OpenSCAP / openscap-daemon

Manages continuous scans of your infrastructure
https://www.open-scap.org/tools/openscap-daemon
GNU Lesser General Public License v2.1

atomic scan tracebacks when scanning image using invalid profile #113

Closed matusmarhefka closed 6 years ago

matusmarhefka commented 6 years ago

For example, scanning the fedora docker base image using the DISA STIG profile results in the following traceback:

# atomic --debug scan --scan_type configuration_compliance --scanner_args profile=xccdf_org.ssgproject.content_profile_stig-rhel7-disa fedora
Created /run/atomic/2017-09-26-05-02-56-008578
docker run -t --rm -v /etc/localtime:/etc/localtime -v /run/atomic/2017-09-26-05-02-56-008578:/scanin -v /var/lib/atomic/openscap/2017-09-26-05-02-56-008578:/scanout:rw,Z -v /etc/oscapd:/etc/oscapd:ro test/openscap_base oscapd-evaluate scan --targets chroots-in-dir:///scanin --output /scanout --no-cve-scan --fix_type bash -j1 --profile xccdf_org.ssgproject.content_profile_stig-rhel7-disa
Created /run/atomic/2017-09-26-05-02-56-008578/4ef26f1dc556e54d5b957593a7f678644f4f02ae30d5a115f18bf6916f322c19
Mounted 4ef26f1dc556e54d5b957593a7f678644f4f02ae30d5a115f18bf6916f322c19 to /run/atomic/2017-09-26-05-02-56-008578/4ef26f1dc556e54d5b957593a7f678644f4f02ae30d5a115f18bf6916f322c19
Creating the output dir at /var/lib/atomic/openscap/2017-09-26-05-02-56-008578
INFO:OpenSCAP Daemon one-off evaluator 0.1.7
WARNING:Can't import the 'docker' package. Container scanning functionality will be disabled.
INFO:Creating tasks directory at '/var/lib/oscapd/tasks' because it didn't exist.
INFO:Creating results directory at '/var/lib/oscapd/results' because it didn't exist.
INFO:Creating results work in progress directory at '/var/lib/oscapd/work_in_progress' because it didn't exist.
INFO:Evaluated EvaluationSpec, exit_code=0.
INFO:Found 3 profile choices in '/usr/share/xml/scap/ssg/content/ssg-fedora-ds.xml' with tailoring file 'None'.
ERROR:'ProfileSuffixMatchError' object has no attribute 'message'
Traceback (most recent call last):
  File "/usr/bin/oscapd-evaluate", line 174, in scan_worker
    args.profile = es.select_profile_by_suffix(args.profile)
  File "/usr/lib/python3.6/site-packages/openscap_daemon/evaluation_spec.py", line 373, in select_profile_by_suffix
    profile_suffix
openscap_daemon.evaluation_spec.ProfileSuffixMatchError: No profile with suffix xccdf_org.ssgproject.content_profile_stig-rhel7-disa

During handling of the above exception, another exception occurred:

Traceback (most recent call last):
  File "/usr/bin/oscapd-evaluate", line 179, in scan_worker
    % (args.profile, target, e.message)
AttributeError: 'ProfileSuffixMatchError' object has no attribute 'message'
INFO:[100.00%] Scanned target 'chroot:///scanin/4ef26f1dc556e54d5b957593a7f678644f4f02ae30d5a115f18bf6916f322c19'
Fatal error encountered while evaluating! Failed to evaluate at least 0 targets!

fedora (4ef26f1dc556e54)

     fedora is not supported for this scan.

Files associated with this scan are in /var/lib/atomic/openscap/2017-09-26-05-02-56-008578.

Unmounted /run/atomic/2017-09-26-05-02-56-008578/4ef26f1dc556e54d5b957593a7f678644f4f02ae30d5a115f18bf6916f322c19

yuumasato commented 6 years ago

Closed via #127
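
The second traceback in the report comes from the error handler itself: `e.message` is a Python 2 idiom, and exceptions under Python 3.6 have no such attribute, so the handler fails while reporting the profile mismatch. The sketch below is an added example, not code from openscap-daemon or from the change in #127; the exception class and `select_profile_by_suffix` are simplified stand-ins, the `report_*` function names are hypothetical, and the profile list is constructed.

```python
class ProfileSuffixMatchError(Exception):
    """Simplified stand-in for openscap_daemon.evaluation_spec.ProfileSuffixMatchError."""


# Constructed sample: profile IDs a datastream might offer (not taken from the report).
PROFILES = [
    "xccdf_org.ssgproject.content_profile_standard",
    "xccdf_org.ssgproject.content_profile_ospp",
    "xccdf_org.ssgproject.content_profile_pci-dss",
]


def select_profile_by_suffix(profile_ids, suffix):
    """Return the single profile ID ending in `suffix`, else raise (stand-in logic)."""
    matches = [p for p in profile_ids if p.endswith(suffix)]
    if len(matches) != 1:
        raise ProfileSuffixMatchError("No profile with suffix %s" % suffix)
    return matches[0]


def report_py2_style(profile_ids, suffix, target):
    """Handler written the Python 2 way; the except block itself fails on Python 3."""
    try:
        return select_profile_by_suffix(profile_ids, suffix), None
    except ProfileSuffixMatchError as e:
        # BaseException.message does not exist in Python 3, so this line raises
        # AttributeError and the original error is only visible as __context__.
        return None, "Profile '%s' failed for '%s': %s" % (suffix, target, e.message)


def report_portable(profile_ids, suffix, target):
    """Same handler using str(e), which works on both Python 2 and Python 3."""
    try:
        return select_profile_by_suffix(profile_ids, suffix), None
    except ProfileSuffixMatchError as e:
        return None, "Profile '%s' failed for '%s': %s" % (suffix, target, str(e))


if __name__ == "__main__":
    print(report_portable(PROFILES, "stig-rhel7-disa", "fedora"))
    try:
        report_py2_style(PROFILES, "stig-rhel7-disa", "fedora")
    except AttributeError as err:
        print("handler crashed:", err, "| original:", repr(err.__context__))
```

With the portable handler the scan ends with one clear "no such profile" message instead of a crash in the error path.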