Bug 1556988

| Field | Value |
|---|---|
| Summary | rpminfo, rpmverify and rpmverifyfile probes do not fully support offline mode |
| Product | Red Hat Enterprise Linux 7 |
| Component | openscap |
| Version | 7.5 |
| Hardware | Unspecified |
| OS | Unspecified |
| Status | CLOSED ERRATA |
| Severity | medium |
| Priority | high |
| Target Milestone | rc |
| Target Release | --- |
| Reporter | Matus Marhefka <mmarhefk> |
| Assignee | Martin Preisler <mpreisle> |
| QA Contact | Matus Marhefka <mmarhefk> |
| Docs Contact | Mirek Jahoda <mjahoda> |
| CC | jcerny, matyc, mhaicman, mpreisle, mthacker, openscap-maint, toneata |
| Keywords | Reopened, ZStream |
| Doc Type | Bug Fix |
| Story Points | --- |
| Clone Of | |
| Clones | 1569150 |
| Bug Blocks | 1569150 |
| Type | Bug |
| Regression | --- |
| Last Closed | 2018-10-30 11:44:40 UTC |

Doc Text:

*OpenSCAP* RPM verification rules no longer work incorrectly with VM and container file systems

Previously, the `rpminfo`, `rpmverify`, and `rpmverifyfile` probes did not fully support offline mode. As a consequence, *OpenSCAP* RPM verification rules did not work correctly when scanning virtual machine (VM) and container file systems in offline mode. With this update, support for offline mode has been fixed, and results of scanning VM and container file systems in offline mode no longer contain false negatives.
Description
Matus Marhefka
2018-03-15 17:00:08 UTC

The original description is only a consequence of the issue. Each of the probes rpminfo, rpmverify and rpmverifyfile uses its own chroot mode and utilizes the rpm file iterator library. When a probe does initialization it calls the rpmfiNew() function, which should set the chroot directory for file iterations. Unfortunately this is not supported in the rpm file iterator library itself. This means that all the file iterations are performed on the host system instead of the chroot-ed directory. The consequence is that scanning in offline mode does not work for all the rules which utilize these probes for checking RPM package files in chroot-ed directories. Therefore, all the "RPM.*verify" rules are not working correctly when scanning VM or container filesystems and report incorrect results.

Version-Release number of selected component (if applicable):
openscap-docker-7.5.0-3
openscap-1.2.16-6.el7

Confirmed rules which are affected by this:
* Verify and Correct File Permissions with RPM (xccdf_org.ssgproject.content_rule_rpm_verify_permissions)
* Verify and Correct Ownership with RPM (xccdf_org.ssgproject.content_rule_rpm_verify_ownership)
* Verify File Hashes with RPM (xccdf_org.ssgproject.content_rule_rpm_verify_hashes)

We need to revert the following commit:
https://github.com/OpenSCAP/openscap/commit/f540c055e9bda6b6168746df2017ee7e2b871323

Upstream fix posted: https://github.com/OpenSCAP/openscap/pull/1002

Because the fix is extensive, for the purposes of the zstream fix we will revert back to using chroot for the textfilecontent probe. Therefore only the first commit of the posted upstream fix will be used.

(In reply to Martin Preisler from comment #9)
> Upstream fix posted: https://github.com/OpenSCAP/openscap/pull/1002
>
> Because the fix is extensive for the purposes of the zstream fix we will
> revert back to using chroot for textfilecontent probe. Therefore only the
> first commit of the posted upstream fix will be used.

I got confused and this is a related fix but not a fix to this BZ. This BZ still needs an upstream fix posted.

Created attachment 1423654: patch to use chroot for rpm probes

Since the upstream code is a bit different I have created a slightly different patch for upstream to make sure this is fixed in future upstream versions of the project. See https://github.com/OpenSCAP/openscap/pull/1013

Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2018:3302
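The failure mode described in this bug (a verifier that accepts an offline root but iterates the host's files, so a tampered image passes because the pristine host copies match the host's own database) is easy to reproduce in miniature. The following is an added illustration written for this page; it is not OpenSCAP, librpm or Red Hat code. A small in-memory manifest stands in for the RPM database, `honour_root` is a hypothetical switch that toggles between the correct behaviour and the one the report describes, and the file names, contents and tampering are constructed sample data. It also shows the practical check a practitioner wants after applying such a fix: plant a canary modification inside the image and confirm the offline scan flags it.

```python
"""Model of the offline-root bug class from bug 1556988 (added example,
not OpenSCAP or librpm code). A tiny manifest stands in for the RPM
database: expected SHA-256 digest and permission bits per packaged file.
The host root is "/" on a real system; the demo uses a temp dir so it
runs unprivileged."""
import hashlib
import os
import stat
import tempfile


def sha256_of(path):
    with open(path, "rb") as fh:
        return hashlib.sha256(fh.read()).hexdigest()


def record_manifest(root, rel_paths):
    """Digest and mode of files as installed under root: what the package
    database knows about the pristine package contents."""
    manifest = {}
    for rel in rel_paths:
        path = os.path.join(root, rel)
        manifest[rel] = (sha256_of(path), stat.S_IMODE(os.lstat(path).st_mode))
    return manifest


def verify(manifest, scan_root, honour_root=True, host_root="/"):
    """Return a list of (relative path, problem) findings.

    honour_root=True  resolves every path under scan_root (correct offline mode).
    honour_root=False resolves under host_root and silently ignores scan_root:
    the pristine host copy is compared against the host's own database, so
    everything passes. That is the false negative the bug report describes.
    """
    base = scan_root if honour_root else host_root
    findings = []
    for rel, (digest, mode) in manifest.items():
        path = os.path.join(base, rel)
        if not os.path.lexists(path):
            findings.append((rel, "missing"))
            continue
        if sha256_of(path) != digest:
            findings.append((rel, "digest"))
        if stat.S_IMODE(os.lstat(path).st_mode) != mode:
            findings.append((rel, "mode"))
    return findings


def canary_check(verifier, scan_root, rel="etc/ssh/sshd_config"):
    """Acceptance check for a scanner's offline mode: modify a known packaged
    file inside the image, run the scanner, require a digest finding for it.
    A clean result means the scanner is not reading scan_root at all."""
    path = os.path.join(scan_root, rel)
    with open(path, "rb") as fh:
        original = fh.read()
    with open(path, "ab") as fh:
        fh.write(b"# canary\n")
    try:
        return (rel, "digest") in verifier(scan_root)
    finally:
        with open(path, "wb") as fh:
            fh.write(original)


def build_demo():
    """Constructed data: a pristine 'host' tree and a tampered 'target' image."""
    base = tempfile.mkdtemp(prefix="bz1556988-")
    host, target = os.path.join(base, "host"), os.path.join(base, "target")
    files = {
        "etc/ssh/sshd_config": (b"PermitRootLogin no\n", 0o600),
        "usr/bin/tool": (b"#!/bin/sh\nexit 0\n", 0o755),
    }
    for root in (host, target):
        for rel, (content, mode) in files.items():
            path = os.path.join(root, rel)
            os.makedirs(os.path.dirname(path), exist_ok=True)
            with open(path, "wb") as fh:
                fh.write(content)
            os.chmod(path, mode)
    manifest = record_manifest(host, files)
    # Tamper the image only: loosened permissions and a modified binary.
    os.chmod(os.path.join(target, "etc/ssh/sshd_config"), 0o666)
    with open(os.path.join(target, "usr/bin/tool"), "ab") as fh:
        fh.write(b"echo pwned\n")
    return manifest, host, target


def run_demo():
    manifest, host, target = build_demo()

    def buggy(root):
        return verify(manifest, root, honour_root=False, host_root=host)

    def fixed(root):
        return verify(manifest, root, honour_root=True)

    return {
        "buggy_findings": buggy(target),              # [] despite tampering
        "fixed_findings": fixed(target),
        "buggy_canary": canary_check(buggy, target),  # False: not reading the image
        "fixed_canary": canary_check(fixed, target),  # True
    }


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(f"{key}: {value}")
```

The canary step is the part worth carrying over to a real deployment: before trusting `rpm_verify_*` results from an offline scan of a VM or container filesystem, deliberately alter one packaged file inside that filesystem and confirm the scan reports it. A pass on the altered image means the probe is still looking at the host.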