ComplianceAsCode / content

Security automation content in SCAP, Bash, Ansible, and other formats
https://complianceascode.readthedocs.io/en/latest/

CLI Segmentation Fault running DISA IASE XCCDF #3207

Closed boydhako closed 2 years ago

boydhako commented 6 years ago

Description of problem:

Using the oscap command results in a segmentation fault when using the DISA IASE XCCDF benchmark.

SCAP Security Guide Version:

OpenSCAP command line tool (oscap) 1.2.16
Copyright 2009--2017 Red Hat Inc., Durham, North Carolina.

==== Supported specifications ====
XCCDF Version: 1.2
OVAL Version: 5.11.1
CPE Version: 2.3
CVSS Version: 2.0
CVE Version: 2.0
Asset Identification Version: 1.1
Asset Reporting Format Version: 1.1
CVRF Version: 1.1

==== Capabilities added by auto-loaded plugins ====
No plugins have been auto-loaded...

==== Paths ====
Schema files: /usr/share/openscap/schemas
Default CPE files: /usr/share/openscap/cpe
Probes: /usr/libexec/openscap

==== Inbuilt CPE names ====
Red Hat Enterprise Linux - cpe:/o:redhat:enterprise_linux
Red Hat Enterprise Linux 5 - cpe:/o:redhat:enterprise_linux:5
Red Hat Enterprise Linux 6 - cpe:/o:redhat:enterprise_linux:6
Red Hat Enterprise Linux 7 - cpe:/o:redhat:enterprise_linux:7
Oracle Linux 5 - cpe:/o:oracle:linux:5
Oracle Linux 6 - cpe:/o:oracle:linux:6
Oracle Linux 7 - cpe:/o:oracle:linux:7
Community Enterprise Operating System 5 - cpe:/o:centos:centos:5
Community Enterprise Operating System 6 - cpe:/o:centos:centos:6
Community Enterprise Operating System 7 - cpe:/o:centos:centos:7
Scientific Linux 5 - cpe:/o:scientificlinux:scientificlinux:5
Scientific Linux 6 - cpe:/o:scientificlinux:scientificlinux:6
Scientific Linux 7 - cpe:/o:scientificlinux:scientificlinux:7
Fedora 16 - cpe:/o:fedoraproject:fedora:16
Fedora 17 - cpe:/o:fedoraproject:fedora:17
Fedora 18 - cpe:/o:fedoraproject:fedora:18
Fedora 19 - cpe:/o:fedoraproject:fedora:19
Fedora 20 - cpe:/o:fedoraproject:fedora:20
Fedora 21 - cpe:/o:fedoraproject:fedora:21
Fedora 22 - cpe:/o:fedoraproject:fedora:22
Fedora 23 - cpe:/o:fedoraproject:fedora:23
Fedora 24 - cpe:/o:fedoraproject:fedora:24
Fedora 25 - cpe:/o:fedoraproject:fedora:25
Fedora 26 - cpe:/o:fedoraproject:fedora:26
Fedora 27 - cpe:/o:fedoraproject:fedora:27
Fedora 28 - cpe:/o:fedoraproject:fedora:28
SUSE Linux Enterprise all versions - cpe:/o:suse:sle
SUSE Linux Enterprise Server 10 - cpe:/o:suse:sles:10
SUSE Linux Enterprise Desktop 10 - cpe:/o:suse:sled:10
SUSE Linux Enterprise Server 11 - cpe:/o:suse:linux_enterprise_server:11
SUSE Linux Enterprise Desktop 11 - cpe:/o:suse:linux_enterprise_desktop:11
SUSE Linux Enterprise Server 12 - cpe:/o:suse:sles:12
SUSE Linux Enterprise Desktop 12 - cpe:/o:suse:sled:12
openSUSE 11.4 - cpe:/o:opensuse:opensuse:11.4
openSUSE 13.1 - cpe:/o:opensuse:opensuse:13.1
openSUSE 13.2 - cpe:/o:opensuse:opensuse:13.2
openSUSE 42.1 - cpe:/o:novell:leap:42.1
openSUSE 42.2 - cpe:/o:novell:leap:42.2
openSUSE All Versions - cpe:/o:opensuse:opensuse
Red Hat Enterprise Linux Optional Productivity Applications - cpe:/a:redhat:rhel_productivity
Red Hat Enterprise Linux Optional Productivity Applications 5 - cpe:/a:redhat:rhel_productivity:5
Wind River Linux all versions - cpe:/o:windriver:wrlinux
Wind River Linux 8 - cpe:/o:windriver:wrlinux:8

==== Supported OVAL objects and associated OpenSCAP probes ====
OVAL family   OVAL object                  OpenSCAP probe              
----------    ----------                   ----------                  
(null)        system_info                  probe_system_info           
independent   family                       probe_family                
independent   filehash                     probe_filehash              
independent   environmentvariable          probe_environmentvariable   
independent   textfilecontent54            probe_textfilecontent54     
independent   textfilecontent              probe_textfilecontent       
independent   variable                     probe_variable              
independent   xmlfilecontent               probe_xmlfilecontent        
independent   environmentvariable58        probe_environmentvariable58 
independent   filehash58                   probe_filehash58            
linux         inetlisteningservers         probe_inetlisteningservers  
linux         rpminfo                      probe_rpminfo               
linux         partition                    probe_partition             
linux         iflisteners                  probe_iflisteners           
linux         rpmverify                    probe_rpmverify             
linux         rpmverifyfile                probe_rpmverifyfile         
linux         rpmverifypackage             probe_rpmverifypackage      
linux         selinuxboolean               probe_selinuxboolean        
linux         selinuxsecuritycontext       probe_selinuxsecuritycontext
linux         systemdunitproperty          probe_systemdunitproperty   
linux         systemdunitdependency        probe_systemdunitdependency 
unix          file                         probe_file                  
unix          interface                    probe_interface             
unix          password                     probe_password              
unix          process                      probe_process               
unix          runlevel                     probe_runlevel              
unix          shadow                       probe_shadow                
unix          uname                        probe_uname                 
unix          xinetd                       probe_xinetd                
unix          sysctl                       probe_sysctl                
unix          process58                    probe_process58             
unix          fileextendedattribute        probe_fileextendedattribute 
unix          routingtable                 probe_routingtable          
unix          symlink                      probe_symlink               

Operating System Version:
NAME="Red Hat Enterprise Linux Workstation"
VERSION="7.5 (Maipo)"
ID="rhel"
ID_LIKE="fedora"
VARIANT="Workstation"
VARIANT_ID="workstation"
VERSION_ID="7.5"
PRETTY_NAME="Red Hat Enterprise Linux"
ANSI_COLOR="0;31"
CPE_NAME="cpe:/o:redhat:enterprise_linux:7.5:GA:workstation"
HOME_URL="https://www.redhat.com/"
BUG_REPORT_URL="https://bugzilla.redhat.com/"

REDHAT_BUGZILLA_PRODUCT="Red Hat Enterprise Linux 7"
REDHAT_BUGZILLA_PRODUCT_VERSION=7.5
REDHAT_SUPPORT_PRODUCT="Red Hat Enterprise Linux"
REDHAT_SUPPORT_PRODUCT_VERSION="7.5"

Steps to Reproduce:

  1. Extract XCCDF from DISA IASE for RHEL7; https://iasecontent.disa.mil/stigs/zip/U_Red_Hat_Enterprise_Linux_7_V1R2_STIG_SCAP_1-2_Benchmark.zip

  2. Run oscap xccdf eval --profile xccdf_mil.disa.stig_profile_MAC-2_Sensitive --results oscap-results-xccdf.xml --stig-viewer oscap-results-xccdf-stig-viewer.xml --oval-results --check-engine-results --fetch-remote-resources --verbose-log-file oscap-xccdf-eval-$(date +%F_%H%M%S).log --verbose DEVEL ./U_Red_Hat_Enterprise_Linux_7_V1R2_STIG_SCAP_1-2_Benchmark.xml

Actual Results:

Last output before seg fault dump

Title The system must ignore Internet Protocol version 4 (IPv4) Internet Control Message Protocol (ICMP) redirect messages. Rule xccdf_mil.disa.stig_rule_SV-87827r3_rule Ident CCE-80158-9 Ident CCI-000366 Result pass

Segmentation fault (core dumped)

Expected Results:

... not a segmentation fault ...

Additional Information/Debugging Steps:

# Tailing end of verbose DEVEL log output. 

I: probe_sysctl: MIB: vm.percpu_pagelist_fraction [probe_sysctl(22403):probe_worker(7f5849d3a700):sysctl.c:141:probe_main]
I: probe_sysctl: MIB: vm.stat_interval [probe_sysctl(22403):probe_worker(7f5849d3a700):sysctl.c:141:probe_main]
I: probe_sysctl: MIB: vm.swappiness [probe_sysctl(22403):probe_worker(7f5849d3a700):sysctl.c:141:probe_main]
I: probe_sysctl: MIB: vm.user_reserve_kbytes [probe_sysctl(22403):probe_worker(7f5849d3a700):sysctl.c:141:probe_main]
I: probe_sysctl: MIB: vm.vfs_cache_pressure [probe_sysctl(22403):probe_worker(7f5849d3a700):sysctl.c:141:probe_main]
I: probe_sysctl: MIB: vm.zone_reclaim_mode [probe_sysctl(22403):probe_worker(7f5849d3a700):sysctl.c:141:probe_main]
D: probe_sysctl: NOP [probe_sysctl(22403):probe_worker(7f5849d3a700):icache.c:404:probe_icache_nop]
D: probe_sysctl: Signaling `notempty' [probe_sysctl(22403):probe_worker(7f5849d3a700):icache.c:429:probe_icache_nop]
D: probe_sysctl: Waiting for icache worker to handle the NOP [probe_sysctl(22403):probe_worker(7f5849d3a700):icache.c:439:probe_icache_nop]
I: probe_sysctl: Extracting item from the cache queue: cnt=1, beg=19 [probe_sysctl(22403):icache_worker(7f584b53d700):icache.c:198:probe_icache_worker]
D: probe_sysctl: Signaling `notfull' [probe_sysctl(22403):icache_worker(7f584b53d700):icache.c:217:probe_icache_worker]
D: probe_sysctl: Handling NOP [probe_sysctl(22403):icache_worker(7f584b53d700):icache.c:239:probe_icache_worker]
D: probe_sysctl: Sync [probe_sysctl(22403):probe_worker(7f5849d3a700):icache.c:447:probe_icache_nop]
D: probe_sysctl: old flag: 0, new flag: 2. [probe_sysctl(22403):probe_worker(7f5849d3a700):probe-api.c:689:probe_cobj_set_flag]
D: probe_sysctl: handler result = 0x7f583c0008c0, return code = 0 [probe_sysctl(22403):probe_worker(7f5849d3a700):worker.c:58:probe_worker_runfn]
D: probe_sysctl: probe thread deleted [probe_sysctl(22403):probe_worker(7f5849d3a700):worker.c:77:probe_worker_runfn]
D: probe_sysctl: Sorting blocks & building iterator array [probe_sysctl(22403):probe_worker(7f5849d3a700):sexp-manip.c:1402:SEXP_list_sort]
D: probe_sysctl: Iterator count = 1 [probe_sysctl(22403):probe_worker(7f5849d3a700):sexp-manip.c:1429:SEXP_list_sort]
D: probe_sysctl: cnt = 0 [probe_sysctl(22403):probe_worker(7f5849d3a700):seap-message.c:138:SEAP_msgattr_exists]
D: probe_sysctl: no-reply not set: sending full reply [probe_sysctl(22403):probe_worker(7f5849d3a700):seap.c:480:SEAP_reply]
D: probe_sysctl: MSG -> SEXP [probe_sysctl(22403):probe_worker(7f5849d3a700):seap-packet.c:261:SEAP_packet_msg2sexp]
D: probe_sysctl: ("seap.msg" ":id" 9 ":reply-id" 9 (2 () ((("sysctl_item" ":id" "12240310" ) ("name" "net.ipv4.conf.all.accept_redirects" ) ("value" "0" ) ) ) () ) ) [probe_sysctl(22403):probe_worker(7f5849d3a700):seap-packet.c:262:SEAP_packet_msg2sexp]
D: probe_sysctl: packet size: 1087 [probe_sysctl(22403):probe_worker(7f5849d3a700):seap-packet.c:263:SEAP_packet_msg2sexp]
D: probe_sysctl: total I/O vectors = 1 [probe_sysctl(22403):probe_worker(7f5849d3a700):strbuf.c:294:strbuf_write]
D: probe_sysctl: iot (1) < IOV_MAX (1024) [probe_sysctl(22403):probe_worker(7f5849d3a700):strbuf.c:305:strbuf_write]
D: probe_sysctl: ioc = 1 [probe_sysctl(22403):probe_worker(7f5849d3a700):strbuf.c:321:strbuf_write]
D: probe_sysctl: total bytes written: 155 [probe_sysctl(22403):probe_worker(7f5849d3a700):strbuf.c:338:strbuf_write]
D: probe_sysctl: name=reply-id, value=0x7f583c002690 [probe_sysctl(22403):probe_worker(7f5849d3a700):seap-message.c:76:SEAP_msg_free]
D: oscap:       return from select [oscap(19865):oscap(7f90c1b3f840):seap-packet.c:637:SEAP_packet_recv]
D: oscap:       Received packet [oscap(19865):oscap(7f90c1b3f840):seap-packet.c:902:SEAP_packet_recv]
D: oscap: ("seap.msg" ":id" 9 ":reply-id" 9 (2 () ((("sysctl_item" ":id" "12240310" ) ("name" "net.ipv4.conf.all.accept_redirects" ) ("value" "0" ) ) ) () ) ) [oscap(19865):oscap(7f90c1b3f840):seap-packet.c:903:SEAP_packet_recv]
D: oscap:       packet size: 1074 [oscap(19865):oscap(7f90c1b3f840):seap-packet.c:904:SEAP_packet_recv]
D: oscap:       Message received. [oscap(19865):oscap(7f90c1b3f840):oval_probe_ext.c:586:oval_probe_comm]
D: oscap:       name=(null), value=0x562c5b6ec050 [oscap(19865):oscap(7f90c1b3f840):seap-message.c:76:SEAP_msg_free]
D: oscap:       Syschar entry type: 13012 'sysctl' => decoded OK [oscap(19865):oscap(7f90c1b3f840):oval_sexp.c:954:oval_sexp_to_sysitem]
I: oscap:       State 'oval:mil.disa.stig.rhel7:ste:2168' references external_variable 'oval:mil.disa.stig.rhel7:var:3770'. [oscap(19865):oscap(7f90c1b3f840):oval_probe.c:372:oval_probe_query_var_ref]
I: oscap:       Querying variable 'oval:mil.disa.stig.rhel7:var:3770'. [oscap(19865):oscap(7f90c1b3f840):oval_variable.c:527:oval_probe_query_variable]
I: oscap:       Variable 'oval:mil.disa.stig.rhel7:var:3770' is not local, skipping. [oscap(19865):oscap(7f90c1b3f840):oval_variable.c:530:oval_probe_query_variable]
I: oscap:       Variable 'oval:mil.disa.stig.rhel7:var:3770' has values "0". [oscap(19865):oscap(7f90c1b3f840):oval_variable.c:512:_dump_variable_values]
I: oscap:       Test 'oval:mil.disa.stig.rhel7:tst:320' requires that every object defined by 'oval:mil.disa.stig.rhel7:obj:2167' exists on the system. [oscap(19865):oscap(7f90c1b3f840):oval_resultTest.c:813:_oval_result_test_evaluate_items]
I: oscap:       1 objects defined by 'oval:mil.disa.stig.rhel7:obj:2167' exist on the system. [oscap(19865):oscap(7f90c1b3f840):oval_resultTest.c:831:_oval_result_test_evaluate_items]
I: oscap:       All items matching object 'oval:mil.disa.stig.rhel7:obj:2167' were collected. (flag=complete) [oscap(19865):oscap(7f90c1b3f840):oval_resultTest.c:876:_oval_result_test_evaluate_items]
I: oscap:       In test 'oval:mil.disa.stig.rhel7:tst:320' all of the collected items must satisfy these states: 'oval:mil.disa.stig.rhel7:ste:2168'. [oscap(19865):oscap(7f90c1b3f840):oval_resultTest.c:640:eval_check_state]
I: oscap:       Entity 'value'='0' of item '12240310' matches corresponding entity in state 'oval:mil.disa.stig.rhel7:ste:2168'. [oscap(19865):oscap(7f90c1b3f840):oval_resultTest.c:565:eval_item]
I: oscap:       Item '12240310' compared to state 'oval:mil.disa.stig.rhel7:ste:2168' with result true. [oscap(19865):oscap(7f90c1b3f840):oval_resultTest.c:597:eval_item]
I: oscap:     Test 'oval:mil.disa.stig.rhel7:tst:320' evaluated as true. [oscap(19865):oscap(7f90c1b3f840):oval_resultTest.c:1073:oval_result_test_eval]
I: oscap:   Definition 'oval:mil.disa.stig.rhel7:def:250' evaluated as true. [oscap(19865):oscap(7f90c1b3f840):oval_resultDefinition.c:163:oval_result_definition_eval]
I: oscap: Definition 'oval:mil.disa.stig.rhel7:def:248' evaluated as true. [oscap(19865):oscap(7f90c1b3f840):oval_resultDefinition.c:163:oval_result_definition_eval]
D: oscap: rbt_str_add: non-zero return code [oscap(19865):oscap(7f90c1b3f840):oval_string_map.c:211:oval_string_map_put]
D: oscap: rbt_str_add: non-zero return code [oscap(19865):oscap(7f90c1b3f840):oval_string_map.c:211:oval_string_map_put]
D: oscap: rbt_str_add: non-zero return code [oscap(19865):oscap(7f90c1b3f840):oval_string_map.c:211:oval_string_map_put]
D: oscap: rbt_str_add: non-zero return code [oscap(19865):oscap(7f90c1b3f840):oval_string_map.c:211:oval_string_map_put]
D: oscap: rbt_str_add: non-zero return code [oscap(19865):oscap(7f90c1b3f840):oval_string_map.c:211:oval_string_map_put]
D: oscap: rbt_str_add: non-zero return code [oscap(19865):oscap(7f90c1b3f840):oval_string_map.c:211:oval_string_map_put]
D: oscap: rbt_str_add: non-zero return code [oscap(19865):oscap(7f90c1b3f840):oval_string_map.c:211:oval_string_map_put]
D: oscap: rbt_str_add: non-zero return code [oscap(19865):oscap(7f90c1b3f840):oval_string_map.c:211:oval_string_map_put]
D: oscap: rbt_str_add: non-zero return code [oscap(19865):oscap(7f90c1b3f840):oval_string_map.c:211:oval_string_map_put]
D: oscap: rbt_str_add: non-zero return code [oscap(19865):oscap(7f90c1b3f840):oval_string_map.c:211:oval_string_map_put]
D: oscap: rbt_str_add: non-zero return code [oscap(19865):oscap(7f90c1b3f840):oval_string_map.c:211:oval_string_map_put]
D: oscap: rbt_str_add: non-zero return code [oscap(19865):oscap(7f90c1b3f840):oval_string_map.c:211:oval_string_map_put]
D: oscap: rbt_str_add: non-zero return code [oscap(19865):oscap(7f90c1b3f840):oval_string_map.c:211:oval_string_map_put]
D: oscap: rbt_str_add: non-zero return code [oscap(19865):oscap(7f90c1b3f840):oval_string_map.c:211:oval_string_map_put]
D: oscap: rbt_str_add: non-zero return code [oscap(19865):oscap(7f90c1b3f840):oval_string_map.c:211:oval_string_map_put]
D: oscap: rbt_str_add: non-zero return code [oscap(19865):oscap(7f90c1b3f840):oval_string_map.c:211:oval_string_map_put]
D: oscap: rbt_str_add: non-zero return code [oscap(19865):oscap(7f90c1b3f840):oval_string_map.c:211:oval_string_map_put]
D: oscap: rbt_str_add: non-zero return code [oscap(19865):oscap(7f90c1b3f840):oval_string_map.c:211:oval_string_map_put]
D: oscap: rbt_str_add: non-zero return code [oscap(19865):oscap(7f90c1b3f840):oval_string_map.c:211:oval_string_map_put]
D: oscap: rbt_str_add: non-zero return code [oscap(19865):oscap(7f90c1b3f840):oval_string_map.c:211:oval_string_map_put]
D: oscap: rbt_str_add: non-zero return code [oscap(19865):oscap(7f90c1b3f840):oval_string_map.c:211:oval_string_map_put]
D: oscap: rbt_str_add: non-zero return code [oscap(19865):oscap(7f90c1b3f840):oval_string_map.c:211:oval_string_map_put]
D: probe_sysctl: return from select [probe_sysctl(22403):input_handler(7f584a53b700):seap-packet.c:637:SEAP_packet_recv]
D: probe_process58: Received signal 15 from 19865 (not my parent) [probe_process58(21131):signal_handler(7f8d8bb73700):signal_handler.c:100:probe_signal_handler]
D: probe_file: Received signal 15 from 19865 (not my parent) [probe_file(21102):signal_handler(7f2e373ba700):signal_handler.c:100:probe_signal_handler]
D: probe_variable: Received signal 15 from 19865 (not my parent) [probe_variable(21144):signal_handler(7f87db79c700):signal_handler.c:100:probe_signal_handler]
D: probe_family: Received signal 15 from 19865 (not my parent) [probe_family(21154):signal_handler(7f1503e2d700):signal_handler.c:100:probe_signal_handler]
D: probe_partition: Received signal 15 from 19865 (not my parent) [probe_partition(22026):signal_handler(7fcd6a463700):signal_handler.c:100:probe_signal_handler]
D: probe_textfilecontent54: Received signal 15 from 19865 (not my parent) [probe_textfilecontent54(19939):signal_handler(7f7b78628700):signal_handler.c:100:probe_signal_handler]
D: probe_family: Received signal 15 from 19865 (not my parent) [probe_family(19917):signal_handler(7f40c1d73700):signal_handler.c:100:probe_signal_handler]
D: probe_password: Received signal 15 from 19865 (not my parent) [probe_password(21067):signal_handler(7fbc1b70b700):signal_handler.c:100:probe_signal_handler]
D: probe_textfilecontent54: Received signal 15 from 19865 (not my parent) [probe_textfilecontent54(21040):signal_handler(7f85720b2700):signal_handler.c:100:probe_signal_handler]
D: probe_shadow: Received signal 15 from 19865 (not my parent) [probe_shadow(21072):signal_handler(7fe6099cd700):signal_handler.c:100:probe_signal_handler]
D: probe_rpmverifyfile: Received signal 15 from 19865 (not my parent) [probe_rpmverifyfile(19877):signal_handler(7f6e115da700):signal_handler.c:100:probe_signal_handler]
D: probe_system_info: Received signal 15 from 19865 (not my parent) [probe_system_info(19909):signal_handler(7f3de7eb5700):signal_handler.c:100:probe_signal_handler]
D: probe_sysctl: Received signal 15 from 19865 (not my parent) [probe_sysctl(22403):signal_handler(7f584ad3c700):signal_handler.c:100:probe_signal_handler]
D: probe_rpminfo: Received signal 15 from 19865 (not my parent) [probe_rpminfo(21035):signal_handler(7f737e113700):signal_handler.c:100:probe_signal_handler]
D: probe_system_info: Received signal 15 from 19865 (not my parent) [probe_system_info(19872):signal_handler(7fb5ac9d7700):signal_handler.c:100:probe_signal_handler]
D: probe_rpmverifyfile: Received signal 15 from 19865 (not my parent) [probe_rpmverifyfile(19948):signal_handler(7fed53374700):signal_handler.c:100:probe_signal_handler]
D: probe_rpminfo: Received signal 15 from 19865 (not my parent) [probe_rpminfo(19925):signal_handler(7f548d231700):signal_handler.c:100:probe_signal_handler]
D: probe_uname: Received signal 15 from 19865 (not my parent) [probe_uname(22057):signal_handler(7fb6a0f6d700):signal_handler.c:100:probe_signal_handler]
D: probe_rpminfo: Received signal 15 from 19865 (not my parent) [probe_rpminfo(19899):signal_handler(7f833ab77700):signal_handler.c:100:probe_signal_handler]
D: probe_system_info: Received signal 15 from 19865 (not my parent) [probe_system_info(19867):signal_handler(7ff9303ea700):signal_handler.c:100:probe_signal_handler]
D: probe_textfilecontent54: Received signal 15 from 19865 (not my parent) [probe_textfilecontent54(19904):signal_handler(7f7314da3700):signal_handler.c:100:probe_signal_handler]
shawndwells commented 6 years ago

(edited OP to add formatting of console output)

shawndwells commented 6 years ago

Running a basic scan does not generate a core dump. Using:

oscap xccdf eval --profile xccdf_mil.disa.stig_profile_MAC-2_Sensitive ./U_Red_Hat_Enterprise_Linux_7_V1R2_STIG_SCAP_1-2_Benchmark.xml

However when using all the flags from the OP, I get the exact same results:

$ oscap xccdf eval --profile xccdf_mil.disa.stig_profile_MAC-2_Sensitive --results oscap-results-xccdf.xml --stig-viewer oscap-results-xccdf-stig-viewer.xml --oval-results --check-engine-results --fetch-remote-resources --verbose-log-file oscap-xccdf-eval-$(date +%F_%H%M%S).log --verbose DEVEL ./U_Red_Hat_Enterprise_Linux_7_V1R2_STIG_SCAP_1-2_Benchmark.xml
.............
..........

Title   The system must ignore Internet Protocol version 4 (IPv4) Internet Control Message Protocol (ICMP) redirect messages.
Rule    xccdf_mil.disa.stig_rule_SV-87827r3_rule
Ident   CCE-80158-9
Ident   CCI-000366
Result  fail

Segmentation fault (core dumped)
shawndwells commented 6 years ago

After running scans, incrementally adding all the various flags, the core dump only happens when --stig-viewer is used.

e.g.

oscap xccdf eval --profile xccdf_mil.disa.stig_profile_MAC-2_Sensitive --stig-viewer oscap-results-xccdf-stig-viewer.xml ./U_Red_Hat_Enterprise_Linux_7_V1R2_STIG_SCAP_1-2_Benchmark.xml
shawndwells commented 6 years ago

@boydhako if you're able, because this affects OpenSCAP in RHEL, would you consider opening a formal support case? In reality the issue will be worked on by the same people anyway, but a formal support case carries Red Hat-backed SLAs and helps engineers justify/document why they're spending time on this.

Here's the link: https://access.redhat.com/support/cases/#/case/new

boydhako commented 6 years ago

CASE 02164600 created as requested. Kind of really need the STIG Viewer thing to work to switch off of depending on the SPAWAR SCC.

boydhako commented 6 years ago

Sorry... Fat fingers...

jan-cerny commented 6 years ago

Hi @boydhako,

Thank you very much for reporting your problem.

It seems to me that DISA STIG content has changed its format. The --stig-viewer option relies on having a <reference> element with href attribute set to "http://iase.disa.mil/stigs/Pages/stig-viewing-guidance.aspx". See the relevant section in OpenSCAP User manual for more details: https://github.com/OpenSCAP/openscap/blob/maint-1.2/docs/manual/manual.adoc#235-result-stig-viewer

But there is no such URL in content at https://iasecontent.disa.mil/stigs/zip/U_Red_Hat_Enterprise_Linux_7_V1R2_STIG_SCAP_1-2_Benchmark.zip. I think the assumptions about the DISA STIG content are not valid anymore and therefore the --stig-viewer feature needs to be reworked completely.

The segmentation fault is caused by a null pointer dereference at https://github.com/OpenSCAP/openscap/blob/afd18c1e5ffdc6ade20ab56701c84a8507e1a721/src/XCCDF/result.c#L1099 , where oscap_reference_get_href(ref) returns NULL because the file contains reference elements without href attribute.

EDIT: Note for investigation: See https://github.com/OpenSCAP/openscap/pull/894 for implementation details.
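A pre-flight check for the condition described above, as an added example (not OpenSCAP's or this project's code): it walks the Rule elements of an XCCDF 1.2 document, stand-alone or embedded in a datastream, and reports references that lack an href (the case that yields NULL from oscap_reference_get_href) plus whether the STIG Viewer mapping reference that --stig-viewer relies on is present. The two embedded documents are constructed samples modelled on the SSG-style and DISA-style content discussed in this thread, not copies of either.

```python
"""Pre-flight check for XCCDF content before running oscap with --stig-viewer.

Added example; not part of OpenSCAP or ComplianceAsCode. It reports, per Rule,
how many <reference> elements have no href attribute and which DISA rule IDs
are mapped through the STIG Viewer guidance href that --stig-viewer looks for.
"""
import xml.etree.ElementTree as ET
from dataclasses import dataclass, field

XCCDF_NS = "http://checklists.nist.gov/xccdf/1.2"
# href that the --stig-viewer output relies on (see the OpenSCAP manual link above)
STIG_VIEWER_HREF = "http://iase.disa.mil/stigs/Pages/stig-viewing-guidance.aspx"

# Constructed sample resembling scap-security-guide content: the reference carries
# the STIG Viewer href and the DISA rule ID as its text.
SSG_STYLE = """<Benchmark xmlns="http://checklists.nist.gov/xccdf/1.2"
           id="xccdf_org.ssgproject.content_benchmark_RHEL-7">
  <Rule id="xccdf_org.ssgproject.content_rule_sysctl_net_ipv4_conf_all_accept_redirects">
    <title>Disable Accepting ICMP Redirects for All IPv4 Interfaces</title>
    <reference href="http://iase.disa.mil/stigs/Pages/stig-viewing-guidance.aspx">SV-87827r3_rule</reference>
    <ident system="https://nvd.nist.gov/cce/index.cfm">CCE-80158-9</ident>
  </Rule>
</Benchmark>
"""

# Constructed sample resembling the DISA SCAP 1.2 benchmark: <reference> elements
# carry Dublin Core children and no href attribute at all.
DISA_STYLE = """<Benchmark xmlns="http://checklists.nist.gov/xccdf/1.2"
           xmlns:dc="http://purl.org/dc/elements/1.1/"
           id="xccdf_mil.disa.stig_benchmark_RHEL_7_STIG">
  <Rule id="xccdf_mil.disa.stig_rule_SV-87827r3_rule">
    <title>The system must ignore IPv4 ICMP redirect messages.</title>
    <reference>
      <dc:title>DPMS Target Red Hat Enterprise Linux 7</dc:title>
      <dc:publisher>DISA</dc:publisher>
    </reference>
    <reference>
      <dc:title>CCI-000366</dc:title>
      <dc:publisher>DISA</dc:publisher>
    </reference>
    <ident system="http://iase.disa.mil/cci">CCI-000366</ident>
  </Rule>
</Benchmark>
"""


@dataclass
class RuleReport:
    rule_id: str
    missing_href: int = 0                      # <reference> elements without href
    stig_ids: list = field(default_factory=list)  # DISA IDs mapped via STIG_VIEWER_HREF


def check_references(xml_text: str) -> list:
    """Inspect every xccdf:Rule in the document (works for datastreams too,
    since Rule elements are found anywhere below the root)."""
    root = ET.fromstring(xml_text)
    reports = []
    for rule in root.iter(f"{{{XCCDF_NS}}}Rule"):
        rep = RuleReport(rule.get("id", "<no id>"))
        for ref in rule.findall(f"{{{XCCDF_NS}}}reference"):
            href = ref.get("href")
            if href is None:
                rep.missing_href += 1
            elif href == STIG_VIEWER_HREF:
                rep.stig_ids.append((ref.text or "").strip())
        reports.append(rep)
    return reports


def safe_for_stig_viewer(reports: list) -> bool:
    """True when no rule contains an href-less <reference>, i.e. the input
    that produced the NULL href in this issue is absent."""
    return all(r.missing_href == 0 for r in reports)


def summarize(xml_text: str) -> dict:
    """Counts a practitioner would want before deciding how to scan."""
    reports = check_references(xml_text)
    return {
        "rules": len(reports),
        "rules_with_missing_href": sum(1 for r in reports if r.missing_href),
        "rules_with_stig_mapping": sum(1 for r in reports if r.stig_ids),
        "safe_for_stig_viewer": safe_for_stig_viewer(reports),
    }


if __name__ == "__main__":
    for label, doc in (("SSG-style", SSG_STYLE), ("DISA-style", DISA_STYLE)):
        print(label, summarize(doc))
```

Run the script against a real benchmark by reading the file into `summarize()`; a document with `rules_with_missing_href` greater than zero is the shape that this issue's crash was triggered by.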

jan-cerny commented 6 years ago

On the other hand, our SCAP Security guide contains those elements.

boydhako commented 6 years ago

Yeah, the DISA XCCDF format changed recently. Rumor has it that it was changed to be more compliant with the open standard. Emphasis on "more". The STIG viewer and stuff still go by the Vulnerability IDs instead of the other stuff in the results and reports.

matusmarhefka commented 6 years ago

Hello, please try the following:

  1. Scan your machine using oscap tool and use rhel7 datastream file from scap-security-guide package:

    # oscap xccdf eval --profile stig-rhel7-disa --stig-viewer results-stig.xml /usr/share/xml/scap/ssg/content/ssg-rhel7-ds.xml
  2. Open DISA STIG Viewer (DSV), you might first need to configure java not to use openjdk, run:

    alternatives --config java

    and select the java binary from oracle. Then in DSV select File -> Import STIG and choose the .zip file you downloaded from DISA: https://iasecontent.disa.mil/stigs/zip/U_Red_Hat_Enterprise_Linux_7_V1R2_STIG_SCAP_1-2_Benchmark.zip

  3. Then in DSV, in STIGs table select the "RHEL7 security implementation guide" and create a checklist by selecting Checklist -> Create Checklist - this will open a new tab for you in DSV.

  4. In new checklist tab, select Import -> XCCDF Results File and select the results-stig.xml file which you have generated in the first step using oscap tool.

  5. You should see the results of the scan in DSV.

shawndwells commented 6 years ago

+cc @tbrunell: any chance you're aware of DISA's specification roadmap? Having insight could mean getting ahead of tools breaking in RHEL (or at least documenting what versions are interoperable).

tedbrunell commented 6 years ago

@shawndwells I am not aware of any specification changes, but I will request that they keep the project aware of any changes.

jmackani commented 6 years ago

According to the XCCDF schema the min occurs for the references is 0. Did we have a previous agreement that we would always provide this field from the DISA? I do not see this reference to the best of my knowledge being used in other xccdf by DISA unless it was specific to RHEL7.

On Mon, Aug 20, 2018 at 11:34 AM, tedbrunell notifications@github.com wrote:

@shawndwells https://github.com/shawndwells I am not aware of any specification changes, but I will request that they keep the project aware of any changes.

— You are receiving this because you are subscribed to this thread. Reply to this email directly, view it on GitHub https://github.com/OpenSCAP/scap-security-guide/issues/3207#issuecomment-414360802, or mute the thread https://github.com/notifications/unsubscribe-auth/AKA2v7eHhsdDCP4FCgF7XISp89Y0JIA6ks5uStbsgaJpZM4WCUih .

boydhako commented 6 years ago

@tedbrunell @shawndwells They moved to using SCAP 1.2 Content about a few months ago using some NVD schema.

https://scap.nist.gov/specifications/xccdf/#resource-1.2 https://scap.nist.gov/revision/1.2/index.html https://scap.nist.gov/events/2011/itsac/presentations/day3/Halbardier%20-%20SCAP%201.2%20Data%20Model.pdf

@matusmarhefka Thanks. But, I can see the stuff using the obligatory trusted SPAWAR SCC scanner. I'm trying to setup OpenSCAP for remediation/fixes based off of the DISA STIG XCCDF.

jan-cerny commented 6 years ago

I have looked into this further. I think we are mixing multiple things together. I'm sorry for the initial confusion. Correct me if I'm wrong but here is what I think:

When we implemented the --stig-viewer feature in OpenSCAP in October 2017 we used this content from DISA: https://iasecontent.disa.mil/stigs/zip/U_Red_Hat_Enterprise_Linux_7_V1R3_STIG.zip which we got from: https://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx. This content is just XCCDF 1.1, there is no OVAL. (There is an updated version, but it is still the same format).

Since there was no OVAL in that content, the expected workflow was to:

  1. perform a scan using OpenSCAP using content from scap-security-guide package and export results using --stig-viewer
  2. open the file from the aforementioned zip by DISA in STIG Viewer
  3. import the results generated by OpenSCAP in (1) to STIG Viewer

Which is basically the workflow described by @matusmarhefka in one of the previous posts here. That means it was never meant to run OpenSCAP on their file from the aforementioned zip.

I was wrong in my previous reply, because there is no <reference> element with href attribute set to "http://iase.disa.mil/stigs/Pages/stig-viewing-guidance.aspx" in the aforementioned zip by DISA. That element is always only in content in scap-security-guide package. AFAIK, in SCAP Security Guide we have a mapping from our rule IDs to their IDs which are populated to the <reference> element.

The new content from DISA used by @boydhako https://iasecontent.disa.mil/stigs/zip/U_Red_Hat_Enterprise_Linux_7_V1R2_STIG_SCAP_1-2_Benchmark.zip can be found at a different place on the DISA website: https://iase.disa.mil/stigs/scap/Pages/index.aspx . It is very different from the previous one. It's a SCAP 1.2 datastream. And it contains OVALs, which means it is normally usable for scanning by OpenSCAP.

So I think it's expected to run OpenSCAP scan on that content directly and see the results in STIG viewer. (No exporting using special options). However, if I remember it well, STIG Viewer didn't support standard XCCDF results, it wanted a document with TestResults as a root element. That needs to be checked if it's still the case. Also, we need to check if it still expects the rule IDs without prefix. If those limitations of STIG Viewer are still valid, we need to implement another output option to enable the import into STIG Viewer. @matusmarhefka Could you check if it's possible to use the XCCDF results directly? If not, wouldn't it be enough to just extract the TestResults element from XCCDF results?

@tedbrunell @shawndwells I'm confused that there are 2 different STIGs for RHEL7 on DISA website at 2 different places:

  1. https://iase.disa.mil/stigs/scap/Pages/index.aspx which provides SCAP 1.2 Datastream https://iasecontent.disa.mil/stigs/zip/U_Red_Hat_Enterprise_Linux_7_V1R2_STIG_SCAP_1-2_Benchmark.zip
  2. https://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx which provides XCCDF only: https://iasecontent.disa.mil/stigs/zip/U_Red_Hat_Enterprise_Linux_7_V1R4_STIG.zip which then has to be used together with SSG.

Both of them have the same release date. The version is confusing here. Could you please clarify which of these 2 pages is the right page? Which content is expected to be used by users? Which of them is supposed to be used with STIG Viewer?

jmackani commented 6 years ago

Option 1 is to be used by tools for automation. Option two is only meant for manually reviewing a system. In the early days, xccdf did not have a test type for ocil. So we had to separate the files for people who were only needing to read and secure a system manually which is option two.


On Aug 21, 2018, at 3:36 AM, Jan Černý notifications@github.com wrote:


shawndwells commented 6 years ago

@jan-cerny both would be expected for use with STIG Viewer

shawndwells commented 6 years ago

two different uses like @jmackani shared

boydhako commented 6 years ago

@jan-cerny @jmackani @shawndwells Note that the file names one has Benchmark. The benchmark one is normally used with the SPAWAR SCC since it somehow contains the means of doing the "checks" for the finds. The one that doesn't have the benchmark in the name doesn't really check the newly added items. In short the Benchmark has more info and does more and the other is like a documented checklist.

The scanning does work using the DISA XCCDF. However, the output doesn't match the STIG viewer since it notes findings by the Vulnerability ID (V-XXXXX). I was under the impression that the --stig-viewer option would output the results file using the VID association instead of the CCE and CCI references.

If possible, I recommend seeing if "Red Hat" can get a copy of the new SCC scanner. You kind of need PKI access to download it.

https://powhatan.iiie.disa.mil/stigs/downloads/zip/scc-5.0.2_rhel7_x86_64_bundle.zip

jan-cerny commented 6 years ago

--stig-viewer option is supposed to work with SCAP Security Guide DSs, which contains <reference> elements

jmackani commented 6 years ago

The DISA STIG Viewer can ingest regular SCAP 1.2/XCCDF 1.2 Results files. It has had the capability since version 2.6, released almost a year ago. OpenSCAP does not need a special XCCDF export format.

jan-cerny commented 6 years ago

Thanks @jmackani for the clarification. @boydhako Do you use STIG Viewer >= 2.6? If yes, does using --results instead of --stig-viewer work for you with the STIG Viewer?

mpreisler commented 6 years ago

@jmackani Thank you for your input. Could you please refer the exact version and release changelog? I want to verify and include it in our docs that you only need this option if you are using the old STIG Viewer.

boydhako commented 6 years ago

@jan-cerny Sorry for the delay. Got busy manually STIG checking stuff.

Okay, so yes just doing the --results does work with the STIG Viewer.

However... I might need some guidance on how oscap is supposed to work to get the remediation scripts. Because the Results file literally lists all the STIGs in the STIG Viewer; not just the open ones. I tried doing the oscap xccdf generate fix thing using the Results file and it lists all the STIGs as well.

Attached are the files I got from it.

lphl26927f-stig-stuff.zip
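As an added example (not code from this thread, from OpenSCAP or from SCAP Security Guide), the script below does the two post-processing steps the thread discusses: it pulls the TestResult element out of a full `oscap ... --results` document, which is the fallback jan-cerny suggests if a viewer will not accept a results file whose root is a Benchmark, and it reduces the result list to the open findings (fail, error, unknown) keyed by the enclosing Group id, which in DISA content carries the V-number the STIG Viewer displays. The XCCDF 1.2 namespace and the Benchmark/Group/Rule/TestResult/rule-result layout are from the XCCDF 1.2 specification; the sample document, its ids and timestamps are constructed for illustration, and the assumption that a Rule's V-number is the id of its nearest enclosing Group is taken from how DISA benchmarks are laid out, not from anything verified in this thread.

```python
"""Post-process an oscap --results file (XCCDF 1.2): extract the TestResult
element on its own, and list only the rule-results that are still open."""
import re
import xml.etree.ElementTree as ET

XCCDF = "http://checklists.nist.gov/xccdf/1.2"
NS = {"x": XCCDF}
OPEN_RESULTS = {"fail", "error", "unknown"}  # XCCDF result values that need attention

# Constructed sample in the shape of an oscap --results document: the evaluated
# Benchmark with one TestResult appended. All ids and timestamps are made up.
SAMPLE_RESULTS = """<?xml version="1.0" encoding="UTF-8"?>
<Benchmark xmlns="http://checklists.nist.gov/xccdf/1.2"
           id="xccdf_mil.disa.stig_benchmark_EXAMPLE">
  <Group id="xccdf_mil.disa.stig_group_V-00001">
    <title>Example group one</title>
    <Rule id="xccdf_mil.disa.stig_rule_SV-00001r1_rule" severity="high">
      <title>Example rule one</title>
    </Rule>
  </Group>
  <Group id="xccdf_mil.disa.stig_group_V-00002">
    <title>Example group two</title>
    <Rule id="xccdf_mil.disa.stig_rule_SV-00002r1_rule" severity="medium">
      <title>Example rule two</title>
    </Rule>
    <Rule id="xccdf_mil.disa.stig_rule_SV-00003r1_rule" severity="low">
      <title>Example rule three</title>
    </Rule>
  </Group>
  <TestResult id="xccdf_org.open-scap_testresult_EXAMPLE"
              start-time="2018-08-22T10:00:00" end-time="2018-08-22T10:05:00">
    <rule-result idref="xccdf_mil.disa.stig_rule_SV-00001r1_rule" severity="high">
      <result>fail</result>
    </rule-result>
    <rule-result idref="xccdf_mil.disa.stig_rule_SV-00002r1_rule" severity="medium">
      <result>pass</result>
    </rule-result>
    <rule-result idref="xccdf_mil.disa.stig_rule_SV-00003r1_rule" severity="low">
      <result>error</result>
    </rule-result>
  </TestResult>
</Benchmark>
"""


def find_test_result(root: ET.Element) -> ET.Element:
    """Accept either a Benchmark with an embedded TestResult or a bare TestResult."""
    if root.tag == f"{{{XCCDF}}}TestResult":
        return root
    test_result = root.find("x:TestResult", NS)
    if test_result is None:
        raise ValueError("no TestResult element in document")
    return test_result


def extract_test_result(xml_text: str) -> str:
    """Serialize just the <TestResult> element as a standalone XML document."""
    test_result = find_test_result(ET.fromstring(xml_text))
    ET.register_namespace("", XCCDF)  # emit xmlns="..." instead of ns0: prefixes
    return ET.tostring(test_result, encoding="unicode").strip()


def rule_to_group(root: ET.Element) -> dict:
    """Map each Rule id to the id of its nearest enclosing Group (the V-number)."""
    mapping = {}
    for group in root.iter(f"{{{XCCDF}}}Group"):
        for rule in group.findall("x:Rule", NS):  # direct children only
            mapping[rule.get("id")] = group.get("id")
    return mapping


def strip_xccdf_prefix(ident: str) -> str:
    """Turn xccdf_mil.disa.stig_group_V-00001 into V-00001 (assumed id scheme)."""
    return re.sub(r"^xccdf_[^_]+_(?:group|rule|benchmark|profile)_", "", ident or "")


def open_findings(xml_text: str) -> list:
    """Return the rule-results whose result is fail/error/unknown, with group ids."""
    root = ET.fromstring(xml_text)
    groups = rule_to_group(root)
    findings = []
    for rr in find_test_result(root).findall("x:rule-result", NS):
        result_el = rr.find("x:result", NS)
        result = (result_el.text or "").strip() if result_el is not None else "unknown"
        if result not in OPEN_RESULTS:
            continue
        rule_id = rr.get("idref")
        findings.append({
            "vuln_id": strip_xccdf_prefix(groups.get(rule_id)),
            "rule": rule_id,
            "severity": rr.get("severity"),
            "result": result,
        })
    return findings


if __name__ == "__main__":
    for finding in open_findings(SAMPLE_RESULTS):
        print(f"{finding['vuln_id']:10} {finding['severity']:7} {finding['result']:6} {finding['rule']}")
```

Run it against a real results file by replacing `SAMPLE_RESULTS` with the file contents; rules that a profile did not select show up as `notselected` and are skipped, so the output is the open list rather than the full checklist.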

jamescassell commented 5 years ago

Hello,

I've reproduced this issue. I'd guess the issue is actually with the openscap tool.

With the ssg content, I'm able to successfully run oscap xccdf eval --profile xccdf_org.ssgproject.content_profile_stig-rhel7-disa --stig-viewer results.xml scap-security-guide-0.1.43/ssg-rhel7-ds.xml

I'm then able to import that into the STIG Viewer.

However, when I substitute the profile and file for the DISA IASE-provided benchmark file using oscap xccdf eval --profile xccdf_mil.disa.stig_profile_MAC-1_Classified --stig-viewer results.xml U_Red_Hat_Enterprise_Linux_7_V2R2_STIG_SCAP_1-2_Benchmark.xml, I get a segfault at the end:

[  648.535392] oscap[6584]: segfault at 0 ip 00007ff7b7bd8ba0 sp 00007ffd0dd99430 error 4 in libopenscap.so.8.14.1[7ff7b7b1b000+112000]
E: probe_sysctl: An error ocured while receiving SEAP message. errno=103, Software caused connection abort.
Segmentation fault

I get a successful result with the DISA benchmark using: oscap xccdf eval --profile xccdf_mil.disa.stig_profile_MAC-1_Classified --results results.xml U_Red_Hat_Enterprise_Linux_7_V2R2_STIG_SCAP_1-2_Benchmark.xml

The segfault is a bug, but otherwise it seems there should be a warning that says "use --results rather than --stig-viewer when using DISA content"

This is on RHEL 7.6 latest.

marcusburghardt commented 2 years ago

I agree this is related to the scanner and not to the content. There is already an issue reported in the OpenSCAP project: https://github.com/OpenSCAP/openscap/issues/1613 I am closing this issue here and recommend any follow up in the mentioned issue.