diff --git a/.github/workflows/automatus-cs8.yaml b/.github/workflows/automatus-cs8.yaml index 9917af66f22..572013aea9c 100644 --- a/.github/workflows/automatus-cs8.yaml +++ b/.github/workflows/automatus-cs8.yaml @@ -1,4 +1,4 @@ -name: Automatus CS8 +name: Automatus UBI8 on: pull_request: branches: [ master, 'stabilization*' ] @@ -92,7 +92,7 @@ jobs: run: ssh-keygen -N '' -t rsa -f ~/.ssh/id_rsa - name: Build test suite container if: ${{ steps.ctf.outputs.CTF_OUTPUT_SIZE != '0' }} - run: podman build --build-arg "CLIENT_PUBLIC_KEY=$(cat ~/.ssh/id_rsa.pub)" -t ssg_test_suite -f test_suite-cs8 + run: podman build --build-arg "CLIENT_PUBLIC_KEY=$(cat ~/.ssh/id_rsa.pub)" -t ssg_test_suite -f test_suite-ubi8 working-directory: ./Dockerfiles - name: Get oscap-ssh if: ${{ steps.ctf.outputs.CTF_OUTPUT_SIZE != '0' }} diff --git a/Dockerfiles/test_suite-ubi b/Dockerfiles/test_suite-ubi new file mode 100644 index 00000000000..41b373aa949 --- /dev/null +++ b/Dockerfiles/test_suite-ubi @@ -0,0 +1,24 @@ +# This Dockerfile is a minimal example for a Red Hat UBI 8 Automatus test suite target container. +FROM registry.access.redhat.com/ubi8/ubi:latest + +ENV AUTH_KEYS=/root/.ssh/authorized_keys + +ARG CLIENT_PUBLIC_KEY +ARG ADDITIONAL_PACKAGES + +# Install Python so Ansible remediations can work +# Don't clean all, as the test scenario may require package install. +RUN true \ + && yum install -y openssh-clients openssh-server openscap-scanner \ + python39 \ + $ADDITIONAL_PACKAGES \ + && true + +RUN true \ + && for key_type in rsa ecdsa; do ssh-keygen -N '' -t $key_type -f /etc/ssh/ssh_host_${key_type}_key; done \ + && mkdir -p /root/.ssh \ + && printf "%s\n" "$CLIENT_PUBLIC_KEY" >> "$AUTH_KEYS" \ + && chmod og-rw /root/.ssh "$AUTH_KEYS" \ + && sed -i '/session\s\+required\s\+pam_loginuid.so/d' /etc/pam.d/sshd \ +&& true +