Tuesday, September 20, 2022

OpenSCAP on Fedora 36 segfaults

Fun With OpenSCAP!

# cat /etc/redhat-release 

Fedora release 36 (Thirty Six)

# lshw

    description: Desktop Computer

    product: Raspberry Pi 3 Model B

# uname -a

Linux hostname 5.17.5-300.fc36.armv7hl #1 SMP Thu Apr 28 16:43:41 UTC 2022 armv7l armv7l armv7l GNU/Linux

Look at the XML!

# oscap info /usr/share/xml/scap/ssg/content/ssg-fedora-ds.xml

Document type: Source Data Stream

Imported: 2022-08-02T00:37:49


Stream: scap_org.open-scap_datastream_from_xccdf_ssg-fedora-xccdf-1.2.xml

Generated: (null)

Version: 1.3

Checklists:

Ref-Id: scap_org.open-scap_cref_ssg-fedora-xccdf-1.2.xml

Status: draft

Generated: 2022-08-02

Resolved: true

Profiles:

Title: OSPP - Protection Profile for General Purpose Operating Systems

Id: xccdf_org.ssgproject.content_profile_ospp

Title: PCI-DSS v3.2.1 Control Baseline for Fedora

Id: xccdf_org.ssgproject.content_profile_pci-dss

Title: Standard System Security Profile for Fedora

Id: xccdf_org.ssgproject.content_profile_standard

Referenced check files:

ssg-fedora-oval.xml

system: http://oval.mitre.org/XMLSchema/oval-definitions-5

ssg-fedora-ocil.xml

system: http://scap.nist.gov/schema/ocil/2

Checks:

Ref-Id: scap_org.open-scap_cref_ssg-fedora-oval.xml

Ref-Id: scap_org.open-scap_cref_ssg-fedora-ocil.xml

Ref-Id: scap_org.open-scap_cref_ssg-fedora-cpe-oval.xml

Dictionaries:

Ref-Id: scap_org.open-scap_cref_ssg-fedora-cpe-dictionary.xml

Run the Scan!

# oscap xccdf eval --profile xccdf_org.ssgproject.content_profile_standard --report report.html /usr/share/xml/scap/ssg/content/ssg-fedora-ds.xml
Segmentation fault (core dumped)

Try again

# oscap xccdf eval --profile xccdf_org.ssgproject.content_profile_standard --report report.html /usr/share/xml/scap/ssg/content/ssg-fedora-ds.xml
OpenSCAP Error: Failed to create new OVAL agent session for: 'ssg-fedora-oval.xml'. [/builddir/build/BUILD/openscap-1.3.6/src/XCCDF/xccdf_session.c:1177]

Look at the logs during the scan

Debug logs

oscap[2479]: Evaluation started. Content: /usr/share/xml/scap/ssg/content/ssg-fedora-ds.xml, Profile: xccdf_org.ssgproject.content_profile_standard.

systemd-coredump[2486]: Resource limits disable core dumping for process 2484 (oscap)
systemd-coredump[2486]: Process 2484 (oscap) of user 0 dumped core

# sestatus 
SELinux status:                 enabled
SELinuxfs mount:                /sys/fs/selinux
SELinux root directory:         /etc/selinux
Loaded policy name:             targeted
Current mode:                   enforcing
Mode from config file:          enforcing
Policy MLS status:              enabled
Policy deny_unknown status:     allowed
Memory protection checking:     actual (secure)
Max kernel policy version:      33


:)