Open yakhatape opened 1 year ago
Can you tell me if I'm on the right repository for this issue? Maybe I'm not in the right place? Or if you need more details, I'm staying open :)
Yes, you're in the right place. The error appears to be very strange; it'd require some time to triage. In the meantime, try to reproduce it with the latest release, 1.3.7, if you can.
Thanks @evgenyz for the feedback. v1.3.7 isn't available for the moment in the official Rocky Linux repository. Once it's available I will try again and keep you in touch.
:+1: I am reproducing this also on SUSE SLE15, with oscap releases 1.3.7 and 1.3.8 also:
sles-15-sp2:/ComplianceAsCodeContent/build # oscap -V
OpenSCAP command line tool (oscap) 1.3.8
Copyright 2009--2021 Red Hat Inc., Durham, North Carolina.
==== Supported specifications ====
SCAP Version: 1.3
XCCDF Version: 1.2
OVAL Version: 5.11.1
CPE Version: 2.3
CVSS Version: 2.0
CVE Version: 2.0
Asset Identification Version: 1.1
Asset Reporting Format Version: 1.1
CVRF Version: 1.1
==== Capabilities added by auto-loaded plugins ====
SCE Version: 1.0 (from libopenscap_sce.so.25)
==== Paths ====
Schema files: /usr/local/share/openscap/schemas
Default CPE files: /usr/local/share/openscap/cpe
==== Inbuilt CPE names ====
Red Hat Enterprise Linux - cpe:/o:redhat:enterprise_linux:-
Red Hat Enterprise Linux 5 - cpe:/o:redhat:enterprise_linux:5
Red Hat Enterprise Linux 6 - cpe:/o:redhat:enterprise_linux:6
Red Hat Enterprise Linux 7 - cpe:/o:redhat:enterprise_linux:7
Red Hat Enterprise Linux 8 - cpe:/o:redhat:enterprise_linux:8
Community Enterprise Operating System 5 - cpe:/o:centos:centos:5
Community Enterprise Operating System 6 - cpe:/o:centos:centos:6
Community Enterprise Operating System 7 - cpe:/o:centos:centos:7
Community Enterprise Operating System 8 - cpe:/o:centos:centos:8
Fedora 32 - cpe:/o:fedoraproject:fedora:32
Fedora 33 - cpe:/o:fedoraproject:fedora:33
Fedora 34 - cpe:/o:fedoraproject:fedora:34
Fedora 35 - cpe:/o:fedoraproject:fedora:35
==== Supported OVAL objects and associated OpenSCAP probes ====
OVAL family OVAL object OpenSCAP probe
---------- ---------- ----------
independent environmentvariable probe_environmentvariable
independent environmentvariable58 probe_environmentvariable58
independent family probe_family
independent filehash probe_filehash (MD5, SHA-1)
independent filehash58 probe_filehash58 (MD5, SHA-1, SHA-224, SHA-256, SHA-384, SHA-512)
independent system_info probe_system_info
independent textfilecontent probe_textfilecontent
independent textfilecontent54 probe_textfilecontent54
independent variable probe_variable
independent xmlfilecontent probe_xmlfilecontent
independent yamlfilecontent probe_yamlfilecontent
linux iflisteners probe_iflisteners
linux inetlisteningservers probe_inetlisteningservers
linux partition probe_partition
linux rpminfo probe_rpminfo
linux rpmverify probe_rpmverify
linux rpmverifyfile probe_rpmverifyfile
linux rpmverifypackage probe_rpmverifypackage
linux selinuxboolean probe_selinuxboolean
linux selinuxsecuritycontext probe_selinuxsecuritycontext
unix dnscache probe_dnscache
unix file probe_file
unix fileextendedattribute probe_fileextendedattribute
unix interface probe_interface
unix password probe_password
unix process probe_process
unix process58 probe_process58
unix routingtable probe_routingtable
unix runlevel probe_runlevel
unix shadow probe_shadow
unix symlink probe_symlink
unix sysctl probe_sysctl
unix uname probe_uname
unix xinetd probe_xinetd
#
# /usr/local/bin/oscap --verbose INFO xccdf eval --results /tmp/results.xml --profile anssi_bp28_high --rule xccdf_org.ssgproject.content_rule_sebool_selinuxuser_execheap ssg-sle15-ds.xml
I: oscap: Identified document type: data-stream-collection
I: oscap: Created a new XCCDF session from a SCAP Source Datastream 'ssg-sle15-ds.xml'.
I: oscap: Validating XML signature.
I: oscap: Signature node not found
WARNING: Datastream component 'scap_org.open-scap_cref_pub-projects-security-oval-suse.linux.enterprise.15.xml' points out to the remote 'https://ftp.suse.com/pub/projects/security/oval/suse.linux.enterprise.15.xml'. Use '--fetch-remote-resources' option to download it.
WARNING: Skipping 'https://ftp.suse.com/pub/projects/security/oval/suse.linux.enterprise.15.xml' file which is referenced from datastream
I: oscap: Identified document type: Benchmark
I: oscap: File ssg-sle15-cpe-oval.xml has already been registered in Source DataStream session: ssg-sle15-ds.xml
I: oscap: Identified document type: cpe-list
WARNING: Skipping ./pub-projects-security-oval-suse.linux.enterprise.15.xml file which is referenced from XCCDF content
I: oscap: Started new OVAL agent ssg-sle15-oval.xml.
I: oscap: Querying system information.
I: oscap: Starting probe on URI 'queue://system_info'.
I: oscap: I will run system_info_probe_main:
--- Starting Evaluation ---
I: oscap: Evaluating a XCCDF policy with selected 'xccdf_org.ssgproject.content_profile_anssi_bp28_high' profile.
Title Disable the selinuxuser_execheap SELinux Boolean
Rule xccdf_org.ssgproject.content_rule_sebool_selinuxuser_execheap
Ident CCE-91424-2
I: oscap: Evaluating XCCDF rule 'xccdf_org.ssgproject.content_rule_sebool_selinuxuser_execheap'.
I: oscap: Started new OVAL agent ssg-sle15-cpe-oval.xml.
I: oscap: Querying system information.
I: oscap: Starting probe on URI 'queue://system_info'.
I: oscap: I will run system_info_probe_main:
I: oscap: Evaluating definition 'oval:ssg-installed_OS_is_sle15:def:1': SUSE Linux Enterprise 15.
I: oscap: Evaluating family test 'oval:ssg-test_sle15_unix_family:tst:1': installed OS part of unix family.
I: oscap: Querying family object 'oval:ssg-obj_sle15_unix_family:obj:1', flags: 0.
I: oscap: Creating new syschar for family_object 'oval:ssg-obj_sle15_unix_family:obj:1'.
I: oscap: Starting probe on URI 'queue://family'.
I: oscap: I will run family_probe_main:
I: oscap: Test 'oval:ssg-test_sle15_unix_family:tst:1' requires that at least one object defined by 'oval:ssg-obj_sle15_unix_family:obj:1' exists on the system.
I: oscap: 1 objects defined by 'oval:ssg-obj_sle15_unix_family:obj:1' exist on the system.
I: oscap: All items matching object 'oval:ssg-obj_sle15_unix_family:obj:1' were collected. (flag=complete)
I: oscap: In test 'oval:ssg-test_sle15_unix_family:tst:1' all of the collected items must satisfy these states: 'oval:ssg-state_sle15_unix_family:ste:1'.
I: oscap: Entity 'family'='unix' of item '1130033' matches corresponding entity in state 'oval:ssg-state_sle15_unix_family:ste:1'.
I: oscap: Item '1130033' compared to state 'oval:ssg-state_sle15_unix_family:ste:1' with result true.
I: oscap: Test 'oval:ssg-test_sle15_unix_family:tst:1' evaluated as true.
I: oscap: Evaluating rpminfo test 'oval:ssg-test_sle15_desktop:tst:1': sled-release is version 15.
I: oscap: Querying rpminfo object 'oval:ssg-obj_sle15_desktop:obj:1', flags: 0.
I: oscap: Creating new syschar for rpminfo_object 'oval:ssg-obj_sle15_desktop:obj:1'.
I: oscap: Starting probe on URI 'queue://rpminfo'.
I: oscap: I will run rpminfo_probe_main:
I: oscap: Package "sled-release" not found.
I: oscap: Test 'oval:ssg-test_sle15_desktop:tst:1' requires that at least one object defined by 'oval:ssg-obj_sle15_desktop:obj:1' exists on the system.
I: oscap: 0 objects defined by 'oval:ssg-obj_sle15_desktop:obj:1' exist on the system.
I: oscap: No item matching object 'oval:ssg-obj_sle15_desktop:obj:1' was found on the system. (flag=does not exist)
I: oscap: Test 'oval:ssg-test_sle15_desktop:tst:1' evaluated as false.
I: oscap: Evaluating rpminfo test 'oval:ssg-test_sle15_server:tst:1': sles-release is version 15.
I: oscap: Querying rpminfo object 'oval:ssg-obj_sle15_server:obj:1', flags: 0.
I: oscap: Creating new syschar for rpminfo_object 'oval:ssg-obj_sle15_server:obj:1'.
I: oscap: I will run rpminfo_probe_main:
I: oscap: Test 'oval:ssg-test_sle15_server:tst:1' requires that at least one object defined by 'oval:ssg-obj_sle15_server:obj:1' exists on the system.
I: oscap: 1 objects defined by 'oval:ssg-obj_sle15_server:obj:1' exist on the system.
I: oscap: All items matching object 'oval:ssg-obj_sle15_server:obj:1' were collected. (flag=complete)
I: oscap: In test 'oval:ssg-test_sle15_server:tst:1' all of the collected items must satisfy these states: 'oval:ssg-state_sle15_server:ste:1'.
I: oscap: Entity 'version'='15.2' of item '1130034' matches corresponding entity in state 'oval:ssg-state_sle15_server:ste:1'.
I: oscap: Item '1130034' compared to state 'oval:ssg-state_sle15_server:ste:1' with result true.
I: oscap: Test 'oval:ssg-test_sle15_server:tst:1' evaluated as true.
I: oscap: Evaluating rpminfo test 'oval:ssg-test_sles_15_for_sap:tst:1': SLES_SAP-release is version 15.
I: oscap: Querying rpminfo object 'oval:ssg-obj_sles_15_for_sap:obj:1', flags: 0.
I: oscap: Creating new syschar for rpminfo_object 'oval:ssg-obj_sles_15_for_sap:obj:1'.
I: oscap: I will run rpminfo_probe_main:
I: oscap: Package "SLES_SAP-release" not found.
I: oscap: Test 'oval:ssg-test_sles_15_for_sap:tst:1' requires that at least one object defined by 'oval:ssg-obj_sles_15_for_sap:obj:1' exists on the system.
I: oscap: 0 objects defined by 'oval:ssg-obj_sles_15_for_sap:obj:1' exist on the system.
I: oscap: No item matching object 'oval:ssg-obj_sles_15_for_sap:obj:1' was found on the system. (flag=does not exist)
I: oscap: Test 'oval:ssg-test_sles_15_for_sap:tst:1' evaluated as false.
I: oscap: Evaluating rpminfo test 'oval:ssg-test_suma_4:tst:1': SUMA is version 4.
I: oscap: Querying rpminfo object 'oval:ssg-obj_suma_4:obj:1', flags: 0.
I: oscap: Creating new syschar for rpminfo_object 'oval:ssg-obj_suma_4:obj:1'.
I: oscap: I will run rpminfo_probe_main:
I: oscap: Package "SUSE-Manager-Server-release" not found.
I: oscap: Test 'oval:ssg-test_suma_4:tst:1' requires that at least one object defined by 'oval:ssg-obj_suma_4:obj:1' exists on the system.
I: oscap: 0 objects defined by 'oval:ssg-obj_suma_4:obj:1' exist on the system.
I: oscap: No item matching object 'oval:ssg-obj_suma_4:obj:1' was found on the system. (flag=does not exist)
I: oscap: Test 'oval:ssg-test_suma_4:tst:1' evaluated as false.
I: oscap: Evaluating rpminfo test 'oval:ssg-test_sle_hpc:tst:1': SLE HPC release is version 15.
I: oscap: Querying rpminfo object 'oval:ssg-obj_sle_hpc:obj:1', flags: 0.
I: oscap: Creating new syschar for rpminfo_object 'oval:ssg-obj_sle_hpc:obj:1'.
I: oscap: I will run rpminfo_probe_main:
I: oscap: Package "SLE_HPC-release" not found.
I: oscap: Test 'oval:ssg-test_sle_hpc:tst:1' requires that at least one object defined by 'oval:ssg-obj_sle_hpc:obj:1' exists on the system.
I: oscap: 0 objects defined by 'oval:ssg-obj_sle_hpc:obj:1' exist on the system.
I: oscap: No item matching object 'oval:ssg-obj_sle_hpc:obj:1' was found on the system. (flag=does not exist)
I: oscap: Test 'oval:ssg-test_sle_hpc:tst:1' evaluated as false.
I: oscap: Definition 'oval:ssg-installed_OS_is_sle15:def:1' evaluated as true.
I: oscap: Evaluating definition 'oval:ssg-installed_OS_is_sle15:def:1': SUSE Linux Enterprise 15.
I: oscap: Definition 'oval:ssg-installed_OS_is_sle15:def:1' evaluated as true.
I: oscap: Evaluating definition 'oval:ssg-installed_env_is_a_machine:def:1': Check if the scan target is a machine.
I: oscap: Criteria are extended by definition 'oval:ssg-installed_env_is_a_container:def:1'.
I: oscap: Evaluating definition 'oval:ssg-installed_env_is_a_container:def:1': Check if the scan target is a container.
I: oscap: Evaluating file test 'oval:ssg-test_installed_env_is_a_docker_container:tst:1': Check if /.dockerenv exists.
I: oscap: Querying file object 'oval:ssg-object_installed_env_is_a_docker_container:obj:1', flags: 0.
I: oscap: Creating new syschar for file_object 'oval:ssg-object_installed_env_is_a_docker_container:obj:1'.
I: oscap: Starting probe on URI 'queue://file'.
I: oscap: I will run file_probe_main:
I: oscap: Opening file '/.dockerenv'.
I: oscap: Test 'oval:ssg-test_installed_env_is_a_docker_container:tst:1' requires that every object defined by 'oval:ssg-object_installed_env_is_a_docker_container:obj:1' exists on the system.
I: oscap: 0 objects defined by 'oval:ssg-object_installed_env_is_a_docker_container:obj:1' exist on the system.
I: oscap: Test 'oval:ssg-test_installed_env_is_a_docker_container:tst:1' does not contain any state to compare object with.
I: oscap: No item matching object 'oval:ssg-object_installed_env_is_a_docker_container:obj:1' was found on the system. (flag=does not exist)
I: oscap: Test 'oval:ssg-test_installed_env_is_a_docker_container:tst:1' evaluated as false.
I: oscap: Evaluating file test 'oval:ssg-test_installed_env_is_a_podman_container:tst:1': Check if /run/.containerenv exists.
I: oscap: Querying file object 'oval:ssg-object_installed_env_is_a_podman_container:obj:1', flags: 0.
I: oscap: Creating new syschar for file_object 'oval:ssg-object_installed_env_is_a_podman_container:obj:1'.
I: oscap: I will run file_probe_main:
I: oscap: Opening file '/run/.containerenv'.
I: oscap: Test 'oval:ssg-test_installed_env_is_a_podman_container:tst:1' requires that every object defined by 'oval:ssg-object_installed_env_is_a_podman_container:obj:1' exists on the system.
I: oscap: 0 objects defined by 'oval:ssg-object_installed_env_is_a_podman_container:obj:1' exist on the system.
I: oscap: Test 'oval:ssg-test_installed_env_is_a_podman_container:tst:1' does not contain any state to compare object with.
I: oscap: No item matching object 'oval:ssg-object_installed_env_is_a_podman_container:obj:1' was found on the system. (flag=does not exist)
I: oscap: Test 'oval:ssg-test_installed_env_is_a_podman_container:tst:1' evaluated as false.
I: oscap: Definition 'oval:ssg-installed_env_is_a_container:def:1' evaluated as false.
I: oscap: Definition 'oval:ssg-installed_env_is_a_machine:def:1' evaluated as true.
I: oscap: Evaluating definition 'oval:ssg-installed_env_is_osbuild:def:1': Check if the environment is a OSBuild pipeline.
I: oscap: Evaluating environmentvariable58 test 'oval:ssg-test_installed_env_is_osbuild:tst:1': environment variable container is set to bwrap-osbuild.
I: oscap: Querying environmentvariable58 object 'oval:ssg-object_installed_env_is_osbuild:obj:1', flags: 0.
I: oscap: Creating new syschar for environmentvariable58_object 'oval:ssg-object_installed_env_is_osbuild:obj:1'.
I: oscap: Starting probe on URI 'queue://environmentvariable58'.
I: oscap: I will run environmentvariable58_probe_main:
I: oscap: Can't find process with requested PID.
I: oscap: Test 'oval:ssg-test_installed_env_is_osbuild:tst:1' requires that every object defined by 'oval:ssg-object_installed_env_is_osbuild:obj:1' exists on the system.
I: oscap: 0 objects defined by 'oval:ssg-object_installed_env_is_osbuild:obj:1' exist on the system.
I: oscap: No item matching object 'oval:ssg-object_installed_env_is_osbuild:obj:1' was found on the system. (flag=does not exist)
I: oscap: Test 'oval:ssg-test_installed_env_is_osbuild:tst:1' evaluated as false.
I: oscap: Definition 'oval:ssg-installed_env_is_osbuild:def:1' evaluated as false.
I: oscap: This rule requires an OCIL check. OCIL checks are not supported by OpenSCAP.
I: oscap: Adding external variable oval:ssg-var_selinuxuser_execheap:var:1.
I: oscap: Evaluating definition 'oval:ssg-sebool_selinuxuser_execheap:def:1': Disable the selinuxuser_execheap SELinux Boolean.
I: oscap: Evaluating selinuxboolean test 'oval:ssg-test_sebool_selinuxuser_execheap:tst:1': selinuxuser_execheap is configured correctly.
I: oscap: Querying selinuxboolean object 'oval:ssg-object_sebool_selinuxuser_execheap:obj:1', flags: 0.
I: oscap: Creating new syschar for selinuxboolean_object 'oval:ssg-object_sebool_selinuxuser_execheap:obj:1'.
I: oscap: Starting probe on URI 'queue://selinuxboolean'.
I: oscap: I will run selinuxboolean_probe_main:
W: oscap: Can't receive message: 125, Operation canceled.
E: oscap: Recv: retry limit (0) reached.
I: oscap: Test 'oval:ssg-test_sebool_selinuxuser_execheap:tst:1' evaluated as (null).
I: oscap: Definition 'oval:ssg-sebool_selinuxuser_execheap:def:1' evaluated as unknown.
Result unknown
OpenSCAP Error: Probe at sd=1 (selinuxboolean) reported an error: Invalid type, value or format [/usr/local/openscap-1.3.8/src/OVAL/oval_probe_ext.c:384]
Unable to receive a message from probe [/usr/local/openscap-1.3.8/src/OVAL/oval_probe_ext.c:572]
Invalid oval result type: -1. [/usr/local/openscap-1.3.8/src/OVAL/results/oval_resultTest.c:181]
#
Seems that the problem appears with the selinuxboolean_object and friends
It looks like we need more logs in the probe. It either crashes or hangs.
I think I opened it with gdb and it exited but did not produce coredump.. if you think I can debug some specific function I guess I can walk through and provide some initial feedback
Something is wrong in selinuxboolean_probe.c. No idea what it is, but OTOH the probe is not that complex; all it does is a couple of calls to the selinux library. If you can pinpoint the location where it all goes south (not being able to retrieve a value), that would be great.
Just to document the effort, we have debugged the oscap tool in the reported situation, and it was caused by the oscap tool returning an error when one attempts to check selinuxboolean_object, when the system does not have selinux, i.e. security_get_boolean_names syscall returns error and sets errno ENOENT, i.e. there is no /selinux directory to keep selinux variables :)
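An added example, not part of the thread and not OpenSCAP code: a POSIX shell triage for the failure diagnosed in the last comment. It reads an oscap --verbose INFO log, attributes each "Recv: retry limit" error to the rule and probe that were running, and checks whether selinuxfs is mounted. The function names, the constructed sample log and the two mount points checked (/sys/fs/selinux and the legacy /selinux) are assumptions of the example.

```shell
#!/bin/sh
# Added example: explain "Result unknown" caused by a dead probe.

# selinuxfs_present [ROOT]: succeed if ROOT holds a selinuxfs "booleans"
# directory at the modern or the legacy mount point (assumed locations).
selinuxfs_present() {
    _root="${1:-}"
    for _mnt in /sys/fs/selinux /selinux; do
        [ -d "${_root}${_mnt}/booleans" ] && return 0
    done
    return 1
}

# failed_probes: read a verbose oscap log on stdin and print "RULE PROBE"
# for every receive failure, using the rule and probe seen last before it.
failed_probes() {
    awk -F"'" '
        /Evaluating XCCDF rule / { rule = $2 }
        /I will run [a-z0-9_]+_probe_main:/ {
            probe = $0
            sub(/^.*I will run /, "", probe)
            sub(/_probe_main:.*$/, "", probe)
        }
        /^E: oscap: Recv: retry limit/ { print rule " " probe }
    '
}

# explain_failures [ROOT]: turn each failure into a one-line diagnosis.
explain_failures() {
    _chk="${1:-}"
    failed_probes | while read -r rule probe; do
        case "$probe" in
            selinux*)
                if selinuxfs_present "$_chk"; then
                    echo "$rule: $probe probe failed although selinuxfs is present"
                else
                    echo "$rule: $probe probe failed, no selinuxfs (SELinux absent)"
                fi ;;
            *) echo "$rule: $probe probe failed" ;;
        esac
    done
}

# Constructed sample input, shortened from the log lines quoted in this thread.
sample_log() {
    cat <<'EOF'
I: oscap: Evaluating XCCDF rule 'xccdf_org.ssgproject.content_rule_sebool_selinuxuser_execheap'.
I: oscap: I will run rpminfo_probe_main:
I: oscap: I will run selinuxboolean_probe_main:
W: oscap: Can't receive message: 125, Operation canceled.
E: oscap: Recv: retry limit (0) reached.
EOF
}

sample_log | explain_failures ""
```

On a real scan, pipe the saved verbose log into explain_failures; a "no selinuxfs" line means the unknown result comes from SELinux being absent on the host rather than from the boolean's value.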
Description of Problem:
Trying to scan my RockyLinux8 host with the ANSSI security test and I have the following error :
OpenSCAP Version:
Operating System & Version:
Rocky Linux 8.7 4.18.0-425.13.1.el8_7.x86_64 #1 SMP Tue Feb 21 19:25:54 UTC 2023 x86_64 x86_64 x86_64 GNU/Linux
Steps to Reproduce:
sudo oscap xccdf eval --report unit-test-anssi-enhanced-scan.html --profile anssi_bp28_intermediary /usr/share/xml/scap/ssg/content/ssg-rl8-ds-1.2.xml
Actual Results: