oscapd-evaluate should not report that evaluation was done if it wasn't done
I think that the following output is horribly confusing, because in this case neither CVE scan nor Standard compliance scan was performed.
[root@thinkpad ~]# oscapd-evaluate scan --no-cve-scan --no-standard-compliance --output output/
INFO:OpenSCAP Daemon one-off evaluator 0.1.7
INFO:Successfully imported 'docker' and 'Atomic.mount', container scanning enabled.
INFO:Evaluated EvaluationSpec, exit_code=0.
INFO:[100.00%] Scanned target 'localhost'
The only thing that has been done was that applicable CPEs were determined, but I will not say that the "target was scanned". I see determining CPEs as a special use case that has to be done before a scan.
I know that technically it's a scan, because it uses oscap xccdf eval under the hood, but the user doesn't have to know that.
It's even more confusing for me when I run
oscapd-evaluate scan --no-cve-scan --output output
and it says immediately:
INFO:OpenSCAP Daemon one-off evaluator 0.1.7
INFO:Successfully imported 'docker' and 'Atomic.mount', container scanning enabled.
INFO:Evaluated EvaluationSpec, exit_code=0.
and then nothing happens for tens of seconds and my CPU cooler starts to spin.
It gives me the impression that it's stalled and I should kill it.
But actually it's evaluating the "Verify and Correct File Permissions with RPM" rule, which takes some time.
If I'm patient enough, I'll get
[root@thinkpad ~]# oscapd-evaluate scan --no-cve-scan --output output/
INFO:OpenSCAP Daemon one-off evaluator 0.1.7
INFO:Successfully imported 'docker' and 'Atomic.mount', container scanning enabled.
INFO:Evaluated EvaluationSpec, exit_code=0.
WARNING:Evaluated EvaluationSpec, exit_code=2.
INFO:[100.00%] Scanned target 'localhost'
I think that's not a good user experience.
@mpreisler I'm interested in your opinion on this. I suggest handling CPE determination in a special way so that it is not reported as a scan.
Also I think that we could show the progress while evaluating; that would be beneficial especially for profiles with many rules. Waiting for tens of seconds without any output isn't user friendly.
Any suggestions?
@OpenSCAP/daemon-developers ???
> @mpreisler I'm interested in your opinion on this. I suggest handling CPE determination in a special way so that it is not reported as a scan.
> Also I think that we could show the progress while evaluating; that would be beneficial especially for profiles with many rules. Waiting for tens of seconds without any output isn't user friendly.
Yeah, sure.