Bug 1382289
| Summary: | atomic scan should raise an error when it is provided invalid paths to content in /etc/oscapd/config.ini | ||
|---|---|---|---|
| Product: | Red Hat Enterprise Linux 7 | Reporter: | Matus Marhefka <mmarhefk> |
| Component: | openscap-daemon | Assignee: | Martin Preisler <mpreisle> |
| Status: | CLOSED ERRATA | QA Contact: | Matus Marhefka <mmarhefk> |
| Severity: | medium | Docs Contact: | |
| Priority: | medium | ||
| Version: | 7.3 | CC: | dwalsh, jcerny, lmiksik, matyc, mhaicman, mpreisle, openscap-maint |
| Target Milestone: | rc | Keywords: | Extras |
| Target Release: | 7.5 | ||
| Hardware: | Unspecified | ||
| OS: | Linux | ||
| Whiteboard: | |||
| Fixed In Version: | openscap-daemon-0.1.7-1 | Doc Type: | If docs needed, set a value |
| Doc Text: | Story Points: | --- | |
| Clone Of: | Environment: | ||
| Last Closed: | 2018-04-11 00:06:49 UTC | Type: | Bug |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | Category: | --- | |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | |||
Since https://github.com/OpenSCAP/openscap-daemon/commit/69a8935a6896b5fc9f7272588f681316e19fdd59 openscap-daemon will refuse to start (both oscapd and oscapd-evaluate) if paths provided in config.ini are invalid. Ok, I am reassigning to openscap package, please close when the container running this daemon is available. I tested again on openscap-daemon-0.1.7-1 with invalid paths in /etc/oscapd/config.ini:
# atomic scan --scan_type standards_compliance test/pass
docker run -t --rm -v /etc/localtime:/etc/localtime -v /run/atomic/2017-09-22-11-15-28-248500:/scanin -v /var/lib/atomic/openscap/2017-09-22-11-15-28-248500:/scanout:rw,Z -v /etc/oscapd:/etc/oscapd:ro test/openscap oscapd-evaluate scan --targets chroots-in-dir:///scanin --output /scanout --no-cve-scan -j1
# echo $?
1
# atomic scan --scan_type standards_compliance test/pass --verbose
docker run -t --rm -v /etc/localtime:/etc/localtime -v /run/atomic/2017-09-22-11-15-59-891055:/scanin -v /var/lib/atomic/openscap/2017-09-22-11-15-59-891055:/scanout:rw,Z -v /etc/oscapd:/etc/oscapd:ro test/openscap oscapd-evaluate scan --targets chroots-in-dir:///scanin --output /scanout --no-cve-scan -j1
INFO:OpenSCAP Daemon one-off evaluator 0.1.7
INFO:Autodetected "oscap" in path "/usr/bin/oscap".
INFO:Autodetected "oscap-ssh" in path "/usr/bin/oscap-ssh".
INFO:Autodetected "oscap-vm" in path "/usr/bin/oscap-vm".
INFO:Failed to autodetect tool with name oscap-docker in prefixes /usr/bin, /usr/local/bin, /opt/openscap/bin.
INFO:Autodetected "oscap-chroot" in path "/usr/bin/oscap-chroot".
WARNING:Can't import the 'docker' package. Container scanning functionality will be disabled.
INFO:Creating tasks directory at '/var/lib/oscapd/tasks' because it didn't exist.
INFO:Creating results directory at '/var/lib/oscapd/results' because it didn't exist.
INFO:Creating results work in progress directory at '/var/lib/oscapd/work_in_progress' because it didn't exist.
ERROR:Configuration file failed sanity checking!
Traceback (most recent call last):
File "/usr/bin/oscapd-evaluate", line 547, in main
config.sanity_check()
File "/usr/lib/python3.6/site-packages/openscap_daemon/config.py", line 440, in sanity_check
sanity_check_file(self.cpe_oval_path, "CPE OVAL", "cpe-oval")
File "/usr/lib/python3.6/site-packages/openscap_daemon/config.py", line 413, in sanity_check_file
"doesn't exist." % (path, desc, config_file_entry)
RuntimeError: Path '/usr/share/openscap/cpe/bad-cpe-oval.xml' given for the cpe-oval file (config file entry: CPE OVAL) doesn't exist.
No error is printed without --verbose option. The error should be printed also without the --verbose option.
The bug is not fixed, so I am changing the status to ASSIGNED in order to make it easier to track. The first point of not having any error message if the scanning fails can't be fixed, because Atomic hides stdout and stderr of the container, unless the --verbose option is given. Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://access.redhat.com/errata/RHBA-2018:1093 |
Description of problem: Set invalid paths to content in /etc/oscapd/config.ini (you can generate it using `atomic install rhel7/openscap') and then run: $ atomic scan IMAGE IMAGE (7f8dedcd5a95758) IMAGE is not supported for this scan. ... $ echo $? 0 Errors about content are even printed by the scanner container, atomic just does not propagate them to stderr: $ atomic --debug scan IMAGE ... stderr: OpenSCAP Error: Unable to open file: '/usr/share/openscap/cpe/bad-cpe.xml' [oscap_source.c:264] ... stderr: OpenSCAP Error: Unable to open file: '/usr/share/openscap/cpe/bad-cpe.xml' [oscap_source.c:264] ... Version-Release number of selected component (if applicable): atomic-1.12.5-2.el7 How reproducible: Always Steps to Reproduce: 1. Set invalid paths to content in /etc/oscapd/config.ini 2. run atomic scan Actual results: atomic scan exits with 0 exit code and prints: "...IMAGE is not supported for this scan..." Expected results: atomic scan exits with error code and prints the errors. Additional info: