Some remediations fail to run in oscap-im
Some remediations fail to complete and terminate prematurely when oscap is run as part of the oscap-im command.
For example, remediation for accounts_passwords_pam_faillock_dir fails with:
/tmp/oscap.sApNOh/fix-XXOud2ao: line 124: semanage: command not found
/tmp/oscap.sApNOh/fix-XXOud2ao: line 125: restorecon: command not found
The problem is that semanage and restorecon do exist on the system, but the $PATH variable in effect during the remediation doesn't contain /usr/sbin, where these commands are installed. The $PATH isn't inherited from the parent shell of oscap-im; it comes from elsewhere.
This issue is the root cause of CaC/content issue https://github.com/ComplianceAsCode/content/issues/13552.
This issue most likely started to manifest after https://github.com/OpenSCAP/openscap/pull/2233, where we changed oscap to inherit the parent environment in remediations instead of using a hardcoded environment. The hardcoded environment contained a definition of $PATH that included /usr/sbin.
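As an added illustration (not code from the openscap project), the following Python puts the two ways of building the remediation environment side by side: the old hardcoded dictionary, which carries no PATH at all, and a merge with the parent environment that additionally guarantees the sbin directories are present even when the caller's own PATH lacks them. REQUIRED_PATH_DIRS, build_remediation_env and missing_commands are names made up for this example.

```python
import os
import shutil

# Assumption for the example: the directories a remediation script must be able
# to resolve commands from (semanage and restorecon live in /usr/sbin).
REQUIRED_PATH_DIRS = ("/usr/sbin", "/usr/bin", "/sbin", "/bin")


def build_remediation_env(parent_env, overrides):
    """Merge the parent environment with oscap-specific overrides, then make
    sure every directory in REQUIRED_PATH_DIRS is on PATH (appended if missing).
    Overrides win over inherited values, like {**os.environ, **overrides}."""
    env = dict(parent_env)
    env.update(overrides)
    path_dirs = [d for d in env.get("PATH", "").split(os.pathsep) if d]
    for d in REQUIRED_PATH_DIRS:
        if d not in path_dirs:
            path_dirs.append(d)
    env["PATH"] = os.pathsep.join(path_dirs)
    return env


def missing_commands(commands, env):
    """Return the commands a remediation script could NOT resolve with the given
    env, i.e. the ones that would fail with 'command not found'.
    path="" (no PATH in env) makes shutil.which() return None instead of
    silently falling back to the current process' own PATH."""
    path = env.get("PATH", "")
    return [c for c in commands if shutil.which(c, path=path) is None]


if __name__ == "__main__":
    overrides = {"OSCAP_PREFERRED_ENGINE": "SCE", "OSCAP_BOOTC_BUILD": "YES"}
    hardcoded = dict(overrides)  # what oscap-im passed before the fix: no PATH
    merged = build_remediation_env(os.environ, overrides)
    for name, env in (("hardcoded", hardcoded), ("merged", merged)):
        print(name, "PATH =", env.get("PATH"))
        print("  unresolvable:", missing_commands(["semanage", "restorecon"], env))
```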
Steps to reproduce:
- Build a hardened bootable container image based on RHEL 10.1 using the STIG profile.
- Start the image as a container or deploy a VM from it.
- Get the HTML report from the remediation that happened during the podman build.
- Observe the remediation output for rule accounts_passwords_pam_faillock_dir.
Affected version:
openscap-1.4.2-1.el10_0.x86_64
Suggestion for a fix:
--- a/utils/oscap-im
+++ b/utils/oscap-im
@@ -17,6 +17,7 @@
# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA
import argparse
+import os
import subprocess
import sys
import tempfile
@@ -125,7 +126,7 @@ def scan_and_remediate(args):
add_common_args(args, oscap_cmd)
add_eval_args(args, oscap_cmd)
oscap_cmd.append(args.data_stream)
- env = {"OSCAP_PREFERRED_ENGINE": "SCE", "OSCAP_BOOTC_BUILD": "YES"}
+ env = {**os.environ, "OSCAP_PREFERRED_ENGINE": "SCE", "OSCAP_BOOTC_BUILD": "YES"}
try:
subprocess.run(oscap_cmd, env=env, check=True)
except subprocess.CalledProcessError as e:
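Review bot: The `{**os.environ, ...}` merge on the changed line only restores /usr/sbin to the remediation's $PATH when the parent process' $PATH already contains it, so the "command not found" failure from the issue description can still recur in a build environment with a minimal or unset PATH; consider also ensuring the sbin directories are present, e.g. checking `env.get("PATH", "")` after the merge and appending /usr/sbin when it is missing. Note as well that this now forwards every variable of the build environment into the remediation shell scripts, not just PATH, which is a wider change than the hardcoded dictionary it replaces and might deserve a sentence in the commit message. The explicit OSCAP_* keys correctly override any inherited values of the same name, since they come after the unpacked `os.environ`.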
This fix works for me.