OpenSCAP / openscap

NIST Certified SCAP 1.2 toolkit
https://www.open-scap.org/tools/openscap-base
GNU Lesser General Public License v2.1

W: oscap: Filesystem tree cycle detected at /dev/... #2124

Closed gaure closed 1 month ago

gaure commented 1 month ago

Thanks!

Description of Problem:

When running oscap command:

$ oscap xccdf eval --profile xccdf_org.ssgproject.content_profile_stig --results-arf arf.xml --report report.html --oval-results scap-security-guide-0.1.73/ssg-ubuntu2204-ds-1.2.xml

The oscap goes into an infinite loop with the following error:

W: oscap: Filesystem tree cycle detected at '/dev/groqA3.pci/driver/0000:01:00.0/subsystem/devices/0000:03:00.0/firmware_node/wakeup/wakeup33/subsystem/wakeup58/device/device:e4/physical_node/0000:e5:00.0/i2c-3/subsystem/devices/i2c-1/device/iommu_group/devices/0000:00:14.3/firmware_node/PNP0501:01/physical_node/driver/00:03/firmware_node/subsystem/devices/device:158/physical_node/iommu/devices/0000:a0:07.1/firmware_node/device:156/physical_node/dma/dma14chan0/subsystem/dma3chan0/device/driver/0000:02:00.2/iommu/devices/0000:03:00.3/usb1/firmware_node/physical_node3/subsystem/devices/5-2/5-2.4/driver/usb5/5-2

OpenSCAP Version:

OpenSCAP command line tool (oscap) 1.4.0
Copyright 2009--2023 Red Hat Inc., Durham, North Carolina.

==== Supported specifications ====
SCAP Version: 1.3
XCCDF Version: 1.2
OVAL Version: 5.11.1
CPE Version: 2.3
Asset Identification Version: 1.1
Asset Reporting Format Version: 1.1

Operating System & Version:

Ubuntu 22.04.

Steps to Reproduce:

  1. Compile openscanlib from source.
  2. Run the oscap eval command using the Ubuntu 22.04 datastream file on hardware with "groq LPU hardware and software installed"

Actual Results:

Infinite loop.

--- Starting Evaluation ---

Title Install AIDE
Rule xccdf_org.ssgproject.content_rule_package_aide_installed
Result fail

Title Build and Test AIDE Database
Rule xccdf_org.ssgproject.content_rule_aide_build_database
Result fail

Title Configure AIDE to Verify the Audit Tools
Rule xccdf_org.ssgproject.content_rule_aide_check_audit_tools
Result fail

Title Configure AIDE To Notify Personnel if Baseline Configurations Are Altered
Rule xccdf_org.ssgproject.content_rule_aide_disable_silentreports
W: oscap: Filesystem tree cycle detected at '/dev/groqA3.pci/iommu_group/devices/0000:61:00.0'.
W: oscap: Filesystem tree cycle detected at '/dev/groqA3.pci/driver/0000:01:00.0/iommu_group/devices/0000:01:00.0'.
W: oscap: Filesystem tree cycle detected at '/dev/groqA3.pci/driver/0000:01:00.0/driver'.
W: oscap: Filesystem tree cycle detected at '/dev/groqA3.pci/driver/0000:01:00.0/subsystem/devices/0000:03:00.0/iommu_group/devices/0000:03:00.0'.
W: oscap: Filesystem tree cycle detected at '/dev/groqA3.pci/driver/0000:01:00.0/subsystem/devices/0000:03:00.0/firmware_node/wakeup/wakeup33/device'.
W: oscap: Filesystem tree cycle detected at '/dev/groqA3.pci/driver/0000:01:00.0/subsystem/devices/0000:03:00.0/firmware_node/wakeup/wakeup33/subsystem/wakeup58/device/device:e4/wakeup/wakeup60/device'.
W: oscap: Filesystem tree cycle detected at '/dev/groqA3.pci/driver/0000:01:00.0/subsystem/devices/0000:03:00.0/firmware_node/wakeup/wakeup33/subsystem/wakeup58/device/device:e4/wakeup/wakeup60/subsystem'.
W: oscap: Filesystem tree cycle detected at '/dev/groqA3.pci/driver/0000:01:00.0/subsystem/devices/0000:03:00.0/firmware_node/wakeup/wakeup33/subsystem/wakeup58/device/device:e4/physical_node/iommu_group/devices/0000:e3:02.0'

Expected Results:

Recursion problem solved, as stated in https://github.com/OpenSCAP/openscap/pull/1534.

Additional Information / Debugging Steps:

NA

gaure commented 1 month ago

This problem is most likely caused by the symbolic links in the /dev directory.

evgenyz commented 1 month ago

I wonder which rule actually fails, it can't be xccdf_org.ssgproject.content_rule_aide_disable_silentreports. Can you please provide full verbose log?

gaure commented 1 month ago

Hi evgenyz, thanks for the prompt response.

Yes, it is the Aide rule. I customized the profile and removed the rule, and the scan job finished in less than 2 minutes.

I am working on the verbose logs.

gaure commented 1 month ago

Hi evgenyz,

Attached are the verbose logs. It is a big file, so I just captured a few lines at the beginning of the aide rule. You will see when the rule is parsing the "proc" file system, but the issue is when it starts parsing "/dev". I have had the scan running for 62 hours and it does not get out of the "/dev" filesystem. Eventually it crashes because of memory problems.

Thanks!

log-trim.txt.gz

evgenyz commented 1 month ago

You can use --rule rule_id to execute just a single rule to avoid collecting unrelated logs.

gaure commented 1 month ago

Hi Evgenyz,

Any idea why the probe_file doesn't stop after a predefined depth to avoid the loop? Or do you still need the verbose logs only for that rule? Even with a single rule selection, the logs will still be very large.

Best, GA
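
Added example, not part of the thread and not OpenSCAP code: a small walker showing why a symlink-following traversal that only checks for cycles along the current path (an assumption about the behaviour behind the warnings above) always terminates yet can revisit a cross-linked tree a huge number of times, and how a depth cap or a visited-inode set bounds it. The `devN`/`peerN` tree layout and all function names are constructed for illustration.

```python
import os
import tempfile

def build_crosslinked_tree(root, n):
    """Constructed sample: n device dirs, each symlinking to every other one."""
    top = os.path.join(root, "devices")
    for i in range(n):
        os.makedirs(os.path.join(top, f"dev{i}"))
    for i in range(n):
        for j in range(n):
            if i != j:
                os.symlink(os.path.join(top, f"dev{j}"),
                           os.path.join(top, f"dev{i}", f"peer{j}"))
    return top

def walk(top, max_depth=None, dedupe=False):
    """Follow symlinks depth-first; return (dirs_visited, cycles_detected)."""
    visited = cycles = 0
    seen = set()

    def recurse(path, ancestors, depth):
        nonlocal visited, cycles
        st = os.stat(path)                      # resolves symlinks
        key = (st.st_dev, st.st_ino)
        if key in ancestors:                    # loop on the current path only
            cycles += 1
            return
        if dedupe:
            if key in seen:                     # reached before via another path
                return
            seen.add(key)
        visited += 1
        if max_depth is not None and depth >= max_depth:
            return
        for entry in os.scandir(path):
            if entry.is_dir():                  # follows symlinks by default
                recurse(entry.path, ancestors | {key}, depth + 1)

    recurse(top, frozenset(), 0)
    return visited, cycles

def demo(n=6):
    """Run the three traversal modes over the same constructed tree."""
    with tempfile.TemporaryDirectory() as root:
        top = build_crosslinked_tree(root, n)
        return {"ancestor_check_only": walk(top),
                "depth_cap_3": walk(top, max_depth=3),
                "visited_set": walk(top, dedupe=True)}

if __name__ == "__main__":
    for mode, (visited, cycles) in demo().items():
        print(f"{mode:20} dirs={visited:5} cycle_warnings={cycles}")
```

With six cross-linked directories the ancestor-only walk makes 1,957 directory visits and reports 7,830 cycles, against 7 visits with the visited set; the count grows factorially with the number of cross-linked directories.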

evgenyz commented 1 month ago

Is the definition of the object in your DS like this:

<unix:file_object id="oval:ssg-obj_aide_disable_silentreports_config_file:obj:1" version="1" comment="The configuration file /etc/default/aide for aide_disable_silentreports">
   <unix:filepath operation="pattern match">^/etc/default/aide</unix:filepath>
</unix:file_object>

?

evgenyz commented 1 month ago

Probably your problem is this: https://github.com/ComplianceAsCode/content/pull/11973

gaure commented 1 month ago

Thanks a million @evgenyz, I will apply the patch. Have a great weekend.

gaure commented 1 month ago

Problem with the scap-security-guide-0.1.73 content