OpenSCAP / openscap-daemon

Manages continuous scans of your infrastructure
https://www.open-scap.org/tools/openscap-daemon
GNU Lesser General Public License v2.1

oscapd-evaluate should not report that evaluation was done if it wasn't done #97

Open jan-cerny opened 7 years ago

jan-cerny commented 7 years ago

I think that the following output is horribly confusing, because in this case neither a CVE scan nor a Standard compliance scan was performed.

[root@thinkpad ~]# oscapd-evaluate scan --no-cve-scan --no-standard-compliance --output output/
INFO:OpenSCAP Daemon one-off evaluator 0.1.7
INFO:Successfully imported 'docker' and 'Atomic.mount', container scanning enabled.
INFO:Evaluated EvaluationSpec, exit_code=0.
INFO:[100.00%] Scanned target 'localhost'

The only thing that has been done was that applicable CPEs were determined, but I will not say that the "target was scanned". I see determining CPEs as a special use case that has to be done before the scan.

I know that technically it's a scan, because it uses oscap xccdf eval under the hood, but the user doesn't have to know that.

jan-cerny commented 7 years ago

It's even more confusing for me when I run oscapd-evaluate scan --no-cve-scan --output output and it says immediately:

INFO:OpenSCAP Daemon one-off evaluator 0.1.7
INFO:Successfully imported 'docker' and 'Atomic.mount', container scanning enabled.
INFO:Evaluated EvaluationSpec, exit_code=0.

and then nothing happens for tens of seconds and my CPU cooler starts to spin. It gives me the impression that it's stalled and I should kill it. But actually it's evaluating the "Verify and Correct File Permissions with RPM" rule, which takes some time.

If I'm patient enough, I'll get

[root@thinkpad ~]# oscapd-evaluate scan --no-cve-scan  --output output/
INFO:OpenSCAP Daemon one-off evaluator 0.1.7
INFO:Successfully imported 'docker' and 'Atomic.mount', container scanning enabled.
INFO:Evaluated EvaluationSpec, exit_code=0.
WARNING:Evaluated EvaluationSpec, exit_code=2.
INFO:[100.00%] Scanned target 'localhost'

I think that's not a good user experience.

jan-cerny commented 7 years ago

@mpreisler I'm interested in your opinion on this. I suggest handling CPE determination in a special way so that it is not reported as a scan.

Also I think that we could show the progress while evaluating, which would be beneficial, especially for profiles with many rules. Waiting for tens of seconds without any output isn't user friendly.

jan-cerny commented 7 years ago

Any suggestions?

jan-cerny commented 7 years ago

@OpenSCAP/daemon-developers ???

mpreisler commented 6 years ago

> @mpreisler I'm interested in your opinion on this. I suggest handling CPE determination in a special way so that it is not reported as a scan.
>
> Also I think that we could show the progress while evaluating, which would be beneficial, especially for profiles with many rules. Waiting for tens of seconds without any output isn't user friendly.

Yeah, sure.