[Open-scap] OpenSCAP hangs

Yao, Wenjie wenjie.yao at hp.com
Fri Dec 20 03:06:19 UTC 2013 

Thanks you all for your valuable inputs!

I'm trying to build it now with SCE enabled, but getting a number of errors for undefined references to pcre, such as "undefined reference to pcre_fullinfo". I do have pcre 8.34 installed. 

Anyone has a quick answer?

Thanks,
Wenjie

-----Original Message-----
From: open-scap-list-bounces at redhat.com [mailto:open-scap-list-bounces at redhat.com] On Behalf Of open-scap-list-request at redhat.com
Sent: Thursday, December 19, 2013 9:00 AM
To: open-scap-list at redhat.com
Subject: Open-scap-list Digest, Vol 57, Issue 11

Send Open-scap-list mailing list submissions to
	open-scap-list at redhat.com

To subscribe or unsubscribe via the World Wide Web, visit
	https://www.redhat.com/mailman/listinfo/open-scap-list
or, via email, send a message with subject or body 'help' to
	open-scap-list-request at redhat.com

You can reach the person managing the list at
	open-scap-list-owner at redhat.com

When replying, please edit your Subject line so it is more specific than "Re: Contents of Open-scap-list digest..."


Today's Topics:

   1. OpenSCAP hangs (Yao, Wenjie)
   2. Re: OpenSCAP hangs (Simon Lukasik)
   3. Re: OpenSCAP hangs (Gary Gapinski)
   4. Re: OpenSCAP hangs (Steve Grubb)


----------------------------------------------------------------------

Message: 1
Date: Thu, 19 Dec 2013 01:02:10 +0000
From: "Yao, Wenjie" <wenjie.yao at hp.com>
To: "open-scap-list at redhat.com" <open-scap-list at redhat.com>
Subject: [Open-scap] OpenSCAP hangs
Message-ID:
	<73F97EC79685ED428F392A7C046211F70CDFD4AF at G9W0763.americas.hpqcorp.net>
	
Content-Type: text/plain; charset="us-ascii"

Hi,

I'm evaluating OpenSCAP for a project and did a test scan using SSG benchmarks for Linux 6. I run the following command:
oscap xccdf eval --profile stig-rhel6-server --results ssg-results.xml --report ssg-results.html /usr/share/xml/scap/ssg/content/ssg-rhel6-xccdf.xml
The scan hangs at evaluating the rule, world_writable_files_system_ownership.

I have the following questions and would appreciate your insight:

1)      Why does the scan hang instead of reporting an error and continuing with the rest of the rules?

2)      Does OpenSCAP support timeout so that the scan can abort the measurement of a rule after a certain time limit (specified by user) has reached.

3)      When scanning of a rule is stuck or fails (with error), can OpenScap spawn another process to continue the rest of the scan?

Thanks,
Wenjie
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://www.redhat.com/archives/open-scap-list/attachments/20131219/ccfd6806/attachment.html>

------------------------------

Message: 2
Date: Thu, 19 Dec 2013 10:08:40 +0100
From: Simon Lukasik <slukasik at redhat.com>
To: "Yao, Wenjie" <wenjie.yao at hp.com>,	"open-scap-list at redhat.com"
	<open-scap-list at redhat.com>
Subject: Re: [Open-scap] OpenSCAP hangs
Message-ID: <52B2B798.4080509 at redhat.com>
Content-Type: text/plain; charset=windows-1252

On 12/19/2013 02:02 AM, Yao, Wenjie wrote:
> Hi,
> 
> I?m evaluating OpenSCAP for a project and did a test scan using SSG 
> benchmarks for Linux 6. I run the following command:
> 
> *oscap xccdf eval --profile stig-rhel6-server --results 
> ssg-results.xml --report ssg-results.html
> /usr/share/xml/scap/ssg/content/ssg-rhel6-xccdf.xml*
> 
> The scan hangs at evaluating the rule, 
> world_writable_files_system_ownership.
> 
>  

Hello Yao,

> 
> I have the following questions and would appreciate your insight:
> 
> 1)      Why does the scan hang

You will find out when you strace the processes of oscap.

>                                instead of reporting an error and 
> continuing with the rest of the rules?
> 
> 2)      Does OpenSCAP support timeout so that the scan can abort the
> measurement of a rule after a certain time limit (specified by user) 
> has reached.

