Merge pull request #1985 from 0intro/shadow-offline

evgenyz · web-flow · commit b7f6aa3d0df8 · 2023-06-20T10:57:35.000+02:00
Add offline capabilities to the shadow OVAL probe
diff --git a/src/OVAL/probes/probe-table.c b/src/OVAL/probes/probe-table.c
@@ -329,7 +329,7 @@ static const probe_table_entry_t probe_table[] = {
 	{OVAL_UNIX_RUNLEVEL, NULL, runlevel_probe_main, NULL, runlevel_probe_offline_mode_supported},
 #endif
 #ifdef OPENSCAP_PROBE_UNIX_SHADOW
-	{OVAL_UNIX_SHADOW, NULL, shadow_probe_main, NULL, NULL},
+	{OVAL_UNIX_SHADOW, NULL, shadow_probe_main, NULL, shadow_probe_offline_mode_supported},
 #endif
 #ifdef OPENSCAP_PROBE_UNIX_SYMLINK
 	{OVAL_UNIX_SYMLINK, NULL, symlink_probe_main, NULL, symlink_probe_offline_mode_supported},
diff --git a/src/OVAL/probes/unix/shadow_probe.c b/src/OVAL/probes/unix/shadow_probe.c
@@ -177,36 +177,62 @@ static void report_finding(struct result_info *res, probe_ctx *ctx)
         SEXP_free_r(&se_flg_mem);
 }
 
+static void _process_struct_shadow(struct spwd *sp, SEXP_t *un_ent, probe_ctx *ctx)
+{
+        SEXP_t *un;
+        struct result_info r;
+
+	dI("Have user: %s", sp->sp_namp);
+	un = SEXP_string_newf("%s", sp->sp_namp);
+	if (probe_entobj_cmp(un_ent, un) != OVAL_RESULT_TRUE) {
+		SEXP_free(un);
+		return;
+	}
+
+	r.username = sp->sp_namp;
+	r.password = sp->sp_pwdp;
+	r.chg_lst = sp->sp_lstchg;
+	r.chg_allow = sp->sp_min;
+	r.chg_req = sp->sp_max;
+	r.exp_warn = sp->sp_warn;
+	r.exp_inact = sp->sp_inact;
+	r.exp_date = sp->sp_expire;
+	r.flag = sp->sp_flag;
+
+	report_finding(&r, ctx);
+        SEXP_free(un);
+}
+
 static int read_shadow(SEXP_t *un_ent, probe_ctx *ctx)
 {
-	int err = 1;
-	struct spwd *pw;
-
-	while ((pw = getspent())) {
-		SEXP_t *un;
-
-		dI("Have user: %s", pw->sp_namp);
-		err = 0;
-		un = SEXP_string_newf("%s", pw->sp_namp);
-		if (probe_entobj_cmp(un_ent, un) == OVAL_RESULT_TRUE) {
-			struct result_info r;
-
-			r.username = pw->sp_namp;
-			r.password = pw->sp_pwdp;
-			r.chg_lst = pw->sp_lstchg;
-			r.chg_allow = pw->sp_min;
-			r.chg_req = pw->sp_max;
-			r.exp_warn = pw->sp_warn;
-			r.exp_inact = pw->sp_inact;
-			r.exp_date = pw->sp_expire;
-			r.flag = pw->sp_flag;
-
-			report_finding(&r, ctx);
+	struct spwd *sp;
+
+	if (ctx->offline_mode & PROBE_OFFLINE_OWN) {
+		const char *root = getenv("OSCAP_PROBE_ROOT");
+		char *shadow_file_path = oscap_path_join(root, "/etc/shadow");
+		FILE *fp = fopen(shadow_file_path, "r");
+		if (fp == NULL) {
+			free(shadow_file_path);
+			return 1;
 		}
-		SEXP_free(un);
+		while ((sp = fgetspent(fp))) {
+			_process_struct_shadow(sp, un_ent, ctx);
+		}
+		fclose(fp);
+		free(shadow_file_path);
+	} else {
+		while ((sp = getspent())) {
+			_process_struct_shadow(sp, un_ent, ctx);
+		}
+		endspent();
 	}
-	endspent();
-	return err;
+
+	return 0;
+}
+
+int shadow_probe_offline_mode_supported()
+{
+	return PROBE_OFFLINE_OWN;
 }
 
 int shadow_probe_main(probe_ctx *ctx, void *arg)
diff --git a/src/OVAL/probes/unix/shadow_probe.h b/src/OVAL/probes/unix/shadow_probe.h
@@ -25,6 +25,7 @@
 
 #include "probe-api.h"
 
+int shadow_probe_offline_mode_supported(void);
 int shadow_probe_main(probe_ctx *ctx, void *arg);
 
