYPTO_SESSION msg=audit(1709583920.136:14952): pid=17122 uid=0 auid=4294967295 ses=4294967295 subj=unconfined msg_1='op=start direction=from-server cipher=aes128-ctr ksize=128 mac=hmac-sha2-256-etm@openssh.com pfs=ecdh-sha2-nistp256 spid=17123 suid=471 rport=52538 laddr=::1 lport=22 exe="/usr/sbin/sshd" hostname=? addr=::1 terminal=? res=success'
type=CRYPTO_SESSION msg=audit(1709583920.140:14953): pid=17122 uid=0 auid=4294967295 ses=4294967295 subj=unconfined msg_1='op=start direction=from-client cipher=aes128-ctr ksize=128 mac=hmac-sha2-256-etm@openssh.com pfs=ecdh-sha2-nistp256 spid=17123 suid=471 rport=52538 laddr=::1 lport=22 exe="/usr/sbin/sshd" hostname=? addr=::1 terminal=? res=success'
type=USER_AUTH msg=audit(1709583920.180:14954): pid=17124 uid=0 auid=4294967295 ses=4294967295 subj=unconfined msg_1='op=PAM:authentication grantors=? acct="root" exe="/usr/sbin/sshd" hostname=::1 addr=::1 terminal=ssh res=failed'
type=USER_AUTH msg=audit(1709583921.468:14955): pid=17122 uid=0 auid=4294967295 ses=4294967295 subj=unconfined msg_1='op=challenge-response acct="root" exe="/usr/sbin/sshd" hostname=? addr=::1 terminal=ssh res=failed'
type=CRYPTO_KEY_USER msg=audit(1709583921.476:14956): pid=17122 uid=0 auid=4294967295 ses=4294967295 subj=unconfined msg_1='op=destroy kind=session fp=? direction=both spid=17123 suid=471 rport=52538 laddr=::1 lport=22 exe="/usr/sbin/sshd" hostname=? addr=::1 terminal=? res=success'
type=USER_ERR msg=audit(1709583921.476:14957): pid=17122 uid=0 auid=4294967295 ses=4294967295 subj=unconfined msg_1='op=PAM:bad_ident grantors=? acct="?" exe="/usr/sbin/sshd" hostname=::1 addr=::1 terminal=ssh res=failed'
type=USER_LOGIN msg=audit(1709583921.476:14958): pid=17122 uid=0 auid=4294967295 ses=4294967295 subj=unconfined msg_1='op=login acct="root" exe="/usr/sbin/sshd" hostname=? addr=::1 terminal=ssh res=failed'
--- end output -------------------------------------------------------------
The passwd02 test seems not to detect the CC role using check_cc_role(), which might just be caused by the installation method. polkit is the same, using check_cc_role_enabled; same for the others.

function check_cc_role_enabled {
    cat /etc/YaST2/ProductFeatures | grep 'default_patterns' | grep 'common-criteria' > /dev/null 2>&1
    return $?
}

Your installation method should result in this happening too.
(Or fix audit-test-sle15)
We are now using the proper installation method (selecting the role from the installer), but we still get those failures:

passwd02:

-> Test #4 : Trying chfn change finger of self to valid data for user [cs_user1]: `chfn -w c -h d`
Password:
Password:
Cannot change ID to root.
Connection to localhost closed.
==> Test #4 : FAIL (chfn change finger of self to valid data)
*** Text #4 expected exit code [0] but got [1]
no crontab for cs_user1
no crontab for cs_user2
Summary of Results
==> Test #0 : PASS (chfn change finger of a non-existant user)
==> Test #1 : PASS (chfn change finger of some other user)
==> Test #2 : PASS (chfn change finger of self to invalid data)
==> Test #3 : PASS (chfn change finger of self to invalid data)
==> Test #4 : FAIL (chfn change finger of self to valid data)
*** Text #4 expected exit code [0] but got [1]
========================================================

passwd03:

-> Test #2 : Trying chsh change shell of self to valid shell for user [cs_user1]: `chsh -s /bin/bash`
Password:
Password:
Cannot change ID to root.
Connection to localhost closed.
==> Test #2 : FAIL (chsh change shell of self to valid shell)
*** Text #2 expected exit code [0] but got [1]
no crontab for cs_user1
no crontab for cs_user2
Summary of Results
==> Test #0 : PASS (chsh change shell of self to non-existant shell)
==> Test #1 : PASS (chsh change shell of self to dev-null shell)
==> Test #2 : FAIL (chsh change shell of self to valid shell)
*** Text #2 expected exit code [0] but got [1]
========================================================================
End execution of passwd03
========================================================================

polkit:

Testcase                                          Result
--------                                          ------
[2] polkit_success                                FAIL
--- begin output -----------------------------------------------------------
rotate_audit_logs: Attempting to rotate using USR1
spawn /usr/bin/hostnamectl set-hostname --pretty myserver_SdwF
==== AUTHENTICATING FOR org.freedesktop.hostname1.set-static-hostname ====
Authentication is required to set the statically configured local hostname, as well as the pretty hostname.
Authenticating as: root
polkit-agent-helper-1: needs to be setuid root
Error: Incorrect permissions on /usr/lib/polkit-1/polkit-agent-helper-1 (needs to be setuid root)
==== AUTHENTICATION FAILED ====
Could not set pretty hostname: Access denied
send: spawn id exp4 not open
    while executing
"send -- "$rootpwd\r""
    (file "set_hostname.expect" line 15)
fail: hostname wasnt set via polkit

ssh04:

Testcase                                          Result
--------                                          ------
[7] ssh04                                         FAIL
--- begin output -----------------------------------------------------------
rotate_audit_logs: Attempting to rotate using USR1
spawn ssh root@localhost
Password:
Password:
Is it expected that 'common-criteria' is no longer present in the `default_patterns` in `/etc/YaST2/ProductFeatures` even though the installation was done by selecting the Common Criteria role during standard installation?
It seems that the package `system-role-common-criteria` is not installed even if the pattern `common-criteria` and the package `patterns-certification-common-criteria` are installed.
Interesting, on 15-SP4 the system-role-common-criteria package is not installed either, but "default_patterns=base common-criteria fips", while on 15-SP5-QR and 15-SP6 it is "minimal_base".
Atsec also complained that on SLES15 SP4 QU3.1 installed (I installed servers) in the CC role, /etc/sudoers.d/common-criteria does not exist, which indicates that the CC role was not installed and applied.
That file is present in 15-SP5-QR (137.7)
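The three role indicators this bug turned on (the `default_patterns` check from check_cc_role_enabled above, the setuid bit on polkit-agent-helper-1 behind the polkit_success failure, and the /etc/sudoers.d/common-criteria drop-in) can be verified in one pre-flight script before running the audit-test suite. This is an added example, not part of the bug report or of audit-test-sle15; every path is a parameter so the checks can also be exercised against constructed sample files, and the defaults are the paths named in this bug.

```shell
#!/bin/sh
# Added example (not from audit-test-sle15): pre-flight checks for the
# Common Criteria role prerequisites discussed in bug 1221452.

# Same test as the suite's check_cc_role_enabled, with the file as argument.
cc_role_in_product_features() {
    grep 'default_patterns' "$1" 2>/dev/null | grep -q 'common-criteria'
}

# hostnamectl's polkit prompt fails unless the agent helper is setuid root.
# Takes the octal mode and owner uid, as printed by `stat -c '%a %u'`.
helper_perm_ok() {
    mode=$1; owner=$2
    case "$mode" in 4???) ;; *) return 1 ;; esac   # 4xxx = setuid bit set
    [ "$owner" = 0 ]                               # must be owned by root
}

# The role's sudoers drop-in must exist, otherwise the role was not applied.
cc_sudoers_present() {
    [ -f "$1" ]
}

# Runs all three checks, prints one PASS/FAIL line each, returns 1 on any failure.
check_cc_role_prereqs() {
    pf=${1:-/etc/YaST2/ProductFeatures}
    helper=${2:-/usr/lib/polkit-1/polkit-agent-helper-1}
    sudoers=${3:-/etc/sudoers.d/common-criteria}
    rc=0
    if cc_role_in_product_features "$pf"; then echo "PASS $pf lists common-criteria in default_patterns"
    else echo "FAIL $pf: common-criteria missing from default_patterns"; rc=1; fi
    # stat output is intentionally unquoted so mode and uid become two arguments
    if [ -e "$helper" ] && helper_perm_ok $(stat -c '%a %u' "$helper"); then
        echo "PASS $helper is setuid root"
    else echo "FAIL $helper is missing or not setuid root"; rc=1; fi
    if cc_sudoers_present "$sudoers"; then echo "PASS $sudoers present"
    else echo "FAIL $sudoers missing (CC role not applied)"; rc=1; fi
    return $rc
}

# Usage: sh check_cc_role.sh --run [ProductFeatures] [agent-helper] [sudoers drop-in]
if [ "$1" = "--run" ]; then shift; check_cc_role_prereqs "$@"; fi
```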
Please delete all I wrote. The test was configured with the wrong HDD variable. Installation works fine and the result is as expected on 15-SP5-QR and 15-SP6 (default_patterns = base common-criteria fips). Now running tests with the correct image.
Thank you everyone. We have - or Paolo has, to be exact - now switched Common Criteria installation creation from autoyast (which still has this mentioned omission of not functioning 100% identical to installer's role feature, even with the post-install script) to libyui and can confirm 15-SP5 QU behaves as expected again: https://openqa.suse.de/tests/13992343 On 15-SP6 there are still differences from the baseline, but those should need a separate bug.