[Open-scap] OVAL sysctl_test: possible bug

Jan Cerny jcerny at redhat.com
Thu Oct 22 06:51:10 UTC 2015


Hello Dragos,

Thank you very much for reporting this issue.

The error looks very suspicious and I'm very interested in it.
However, I can't reproduce it on my system. Isn't there something
wrong with your /tmp?

I will try to investigate it more, but we test the info module in our
upstream test suite and it's passing.


Regards

Jan Černý
Security Technologies | Red Hat, Inc.

----- Original Message -----
> From: "Dragos Prisaca" <dragos.prisaca at g2-inc.com>
> To: "Jan Cerny" <jcerny at redhat.com>
> Cc: "Zbynek Moravec" <zmoravec at redhat.com>
> Sent: Wednesday, 21 October, 2015 3:57:58 PM
> Subject: RE: [Open-scap] OVAL sysctl_test: possible bug
> 
> Hello Jan,
> 
> I am running OpenSCAP built from maint-1.0 branch ("OpenSCAP command line
> tool (oscap) 1.2.6") and having issues with the "info" module:
> 
> 	[root at localhost scap-security-guide-0.1.26-oval-5.10]# oscap info ssg-rhel6-ds.xml
> 	Document type: Source Data Stream
> 	Imported: 2015-10-20T10:51:14
> 
> 	Stream: scap_org.open-scap_datastream_from_xccdf_ssg-rhel6-xccdf-1.2.xml
> 	Generated: (null)
> 	Version: 1.2
> 	Checklists:
> 	        Ref-Id: scap_org.open-scap_cref_ssg-rhel6-xccdf-1.2.xml
> 	OpenSCAP Error: Unable to open file: '/tmp/oscap.InUnic/xccdf.xml' [oscap_source.c:220]
> 	Failed to import XCCDF content from '/tmp/oscap.InUnic/xccdf.xml'. [benchmark.c:73]
> 
> Is this a known issue or is something wrong with my local copy?
> 
> Respectfully,
> _Dragos.
> 
> 
> -----Original Message-----
> From: Dragos Prisaca [mailto:dragos.prisaca at g2-inc.com]
> Sent: Tuesday, October 20, 2015 12:37 PM
> To: 'Jan Cerny'
> Cc: 'Zbynek Moravec'
> Subject: RE: [Open-scap] OVAL sysctl_test: possible bug
> 
> Thank you Jan!
> I was able to install the latest version from the branch and everything
> seems to work as expected. I'll let you know if I find anything else.
> 
> Thanks,
> _Dragos.
> 
> 
> 
> -----Original Message-----
> From: Jan Cerny [mailto:jcerny at redhat.com]
> Sent: Friday, October 16, 2015 5:36 AM
> To: Dragos Prisaca
> Cc: open-scap-list at redhat.com; Zbynek Moravec
> Subject: Re: [Open-scap] OVAL sysctl_test: possible bug
> 
> Hello Dragos,
> 
> Thank you very much for your report.
> This was a known issue. See https://fedorahosted.org/openscap/ticket/439
> It has already been fixed upstream.
> See pull request https://github.com/OpenSCAP/openscap/pull/119
> The fix has been included in OpenSCAP 1.2.6 release.
> More details can be provided by Zbyněk Moravec, who has implemented it
> (adding him to CC).
> 
> Best regards
> 
> 
> Jan Černý
> Security Technologies | Red Hat, Inc.
> 
> ----- Original Message -----
> > From: "Dragos Prisaca" <dragos.prisaca at g2-inc.com>
> > To: "Jan Cerny" <jcerny at redhat.com>
> > Sent: Friday, October 16, 2015 4:07:19 AM
> > Subject: RE: [Open-scap] OVAL sysctl_test: possible bug
> >
> > Hello Jan,
> >
> > I think I found another issue with the @role attribute of
> > xccdf:refine-rule or xccdf:Rule. According to the Table 9: "<xccdf:Rule>
> > Element Properties"
> > of the XCCDF 1.2 specification, if the @role is set to "unchecked"
> > the results for the rule shall be "notchecked".
> > Can you please verify and confirm?
> >
> > Thanks,
> > _Dragos.
> >
> >
> >
> > -----Original Message-----
> > From: Jan Cerny [mailto:jcerny at redhat.com]
> > Sent: Saturday, October 10, 2015 4:05 AM
> > To: Dragos Prisaca
> > Cc: open-scap-list at redhat.com
> > Subject: Re: [Open-scap] OVAL sysctl_test: possible bug
> >
> > Hello Dragos,
> >
> > A fix for this issue was merged to OpenSCAP upstream maint-1.0 branch.
> > See this pull request: https://github.com/OpenSCAP/openscap/pull/177
> > The fix will be part of next OpenSCAP release.
> >
> > If you have any other problem, feel free to write us!
> >
> > Best regards
> >
> > Jan Černý
> > Security Technologies | Red Hat, Inc.
> >
> > ----- Original Message -----
> > > From: "Dragos Prisaca" <dragos.prisaca at g2-inc.com>
> > > To: "Jan Cerny" <jcerny at redhat.com>
> > > Cc: open-scap-list at redhat.com
> > > Sent: Wednesday, October 7, 2015 4:33:55 PM
> > > Subject: RE: [Open-scap] OVAL sysctl_test: possible bug
> > >
> > > Thank you Jan for looking into this issue!
> > > Please let me know when you have a fix for it.
> > >
> > > Thanks,
> > > _Dragos.
> > >
> > > -----Original Message-----
> > > From: Jan Cerny [mailto:jcerny at redhat.com]
> > > Sent: Wednesday, October 07, 2015 10:23 AM
> > > To: Dragos Prisaca
> > > Cc: open-scap-list at redhat.com
> > > Subject: Re: [Open-scap] OVAL sysctl_test: possible bug
> > >
> > > Hello Dragos,
> > >
> > > Thank you very much for reporting this issue.
> > >
> > > It seems like a bug in OpenSCAP. I have reproduced it on my Fedora 22.
> > > While OpenSCAP is evaluating the sysctl_test, it tries to read from
> > > files:
> > > /proc/sys/net/ipv4/route/flush
> > > /proc/sys/net/ipv6/route/flush
> > > /proc/sys/vm/compact_memory
> > > These files are write-only; it is not possible to read from them.
> > > The "sysctl" utility skips write-only files.
> > > I think that OpenSCAP should do the same thing.
> > >
> > > I have found another similar issue with sysctl_test when reading
> > > from files /proc/sys/net/ipv6/conf/*/stable-secret. But these files
> > > are new since Linux 4.1, so it wouldn't affect RHEL 5 or 6.
> > >
> > > I am going to investigate those issues more and fix them if possible.
> > >
> > > Regards
> > >
> > > Jan Černý
> > > Security Technologies | Red Hat, Inc.
> > >
> > > ----- Original Message -----
> > > > From: "Dragos Prisaca" <dragos.prisaca at g2-inc.com>
> > > > To: open-scap-list at redhat.com
> > > > Sent: Monday, October 5, 2015 5:17:28 PM
> > > > Subject: [Open-scap] OVAL sysctl_test: possible bug
> > > >
> > > >
> > > >
> > > > Hello,
> > > >
> > > >
> > > >
> > > > We are preparing to release a new version of the SCAP validation
> > > > test content for RHEL and I am having issues running the OVAL
> > > > sysctl_test on RHEL 5 and 6 systems. The majority of the items for
> > > > the obj:1 are collected fine, but for some reason, one of the
> > > > items has the flag attribute equal to “error”:
> > > > “<unix-sys:sysctl_item id="130667227" status="error"/>”
> > > >
> > > > The content seems to run fine with other SCAP tools. Please find
> > > > attached the source content and let me know if you have any questions.
> > > >
> > > > Your support is greatly appreciated!
> > > >
> > > >
> > > >
> > > > Respectfully,
> > > >
> > > > _Dragos.
> > > >
> > > >
> > > >
> > > > ---
> > > >
> > > > Dragos Prisaca
> > > >
> > > > NVLAP Technical Expert
> > > >
> > > > NIST SCAP Validation Program | http://scap.nist.gov/validation
> > > >
> > > >
> > > >
> > >
> >
> 
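
The behaviour proposed in the 7 October message quoted above (skip write-only files under /proc/sys, as the "sysctl" utility does, instead of emitting an item with status="error"), shown as an added example; it is not OpenSCAP's code and not the fix from the pull requests. The names sysctl_collect and demo, and the temporary file standing in for a /proc/sys entry, are assumptions made for the example.

```c
#define _POSIX_C_SOURCE 200809L
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

enum sysctl_status { SYSCTL_VALUE, SYSCTL_SKIPPED, SYSCTL_ERROR };
char demo_buf[64];                      /* last value read by demo() */

/* Collect one sysctl entry. The skip decision is taken from the mode bits,
 * before any open(), so a write-only entry never becomes an error item. */
enum sysctl_status sysctl_collect(const char *path, char *buf, size_t len)
{
    struct stat st;
    if (stat(path, &st) != 0 || !S_ISREG(st.st_mode))
        return SYSCTL_ERROR;
    if ((st.st_mode & (S_IRUSR | S_IRGRP | S_IROTH)) == 0)
        return SYSCTL_SKIPPED;          /* write-only, e.g. mode 0200 */
    int fd = open(path, O_RDONLY);
    if (fd < 0) return SYSCTL_ERROR;
    ssize_t n = read(fd, buf, len - 1);
    close(fd);
    if (n < 0)
        return SYSCTL_ERROR;            /* readable by mode, read() failed */
    buf[n] = '\0';
    buf[strcspn(buf, "\n")] = '\0';     /* drop trailing newline */
    return SYSCTL_VALUE;
}

/* Constructed sample: one file in a temp dir stands in for a /proc/sys entry. */
enum sysctl_status demo(mode_t mode, const char *content)
{
    char dir[] = "/tmp/sysctl_demo.XXXXXX", path[64];
    if (mkdtemp(dir) == NULL) return SYSCTL_ERROR;
    snprintf(path, sizeof path, "%s/entry", dir);
    int fd = open(path, O_WRONLY | O_CREAT | O_EXCL, 0600);
    int ok = fd >= 0 && write(fd, content, strlen(content)) >= 0
                     && fchmod(fd, mode) == 0;
    if (fd >= 0) close(fd);
    enum sysctl_status s = ok ? sysctl_collect(path, demo_buf, sizeof demo_buf)
                              : SYSCTL_ERROR;
    unlink(path);
    rmdir(dir);
    return s;
}

int main(void) { printf("0200 -> %d, 0644 -> %d\n", demo(0200, "1\n"), demo(0644, "1\n")); return 0; }
```

Checking the mode with stat() rather than waiting for open() or read() to fail keeps the result the same whether or not the scanner runs as root.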



