From 6b8f5f283a716dfda29afdf1071108d4621aeb61 Mon Sep 17 00:00:00 2001
From: Matthew Burket
Date: Thu, 27 Jun 2024 13:16:28 -0500
Subject: [PATCH 1/2] Remove CentOS Stream 8 Test Suite Dockerfile

CentOS Stream 8 is EoL.
---
 Dockerfiles/test_suite-cs8 | 24 ------------------------
 1 file changed, 24 deletions(-)
 delete mode 100644 Dockerfiles/test_suite-cs8
diff --git a/Dockerfiles/test_suite-cs8 b/Dockerfiles/test_suite-cs8
deleted file mode 100644
index 9072d9f725c..00000000000
--- a/Dockerfiles/test_suite-cs8
+++ /dev/null
@@ -1,24 +0,0 @@
-# This Dockerfile is a minimal example for a Centos Stream 8 SSG test suite target container.
-FROM quay.io/centos/centos:stream8
-
-ENV AUTH_KEYS=/root/.ssh/authorized_keys
-
-ARG CLIENT_PUBLIC_KEY
-ARG ADDITIONAL_PACKAGES
-
-# Install Python so Ansible remediations can work
-# Don't clean all, as the test scenario may require package install.
-RUN true \
- && yum install -y openssh-clients openssh-server openscap-scanner \
- python39 \
- $ADDITIONAL_PACKAGES \
- && true
-
-RUN true \
- && for key_type in rsa ecdsa; do ssh-keygen -N '' -t $key_type -f /etc/ssh/ssh_host_${key_type}_key; done \
- && mkdir -p /root/.ssh \
- && printf "%s\n" "$CLIENT_PUBLIC_KEY" >> "$AUTH_KEYS" \
- && chmod og-rw /root/.ssh "$AUTH_KEYS" \
- && sed -i '/session\s\+required\s\+pam_loginuid.so/d' /etc/pam.d/sshd \
-&& true
-
From 8eef73431dc02d14e309657e037f4ed8503d524a Mon Sep 17 00:00:00 2001
From: Matthew Burket
Date: Thu, 27 Jun 2024 13:24:54 -0500
Subject: [PATCH 2/2] Add UBI8 Dockerfile and use in place of CS8 in Automatus testing
---
 .github/workflows/automatus-cs8.yaml | 4 ++--
 Dockerfiles/test_suite-ubi | 24 ++++++++++++++++++++++++
 2 files changed, 26 insertions(+), 2 deletions(-)
 create mode 100644 Dockerfiles/test_suite-ubi
diff --git a/.github/workflows/automatus-cs8.yaml b/.github/workflows/automatus-cs8.yaml
index 9917af66f22..572013aea9c 100644
--- a/.github/workflows/automatus-cs8.yaml
+++ b/.github/workflows/automatus-cs8.yaml
@@ -1,4 +1,4 @@
-name: Automatus CS8
+name: Automatus UBI8
 on:
 pull_request:
 branches: [ master, 'stabilization*' ]
@@ -92,7 +92,7 @@ jobs:
 run: ssh-keygen -N '' -t rsa -f ~/.ssh/id_rsa
 - name: Build test suite container
 if: ${{ steps.ctf.outputs.CTF_OUTPUT_SIZE != '0' }}
- run: podman build --build-arg "CLIENT_PUBLIC_KEY=$(cat ~/.ssh/id_rsa.pub)" -t ssg_test_suite -f test_suite-cs8
+ run: podman build --build-arg "CLIENT_PUBLIC_KEY=$(cat ~/.ssh/id_rsa.pub)" -t ssg_test_suite -f test_suite-ubi8
 working-directory: ./Dockerfiles
 - name: Get oscap-ssh
 if: ${{ steps.ctf.outputs.CTF_OUTPUT_SIZE != '0' }}
diff --git a/Dockerfiles/test_suite-ubi b/Dockerfiles/test_suite-ubi
new file mode 100644
index 00000000000..41b373aa949
--- /dev/null
+++ b/Dockerfiles/test_suite-ubi
@@ -0,0 +1,24 @@
+# This Dockerfile is a minimal example for a Red Hat UBI 8 Automatus test suite target container.
+FROM registry.access.redhat.com/ubi8/ubi:latest
+
+ENV AUTH_KEYS=/root/.ssh/authorized_keys
+
+ARG CLIENT_PUBLIC_KEY
+ARG ADDITIONAL_PACKAGES
+
+# Install Python so Ansible remediations can work
+# Don't clean all, as the test scenario may require package install.
+RUN true \
+ && yum install -y openssh-clients openssh-server openscap-scanner \
+ python39 \
+ $ADDITIONAL_PACKAGES \
+ && true
+
+RUN true \
+ && for key_type in rsa ecdsa; do ssh-keygen -N '' -t $key_type -f /etc/ssh/ssh_host_${key_type}_key; done \
+ && mkdir -p /root/.ssh \
+ && printf "%s\n" "$CLIENT_PUBLIC_KEY" >> "$AUTH_KEYS" \
+ && chmod og-rw /root/.ssh "$AUTH_KEYS" \
+ && sed -i '/session\s\+required\s\+pam_loginuid.so/d' /etc/pam.d/sshd \
+&& true
+
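Review bot: The new `run: podman build … -f test_suite-ubi8` line in the second hunk of automatus-cs8.yaml names a file that this patch does not create: the Dockerfile is added as `Dockerfiles/test_suite-ubi`, and the step runs with `working-directory: ./Dockerfiles`. Unless a `test_suite-ubi8` file already exists outside this patch, the build step will not find its Containerfile and the job will fail before any scan runs. Either change the flag to `-f test_suite-ubi`, or add the file as `Dockerfiles/test_suite-ubi8`, which would also match the "UBI 8" wording in its header comment. The job definition continues outside the hunk.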
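Review bot: The `FROM registry.access.redhat.com/ubi8/ubi:latest` line in the new Dockerfiles/test_suite-ubi tracks a moving tag, so the scan target can change between CI runs with no change in this repository; pinning a UBI 8 tag or digest, e.g. `FROM registry.access.redhat.com/ubi8/ubi:<TAG>@sha256:<DIGEST>` (placeholders), would keep test results comparable. The second `RUN` generates the SSH host keys at build time, so the private keys sit in an image layer and are shared by every container started from the image. A comment such as `# Host keys are baked into the image: use only for throwaway test targets, never publish this image` would record that constraint. The `sed` that deletes the `pam_loginuid.so` session line changes the PAM stack without explanation and deserves a one-line why-comment (presumably it is needed for sshd logins inside a container; confirm).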