Tuesday, September 20, 2022

Openscap on Fedora 36 segfaults

Fun With OpenScap!

# cat /etc/redhat-release
Fedora release 36 (Thirty Six)

# lshw
    description: Desktop Computer
    product: Raspberry Pi 3 Model B

# uname -a
Linux hostname 5.17.5-300.fc36.armv7hl #1 SMP Thu Apr 28 16:43:41 UTC 2022 armv7l armv7l armv7l GNU/Linux

Look at the XML!

# oscap info /usr/share/xml/scap/ssg/content/ssg-fedora-ds.xml
Document type: Source Data Stream
Imported: 2022-08-02T00:37:49

Stream: scap_org.open-scap_datastream_from_xccdf_ssg-fedora-xccdf-1.2.xml
Generated: (null)
Version: 1.3
Checklists:
    Ref-Id: scap_org.open-scap_cref_ssg-fedora-xccdf-1.2.xml
        Status: draft
        Generated: 2022-08-02
        Resolved: true
        Profiles:
            Title: OSPP - Protection Profile for General Purpose Operating Systems
                Id: xccdf_org.ssgproject.content_profile_ospp
            Title: PCI-DSS v3.2.1 Control Baseline for Fedora
                Id: xccdf_org.ssgproject.content_profile_pci-dss
            Title: Standard System Security Profile for Fedora
                Id: xccdf_org.ssgproject.content_profile_standard
        Referenced check files:
            ssg-fedora-oval.xml
                system: http://oval.mitre.org/XMLSchema/oval-definitions-5
            ssg-fedora-ocil.xml
                system: http://scap.nist.gov/schema/ocil/2
Checks:
    Ref-Id: scap_org.open-scap_cref_ssg-fedora-oval.xml
    Ref-Id: scap_org.open-scap_cref_ssg-fedora-ocil.xml
    Ref-Id: scap_org.open-scap_cref_ssg-fedora-cpe-oval.xml
Dictionaries:
    Ref-Id: scap_org.open-scap_cref_ssg-fedora-cpe-dictionary.xml

Run the Scan!

# oscap xccdf eval --profile xccdf_org.ssgproject.content_profile_standard --report report.html /usr/share/xml/scap/ssg/content/ssg-fedora-ds.xml
Segmentation fault (core dumped)

Try again:

# oscap xccdf eval --profile xccdf_org.ssgproject.content_profile_standard --report report.html /usr/share/xml/scap/ssg/content/ssg-fedora-ds.xml
OpenSCAP Error: Failed to create new OVAL agent session for: 'ssg-fedora-oval.xml'. [/builddir/build/BUILD/openscap-1.3.6/src/XCCDF/xccdf_session.c:1177]

Look at the journal while the scan runs:

oscap[2479]: Evaluation started. Content: /usr/share/xml/scap/ssg/content/ssg-fedora-ds.xml, Profile: xccdf_org.ssgproject.content_profile_standard.
systemd-coredump[2486]: Resource limits disable core dumping for process 2484 (oscap)
systemd-coredump[2486]: Process 2484 (oscap) of user 0 dumped core

The "Resource limits disable core dumping" line means the core size limit was 0 when oscap died, so systemd-coredump logged the crash but kept no core file; raise the limit (ulimit -c unlimited) before rerunning if you want coredumpctl to have anything to show.

# sestatus 
SELinux status:                 enabled
SELinuxfs mount:                /sys/fs/selinux
SELinux root directory:         /etc/selinux
Loaded policy name:             targeted
Current mode:                   enforcing
Mode from config file:          enforcing
Policy MLS status:              enabled
Policy deny_unknown status:     allowed
Memory protection checking:     actual (secure)
Max kernel policy version:      33
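An added example, not from the original post or from the OpenSCAP project: a small wrapper that reruns the scan with core dumps allowed, pulls the profile ids out of "oscap info" text, and turns oscap's exit status into words so a segfault is not mistaken for a failed rule. The datastream path and profile id are the ones used above; the function names, the results.xml path and the --run switch are my own choices.

```shell
#!/usr/bin/env bash
# Added example (not the post's or OpenSCAP's own code): run "oscap xccdf eval"
# so that a crash is captured instead of lost, and classify the exit status.
# DS and PROFILE are the values from the post; everything else is assumed.
set -u

DS=${DS:-/usr/share/xml/scap/ssg/content/ssg-fedora-ds.xml}
PROFILE=${PROFILE:-xccdf_org.ssgproject.content_profile_standard}

# Pick the profile ids out of "oscap info" output (read on stdin), one per
# line, so a scan can be driven from the datastream rather than a hard-coded id.
profile_ids() {
    sed -n 's/^[[:space:]]*Id:[[:space:]]*\(xccdf_[^[:space:]]*\).*/\1/p'
}

# oscap's documented exit codes: 0 = every rule passed, 2 = at least one rule
# failed (a normal scan result), 1 = oscap itself hit an error. A shell reports
# death by signal as 128+signo, so 139 is SIGSEGV, the "Segmentation fault" case.
classify_oscap_status() {
    case "$1" in
        0) echo "pass" ;;
        2) echo "rule-failures" ;;
        1) echo "oscap-error" ;;
        *)
            if [ "$1" -gt 128 ]; then
                echo "signal $(( $1 - 128 ))"
            else
                echo "unknown $1"
            fi
            ;;
    esac
}

# Run the scan with core dumps allowed. systemd-coredump keeps no core when
# RLIMIT_CORE is 0 ("Resource limits disable core dumping"), so raise it first;
# afterwards "coredumpctl info oscap" has something to show.
run_scan() {
    ulimit -c unlimited
    status=0
    oscap xccdf eval --profile "$PROFILE" --report report.html \
        --results results.xml "$DS" || status=$?
    echo "oscap exit $status: $(classify_oscap_status "$status")"
    if [ "$status" -gt 128 ]; then
        # Install symbols with "dnf debuginfo-install openscap" and then use
        # "coredumpctl gdb oscap" to get a backtrace from the saved core.
        coredumpctl info oscap 2>/dev/null | head -40
    fi
    return "$status"
}

# Without --run the script only defines the helpers, so it can be sourced.
if [ "${1:-}" = "--run" ]; then
    run_scan
fi
```

Usage: `oscap info "$DS" | profile_ids` lists the selectable profiles; `./scan.sh --run` performs the scan and, on a signal exit, prints what systemd-coredump recorded. A "rule-failures" result (exit 2) is the normal outcome of a baseline scan and should not be treated as a tool error.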


:)

Sunday, December 13, 2020

Security Onion Syslog-NG Console Logging

Goal

By default Security Onion only sends syslog into the ELK stack, not to a file. We want a file too, so we can tail -f it through ccze on a console and look cool like in the movies!

The aim is minimal editing of /etc/syslog-ng.conf, which gets blown away after Security Onion updates, so:

make sure Security Onion's /etc/syslog-ng.conf has

@include "/etc/syslog-ng/conf.d/*.conf"

then add a /etc/syslog-ng/conf.d/cool.conf file (s_network is the network source already defined in the main config):

destination d_remotesyslog { file("/var/log/remotesyslog"); };
log {
    source(s_network);
    destination(d_remotesyslog);
};

then tail -f /var/log/remotesyslog | ccze shows the remote systems' logs on the console.
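An added example, not from the original post or from Security Onion: a script that checks the @include precondition, writes the cool.conf drop-in, validates the whole syslog-ng config before reloading, and adds rotation so the console file cannot fill the disk. The config path, drop-in name, log file and s_network source are the post's; the output template, the logrotate stanza, the service name and the function names are my own assumptions.

```shell
#!/usr/bin/env bash
# Added example (not the post's or Security Onion's code): install the
# console-logging drop-in idempotently and validate it before reloading.
# Paths and the s_network source come from the post; the rest is assumed.
set -u

SYSLOG_CONF=${SYSLOG_CONF:-/etc/syslog-ng.conf}
DROPIN=${DROPIN:-/etc/syslog-ng/conf.d/cool.conf}
LOGFILE=${LOGFILE:-/var/log/remotesyslog}

# True when the main config already pulls in conf.d/*.conf; without that line
# the drop-in is silently ignored, which is the first thing to check.
has_confd_include() {
    grep -Eq '^[[:space:]]*@include[[:space:]]+"/etc/syslog-ng/conf.d/\*\.conf"' "$1"
}

# Emit the drop-in for the given log file. Same destination and log path as the
# post, plus a template so every line carries ISO time, host, program and pid,
# which makes the tail readable (assumed layout, not the post's).
render_dropin() {
    cat <<EOF
destination d_remotesyslog {
    file("$1"
         template("\${ISODATE} \${HOST} \${PROGRAM}[\${PID}]: \${MESSAGE}\n"));
};
log {
    source(s_network);
    destination(d_remotesyslog);
};
EOF
}

install_dropin() {
    has_confd_include "$SYSLOG_CONF" || {
        echo "no conf.d include in $SYSLOG_CONF; add it first" >&2
        return 1
    }
    render_dropin "$LOGFILE" > "$DROPIN"
    # Refuse to reload on a broken fragment so remote logging never stops.
    syslog-ng --syntax-only || return 1
    # Rotate the console file; ELK stays the system of record (assumed policy).
    cat > /etc/logrotate.d/remotesyslog <<EOF
$LOGFILE {
    daily
    rotate 7
    compress
    missingok
    notifempty
}
EOF
    systemctl reload syslog-ng 2>/dev/null || killall -HUP syslog-ng
}

# Without --install the script only defines the helpers, so it can be sourced.
if [ "${1:-}" = "--install" ]; then
    install_dropin
fi
```

Run it as root with `--install` on the sensor; after a Security Onion update that rewrites /etc/syslog-ng.conf, rerunning it reports whether the @include line survived before touching anything else.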

sources:

https://serverfault.com/questions/825556/avoid-logging-in-var-log-syslog-only-using-etc-syslog-ng-conf-d