
oscap 1.2.16 ubuntu 20.04 and 18.04 error validate service enable and run auditd, rsyslog, cron and systemd-timesyncd

Open rudy500 opened this issue 3 years ago • 4 comments

Description of Problem: reviewing the execution of the review process with XCCDF on our recently installed Ubuntu 20.04 and 18.04 servers, we identified that the probe_systemdunitproperty validation process fails when trying to validate the time, audit and rsyslog services.

The services are installed and in a running state, and the recommendations were applied as expressed in the manual and in the recommendations (creation of the shell file). We reviewed the files ssg-ubuntu2004-ds-1.2.xml and ssg-ubuntu2004-ds.xml, and identified and repaired some errors in the description of the services; however, the problem persists. When reviewing the output XML files we identified that the probe_systemdunitproperty process is not able to retrieve the runlevel values for these services, even though they are in active mode.

OpenSCAP Version: 12.16

Operating System & Version: ubuntu 20.04 and ubuntu 18.04

Steps to Reproduce:

  1. oscap xccdf eval --datastream-id scap_org.open-scap_datastream_from_xccdf_ssg-ubuntu2004-xccdf-1.2.xml --xccdf-id scap_org.open-scap_cref_ssg-ubuntu2004-xccdf-1.2.xml --profile xccdf_org.ssgproject.content_profile_standard --oval-results --results /tmp/xccdf-results.xml --results-arf /tmp/arf.xml --report /tmp/report.html /usr/share/xml/scap/ssg/content/ssg-ubuntu2004-ds.xml
  2. review rule xccdf_org.ssgproject.content_rule_service_timesyncd_enabled
  3. review oval:ssg-service_ntpd_enabled

Actual Results:

failed and error

Expected Results:

pass and passed

Additional Information / Debugging Steps:

rudy500 avatar Apr 16 '21 00:04 rudy500

Seems to be related to #1533.

evgenyz avatar Apr 19 '21 09:04 evgenyz

I'm not sure, tho. Devel logs and the result file could help the investigation.

evgenyz avatar Apr 19 '21 09:04 evgenyz

I'm experiencing this same issue. The check that looks for whether services like auditd or sshd are running always results in an error, and thus any additional checks that depend on that check result in an error as well.

This is on an Ubuntu 18.04.5 LTS system running with FIPS mode enabled.

Linux test-ubuntu 4.15.0-1068-fips #77-Ubuntu SMP Tue Aug 3 13:40:10 UTC 2021 x86_64 x86_64 x86_64 GNU/Linux

oscap command:

oscap xccdf eval --verbose DEVEL --profile xccdf_mil.disa.stig_profile_MAC-1_Public --results /tmp/openscap-disa-results.xml --report /tmp/openscap-disa-results.html --skip-valid /tmp/definitions/UBUNTU_18-04_V2R3_STIG_SCAP_1-2_Benchmark.xml
'oscap --version' output
OpenSCAP command line tool (oscap) 1.2.15
Copyright 2009--2017 Red Hat Inc., Durham, North Carolina.

==== Supported specifications ====
XCCDF Version: 1.2
OVAL Version: 5.11.1
CPE Version: 2.3
CVSS Version: 2.0
CVE Version: 2.0
Asset Identification Version: 1.1
Asset Reporting Format Version: 1.1

==== Capabilities added by auto-loaded plugins ====
SCE Version: 1.0 (from libopenscap_sce.so.8)

==== Paths ====
Schema files: /usr/share/openscap/schemas
Default CPE files: /usr/share/openscap/cpe
Probes: /usr/lib/x86_64-linux-gnu/openscap

==== Inbuilt CPE names ====
Red Hat Enterprise Linux - cpe:/o:redhat:enterprise_linux
Red Hat Enterprise Linux 5 - cpe:/o:redhat:enterprise_linux:5
Red Hat Enterprise Linux 6 - cpe:/o:redhat:enterprise_linux:6
Red Hat Enterprise Linux 7 - cpe:/o:redhat:enterprise_linux:7
Oracle Linux 5 - cpe:/o:oracle:linux:5
Oracle Linux 6 - cpe:/o:oracle:linux:6
Oracle Linux 7 - cpe:/o:oracle:linux:7
Community Enterprise Operating System 5 - cpe:/o:centos:centos:5
Community Enterprise Operating System 6 - cpe:/o:centos:centos:6
Community Enterprise Operating System 7 - cpe:/o:centos:centos:7
Scientific Linux 5 - cpe:/o:scientificlinux:scientificlinux:5
Scientific Linux 6 - cpe:/o:scientificlinux:scientificlinux:6
Scientific Linux 7 - cpe:/o:scientificlinux:scientificlinux:7
Fedora 16 - cpe:/o:fedoraproject:fedora:16
Fedora 17 - cpe:/o:fedoraproject:fedora:17
Fedora 18 - cpe:/o:fedoraproject:fedora:18
Fedora 19 - cpe:/o:fedoraproject:fedora:19
Fedora 20 - cpe:/o:fedoraproject:fedora:20
Fedora 21 - cpe:/o:fedoraproject:fedora:21
Fedora 22 - cpe:/o:fedoraproject:fedora:22
Fedora 23 - cpe:/o:fedoraproject:fedora:23
Fedora 24 - cpe:/o:fedoraproject:fedora:24
Fedora 25 - cpe:/o:fedoraproject:fedora:25
Fedora 26 - cpe:/o:fedoraproject:fedora:26
Fedora 27 - cpe:/o:fedoraproject:fedora:27
Fedora 28 - cpe:/o:fedoraproject:fedora:28
SUSE Linux Enterprise all versions - cpe:/o:suse:sle
SUSE Linux Enterprise Server 10 - cpe:/o:suse:sles:10
SUSE Linux Enterprise Desktop 10 - cpe:/o:suse:sled:10
SUSE Linux Enterprise Server 11 - cpe:/o:suse:linux_enterprise_server:11
SUSE Linux Enterprise Desktop 11 - cpe:/o:suse:linux_enterprise_desktop:11
SUSE Linux Enterprise Server 12 - cpe:/o:suse:sles:12
SUSE Linux Enterprise Desktop 12 - cpe:/o:suse:sled:12
openSUSE 11.4 - cpe:/o:opensuse:opensuse:11.4
openSUSE 13.1 - cpe:/o:opensuse:opensuse:13.1
openSUSE 13.2 - cpe:/o:opensuse:opensuse:13.2
openSUSE 42.1 - cpe:/o:novell:leap:42.1
openSUSE 42.2 - cpe:/o:novell:leap:42.2
openSUSE All Versions - cpe:/o:opensuse:opensuse
Red Hat Enterprise Linux Optional Productivity Applications - cpe:/a:redhat:rhel_productivity
Red Hat Enterprise Linux Optional Productivity Applications 5 - cpe:/a:redhat:rhel_productivity:5
Wind River Linux all versions - cpe:/o:windriver:wrlinux
Wind River Linux 8 - cpe:/o:windriver:wrlinux:8

==== Supported OVAL objects and associated OpenSCAP probes ====
OVAL family   OVAL object                  OpenSCAP probe
----------    ----------                   ----------
(null)        system_info                  probe_system_info
independent   family                       probe_family
independent   filehash                     probe_filehash
independent   environmentvariable          probe_environmentvariable
independent   textfilecontent54            probe_textfilecontent54
independent   textfilecontent              probe_textfilecontent
independent   variable                     probe_variable
independent   xmlfilecontent               probe_xmlfilecontent
independent   environmentvariable58        probe_environmentvariable58
independent   filehash58                   probe_filehash58
linux         dpkginfo                     probe_dpkginfo
linux         inetlisteningservers         probe_inetlisteningservers
linux         partition                    probe_partition
linux         iflisteners                  probe_iflisteners
linux         selinuxboolean               probe_selinuxboolean
linux         selinuxsecuritycontext       probe_selinuxsecuritycontext
linux         systemdunitproperty          probe_systemdunitproperty
linux         systemdunitdependency        probe_systemdunitdependency
unix          file                         probe_file
unix          interface                    probe_interface
unix          password                     probe_password
unix          process                      probe_process
unix          runlevel                     probe_runlevel
unix          shadow                       probe_shadow
unix          uname                        probe_uname
unix          xinetd                       probe_xinetd
unix          sysctl                       probe_sysctl
unix          process58                    probe_process58
unix          fileextendedattribute        probe_fileextendedattribute
unix          routingtable                 probe_routingtable
unix          symlink                      probe_symlink

The following is the check for whether the auditd service is running with verbosity set to DEVEL:

Verbose DEVEL output

I: oscap: Evaluating XCCDF group 'xccdf_mil.disa.stig_group_V-219225'. [oscap(10125):oscap(7f0253266c80):xccdf_policy.c:1117:xccdf_policy_item_evaluate]
I: oscap: Evaluating XCCDF rule 'xccdf_mil.disa.stig_rule_SV-219225r610963_rule'. [oscap(10125):oscap(7f0253266c80):xccdf_policy.c:1111:xccdf_policy_item_evaluate]
Title   The Ubuntu operating system must produce audit records and reports containing information to establish when, where, what type, the source, and the outcome for all DoD-defined auditable events and actions in near real time.
Rule    xccdf_mil.disa.stig_rule_SV-219225r610963_rule
Ident   SV-109781
Ident   V-100677
Ident   CCI-000131
Ident   CCI-000132
Ident   CCI-000133
Ident   CCI-000134
Ident   CCI-000135
Ident   CCI-000154
Ident   CCI-000158
Ident   CCI-000169
Ident   CCI-000172
Ident   CCI-001814
Ident   CCI-001875
Ident   CCI-001876
Ident   CCI-001877
Ident   CCI-001878
Ident   CCI-001879
Ident   CCI-001880
Ident   CCI-001914
Ident   CCI-002884
I: oscap: Evaluating definition 'oval:mil.disa.stig.ubuntu1804:def:1': Ubuntu 18.04 LTS is installed. [oscap(10125):oscap(7f0253266c80):oval_resultDefinition.c:152:oval_result_definition_eval]
I: oscap: Definition 'oval:mil.disa.stig.ubuntu1804:def:1' evaluated as true. [oscap(10125):oscap(7f0253266c80):oval_resultDefinition.c:163:oval_result_definition_eval]
I: oscap: Evaluating definition 'oval:mil.disa.stig.ubuntu1804:def:95': UBTU-18-010250 - The Ubuntu operating system must produce audit records and reports containing information to establish when, where, what type, the source, and the outcome for all DoD-defined auditable events and actions in near real time.. [oscap(10125):oscap(7f0253266c80):oval_resultDefinition.c:152:oval_result_definition_eval]
I: oscap: Definition 'oval:mil.disa.stig.ubuntu1804:def:95' evaluated as error. [oscap(10125):oscap(7f0253266c80):oval_resultDefinition.c:163:oval_result_definition_eval]
Result  error

All other checks that depend on the oval:mil.disa.stig.ubuntu1804:def:95 check result in an error as well. For example:

Verbose DEVEL output

I: oscap: Evaluating XCCDF group 'xccdf_mil.disa.stig_group_V-219238'. [oscap(10125):oscap(7f0253266c80):xccdf_policy.c:1117:xccdf_policy_item_evaluate]
I: oscap: Evaluating XCCDF rule 'xccdf_mil.disa.stig_rule_SV-219238r610963_rule'. [oscap(10125):oscap(7f0253266c80):xccdf_policy.c:1111:xccdf_policy_item_evaluate]
Title   The Ubuntu operating system must generate audit records for successful/unsuccessful uses of the su command.
Rule    xccdf_mil.disa.stig_rule_SV-219238r610963_rule
Ident   SV-109807
Ident   V-100703
Ident   CCI-000172
I: oscap: Evaluating definition 'oval:mil.disa.stig.ubuntu1804:def:1': Ubuntu 18.04 LTS is installed. [oscap(10125):oscap(7f0253266c80):oval_resultDefinition.c:152:oval_result_definition_eval]
I: oscap: Definition 'oval:mil.disa.stig.ubuntu1804:def:1' evaluated as true. [oscap(10125):oscap(7f0253266c80):oval_resultDefinition.c:163:oval_result_definition_eval]
I: oscap: Evaluating definition 'oval:mil.disa.stig.ubuntu1804:def:182': UBTU-18-010315 - The Ubuntu operating system must generate audit records for successful/unsuccessful uses of the su command.. [oscap(10125):oscap(7f0253266c80):oval_resultDefinition.c:152:oval_result_definition_eval]
I: oscap:   Criteria are extended by definition 'oval:mil.disa.stig.ubuntu1804:def:95'. [oscap(10125):oscap(7f0253266c80):oval_resultCriteriaNode.c:363:_oval_result_criteria_node_result]
I: oscap:   Evaluating definition 'oval:mil.disa.stig.ubuntu1804:def:95': UBTU-18-010250 - The Ubuntu operating system must produce audit records and reports containing information to establish when, where, what type, the source, and the outcome for all DoD-defined auditable events and actions in near real time.. [oscap(10125):oscap(7f0253266c80):oval_resultDefinition.c:152:oval_result_definition_eval]
I: oscap:   Definition 'oval:mil.disa.stig.ubuntu1804:def:95' evaluated as error. [oscap(10125):oscap(7f0253266c80):oval_resultDefinition.c:163:oval_result_definition_eval]
I: oscap:   Evaluating textfilecontent54 test 'oval:mil.disa.stig.ubuntu1804:tst:18200': Audit invocations of /bin/su. [oscap(10125):oscap(7f0253266c80):oval_resultTest.c:1054:oval_result_test_eval]
I: oscap:     Querying textfilecontent54 object 'oval:mil.disa.stig.ubuntu1804:obj:18200', flags: 0. [oscap(10125):oscap(7f0253266c80):oval_probe.c:246:oval_probe_query_object]
I: oscap:     Creating new syschar for textfilecontent54_object 'oval:mil.disa.stig.ubuntu1804:obj:18200'. [oscap(10125):oscap(7f0253266c80):oval_probe.c:269:oval_probe_query_object]
D: oscap:     Sending message. [oscap(10125):oscap(7f0253266c80):oval_probe_ext.c:493:oval_probe_comm]
D: oscap:     MSG -> SEXP [oscap(10125):oscap(7f0253266c80):seap-packet.c:261:SEAP_packet_msg2sexp]
D: oscap: ("seap.msg" ":id" 8 (("textfilecontent54_object" ":id" "oval:mil.disa.stig.ubuntu1804:obj:18200" ":oval_version" "5.10" ) (("filepath" ":operation" 5 ":var_check" 1 ) "/etc/audit/audit.rules" ) (("pattern" ":operation" 11 ":var_check" 1 ) "^\s*-a\s+(always,exit|exit,always)\s+-F\s+path=/bin/su\s+(-F\s+perm=([rwa]*x[rwa]*)\s+)?-F\s+auid>=1000\s+-F\s+auid!=(4294967295|unset|-1)\s+((-k\s+|-F\s+key=)\S+\s*)?$" ) (("instance" ":operation" 7 ":var_check" 1 ) 1 ) ) ) [oscap(10125):oscap(7f0253266c80):seap-packet.c:262:SEAP_packet_msg2sexp]
D: oscap:     packet size: 2089 [oscap(10125):oscap(7f0253266c80):seap-packet.c:263:SEAP_packet_msg2sexp]
D: oscap:     total I/O vectors = 1 [oscap(10125):oscap(7f0253266c80):strbuf.c:294:strbuf_write]
D: oscap:     iot (1) < IOV_MAX (1024) [oscap(10125):oscap(7f0253266c80):strbuf.c:305:strbuf_write]
D: oscap:     ioc = 1 [oscap(10125):oscap(7f0253266c80):strbuf.c:321:strbuf_write]
D: oscap:     total bytes written: 494D: probe_textfilecontent54:  [oscap(10125):oscap(7f0253266c80):strbuf.c:338:strbuf_write]
return from selectD: oscap:     Waiting for reply. [probe_textfilecontent54(10228):input_handler(7f13c1195700):seap-packet.c:637:SEAP_packet_recv] [oscap(10125):oscap(7f0253266c80):oval_probe_ext.c:552:oval_probe_comm]

D: probe_textfilecontent54: total bytes written: 669 [probe_textfilecontent54(10228):probe_worker(7f13c0994700):strbuf.c:338:strbuf_write]
D: probe_textfilecontent54: Received packet [probe_textfilecontent54(10228):input_handler(7f13c1195700):seap-packet.c:902:SEAP_packet_recv]
D: probe_textfilecontent54: ("seap.msg" ":id" 8 (("textfilecontent54_object" ":id" "oval:mil.disa.stig.ubuntu1804:obj:18200" ":oval_version" "5.10" ) (("filepath" ":operation" 5 ":var_check" 1 ) "/etc/audit/audit.rules" ) (("pattern" ":operation" 11 ":var_check" 1 ) "^\s*-a\s+(always,exit|exit,always)\s+-F\s+path=/bin/su\s+(-F\s+perm=([rwa]*x[rwa]*)\s+)?-F\s+auid>=1000\s+-F\s+auid!=(4294967295|unset|-1)\s+((-k\s+|-F\s+key=)\S+\s*)?$" ) (("instance" ":operation" 7 ":var_check" 1 ) 1 ) ) ) [probe_textfilecontent54(10228):input_handler(7f13c1195700):seap-packet.c:903:SEAP_packet_recv]
D: probe_textfilecontent54: packet size: 1761 [probe_textfilecontent54(10228):input_handler(7f13c1195700):seap-packet.c:904:SEAP_packet_recv]
D: probe_textfilecontent54: offline_mode=00000000D: probe_textfilecontent54: name=reply-id, value=0x7f13b4007e50 [probe_textfilecontent54(10228):input_handler(7f13c1195700):input_handler.c:116:probe_input_handler]
[probe_textfilecontent54(10228):probe_worker(7f13c0994700):seap-message.c:76:SEAP_msg_free]
D: probe_textfilecontent54: offline_mode_supported=00000001 [probe_textfilecontent54(10228):input_handler(7f13c1195700):input_handler.c:117:probe_input_handler]
D: probe_textfilecontent54: handling SEAP message ID 8 [probe_textfilecontent54(10228):probe_worker(7f13b3fff700):worker.c:53:probe_worker_runfn]
I: probe_textfilecontent54: Opening file '/etc/audit/audit.rules'. [probe_textfilecontent54(10228):probe_worker(7f13b3fff700):oval_fts.c:820:oval_fts_open]
I: probe_textfilecontent54: Extracting item from the cache queue: cnt=1, beg=16 [probe_textfilecontent54(10228):icache_worker(7f13c2197700):icache.c:198:probe_icache_worker]
D: probe_textfilecontent54: Signaling `notfull' [probe_textfilecontent54(10228):icache_worker(7f13c2197700):icache.c:217:probe_icache_worker]
D: probe_textfilecontent54: Handling cache request [probe_textfilecontent54(10228):icache_worker(7f13c2197700):icache.c:248:probe_icache_worker]
D: probe_textfilecontent54: pair address: 139722837552704 [probe_textfilecontent54(10228):icache_worker(7f13c2197700):icache.c:253:probe_icache_worker]
D: probe_textfilecontent54: item address: 139722601038576 [probe_textfilecontent54(10228):icache_worker(7f13c2197700):icache.c:254:probe_icache_worker]
D: probe_textfilecontent54: NOP [probe_textfilecontent54(10228):probe_worker(7f13b3fff700):icache.c:404:probe_icache_nop]
D: probe_textfilecontent54: item ID=10262076251846193130 [probe_textfilecontent54(10228):icache_worker(7f13c2197700):icache.c:256:probe_icache_worker]
I: probe_textfilecontent54: cache MISS [probe_textfilecontent54(10228):icache_worker(7f13c2197700):icache.c:262:probe_icache_worker]
D: probe_textfilecontent54: Signaling `notempty' [probe_textfilecontent54(10228):probe_worker(7f13b3fff700):icache.c:429:probe_icache_nop]
D: probe_textfilecontent54: Waiting for icache worker to handle the NOP [probe_textfilecontent54(10228):probe_worker(7f13b3fff700):icache.c:439:probe_icache_nop]
I: probe_textfilecontent54: Extracting item from the cache queue: cnt=1, beg=17 [probe_textfilecontent54(10228):icache_worker(7f13c2197700):icache.c:198:probe_icache_worker]
D: probe_textfilecontent54: Signaling `notfull' [probe_textfilecontent54(10228):icache_worker(7f13c2197700):icache.c:217:probe_icache_worker]
D: probe_textfilecontent54: Handling NOP [probe_textfilecontent54(10228):icache_worker(7f13c2197700):icache.c:239:probe_icache_worker]
D: probe_textfilecontent54: Sync [probe_textfilecontent54(10228):probe_worker(7f13b3fff700):icache.c:447:probe_icache_nop]
D: probe_textfilecontent54: old flag: 0, new flag: 2. [probe_textfilecontent54(10228):probe_worker(7f13b3fff700):probe-api.c:688:probe_cobj_set_flag]
D: probe_textfilecontent54: handler result = 0x7f13b4000b40, return code = 0 [probe_textfilecontent54(10228):probe_worker(7f13b3fff700):worker.c:58:probe_worker_runfn]
D: probe_textfilecontent54: probe thread deleted [probe_textfilecontent54(10228):probe_worker(7f13b3fff700):worker.c:77:probe_worker_runfn]
D: probe_textfilecontent54: Sorting blocks & building iterator array [probe_textfilecontent54(10228):probe_worker(7f13b3fff700):sexp-manip.c:1402:SEXP_list_sort]
D: probe_textfilecontent54: Iterator count = 1 [probe_textfilecontent54(10228):probe_worker(7f13b3fff700):sexp-manip.c:1429:SEXP_list_sort]
D: probe_textfilecontent54: cnt = 0 [probe_textfilecontent54(10228):probe_worker(7f13b3fff700):seap-message.c:138:SEAP_msgattr_exists]
D: probe_textfilecontent54: no-reply not set: sending full reply [probe_textfilecontent54(10228):probe_worker(7f13b3fff700):seap.c:480:SEAP_reply]
D: probe_textfilecontent54: MSG -> SEXP [probe_textfilecontent54(10228):probe_worker(7f13b3fff700):seap-packet.c:261:SEAP_packet_msg2sexp]
D: probe_textfilecontent54: ("seap.msg" ":id" 8 ":reply-id" 8 (2 () ((("textfilecontent_item" ":id" "1102289" ) ("filepath" "/etc/audit/audit.rules" ) ("path" "/etc/audit" ) ("filename" "audit.rules" ) ("pattern" "^\s*-a\s+(always,exit|exit,always)\s+-F\s+path=/bin/su\s+(-F\s+perm=([rwa]*x[rwa]*)\s+)?-F\s+auid>=1000\s+-F\s+auid!=(4294967295|unset|-1)\s+((-k\s+|-F\s+key=)\S+\s*)?$" ) ("instance" 1 ) ("line" "^\s*-a\s+(always,exit|exit,always)\s+-F\s+path=/bin/su\s+(-F\s+perm=([rwa]*x[rwa]*)\s+)?-F\s+auid>=1000\s+-F\s+auid!=(4294967295|unset|-1)\s+((-k\s+|-F\s+key=)\S+\s*)?$" ) ("text" "-a always,exit -F path=/bin/su -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-priv_change" ) ("subexpression" "always,exit" ) ("subexpression" "-F perm=x " ) ("subexpression" "x" ) ("subexpression" "4294967295" ) ("subexpression" "-k privileged-priv_change" ) ("subexpression" "-k " ) ) ) () ) ) [probe_textfilecontent54(10228):probe_worker(7f13b3fff700):seap-packet.c:262:SEAP_packet_msg2sexp]
D: probe_textfilecontent54: packet size: 2850 [probe_textfilecontent54(10228):probe_worker(7f13b3fff700):seap-packet.c:263:SEAP_packet_msg2sexp]
D: probe_textfilecontent54: total I/O vectors = 1 [probe_textfilecontent54(10228):probe_worker(7f13b3fff700):strbuf.c:294:strbuf_write]
D: probe_textfilecontent54: iot (1) < IOV_MAX (1024) [probe_textfilecontent54(10228):probe_worker(7f13b3fff700):strbuf.c:305:strbuf_write]
D: probe_textfilecontent54: ioc = 1 [probe_textfilecontent54(10228):probe_worker(7f13b3fff700):strbuf.c:321:strbuf_write]
D: oscap:     return from select [oscap(10125):oscap(7f0253266c80):seap-packet.c:637:SEAP_packet_recv]
D: oscap:     Received packet [oscap(10125):oscap(7f0253266c80):seap-packet.c:902:SEAP_packet_recv]
D: oscap: ("seap.msg" ":id" 8 ":reply-id" 8 (2 () ((("textfilecontent_item" ":id" "1102289" ) ("filepath" "/etc/audit/audit.rules" ) ("path" "/etc/audit" ) ("filename" "audit.rules" ) ("pattern" "^\s*-a\s+(always,exit|exit,always)\s+-F\s+path=/bin/su\s+(-F\s+perm=([rwa]*x[rwa]*)\s+)?-F\s+auid>=1000\s+-F\s+auid!=(4294967295|unset|-1)\s+((-k\s+|-F\s+key=)\S+\s*)?$" ) ("instance" 1 ) ("line" "^\s*-a\s+(always,exit|exit,always)\s+-F\s+path=/bin/su\s+(-F\s+perm=([rwa]*x[rwa]*)\s+)?-F\s+auid>=1000\s+-F\s+auid!=(4294967295|unset|-1)\s+((-k\s+|-F\s+key=)\S+\s*)?$" ) ("text" "-a always,exit -F path=/bin/su -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-priv_change" ) ("subexpression" "always,exit" ) ("subexpression" "-F perm=x " ) ("subexpression" "x" ) ("subexpression" "4294967295" ) ("subexpression" "-k privileged-priv_change" ) ("subexpression" "-k " ) ) ) () ) ) [oscap(10125):oscap(7f0253266c80):seap-packet.c:903:SEAP_packet_recv]
D: oscap:     packet size: 2830 [oscap(10125):oscap(7f0253266c80):seap-packet.c:904:SEAP_packet_recv]
D: oscap:     Message received. [oscap(10125):oscap(7f0253266c80):oval_probe_ext.c:586:oval_probe_comm]
D: oscap:     name=(null), value=0x555db3d9da40 [oscap(10125):oscap(7f0253266c80):seap-message.c:76:SEAP_msg_free]
D: oscap:     Syschar entry type: 7007 'textfilecontent' => decoded OK [oscap(10125):oscap(7f0253266c80):oval_sexp.c:953:oval_sexp_to_sysitem]
I: oscap:     Test 'oval:mil.disa.stig.ubuntu1804:tst:18200' requires that every object defined by 'oval:mil.disa.stig.ubuntu1804:obj:18200' exists on the system. [oscap(10125):oscap(7f0253266c80):oval_resultTest.c:813:_oval_result_test_evaluate_items]
I: oscap:     1 objects defined by 'oval:mil.disa.stig.ubuntu1804:obj:18200' exist on the system. [oscap(10125):oscap(7f0253266c80):oval_resultTest.c:831:_oval_result_test_evaluate_items]
I: oscap:     Test 'oval:mil.disa.stig.ubuntu1804:tst:18200' does not contain any state to compare object with. [oscap(10125):oscap(7f0253266c80):oval_resultTest.c:833:_oval_result_test_evaluate_items]
I: oscap:     All items matching object 'oval:mil.disa.stig.ubuntu1804:obj:18200' were collected. (flag=complete) [oscap(10125):oscap(7f0253266c80):oval_resultTest.c:876:_oval_result_test_evaluate_items]
I: oscap:   Test 'oval:mil.disa.stig.ubuntu1804:tst:18200' evaluated as true. [oscap(10125):oscap(7f0253266c80):oval_resultTest.c:1073:oval_result_test_eval]
I: oscap: Definition 'oval:mil.disa.stig.ubuntu1804:def:182' evaluated as error. [oscap(10125):oscap(7f0253266c80):oval_resultDefinition.c:163:oval_result_definition_eval]
Result  error

mpb10 avatar Sep 15 '21 02:09 mpb10
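The cascade in the log above (def:182 evaluating as error only because it extends def:95) can be traced automatically from the --oval-results file. The following is an added Python example, not code from this thread or from the OpenSCAP project; it runs on a constructed results fragment whose OVAL ids are placeholders in an oval:example namespace.

```python
# Added example (not OpenSCAP project code): trace OVAL 'error' results in an
# oscap --oval-results file back to the test or extended definition that
# introduced the error, as happens above when def:182 inherits def:95's error.
import xml.etree.ElementTree as ET

NS = {"res": "http://oval.mitre.org/XMLSchema/oval-results-5"}

# Constructed sample mirroring the thread. Ids are placeholders, not real
# STIG/SSG ids: def:182 extends def:95, and def:95 errors because its own
# service-state test errored, just like the auditd check in the logs.
SAMPLE_RESULTS = """<oval_results xmlns="http://oval.mitre.org/XMLSchema/oval-results-5">
  <results><system><definitions>
    <definition definition_id="oval:example:def:1" version="1" result="true">
      <criteria operator="AND" result="true">
        <criterion test_ref="oval:example:tst:1" result="true"/>
      </criteria>
    </definition>
    <definition definition_id="oval:example:def:95" version="1" result="error">
      <criteria operator="AND" result="error">
        <extend_definition definition_ref="oval:example:def:1" result="true"/>
        <criterion test_ref="oval:example:tst:95" result="error"/>
      </criteria>
    </definition>
    <definition definition_id="oval:example:def:182" version="1" result="error">
      <criteria operator="AND" result="error">
        <extend_definition definition_ref="oval:example:def:95" result="error"/>
        <criterion test_ref="oval:example:tst:18200" result="true"/>
      </criteria>
    </definition>
  </definitions></system></results>
</oval_results>
"""


def load_definitions(xml_text):
    """Return {definition_id: element} for the evaluated definitions only.

    The explicit path matters: a results file also embeds the full OVAL
    definitions, whose <definition> elements carry 'id', not 'definition_id'.
    """
    root = ET.fromstring(xml_text)
    path = "./res:results/res:system/res:definitions/res:definition"
    return {d.get("definition_id"): d for d in root.findall(path, NS)}


def results_by_definition(xml_text):
    """Map each evaluated definition id to its result string."""
    return {i: d.get("result") for i, d in load_definitions(xml_text).items()}


def _error_leaves(node, defs, seen):
    """Yield ('test', id) or ('definition', id) pairs that originated an error."""
    for child in node:
        tag = child.tag.split("}")[-1]          # strip the XML namespace
        if child.get("result") != "error":      # only follow the error branch
            continue
        if tag == "criterion":
            yield ("test", child.get("test_ref"))
        elif tag == "extend_definition":
            ref = child.get("definition_ref")
            if ref in defs and ref not in seen:  # descend into the parent def
                seen.add(ref)
                yield from _error_leaves(defs[ref], defs, seen)
            else:                                # missing or cyclic: name it
                yield ("definition", ref)
        elif tag == "criteria":
            yield from _error_leaves(child, defs, seen)


def error_root_causes(xml_text):
    """{errored definition id: sorted list of (kind, id) root causes}."""
    defs = load_definitions(xml_text)
    return {i: sorted(set(_error_leaves(d, defs, {i})))
            for i, d in defs.items() if d.get("result") == "error"}


if __name__ == "__main__":
    for did, leaves in error_root_causes(SAMPLE_RESULTS).items():
        print(did, "<-", ", ".join(f"{k} {v}" for k, v in leaves))
```

On a real results file, replace SAMPLE_RESULTS with the contents of the file written by --oval-results; every errored definition then maps to the few tests that actually failed to evaluate.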

Anybody manage to figure this one out? This has been open for over a year now.

anothermerge avatar Apr 21 '22 15:04 anothermerge

I'm getting the same issue with a few checks.

Bowriverstudio avatar Sep 30 '22 22:09 Bowriverstudio

I am getting a similar error with oscap 1.2.15 and ubuntu 18.04 LTS.

It fails to recognize that openssh-server is not installed, and for several options that should exist in the file it gives a score of pass.

And it creates messages like the following:

I: oscap: Criteria are extended by definition 'oval:ssg-sshd_not_required_or_unset:def:1'. [oscap(17597):oscap(7fb982c2bc80):oval_resultCriteriaNode.c:363:_oval_result_criteria_node_result]
I: oscap: Evaluating definition 'oval:ssg-sshd_not_required_or_unset:def:1': SSHD is not required to be installed or requirement not set. [oscap(17597):oscap(7fb982c2bc80):oval_resultDefinition.c:152:oval_result_definition_eval]
I: oscap: Evaluating variable test 'oval:ssg-test_sshd_not_required:tst:1': Verify if Profile set Value sshd_required as not required. [oscap(17597):oscap(7fb982c2bc80):oval_resultTest.c:1054:oval_result_test_eval]
I: oscap: Querying variable object 'oval:ssg-object_sshd_not_required:obj:1', flags: 0. [oscap(17597):oscap(7fb982c2bc80):oval_probe.c:246:oval_probe_query_object]
I: oscap: Creating new syschar for variable_object 'oval:ssg-object_sshd_not_required:obj:1'. [oscap(17597):oscap(7fb982c2bc80):oval_probe.c:269:oval_probe_query_object]
I: oscap: Starting probe on URI 'pipe:///usr/lib/x86_64-linux-gnu/openscap/probe_variable'. [oscap(17597):oscap(7fb982c2bc80):oval_probe_ext.c:866:oval_probe_ext_handler]
I: oscap: Querying variable 'oval:ssg-sshd_required:var:1'. [oscap(17597):oscap(7fb982c2bc80):oval_variable.c:527:oval_probe_query_variable]
I: oscap: Variable 'oval:ssg-sshd_required:var:1' is not local, skipping. [oscap(17597):oscap(7fb982c2bc80):oval_variable.c:530:oval_probe_query_variable]
I: oscap: Variable 'oval:ssg-sshd_required:var:1' has values "0". [oscap(17597):oscap(7fb982c2bc80):oval_variable.c:512:_dump_variable_values]
D: oscap: Sending message. [oscap(17597):oscap(7fb982c2bc80):oval_probe_ext.c:493:oval_probe_comm]
D: oscap: MSG -> SEXP [oscap(17597):oscap(7fb982c2bc80):seap-packet.c:261:SEAP_packet_msg2sexp]

......

[oscap(17597):oscap(7fb982c2bc80):oval_resultTest.c:819:_oval_result_test_evaluate_items]
I: oscap: 1 objects defined by 'oval:ssg-object_sshd_not_required:obj:1' exist on the system. [oscap(17597):oscap(7fb982c2bc80):oval_resultTest.c:831:_oval_result_test_evaluate_items]
I: oscap: All items matching object 'oval:ssg-object_sshd_not_required:obj:1' were collected. (flag=complete) [oscap(17597):oscap(7fb982c2bc80):oval_resultTest.c:876:_oval_result_test_evaluate_items]
I: oscap: In test 'oval:ssg-test_sshd_not_required:tst:1' all of the collected items must satisfy these states: 'oval:ssg-state_sshd_not_required:ste:1'.

At the end it gives pass to SSH variables although openssh-server doesn't exist.

Any clue?

Thanks

RS

ricamz avatar Dec 20 '22 14:12 ricamz