[Open-scap] Library debugging and "OpenSCAP Error: Unable to receive a message from probe"

Daniel Kopecek dkopecek at redhat.com
Mon Apr 15 15:12:03 UTC 2013 

On 04/15/2013 04:39 PM, Richard W.M. Jones wrote:
> Whenever I run 'oscap oval eval' (both from git and from the version
> in Fedora) I get this opaque error message:
>
>    OpenSCAP Error: Unable to receive a message from probe
>
> After enabling debugging, the true story seems to be some sort of
> S-expression type incompatibility in the internal protocol.  The real
> error appears to be:
>
>    (15460:7f8751dd8800) [I:seap-packet.c:476:SEAP_packet_sexp2err] Invalid type of :orig_id value
>    (15460:7f8751dd8800) [I:seap-packet.c:867:SEAP_packet_recv] Invalid SEAP packet received: can't translate to err struct.
>
> You'd never know that from the printed error message, nor be able to
> diagnose this in the field because enabling debug messages has to
> happen at compile time, and they get sent to random
> 'oscap_debug.log.<PID>' files in whatever happens to be the current
> directory.
>
> It has to be said, this behaviour is not great for usability, and I
> predict it will cause endless problems in production.
>
> I think debugging should always be included in the library, even in
> production builds, and it should be possible to switch it on at any
> time by flipping a switch (eg. config file, environment variable,
> command line flag), and that debug messages should go somewhere
> useful, eg. stderr.
>
> This is a rather large change, so I wonder if you'd be happy to
> receive patches to this end?
Sure.
> I'd also be interested in why the original bug happens in the first
> place.
There is for sure a bug in the error packet translation code. The probe 
sent a valid
error packet as a reply to the object it received. I'll look at this.

However, it looks like there's also a bug in the content, which is 
rather old (F-14)
and I don't know how much it was tested. The textfilecontent54 probe doesn't
like something about the regexp it received with the object. CCing the 
author
of the probe, he should be able to explain the problem in more detail. 
Here's the
message from the probe's debug log:

(19887:7f8064919700) [I:probes/probe-api.c:921:probe_msg_creatf] 
pcre_compile() 'alias[:space:]net\-pf\-31[:space:]off' POSIX named 
classes are supported only within a class.

The input object was:
------
  ("seap.msg" ":id" 74 (("textfilecontent54_object" ":id" 
"oval:org.open-scap.f14:obj:2020151" ":oval_version" 84213760 ) (("path" 
":operation" 5 ":var_check" 1 ) "/etc/modprobe.d" ) (("filename" 
":operation" 11 ":var_check" 1 ) ".*\.conf" ) (("pattern" ":operation" 
11 ":var_check" 1 ) "alias[:space:]net\-pf\-31[:space:]off" ) 
(("instance" ":operation" 5 ":var_check" 1 ) 1 ) ) )
-----------

Dan K.

> Rich.
>
>
>
> _______________________________________________
> Open-scap-list mailing list
> Open-scap-list at redhat.com
> https://www.redhat.com/mailman/listinfo/open-scap-list

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://listman.redhat.com/archives/open-scap-list/attachments/20130415/429adbff/attachment.htm>

More information about the Open-scap-list mailing list