From 9d0c1762829d21dee17ac44bfd85f8637ac41e22 Mon Sep 17 00:00:00 2001
From: Evgeny Kolesnikov
Date: Tue, 6 Aug 2024 22:51:26 +0200
Subject: [PATCH] Generate random root password in the Kickstart fix header

This will make generated scripts more secure.
---
 src/XCCDF_POLICY/xccdf_policy_remediate.c | 8 ++++++--
 src/common/util.c | 19 +++++++++++++++++++
 src/common/util.h | 12 ++++++++++++
 3 files changed, 37 insertions(+), 2 deletions(-)
diff --git a/src/XCCDF_POLICY/xccdf_policy_remediate.c b/src/XCCDF_POLICY/xccdf_policy_remediate.c
index acb63f9914..6b09a0ba47 100644
--- a/src/XCCDF_POLICY/xccdf_policy_remediate.c
+++ b/src/XCCDF_POLICY/xccdf_policy_remediate.c
@@ -1776,18 +1776,22 @@ static int _xccdf_policy_generate_fix_kickstart(struct oscap_list *rules_to_fix,
 oscap_iterator_free(rules_to_fix_it);
 _write_text_to_fd(output_fd, "\n");
- const char *common = (
+ const char *common_template = (
 "# Default values for automated installation\n"
 "lang en_US.UTF-8\n"
 "keyboard --vckeymap us\n"
 "timezone --utc America/New_York\n"
 "\n"
 "# Root password is required for system rescue tasks\n"
- "rootpw changeme\n"
+ "rootpw %s\n"
 "\n"
 );
 if (raw == 0) {
+ char *password = oscap_generate_random_string(24, NULL);
+ char *common = oscap_sprintf(common_template, password);
 _write_text_to_fd(output_fd, common);
+ free(password);
+ free(common);
 }
 _generate_kickstart_pre(&cmds, output_fd);
diff --git a/src/common/util.c b/src/common/util.c
index af4e704077..0134ee379e 100644
--- a/src/common/util.c
+++ b/src/common/util.c
@@ -25,6 +25,7 @@
 #include
 #endif
+#include
 #include
 #include
 #include
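Review bot: In the `raw == 0` branch of the xccdf_policy_remediate.c hunk, the generated value is written as a cleartext `rootpw` argument, so anyone who can read the resulting Kickstart file holds the root password of every host installed from it. The comment emitted just above it should say so, for example `"# Random root password generated by oscap; keep this file confidential and change or lock the root account after installation\n"`. The same branch uses `password` and `common` without a NULL check (oscap_sprintf() presumably can fail on allocation); a guard such as `if (password != NULL && common != NULL) _write_text_to_fd(output_fd, common);` keeps a failed call from being formatted or written. The body of _xccdf_policy_generate_fix_kickstart starts and ends outside this hunk.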
@@ -50,6 +51,24 @@
 #define PATH_SEPARATOR '/'
+char *oscap_generate_random_string(size_t len, char *charset)
+{
+ char default_charset[] = "0123456789abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ";
+ char *res = NULL;
+ charset = (charset != NULL && strlen(charset) > 0) ? charset : default_charset;
+ size_t charset_len = strlen(charset);
+ if (len > 0) {
+ srand(time(NULL));
+ res = malloc(len+1);
+ res[len] = 0;
+ while (len-- > 0) {
+ size_t index = (double) rand() / RAND_MAX * (charset_len-1);
+ res[len] = charset[index];
+ }
+ }
+ return res;
+}
+
 int oscap_string_to_enum(const struct oscap_string_map *map, const char *str)
 {
 __attribute__nonnull__(map);
diff --git a/src/common/util.h b/src/common/util.h
index f7e2044134..24fb7363a8 100644
--- a/src/common/util.h
+++ b/src/common/util.h
@@ -384,6 +384,18 @@ char *oscap_trim(char *str);
 /// Print to a newly allocated string using a va_list.
 char *oscap_vsprintf(const char *fmt, va_list ap);
+/**
+ * Generates a pseudorandom string of a given lenght.
+ * If charset string is not NULL and its lenght is greater than 0,
+ * it will be used as a dictionary, otherwize a default alphanumeric
+ * would be the base for the generated string.
+ * Caller is responsible for freeing the returned string.
+ * @param len desired string length (must be greater than 0)
+ * @param charset a dictionary string, could be NULL
+ * @return A random string of desired lenght.
+ */
+char *oscap_generate_random_string(size_t len, char *charset);
+
 /**
 * Join 2 paths in an intelligent way.
 * Both paths are allowed to be NULL.
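Review bot: In the util.c hunk, oscap_generate_random_string() builds what becomes a root password from `srand(time(NULL))` and `rand()`, which is not a cryptographic generator: the seed is the wall-clock second, so the output is determined by the generation time (which the file's timestamp closely bounds), and two calls within the same second return the same string. The index expression `(double) rand() / RAND_MAX * (charset_len-1)` reaches the last charset character only when `rand()` equals `RAND_MAX`, so the distribution is skewed, and `res[len] = 0` writes through an unchecked `malloc()` result. Reseeding inside a library helper also resets the process-wide `rand()` state for every other user of it. The sketch below draws bytes from the kernel CSPRNG with rejection sampling and returns NULL on failure; `getrandom()` is Linux-specific, so the other platforms the project builds on would need their own secure source behind the same loop.

```c
char *oscap_generate_random_string(size_t len, char *charset)
{
	// … unchanged: default_charset and the charset selection …
	size_t charset_len = strlen(charset);
	/* One random byte selects one character, so the charset must fit in a byte */
	if (len == 0 || charset_len > 256)
		return NULL;
	char *res = malloc(len + 1);
	if (res == NULL)
		return NULL;
	/* Bytes at or above the largest multiple of charset_len are rejected to avoid modulo bias */
	const size_t limit = 256 - (256 % charset_len);
	size_t filled = 0;
	while (filled < len) {
		unsigned char byte;
		if (getrandom(&byte, 1, 0) != 1) {
			free(res);
			return NULL;
		}
		if (byte < limit)
			res[filled++] = charset[byte % charset_len];
	}
	res[len] = '\0';
	return res;
}
```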
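Review bot: In the util.h hunk, the new prototype takes `char *charset` although the implementation in util.c only reads through it; declaring it `const char *charset` in both files lets callers pass string literals and constant tables without a cast. The doc comment says `len` must be greater than 0, but `@return` does not mention that NULL comes back when `len` is 0, so I would extend it to `@return A newly allocated random string, or NULL if len is 0.` Since the caller in this patch uses the result as a root password, the description should also state whether the output is suitable for secrets instead of only calling it "pseudorandom". The comment misspells "length" as "lenght" three times and "otherwise" as "otherwize".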