Bug 1992229
| Summary: | OpenSCAP scan fails with error "invalid byte sequence in UTF-8" | ||
|---|---|---|---|
| Product: | Red Hat Satellite | Reporter: | Jessica Hanley <jhanley> |
| Component: | SCAP Plugin | Assignee: | Oleh Fedorenko <ofedoren> |
| Status: | CLOSED ERRATA | QA Contact: | Peter Ondrejka <pondrejk> |
| Severity: | medium | Docs Contact: | |
| Priority: | medium | ||
| Version: | 6.9.0 | CC: | ahumbe, akapse, hyu, jordi.m.rubalcaba, jpasqual, jrichards2, mhulan, pmendezh, ramsingh, rdesouza, zhunting |
| Target Milestone: | 6.15.0 | Keywords: | Triaged |
| Target Release: | Unused | ||
| Hardware: | Unspecified | ||
| OS: | Unspecified | ||
| Whiteboard: | |||
| Fixed In Version: | rubygem-foreman_scap_client-0.5.2 | Doc Type: | If docs needed, set a value |
| Doc Text: | Story Points: | --- | |
| Clone Of: | Environment: | ||
| Last Closed: | 2024-04-23 17:26:25 UTC | Type: | Bug |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | Category: | --- | |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | |||
Created redmine issue https://projects.theforeman.org/issues/33914 from this bug This also happens on RHEL7, if the error output of the oscap command contains an invalid byte sequence Worked with 3rd workaround in RHEL 8.5.
Filename: /usr/share/gems/gems/foreman_scap_client-0.5.0/lib/foreman_scap_client/base_client.rb
#puts error_str.split("\n").select { |item| item.start_with?('WARNING:') || item.start_with?('Downloading') }.join("\n")
Thanks,
Based on what I have tested... Install the foreman_scap_client package on your hosts. # yum install rubygem-foreman_scap_client --assumeyes The above package creates/restores file: /usr/share/gems/gems/foreman_scap_client-0.5.1/lib/foreman_scap_client/base_client.rb comment line 84, to ensure oscap scans continue to work because if you reinstall package rubygem-foreman_scap_client, the comment in line 84 will be removed. I have not tested in RHEL 8, but On RHEL 7 and RHEL 9 systems it is line: **84** in file /usr/share/gems/gems/foreman_scap_client-0.5.1/lib/foreman_scap_client/base_client.rb To gather scans from the Satellite web UI: Step 1: Navigate to Hosts> Select Action>drop_down> Run All Ansible roles. Step 2: Navigate to Hosts> Select desired host> Schedule a job>drop_down> Run OpenScap Scan. Wait until job completes. Step 3: Navigate to Hosts> Compliance>Reports. Likewise, execute the command below from the hosts and the report will be uploaded to the Satellite Web UI. The number '1' is the Scap Scan Policy number created in Satellite. # /usr/bin/foreman_scap_client 1 Upstream bug assigned to ofedoren Upstream bug assigned to ofedoren Verified on Satellite 6.15 sn 8 Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory (Important: Satellite Client Async Security Update), and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://access.redhat.com/errata/RHSA-2024:2011 |
Description of problem: When the customer runs an OpenSCAP scan against their RHEL 8 hosts, the scan fails. Version-Release number of selected component (if applicable): Satellite server: satellite-6.9.2-1.el7sat.noarch redhat-release-server-7.9-6.el7_9.x86_64 Example Host: redhat-release-8.4-0.6.el8.x86_64 rubygem-foreman_scap_client-0.4.7-1.el8sat.noarch How reproducible: 100% Steps to Reproduce: 1. 2. 3. Actual results: When the customer runs an OpenSCAP command against some of their servers, they get these errors: 1: DEBUG: running: oscap xccdf eval --profile PROFILE_NAME --results-arf /tmp/d20210714-16213-1fn07xw/results.xml /var/lib/openscap/content/b7772a4001f865517e30762c406dee80fdab2100ecc010f4408519a979665f6e.xml 2: Traceback (most recent call last): 3: 8: from /usr/bin/foreman_scap_client:23:in `<main>' 4: 7: from /usr/bin/foreman_scap_client:23:in `load' 5: 6: from /usr/share/gems/gems/foreman_scap_client-0.4.7/bin/foreman_scap_client:10:in `<top (required)>' 6: 5: from /usr/share/gems/gems/foreman_scap_client-0.4.7/lib/foreman_scap_client/client.rb:22:in `run' 7: 4: from /usr/share/ruby/tmpdir.rb:93:in `mktmpdir' 8: 3: from /usr/share/gems/gems/foreman_scap_client-0.4.7/lib/foreman_scap_client/client.rb:24:in `block in run' 9: 2: from /usr/share/gems/gems/foreman_scap_client-0.4.7/lib/foreman_scap_client/client.rb:53:in `scan' 10: 1: from /usr/share/gems/gems/foreman_scap_client-0.4.7/lib/foreman_scap_client/client.rb:60:in `run_scan' 11: /usr/share/gems/gems/foreman_scap_client-0.4.7/lib/foreman_scap_client/client.rb:60:in `split': invalid byte sequence in UTF-8 (ArgumentError) 12: 13: Exit status: 1 Expected results: The scan should succeed on RHEL 8 hosts. Additional info: The error seems to arise from line 60 in this file (two are listed here because the problem was found in two different versions): file version in the testing environment: /usr/share/gems/gems/foreman_scap_client-0.4.6/lib/foreman_scap_client/client.rb file version in the customer environment: /usr/share/gems/gems/foreman_scap_client-0.4.7/lib/foreman_scap_client/client.rb This is line 60, which appears to be identical in both versions of that file: puts error_str.split("\n").select { |item| item.start_with?('WARNING:') || item.start_with?('Downloading') }.join("\n") We were able to resolve this issue in three different ways during testing: puts line.scrub('').split("\n").select { |item| item.start_with?('WARNING:') || item.start_with?('Downloading') }.join("\n") puts error_str #.split("\n").select { |item| item.start_with?('WARNING:') || item.start_with?('Downloading') }.join("\n") #puts error_str.split("\n").select { |item| item.start_with?('WARNING:') || item.start_with?('Downloading') }.join("\n") Our customer tried the first fix, and it worked for them on multiple hosts: puts line.scrub('').split("\n").select { |item| item.start_with?('WARNING:') || item.start_with?('Downloading') }.join("\n") I believe that this line fails because it's trying to process files in (subdirectories of) /var/lib/foreman-proxy/openscap/ that contain UTF characters (or perhaps invalid UTF characters).