Skip certain paths from scanning #2052
Conversation
|
To my taste |
|
There are already some workarounds for the demand to exclude directories from an oscap scan, as described in this article https://access.redhat.com/solutions/4193501. So there are valid cases when this behavior might be required. I believe this new option would make it much easier, compared to other workarounds, for users to consciously avoid some directories by whatever reason. Since the idea is to introduce this option without defaults, there is no change of behavior by default while the tool will still offer the option for the user. |
|
One concern with this proposal that I have is that we won't be able to "block" the selected paths completely as it's hard and laborous to track all the places across the code where a file path is opened. Also, the results of doing it this way can be different than a solution with wrapping OpenSCAP to a systemd service with paths excluded. This solution prevents probes from collecting items whose path matches the given path. OTOH the systemd service blocks the open calls which return errors. Probes and follow up logic react to these situations differently. |
That's exactly why we haven't tried to actually implement this feature in the past (it has been discussed multiple times). On the other hand, since this feature is not standardized in any way, we could do something and then improve based on the feedback. We should just have to make sure it is clear that the feature is experimental and technically violates OVAL. The systemd approach is more consistent, but less convenient. I can suggest exploring the option of doing what systemd is doing, but on the scanner side (which might not be easy as well). |
But, to be noted, the issue with users is not connected to the fact that systemd service is not convenient, but rather to the idea that skipping some paths is not acceptable, as far as I understand. This, if true, makes the whole effort a bit questionable. |
We should not expect this option will be used in all cases. The users are free to decide if they want or not to use this new option for their cases. Users who would benefit from this option currently have to use an inconvenient workaround. This option will make their experiences better. Based on the @jan-cerny concerns, I think makes a lot of sense to communicate this option as experimental. It doesn't need to be perfect now. We can improve on demand. |
jan-cerny
force-pushed
the
block_paths
branch
from
fa8af58
to
7c344f7
Compare
|
I have slightly updated this draft. Now, the paths can be specified using the environment variable I also started a test in the test suite. |
This cast and rename of the `void *arg` to `struct pfdata *pfd` isn't necessary, we can change the argument type to the actual type, because the function is called only once and therefore always with an argument of the `struct pfdata *` type.
People will be able to tell probes to skip certain paths during content evaluation. They can specify a list of paths by setting the `OSCAP_PROBE_IGNORE_PATHS` environment variable. The paths in this list should be separated by a colon.
This cast and rename of the `void *arg` to `struct pfdata *pfd` isn't necessary, we can change the argument type to the actual type, because the function is called only once and therefore always with an argument of the `struct pfdata *` type.
jan-cerny
force-pushed
the
block_paths
branch
from
a0547b5
to
1604943
Compare
Extend test_skip_paths to test the "skip selected paths" feature also in the filehash58 probe.
Extend test_skip_paths to test the "skip selected paths" feature also in the xmlfilecontent probe.
|
I have add the feature to other relevant probes. I improved the test. Also, I have rebased this PR on the top of the latest upstream maint-1.3 branch. |
|
The CI TF fail on RH will be fixed by #2067. |
|
Yes, it should work offline. I have add an offline version of the test. Then I have add a missing EOF, updated the documentation about the paths and I have moved the path_startswith function to utils module. |
There was a problem hiding this comment.
So, in addition to the oscap_path_startswith function behavior, I have a couple more concerns regarding the whole feature:
-
Windows support. We don't have to provide it, but silently doing a bad thing is not very friendly to our users. We can either implement it correctly or ignore the environment variable with a warning that it is being ignored because the feature is not implemented for Windows platform.
-
Silent magic. Imagine receiving a log with an ARF file and a question like "why all my files in /etc are ignored". User will obviously forget to mention the environment variable.
I will not insist on adding anything to this PR, but I'll be very hesitant to release this feature (and Introduce a limit of collected items #2051) without an implementation of Dump all env. variables that affects the behaviour on a DEBUG or INFO log level #2063.
|
I have add a simple unit test, updated documentation and added a Windows warning. |
|
@jan-cerny Do you have any ideas about |
|
/packit retest-failed |
This PR adds an option to skip selected paths from content evaluation. This will allow users to avoid pollution of the scan results from container guests, various mounts and other filesystems.
Related to: https://issues.redhat.com/browse/RHEL-11925, https://issues.redhat.com/browse/RHEL-4141
Users can configure the paths they want to be skipped by setting the
OSCAP_PROBE_IGNORE_PATHSenvironment variable. If multiple paths should be skipped they need to be separated by a colon.Review hints:
$OSCAP xccdf eval --profile '(all)' --rule xccdf_org.ssgproject.content_rule_selinux_state --report /tmp/report1.html /usr/share/xml/scap/ssg/content/ssg-fedora-ds.xmlOSCAP_PROBE_IGNORE_PATHS=/etc/selinux $OSCAP xccdf eval --profile '(all)' --rule xccdf_org.ssgproject.content_rule_selinux_state --report /tmp/report2.html /usr/share/xml/scap/ssg/content/ssg-fedora-ds.xmlfirefox /tmp/report1.html /tmp/report2.html