Bug 1270329

Summary: no_files_unowned_by_group test produces unusable oval results file
Product: Red Hat Enterprise Linux 6
Reporter: Chuck Atkins <chuck.atkins>
Component: scap-security-guide
Assignee: Jan Lieskovsky <jlieskov>
Status: CLOSED ERRATA
QA Contact: Marek Haicman <mhaicman>
Severity: medium
Priority: unspecified
Version: 6.7
CC: mhaicman, openscap-maint, rajgupta, slukasik
Target Milestone: rc
Hardware: All
OS: Linux
Fixed In Version: scap-security-guide-0.1.27-2.el6
Doc Type: Bug Fix
Last Closed: 2016-05-10 21:40:29 UTC
Type: Bug

Description Chuck Atkins 2015-10-09 16:11:59 UTC
Description of problem:
When running a scan with OpenSCAP using the stig-rhel6-server-upstream policy, the resulting oval results file can contain hundreds of thousands of entries for the no_files_unowned_by_group rule.  This creates memory allocation errors during report generation.

Version-Release number of selected component (if applicable):
0.1.21-3.el6

How reproducible:
Always

Steps to Reproduce:
1. Perform a Minimal Desktop installation (this probably doesn't matter, it's just how I tested it)

2. Install scap-security-guide:
  yum install scap-security-guide

3. Run a scan with oval results and report generation:
  oscap xccdf eval --profile xccdf_org.ssgproject.content_profile_stig-rhel6-server-upstream --results results.xml --report report.html --oval-results /usr/share/xml/scap/ssg/content/ssg-rhel6-ds.xml


Actual results:
... Scan processes and completes...
XPath error : Memory allocation failed : growing nodeset hit limit

growing nodeset hit limit

^
runtime error: file /usr/share/openscap/xsl/xccdf-report-oval-details.xsl line 39 element key
Failed to evaluate the 'match' expression.
XPath error : Memory allocation failed : growing nodeset hit limit

growing nodeset hit limit

^
runtime error: file /usr/share/openscap/xsl/xccdf-report-oval-details.xsl line 40 element key
Failed to evaluate the 'match' expression.
XPath error : Memory allocation failed : growing nodeset hit limit

growing nodeset hit limit

^
runtime error: file /usr/share/openscap/xsl/xccdf-report-oval-details.xsl line 41 element key
Failed to evaluate the 'match' expression.
XPath error : Memory allocation failed : growing nodeset hit limit

growing nodeset hit limit

^
runtime error: file /usr/share/openscap/xsl/xccdf-report-oval-details.xsl line 42 element key
Failed to evaluate the 'match' expression.
XPath error : Memory allocation failed : growing nodeset hit limit

growing nodeset hit limit

^
runtime error: file /usr/share/openscap/xsl/xccdf-report-oval-details.xsl line 43 element key
Failed to evaluate the 'match' expression.


Expected results:
Successful report generation

Additional info:
The resulting ssg-rhel6-oval.xml.results.xml file is ~300MiB and contains over 180k "tested_item" entries for oval:ssg:tst:776, the no_files_unowned_by_group rule.  One entry for every file, with its pass or fail status.

This has been fixed in the upstream SSG.  The same rule now uses a different test, which is just the find command and only outputs the files that failed, thus the resulting oval results file is < 2MiB and is easily processed for report generation.

Comment 2 Šimon Lukašík 2015-10-09 18:57:07 UTC
Already fixed upstream. dev_ack+

Comment 5 Marek Haicman 2016-02-22 15:50:36 UTC
Verified fix on version scap-security-guide-0.1.28-2.el6

Comment 7 errata-xmlrpc 2016-05-10 21:40:29 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://rhn.redhat.com/errata/RHBA-2016-0846.html

Comment 8 Marek Haicman 2017-07-18 20:51:44 UTC
*** Bug 1461967 has been marked as a duplicate of this bug. ***