
Issue when executing SCE scripts.

Open a-skr opened this issue 6 months ago • 2 comments

Hello,

I have an error when trying to run an SCE script when /tmp is mounted with the noexec flag (the check is marked as 'error' in the html report).

The relevant debug logs are here.

```
I: oscap: Test 'oval:ssg-inventory_test_package_apparmor_installed:tst:1' evaluated as true. [oscap(9490):oscap(7f9631132bc0):oval_resultTest.c:1164:oval_result_test_eval]
I: oscap: Definition 'oval:ssg-package_apparmor:def:1' evaluated as true. [oscap(9490):oscap(7f9631132bc0):oval_resultDefinition.c:170:oval_result_definition_eval]
I: oscap: Executing SCE check 'debian13/checks/sce/all_apparmor_profiles_enforced.sh' [oscap(9490):oscap(7f9631132bc0):sce_engine.c:373:sce_engine_eval_rule]
I: oscap: /tmp/oscap.sksXGJ/debian13/checks/sce/all_apparmor_profiles_enforced.sh isn't executable, oscap-run-sce-script will be used. [oscap(9490):oscap(7f9631132bc0):sce_engine.c:398:sce_engine_eval_rule]
```

Some security guides mandate that /tmp is mounted with the noexec flag. When applying this rule, I cannot execute SCE scripts anymore (they run fine without the noexec flag).

oscap seems to discover that the script is not executable. I'm not sure of what oscap-run-sce-script is supposed to do, but it seems to fail with a /tmp mounted with noexec.

Additional information:

command run:

```
oscap --verbose DEVEL --verbose-log-file dlog xccdf eval --profile anssi_bp28_intermediary --rule xccdf_org.ssgproject.content_rule_all_apparmor_profiles_enforced ssg-debian13-ds.xml
```

oscap info (oscap --version):

```
OpenSCAP command line tool (oscap) 1.4.2
Copyright 2009--2023 Red Hat Inc., Durham, North Carolina.

==== Supported specifications ====
SCAP Version: 1.3
XCCDF Version: 1.2
OVAL Version: 5.11.1
CPE Version: 2.3
Asset Identification Version: 1.1
Asset Reporting Format Version: 1.1

==== Capabilities added by auto-loaded plugins ====
SCE Version: 1.0 (from libopenscap_sce.so.33)

==== Paths ====
Schema files: /usr/share/openscap/schemas
Default CPE files: /usr/share/openscap/cpe

==== Inbuilt CPE names ====

==== Supported OVAL objects and associated OpenSCAP probes ====
OVAL family   OVAL object                  OpenSCAP probe
----------    ----------                   ----------
independent   environmentvariable          probe_environmentvariable
independent   environmentvariable58        probe_environmentvariable58
independent   family                       probe_family
independent   filehash58                   probe_filehash58 (SHA-224, SHA-256, SHA-384, SHA-512)
independent   system_info                  probe_system_info
independent   textfilecontent              probe_textfilecontent
independent   textfilecontent54            probe_textfilecontent54
independent   variable                     probe_variable
independent   xmlfilecontent               probe_xmlfilecontent
independent   yamlfilecontent              probe_yamlfilecontent
linux         dpkginfo                     probe_dpkginfo
linux         iflisteners                  probe_iflisteners
linux         inetlisteningservers         probe_inetlisteningservers
linux         partition                    probe_partition
linux         rpminfo                      probe_rpminfo
linux         rpmverify                    probe_rpmverify
linux         rpmverifyfile                probe_rpmverifyfile
linux         rpmverifypackage             probe_rpmverifypackage
linux         selinuxboolean               probe_selinuxboolean
linux         selinuxsecuritycontext       probe_selinuxsecuritycontext
linux         systemdunitdependency        probe_systemdunitdependency
linux         systemdunitproperty          probe_systemdunitproperty
linux         fwupdsecattr                 probe_fwupdsecattr
unix          dnscache                     probe_dnscache
unix          file                         probe_file
unix          fileextendedattribute        probe_fileextendedattribute
unix          interface                    probe_interface
unix          password                     probe_password
unix          process                      probe_process
unix          process58                    probe_process58
unix          routingtable                 probe_routingtable
unix          runlevel                     probe_runlevel
unix          shadow                       probe_shadow
unix          symlink                      probe_symlink
unix          sysctl                       probe_sysctl
unix          uname                        probe_uname
unix          xinetd                       probe_xinetd
```

a-skr avatar Jun 19 '25 10:06 a-skr

Hi @a-skr, try to install the openscap-utils package, it contains the script oscap-run-sce-script.

This script was introduced in https://github.com/OpenSCAP/openscap/pull/1418 to allow executing SCE scripts when the executable bit can't be set.

mpurg avatar Dec 08 '25 12:12 mpurg
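The fallback mpurg describes, running a check through an interpreter when the file cannot be executed directly, sketched as an added shell example. This is not openscap's code and not oscap-run-sce-script itself; the helper names and the constructed sample script are mine, and the 101/102 exit codes follow the SCE pass/fail convention.

```shell
#!/bin/sh
# Added illustration, not openscap's own code: run an SCE-style check script
# so that it still works when its directory is on a noexec mount, by falling
# back to the interpreter named in the script's shebang line.

# Print "noexec" if the filesystem holding $1 carries the noexec option, else "exec".
# (test -x alone is not a reliable signal: it reflects mode bits, and whether it
# also reflects mount flags depends on the kernel, so the mount is checked too.)
mount_exec_mode() {
    opts=$(findmnt -n -o OPTIONS --target "$1" 2>/dev/null) || opts=""
    case ",$opts," in
        *,noexec,*) echo noexec ;;
        *)          echo exec ;;
    esac
}

# Extract the interpreter (with its arguments) from a "#!..." first line.
shebang_interpreter() {
    head -n 1 "$1" | sed -n 's/^#![[:space:]]*//p'
}

# Execute $1 directly when the exec bit is set and the mount allows it;
# otherwise hand the file to its shebang interpreter. The script's own exit
# status (SCE convention: 101 = pass, 102 = fail) is returned unchanged.
run_check_script() {
    script=$1
    if [ -x "$script" ] && [ "$(mount_exec_mode "$script")" = exec ]; then
        "$script"
    else
        interp=$(shebang_interpreter "$script")
        [ -n "$interp" ] || { echo "no shebang line in $script" >&2; return 2; }
        # shellcheck disable=SC2086  # splitting "/bin/sh -e" into words is intended
        $interp "$script"
    fi
}

# Constructed demo: a check with no exec bit, as happens under a noexec /tmp.
demo_dir=$(mktemp -d)
printf '#!/bin/sh\nexit 101\n' > "$demo_dir/check.sh"
chmod 644 "$demo_dir/check.sh"
run_check_script "$demo_dir/check.sh" && rc=0 || rc=$?
echo "check.sh via fallback exited with $rc"   # 101 = XCCDF_RESULT_PASS
rm -rf "$demo_dir"
```

A scanner that relies only on the direct-exec path reports such checks as 'error', as in the report above; the interpreter path keeps the check's real pass/fail status visible.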

Thank you.

Installing openscap-utils fixes the error.

I think error messages from the openscap scanner could be improved a bit. There was no error-level log when I had this issue.

a-skr avatar Dec 09 '25 16:12 a-skr