Implement possibility to scan by sudoers.

- The remote scanning dialog got a "user is sudoer" checkbox.
- Dry run can make use of sudo in connection with oscap-ssh.
- The scanning procedure uses sudo invocation as part of the ssh command.

Author: matejak

include/OscapScannerRemoteSsh.h

@@ -36,6 +36,7 @@ class OscapScannerRemoteSsh : public OscapScannerBase
         OscapScannerRemoteSsh();
         virtual ~OscapScannerRemoteSsh();
 
+        void setUserIsSudoer(bool userIsSudoer);
         virtual void setTarget(const QString& target);
         virtual void setSession(ScanningSession* session);
 
@@ -57,6 +58,7 @@ class OscapScannerRemoteSsh : public OscapScannerBase
         void removeRemoteDirectory(const QString& path, const QString& desc);
 
         SshConnection mSshConnection;
+        bool mUserIsSudoer;
 };
 
 #endif

include/RemoteMachineComboBox.h

@@ -44,6 +44,7 @@ class RemoteMachineComboBox : public QWidget
 
         void setRecentMachineCount(unsigned int count);
         unsigned int getRecentMachineCount() const;
+        bool userIsSudoer() const;
 
     public slots:
         void notifyTargetUsed(const QString& target);
@@ -65,6 +66,7 @@ class RemoteMachineComboBox : public QWidget
 
         QStringList mRecentTargets;
         QComboBox* mRecentComboBox;
+        QCheckBox* mUserIsSudoer;
 };
 
 #endif

src/MainWindow.cpp

@@ -678,6 +678,7 @@ void MainWindow::scanAsync(ScannerMode scannerMode)
     // In the OscapScannerRemoteSsh class the port will be parsed out again...
     const QString target = mUI.localMachineRadioButton->isChecked() ?
         "localhost" : mUI.remoteMachineDetails->getTarget();
+    const bool userIsSudoer = mUI.remoteMachineDetails->userIsSudoer();
 
     bool fetchRemoteResources = mUI.fetchRemoteResourcesCheckbox->isChecked();
     try
@@ -689,7 +690,10 @@ void MainWindow::scanAsync(ScannerMode scannerMode)
             if (target == "localhost")
                 mScanner = new OscapScannerLocal();
             else
+            {
                 mScanner = new OscapScannerRemoteSsh();
+                ((OscapScannerRemoteSsh *)mScanner)->setUserIsSudoer(userIsSudoer);
+            }
 
             mScanner->setTarget(target);
 

src/OscapScannerRemoteSsh.cpp

@@ -37,7 +37,8 @@ extern "C"
 
 OscapScannerRemoteSsh::OscapScannerRemoteSsh():
     OscapScannerBase(),
-    mSshConnection(this)
+    mSshConnection(this),
+    mUserIsSudoer(false)
 {
     mSshConnection.setCancelRequestSource(&mCancelRequested);
 }
@@ -87,6 +88,11 @@ void OscapScannerRemoteSsh::setTarget(const QString& target)
     mSshConnection.setPort(port);
 }
 
+void OscapScannerRemoteSsh::setUserIsSudoer(bool userIsSudoer)
+{
+    mUserIsSudoer = userIsSudoer;
+}
+
 void OscapScannerRemoteSsh::setSession(ScanningSession* session)
 {
     OscapScannerBase::setSession(session);
@@ -99,6 +105,10 @@ void OscapScannerRemoteSsh::setSession(ScanningSession* session)
 QStringList OscapScannerRemoteSsh::getCommandLineArgs() const
 {
     QStringList args("oscap-ssh");
+    if (mUserIsSudoer)
+    {
+	    args.append("--sudo");
+    }
     args.append(mSshConnection.getTarget());
     args.append(QString::number(mSshConnection.getPort()));
 
