# SPDX-License-Identifier: GPL-3.0-or-later
"""Post-install checks: security/system hardening archsetup applies.
Expansion coverage (P4) — these were not in the original shell sweep. They
assert the system-level changes archsetup makes in place: sshd root hardening,
quiet kernel console, an emptied /etc/issue, the console font, and the EFI
mount permission tightening.
"""
import pytest
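@pytest.mark.smoke
@pytest.mark.attribution("archsetup")
def test_sshd_root_prohibit_password(host):
    """Assert the sshd hardening drop-in actively sets PermitRootLogin to prohibit-password.

    Only non-comment directive lines count: a commented-out
    ``# PermitRootLogin prohibit-password`` must not satisfy the check, which
    a plain substring test on the file content would allow.

    Args:
        host: testinfra host fixture.
    """
    conf = host.file("/etc/ssh/sshd_config.d/10-hardening.conf")
    assert conf.exists, "sshd hardening drop-in missing"
    # Tokenise each active line so tab/multi-space separation is accepted.
    # sshd_config keywords are case-insensitive, arguments are case-sensitive.
    directives = [
        ln.split() for ln in conf.content_string.splitlines()
        if ln.strip() and not ln.lstrip().startswith("#")
    ]
    assert any(
        len(fields) >= 2
        and fields[0].lower() == "permitrootlogin"
        and fields[1] == "prohibit-password"
        for fields in directives
    ), "PermitRootLogin prohibit-password not set in sshd hardening drop-in"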
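@pytest.mark.attribution("archsetup")
def test_quiet_printk_sysctl(host):
    """Assert the sysctl drop-in carries an active ``kernel.printk`` setting.

    A commented-out example line must not count, so only real
    ``key = value`` lines are inspected.

    Args:
        host: testinfra host fixture.
    """
    conf = host.file("/etc/sysctl.d/20-quiet-printk.conf")
    assert conf.exists, "quiet-printk sysctl drop-in missing"
    # sysctl.d(5): lines starting with '#' or ';' are comments, and a key may
    # carry a leading '-' (ignore-errors marker) that is not part of its name.
    active_keys = [
        ln.partition("=")[0].strip().lstrip("-")
        for ln in conf.content_string.splitlines()
        if ln.strip() and not ln.lstrip().startswith(("#", ";"))
    ]
    assert "kernel.printk" in active_keys, (
        "kernel.printk not set in quiet-printk sysctl drop-in"
    )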
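@pytest.mark.attribution("archsetup")
def test_issue_emptied(host):
    """Assert /etc/issue exists and has been truncated to zero bytes.

    Args:
        host: testinfra host fixture.
    """
    # archsetup truncates /etc/issue to drop the distro/date banner. Check
    # existence first so a missing file fails with a clear message rather
    # than whatever the file backend reports for the size of an absent path.
    issue = host.file("/etc/issue")
    assert issue.exists, "/etc/issue missing (expected an empty file)"
    assert issue.size == 0, "/etc/issue not emptied"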
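@pytest.mark.attribution("archsetup")
def test_console_font_configured(host):
    """Assert the active ``FONT=`` assignment in /etc/vconsole.conf selects ter-132n.

    Only non-comment ``FONT=`` lines are considered, so a commented-out
    example or a mention in another variable does not satisfy the check.

    Args:
        host: testinfra host fixture.
    """
    conf = host.file("/etc/vconsole.conf")
    assert conf.exists, "/etc/vconsole.conf missing"
    # Strip optional shell-style quoting around the value.
    fonts = [
        ln.strip().partition("=")[2].strip().strip("\"'")
        for ln in conf.content_string.splitlines()
        if ln.strip().startswith("FONT=")
    ]
    assert any("ter-132n" in font for font in fonts), (
        f"console font not ter-132n (FONT values: {fonts!r})"
    )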
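@pytest.mark.attribution("archsetup")
def test_efi_mount_permissions_tightened(host):
    """Assert every /efi vfat entry in fstab carries fmask and dmask options.

    Skips when fstab has no /efi vfat entry at all.

    Args:
        host: testinfra host fixture.
    """
    # archsetup adds fmask/dmask to the /efi vfat line so it isn't world-readable.
    fstab = host.file("/etc/fstab").content_string
    # Split on any whitespace: fstab fields may be tab- or space-separated, so
    # a literal " /efi " substring test would miss tab-aligned entries.
    efi_options = []
    for raw in fstab.splitlines():
        fields = raw.split()
        if not fields or fields[0].startswith("#"):
            continue
        if len(fields) >= 3 and fields[1] == "/efi" and fields[2] == "vfat":
            # An entry with no options field has nothing tightened.
            opts = fields[3].split(",") if len(fields) > 3 else []
            efi_options.append(opts)
    if not efi_options:
        pytest.skip("no /efi vfat line in fstab")
    for opts in efi_options:
        assert any(o.startswith("fmask=") for o in opts), (
            "/efi mount not permission-tightened (fmask= missing)"
        )
        assert any(o.startswith("dmask=") for o in opts), (
            "/efi mount not permission-tightened (dmask= missing)"
        )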