oscap 1.3.9 coredumps while processing the latest Ubuntu 24.04 compliance control file #2188

Open
bhattisatish opened this issue Dec 13, 2024 · 6 comments

@bhattisatish

Description of Problem:

While running the latest Ubuntu 24.04 XCCDF file, the oscap command fails with a core dump.
The last message seen is:

oscap: ./src/XCCDF_POLICY/xccdf_policy.c:627: xccdf_policy_is_item_selected: Assertion `false' failed.
Aborted (core dumped)

OpenSCAP Version:

OpenSCAP command line tool (oscap) 1.3.9

Operating System & Version:

Distributor ID: Ubuntu
Description: Ubuntu 24.04.1 LTS
Release: 24.04
Codename: noble

Steps to Reproduce:

  1. git clone https://github.com/complianceascode/content.git
  2. cd content/ and ./build_product ubuntu2404 and cd ..
  3. Run either of the following commands:
    • oscap xccdf eval --profile xccdf_org.ssgproject.content_profile_cis_level1_workstation --results arf1.xml --report report1.html content/build/ssg-ubuntu2404-ds.xml
    • oscap xccdf eval --profile xccdf_org.ssgproject.content_profile_cis_level2_workstation --results arf2.xml --report report2.html content/build/ssg-ubuntu2404-ds.xml

Actual Results:

The last successful message was:

Title   Enable PAM
Rule    xccdf_org.ssgproject.content_rule_sshd_enable_pam

Result  pass

And the error message seen is:

oscap: ./src/XCCDF_POLICY/xccdf_policy.c:627: xccdf_policy_is_item_selected: Assertion `false' failed.
Aborted (core dumped)

Expected Results:

A successful run with arf1.xml with the results and report1.html with the final evaluation report.

Additional Information / Debugging Steps:

Coredump file is available for download, if it is of any help.

@evgenyz
Contributor

evgenyz commented Dec 13, 2024

Hey, @bhattisatish. It might help to have verbose logs: oscap --verbose=DEVEL xccdf eval --profile xccdf_org.ssgproject.content_profile_cis_level1_workstation --results arf1.xml --report report1.html content/build/ssg-ubuntu2404-ds.xml.

@bhattisatish
Author

After running in DEVEL mode, the log has the following:

I: oscap: Test 'oval:ssg-test_UsePAM_present_sshd_enable_pam:tst:1' requires that at least one object defined by 'oval:ssg-obj_collection_obj_sshd_enable_pam:obj:1' exists on the system. [oscap(2114978):oscap(7a519b71fbc0):oval_resultTest.c:906:_oval_result_test_evaluate_items]
I: oscap: 0 objects defined by 'oval:ssg-obj_collection_obj_sshd_enable_pam:obj:1' exist on the system. [oscap(2114978):oscap(7a519b71fbc0):oval_resultTest.c:918:_oval_result_test_evaluate_items]
I: oscap: Test 'oval:ssg-test_UsePAM_present_sshd_enable_pam:tst:1' does not contain any state to compare object with. [oscap(2114978):oscap(7a519b71fbc0):oval_resultTest.c:920:_oval_result_test_evaluate_items]
I: oscap: No item matching object 'oval:ssg-obj_collection_obj_sshd_enable_pam:obj:1' was found on the system. (flag=does not exist) [oscap(2114978):oscap(7a519b71fbc0):oval_resultTest.c:954:_oval_result_test_evaluate_items]
I: oscap: Test 'oval:ssg-test_UsePAM_present_sshd_enable_pam:tst:1' evaluated as false. [oscap(2114978):oscap(7a519b71fbc0):oval_resultTest.c:1164:oval_result_test_eval]
I: oscap: Definition 'oval:ssg-sshd_enable_pam:def:1' evaluated as true. [oscap(2114978):oscap(7a519b71fbc0):oval_resultDefinition.c:170:oval_result_definition_eval]
oscap: ./src/XCCDF_POLICY/xccdf_policy.c:627: xccdf_policy_is_item_selected: Assertion `false' failed.
^C

The complete log file is attached.
eval.log.gz
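
A triage sketch for a log like the one quoted above, added here as an example (not part of the original thread and not OpenSCAP code): it locates the assert abort line and lists the OVAL evaluations logged just before it. The line formats are inferred from the lines quoted in this issue; the function name `triage` and the shortened sample log are constructed for illustration.

```python
import re

# Constructed sample: three lines in the shape of the DEVEL log quoted in this issue.
SAMPLE_LOG = """\
I: oscap: Test 'oval:ssg-test_UsePAM_present_sshd_enable_pam:tst:1' evaluated as false. [oscap(2114978):oscap(7a519b71fbc0):oval_resultTest.c:1164:oval_result_test_eval]
I: oscap: Definition 'oval:ssg-sshd_enable_pam:def:1' evaluated as true. [oscap(2114978):oscap(7a519b71fbc0):oval_resultDefinition.c:170:oval_result_definition_eval]
oscap: ./src/XCCDF_POLICY/xccdf_policy.c:627: xccdf_policy_is_item_selected: Assertion `false' failed.
"""

# Verbose line: "<level>: oscap: <message> [oscap(pid):oscap(tid):file:line:function]"
VERBOSE = re.compile(
    r"^(?P<level>[A-Z]): oscap: (?P<msg>.*) "
    r"\[oscap\(\d+\):[^:\]]+:(?P<file>[^:\]]+):(?P<line>\d+):(?P<func>\w+)\]$")
# glibc assert abort line: "<prog>: <file>:<line>: <func>: Assertion `<expr>' failed."
ASSERT = re.compile(
    r"^(?P<prog>[^:]+): (?P<file>[^:]+):(?P<line>\d+): (?P<func>\w+): "
    r"Assertion `(?P<expr>.*)' failed\.$")
# Message body of an OVAL test/definition result line.
EVALUATED = re.compile(
    r"^(?P<kind>Test|Definition) '(?P<id>[^']+)' evaluated as (?P<result>\w+)\.$")

def triage(log_text, context=5):
    """Return the assertion location and the last OVAL evaluations logged before it."""
    evaluations = []
    for raw in log_text.splitlines():
        line = raw.strip()
        hit = ASSERT.match(line)
        if hit:
            return {"file": hit["file"], "line": int(hit["line"]),
                    "function": hit["func"], "expression": hit["expr"],
                    "last_evaluations": evaluations[-context:]}
        verbose = VERBOSE.match(line)
        if verbose:
            ev = EVALUATED.match(verbose["msg"])
            if ev:
                evaluations.append((ev["kind"], ev["id"], ev["result"]))
    return None  # no assertion failure found in this log

if __name__ == "__main__":
    print(triage(SAMPLE_LOG))
```
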

@evgenyz
Contributor

evgenyz commented Dec 13, 2024

Can you please also attach the data stream you've built? There is something fishy in it.

@bhattisatish
Author

@evgenyz I am not very comfortable with the content files and how they all work. Not sure what files are useful and which are not needed. Sharing the whole build directory.

The entry point is the content/build/ssg-ubuntu2404-ds.xml which is importing content/build/ssg-ubuntu2404-*.xml.
There are similar files in content/build/ubuntu2404/. I see lots of references to these in the main entry file.

Hope these are useful.

You can also generate them by just following the steps to reproduce described above.

content-build.tar.gz

@Mab879
Member

Mab879 commented Dec 16, 2024

I'm able to reproduce on the shipping version in Ubuntu 24.04. But can't reproduce on latest main or maint-1.3.

@evgenyz
Contributor

evgenyz commented Dec 16, 2024

> I'm able to reproduce on the shipping version in Ubuntu 24.04. But can't reproduce on latest main or maint-1.3.

Thank you @Mab879! I'm not closing it for now, I just might be able to track down the exact reason. @bhattisatish Meanwhile, please contact Ubuntu maintainers.

@evgenyz evgenyz self-assigned this Dec 16, 2024