@@ -235,28 +245,34 @@ void OscapScannerRemoteSsh::evaluate()
 
     if (mScannerMode == SM_OFFLINE_REMEDIATION)
     {
-        args = buildOfflineRemediationArgs(inputFile,
+        args.append(buildOfflineRemediationArgs(inputFile,
                 resultFile,
                 reportFile,
-                arfFile);
+                arfFile));
     }
     else
     {
-        args = buildEvaluationArgs(inputFile,
+        args.append(buildEvaluationArgs(inputFile,
                 tailoringFile,
                 resultFile,
                 reportFile,
                 arfFile,
-                mScannerMode == SM_SCAN_ONLINE_REMEDIATION);
+                mScannerMode == SM_SCAN_ONLINE_REMEDIATION));
     }
 
     const QString sshCmd = args.join(" ");
 
     emit infoMessage(QObject::tr("Starting the remote process..."));
 
     QProcess process(this);
+    QString sudo;
+    if (mUserIsSudoer)
+    {
+	    // tell sudo not to bother to read password from the terminal
+	    sudo = " sudo -n";
+    }
 
-    process.start(SCAP_WORKBENCH_LOCAL_SSH_PATH, baseArgs + QStringList(QString("cd '%1'; " SCAP_WORKBENCH_REMOTE_OSCAP_PATH " %2").arg(workingDir).arg(sshCmd)));
+    process.start(SCAP_WORKBENCH_LOCAL_SSH_PATH, baseArgs + QStringList(QString("cd '%1';" "%2 " SCAP_WORKBENCH_REMOTE_OSCAP_PATH " %3").arg(workingDir).arg(sudo).arg(sshCmd)));
     process.waitForStarted();
 
     if (process.state() != QProcess::Running)

src/RemoteMachineComboBox.cpp

@@ -41,6 +41,8 @@ RemoteMachineComboBox::RemoteMachineComboBox(QWidget* parent):
         this, SLOT(updateHostPort(int))
     );
 
+    mUserIsSudoer = mUI.userIsSudoer;
+
     setRecentMachineCount(5);
     syncFromQSettings();
 
@@ -51,6 +53,11 @@ RemoteMachineComboBox::~RemoteMachineComboBox()
     delete mQSettings;
 }
 
+bool RemoteMachineComboBox::userIsSudoer() const
+{
+    return mUserIsSudoer->isChecked();
+}
+
 QString RemoteMachineComboBox::getTarget() const
 {
     return QString("%1:%2").arg(mUI.host->text()).arg(mUI.port->value());

ui/RemoteMachineComboBox.ui

@@ -6,15 +6,24 @@
    <rect>
     <x>0</x>
     <y>0</y>
-    <width>553</width>
-    <height>29</height>
+    <width>609</width>
+    <height>42</height>
    </rect>
   </property>
   <property name="windowTitle">
    <string>RemoteMachineComboBox</string>
   </property>
   <layout class="QHBoxLayout" name="horizontalLayout">
-   <property name="margin">
+   <property name="leftMargin">
+    <number>0</number>
+   </property>
+   <property name="topMargin">
+    <number>0</number>
+   </property>
+   <property name="rightMargin">
+    <number>0</number>
+   </property>
+   <property name="bottomMargin">
     <number>0</number>
    </property>
    <item>
@@ -73,8 +82,17 @@
    </item>
    <item>
     <widget class="QSpinBox" name="port">
+     <property name="enabled">
+      <bool>true</bool>
+     </property>
+     <property name="sizePolicy">
+      <sizepolicy hsizetype="Minimum" vsizetype="Fixed">
+       <horstretch>0</horstretch>
+       <verstretch>0</verstretch>
+      </sizepolicy>
+     </property>
      <property name="buttonSymbols">
-      <enum>QAbstractSpinBox::UpDownArrows</enum>
+      <enum>QAbstractSpinBox::NoButtons</enum>
      </property>
      <property name="minimum">
       <number>1</number>
@@ -87,6 +105,16 @@
      </property>
     </widget>
    </item>
+   <item>
+    <widget class="QCheckBox" name="userIsSudoer">
+     <property name="toolTip">
+      <string>Check if the remote user doesn't have root privileges, but they can perform administrative tasks using paswordless sudo.</string>
+     </property>
+     <property name="text">
+      <string>user is sudoer</string>
+     </property>
+    </widget>
+   </item>
    <item>
     <widget class="QComboBox" name="recentComboBox">
      <property name="sizePolicy">