This is not supported yet. The hard thing is to come-up with some reasonable default limit time.

> 
> 3)      When scanning of a rule is stuck or fails (with error), can
> OpenScap spawn another process to continue the rest of the scan?
> 

Another option would be to have everything parallelized from start. Some of the operations are cpu-bounded, others are disk-bounded or memory-bounded.

Best regards,

--
Simon Lukasik
Security Technologies



------------------------------

Message: 3
Date: Thu, 19 Dec 2013 07:31:29 -0500
From: Gary Gapinski <gapinski at nasa.gov>
To: "Yao, Wenjie" <wenjie.yao at hp.com>, "open-scap-list at redhat.com"
	<open-scap-list at redhat.com>
Subject: Re: [Open-scap] OpenSCAP hangs
Message-ID: <52B2E721.8050409 at nasa.gov>
Content-Type: text/plain; charset="ISO-8859-1"; format=flowed

Hello, Wenjie:

On 12/18/2013 08:02 PM, Yao, Wenjie wrote:
>
> I have the following questions and would appreciate your insight:
>
> 1)Why does the scan hang instead of reporting an error and continuing 
> with the rest of the rules?
>

The rule references an OVAL definition which uses a test that scans all 
local file systems for regular files that are world-writeable. This can 
be quite expensive when occupied local storage is large.

Such tests have been problematic for years; more so as large storage 
becomes common.

The XCCDF <Rule> can be removed from consideration by commenting out the 
related <select> elements in any <Profile>, or setting their "selected" 
attribute to "false". A variation on this is to clone a <Profile> and 
de-select such <Rule>s.

There are several other expensive <Rule>s in the vicinity of that one.

> 2)Does OpenSCAP support timeout so that the scan can abort the 
> measurement of a rule after a certain time limit (specified by user) 
> has reached.
>

As Simon points out, no, but it is a good idea. As neither XCCDF nor 
OVAL has any provision for specifying such a limit, it could be imposed 
arbitrarily by an application (either per-check, per-evaluation, or both).

As there is no XCCDF construct specifically for this, an XML 
processing-instruction could perhaps be used.

> 3)When scanning of a rule is stuck or fails (with error), can OpenScap 
> spawn another process to continue the rest of the scan?
>

Little discussion of parallelization of SCAP checks has occurred on 
SCAP-related mailing lists. Neither XCCDF nor OVAL specifically promotes 
or prohibits such. However, SCAP content creators have likely assumed 
that checks occur sequentially. In theory, though perhaps not in 
practice, all checks can be considered to occur simultaneously. This 
levies a requirement that checks do not individually or collectively 
have side effects (have no implied partial ordering and are idempotent).

Regards,

Gary



------------------------------

Message: 4
Date: Thu, 19 Dec 2013 08:38:29 -0500
From: Steve Grubb <sgrubb at redhat.com>
To: open-scap-list at redhat.com
Cc: "Yao, Wenjie" <wenjie.yao at hp.com>
Subject: Re: [Open-scap] OpenSCAP hangs
Message-ID: <1916289.q5AYanBq8y at x2>
Content-Type: text/plain; charset="us-ascii"

On Thursday, December 19, 2013 07:31:29 AM Gary Gapinski wrote:
> Hello, Wenjie:
> 
> On 12/18/2013 08:02 PM, Yao, Wenjie wrote:
> > I have the following questions and would appreciate your insight:
> > 
> > 1)Why does the scan hang instead of reporting an error and continuing
> > with the rest of the rules?
> 
> The rule references an OVAL definition which uses a test that scans all
> local file systems for regular files that are world-writeable. This can
> be quite expensive when occupied local storage is large.
> 
> Such tests have been problematic for years; more so as large storage
> becomes common.

And there is also another possibility. What if the directory contains a 
symlink loop? We already know that /proc has these. And if the content is not 
written carefully such that it causes traversal of a symlink loop, this will 
happen. The OVAL specification was not based off of the find command which 
specifies a 1 time traversal and errors out when encountering a loop. So, this 
is something to think about when writing content that starts a / looking for a 
certain kind of file.

-Steve



------------------------------

_______________________________________________
Open-scap-list mailing list
Open-scap-list at redhat.com
https://www.redhat.com/mailman/listinfo/open-scap-list

End of Open-scap-list Digest, Vol 57, Issue 11
**********************************************

More information about the Open-scap-list mailing list