Bug 1270329 - no_files_unowned_by_group test produces unusable oval results file
Status: CLOSED ERRATA
Product: Red Hat Enterprise Linux 6
Classification: Red Hat
Component: scap-security-guide
Version: 6.7
Hardware: All Linux
Priority: unspecified
Severity: medium
Target Milestone: rc
Assigned To: Jan Lieskovsky
QA Contact: Marek Haicman
Duplicates: 1461967
Reported: 2015-10-09 12:11 EDT by Chuck Atkins
Modified: 2017-07-18 16:51 EDT
Fixed In Version: scap-security-guide-0.1.27-2.el6
Doc Type: Bug Fix
Last Closed: 2016-05-10 17:40:29 EDT
Type: Bug

Description Chuck Atkins 2015-10-09 12:11:59 EDT
Description of problem:
When running a scan with OpenSCAP using the stig-rhel6-server-upstream policy, the resulting oval results file can contain hundreds of thousands of entries for the no_files_unowned_by_group rule.  This creates memory allocation errors during report generation.

Version-Release number of selected component (if applicable):
0.1.21-3.el6

How reproducible:
Always

Steps to Reproduce:
1. Perform a Minimal Desktop installation (this probably doesn't matter, it's just how I tested it)

2. Install scap-security-guide:
  yum install scap-security-guide

3. Run a scan with oval results and report generation:
  oscap xccdf eval --profile xccdf_org.ssgproject.content_profile_stig-rhel6-server-upstream --results results.xml --report report.html --oval-results /usr/share/xml/scap/ssg/content/ssg-rhel6-ds.xml


Actual results:
... Scan processes and completes...
XPath error : Memory allocation failed : growing nodeset hit limit

growing nodeset hit limit

^
runtime error: file /usr/share/openscap/xsl/xccdf-report-oval-details.xsl line 39 element key
Failed to evaluate the 'match' expression.
XPath error : Memory allocation failed : growing nodeset hit limit

growing nodeset hit limit

^
runtime error: file /usr/share/openscap/xsl/xccdf-report-oval-details.xsl line 40 element key
Failed to evaluate the 'match' expression.
XPath error : Memory allocation failed : growing nodeset hit limit

growing nodeset hit limit

^
runtime error: file /usr/share/openscap/xsl/xccdf-report-oval-details.xsl line 41 element key
Failed to evaluate the 'match' expression.
XPath error : Memory allocation failed : growing nodeset hit limit

growing nodeset hit limit

^
runtime error: file /usr/share/openscap/xsl/xccdf-report-oval-details.xsl line 42 element key
Failed to evaluate the 'match' expression.
XPath error : Memory allocation failed : growing nodeset hit limit

growing nodeset hit limit

^
runtime error: file /usr/share/openscap/xsl/xccdf-report-oval-details.xsl line 43 element key
Failed to evaluate the 'match' expression.


Expected results:
Successful report generation

Additional info:
The resulting ssg-rhel6-oval.xml.results.xml file is ~300MiB and contains over 180k "tested_item" entries for oval:ssg:tst:776, the no_files_unowned_by_group rule.  One entry for every file, with its pass or fail status.

This has been fixed in the upstream SSG.  The same rule now uses a different test, which is just the find command and only outputs the files that failed, thus the resulting oval results file is < 2MiB and is easily processed for report generation.
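
One way to confirm which test is inflating an OVAL results file before report generation is attempted, as an added example that is not part of the original report or of OpenSCAP: it streams the file and counts tested_item entries per test. The sample document and the id oval:example:tst:1 are constructed; only oval:ssg:tst:776 comes from the report above.

```python
import io
import xml.etree.ElementTree as ET
from collections import Counter

# Namespace of the OVAL 5 results schema.
NS = "http://oval.mitre.org/XMLSchema/oval-results-5"
TEST, ITEM = f"{{{NS}}}test", f"{{{NS}}}tested_item"


def count_tested_items(source):
    """Stream an OVAL results file and return {test_id: Counter(item result)}."""
    per_test, current = {}, Counter()
    for _event, elem in ET.iterparse(source, events=("end",)):
        if elem.tag == ITEM:
            current[elem.get("result", "unknown")] += 1
        elif elem.tag == TEST:
            per_test[elem.get("test_id")] = current
            current = Counter()
        # Drop each element's content once it has been seen, so a file of
        # several hundred MiB is never held in memory as a full tree.
        elem.clear()
    return per_test


def oversized_tests(per_test, limit):
    """Return (test_id, item_count) pairs above limit, largest first."""
    totals = ((tid, sum(c.values())) for tid, c in per_test.items())
    return sorted((t for t in totals if t[1] > limit), key=lambda t: -t[1])


def build_sample(n_files=1000, n_bad=3):
    """Constructed sample: one test with an item per file, plus a small test."""
    def item(i):
        result = "false" if i < n_bad else "true"
        return f'<tested_item item_id="{i}" result="{result}"/>'
    big = "".join(item(i) for i in range(n_files))
    xml = (
        f'<oval_results xmlns="{NS}"><results><system><tests>'
        f'<test test_id="oval:ssg:tst:776" result="false">{big}</test>'
        f'<test test_id="oval:example:tst:1" result="true">{item(n_bad)}</test>'
        "</tests></system></results></oval_results>"
    )
    return io.BytesIO(xml.encode())


if __name__ == "__main__":
    counts = count_tested_items(build_sample())
    for tid, n in oversized_tests(counts, limit=100):
        print(tid, n, dict(counts[tid]))
```

count_tested_items also accepts a file path, so it can be pointed directly at a real results file such as the one named in the report.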
Comment 2 Šimon Lukašík 2015-10-09 14:57:07 EDT
Already fixed upstream. dev_ack+
Comment 5 Marek Haicman 2016-02-22 10:50:36 EST
Verified fix on version scap-security-guide-0.1.28-2.el6
Comment 7 errata-xmlrpc 2016-05-10 17:40:29 EDT
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://rhn.redhat.com/errata/RHBA-2016-0846.html
Comment 8 Marek Haicman 2017-07-18 16:51:44 EDT
*** Bug 1461967 has been marked as a duplicate of this bug. ***