 #endif /* OPENSCAP_SHADOW_PROBE_H */
diff --git a/tests/probes/shadow/CMakeLists.txt b/tests/probes/shadow/CMakeLists.txt
@@ -1,3 +1,4 @@
 if(ENABLE_PROBES_UNIX)
 	add_oscap_test("test_probes_shadow.sh")
+	add_oscap_test("test_probes_shadow_offline.sh")
 endif()
diff --git a/tests/probes/shadow/test_probes_shadow_offline.sh b/tests/probes/shadow/test_probes_shadow_offline.sh
@@ -0,0 +1,57 @@
+#!/usr/bin/env bash
+
+# Copyright 2009 Red Hat Inc., Durham, North Carolina.
+# All Rights Reserved.
+#
+# OpenScap Probes Test Suite.
+#
+# Created on: Nov 30, 2009
+#
+# Authors:
+#      Peter Vrabec, <pvrabec@redhat.com>
+#      David Niemoller
+#      Ondrej Moris, <omoris@redhat.com>
+
+. $builddir/tests/test_common.sh
+
+set -e -o pipefail
+
+# Test Cases.
+
+function test_probes_shadow {
+
+    probecheck "shadow" || return 255
+
+    local ret_val=0;
+    local DF="${srcdir}/test_probes_shadow_offline.xml"
+    local RF="results.xml"
+
+    [ -f $RF ] && rm -f $RF
+
+    tmpdir=$(make_temp_dir /tmp "test_offline_mode_shadow")
+    mkdir -p "${tmpdir}/etc"
+    echo "root:!locked::0:99999:7:::" > "${tmpdir}/etc/shadow"
+    set_chroot_offline_test_mode "${tmpdir}"
+
+    $OSCAP oval eval --results $RF $DF
+
+    unset_chroot_offline_test_mode
+    rm -rf "${tmpdir}"
+
+    if [ -f $RF ]; then
+	verify_results "def" $DF $RF 1 && verify_results "tst" $DF $RF $LINES
+	ret_val=$?
+    else
+	ret_val=1
+    fi
+
+    return $ret_val
+}
+
+# Testing.
+
+test_init
+
+test_run "test_probes_shadow" test_probes_shadow
+
+test_exit
diff --git a/tests/probes/shadow/test_probes_shadow_offline.xml b/tests/probes/shadow/test_probes_shadow_offline.xml
@@ -0,0 +1,54 @@
+<?xml version="1.0"?>
+<oval_definitions xmlns:oval-def="http://oval.mitre.org/XMLSchema/oval-definitions-5" xmlns:oval="http://oval.mitre.org/XMLSchema/oval-common-5" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:ind-def="http://oval.mitre.org/XMLSchema/oval-definitions-5#independent" xmlns:unix-def="http://oval.mitre.org/XMLSchema/oval-definitions-5#unix" xmlns:lin-def="http://oval.mitre.org/XMLSchema/oval-definitions-5#linux" xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5" xsi:schemaLocation="http://oval.mitre.org/XMLSchema/oval-definitions-5#unix unix-definitions-schema.xsd http://oval.mitre.org/XMLSchema/oval-definitions-5#independent independent-definitions-schema.xsd http://oval.mitre.org/XMLSchema/oval-definitions-5#linux linux-definitions-schema.xsd http://oval.mitre.org/XMLSchema/oval-definitions-5 oval-definitions-schema.xsd http://oval.mitre.org/XMLSchema/oval-common-5 oval-common-schema.xsd">
+
+      <generator>
+            <oval:product_name>shadow</oval:product_name>
+            <oval:product_version>1.0</oval:product_version>
+            <oval:schema_version>5.4</oval:schema_version>
+            <oval:timestamp>2008-03-31T00:00:00-00:00</oval:timestamp>
+      </generator>
+
+  <definitions>
+
+    <definition class="compliance" version="1" id="oval:1:def:1">  <!-- comment="true" -->
+      <metadata>
+        <title></title>
+        <description></description>
+      </metadata>
+      <criteria>
+        <criteria operator="AND">
+          <criterion test_ref="oval:1:tst:1"/>
+        </criteria>
+      </criteria>
+    </definition>
+
+  </definitions>
+
+  <tests>
+
+    <shadow_test version="1" id="oval:1:tst:1" check="all" comment="true" xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5#unix">
+      <object object_ref="oval:1:obj:1"/>
+      <state state_ref="oval:1:ste:1"/>
+    </shadow_test>
+  </tests>
+
+  <objects>
+    <shadow_object version="1" id="oval:1:obj:1" xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5#unix">
+      <username>root</username>
+    </shadow_object>
+  </objects>
+
+  <states>
+    <shadow_state version="1" id="oval:1:ste:1" xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5#unix">
+      <username>root</username>
+      <password>!locked</password>
+      <chg_lst datatype="int">-1</chg_lst>
+      <chg_allow datatype="int">0</chg_allow>
+      <chg_req datatype="int">99999</chg_req>
+      <exp_warn datatype="int">7</exp_warn>
+      <exp_inact datatype="int">-1</exp_inact>
+      <exp_date datatype="int">-1</exp_date>
+    </shadow_state>
+  </states>
+
+</oval_definitions>
