Minimum Memory Requirement Check
- Is this an issue with SCAP Workbench?
  - If so, report it here: https://github.com/OpenSCAP/scap-workbench/issues
- Is this an issue with SCAP Security Guide (i.e., related to the content of scans, not the scanner proper)?
  - If so, report it here: https://github.com/OpenSCAP/scap-security-guide/issues
- Is this an issue during the OS installation process?
  - If so, report it here: https://github.com/OpenSCAP/oscap-anaconda-addon/issues
Thanks!
Description of Problem:
System hangs after the OOM killer kills oscap. Should oscap check the available RAM size and stop executing if the minimum memory requirement isn't met?
Sep 13 01:37:51 ip-10-0-1-132 kernel: oom-kill:constraint=CONSTRAINT_NONE,nodemask=(null),cpuset=/,mems_allowed=0,global_oom,task_memcg=/user.slice/user-1000.slice/session-1.scope,task=oscap,pid=15531,uid=0
Sep 13 01:37:51 ip-10-0-1-132 kernel: Out of memory: Killed process 15531 (oscap) total-vm:1914356kB, anon-rss:455456kB, file-rss:0kB, shmem-rss:0kB, UID:0 pgtables:1276kB oom_score_adj:0
Sep 13 01:37:51 ip-10-0-1-132 systemd[1]: session-1.scope: A process of this unit has been killed by the OOM killer.
Sep 13 01:38:17 ip-10-0-1-132 oscap[15903]: Evaluation started. Content: /usr/share/xml/scap/ssg/content/ssg-rhel9-ds.xml, Profile: xccdf_org.ssgproject.content_profile_e8.
Sep 13 01:38:53 ip-10-0-1-132 systemd-logind[640]: New session 3 of user ec2-user.
Sep 13 01:38:53 ip-10-0-1-132 systemd[1]: Started Session 3 of User ec2-user.
Sep 13 01:38:53 ip-10-0-1-132 systemd[1]: Starting Hostname Service...
Sep 13 01:38:53 ip-10-0-1-132 systemd[1]: Started Hostname Service.
Sep 13 01:38:55 ip-10-0-1-132 su[15957]: (to root) root on pts/1
Sep 13 01:39:25 ip-10-0-1-132 systemd[1]: systemd-hostnamed.service: Deactivated successfully.
Sep 13 01:39:29 ip-10-0-1-132 oscap[15903]: Evaluation finished. Return code: 2, Base score 56.775208.
OpenSCAP Version:
$ oscap -V
OpenSCAP command line tool (oscap) 1.3.10
Operating System & Version:
$ cat /etc/redhat-release
Red Hat Enterprise Linux release 9.4 (Plow)
Steps to Reproduce:
- Deploy a VM with 1G memory
- Run `oscap xccdf eval --profile xccdf_org.ssgproject.content_profile_e8 --report ./result.html /usr/share/xml/scap/ssg/content/ssg-rhel9-ds.xml`
- Check the system log
Actual Results:
System hangs after printing out the following output:
Title   Write Audit Logs to the Disk
Rule    xccdf_org.ssgproject.content_rule_auditd_write_logs
Ident   CCE-83705-4
Result  pass
Expected Results:
oscap should check the minimum resource requirements before executing rather than causing a serious issue on the system.
Additional Information / Debugging Steps:
Should oscap check the available RAM size and stop executing if the minimum memory requirement isn't met?
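The pre-flight check requested above, and a detector for the OOM-kill kernel messages quoted in this report, as an added example (not OpenSCAP project code and not part of the original issue). The threshold `MIN_AVAILABLE_KB`, the function names and the sample `meminfo` and log files are assumptions constructed for the example; OpenSCAP publishes no minimum-memory figure, so the 1 GiB default is a placeholder to tune per host and datastream.

```shell
#!/bin/sh
# Added example, not OpenSCAP project code: refuse to launch `oscap xccdf eval`
# when MemAvailable is below a threshold, and flag scans whose oscap process
# the kernel OOM killer reported killing. Everything reads from files, so it
# runs offline against the constructed samples below.

MIN_AVAILABLE_KB=${MIN_AVAILABLE_KB:-1048576}   # assumed: require 1 GiB available

# mem_ok [MEMINFO_FILE]
# Returns 0 when MemAvailable (kB) in the meminfo file meets the threshold,
# 1 otherwise. Defaults to the live /proc/meminfo.
mem_ok() {
    meminfo=${1:-/proc/meminfo}
    avail=$(awk '/^MemAvailable:/ { print $2 }' "$meminfo")
    [ -n "$avail" ] && [ "$avail" -ge "$MIN_AVAILABLE_KB" ]
}

# run_scan_checked DATASTREAM PROFILE [REPORT]
# Runs the same evaluation as the reproduction steps, but only after the
# memory check passes; otherwise returns 75 (EX_TEMPFAIL) so a cron job or
# wrapper can tell "refused" apart from a scan that ran and failed.
run_scan_checked() {
    ds=$1; profile=$2; report=${3:-./result.html}
    if ! mem_ok; then
        echo "refusing scan: MemAvailable below ${MIN_AVAILABLE_KB} kB" >&2
        return 75
    fi
    oscap xccdf eval --profile "$profile" --report "$report" "$ds"
}

# oom_killed_oscap_pids LOGFILE
# Prints one PID per line for every oscap process the kernel OOM killer
# reported killing, so the corresponding scan can be marked incomplete.
oom_killed_oscap_pids() {
    sed -n 's/.*Out of memory: Killed process \([0-9][0-9]*\) (oscap).*/\1/p' "$1"
}

# --- constructed sample inputs (modelled on the report; not real captures) ---
SAMPLE_DIR=$(mktemp -d)
cat > "$SAMPLE_DIR/meminfo.low" <<'EOF'
MemTotal:        1003548 kB
MemFree:           60120 kB
MemAvailable:     210332 kB
EOF
cat > "$SAMPLE_DIR/meminfo.ok" <<'EOF'
MemTotal:        8129364 kB
MemFree:         5500120 kB
MemAvailable:    6210332 kB
EOF
cat > "$SAMPLE_DIR/messages" <<'EOF'
Sep 13 01:37:51 ip-10-0-1-132 kernel: Out of memory: Killed process 15531 (oscap) total-vm:1914356kB, anon-rss:455456kB, file-rss:0kB, shmem-rss:0kB, UID:0 pgtables:1276kB oom_score_adj:0
Sep 13 01:37:51 ip-10-0-1-132 systemd[1]: session-1.scope: A process of this unit has been killed by the OOM killer.
Sep 13 01:39:29 ip-10-0-1-132 oscap[15903]: Evaluation finished. Return code: 2, Base score 56.775208.
EOF

# Demonstration against the samples when run directly.
if mem_ok "$SAMPLE_DIR/meminfo.low"; then echo "1G host: would scan"; else echo "1G host: refused"; fi
if mem_ok "$SAMPLE_DIR/meminfo.ok";  then echo "8G host: would scan";  else echo "8G host: refused";  fi
echo "OOM-killed oscap PIDs: $(oom_killed_oscap_pids "$SAMPLE_DIR/messages")"
```

Note that the second log line in the report ("Evaluation finished. Return code: 2") comes from a later oscap PID (15903) than the one that was killed (15531), so a wrapper should match the killed PID against the PID of the scan it launched rather than treat any later "Evaluation finished" as success.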
honestly... oscap needs to be re-architected to stream to disk more often... we're trying to run a scan on a kubernetes host and oscap is happily consuming over 20GB of memory... and that's even after splitting the job into batches... any filesystem with a lot of files seems to cause massive memory usage.