Note: This bug is displayed in read-only format because the product is no longer active in Red Hat Bugzilla.
RHEL Engineering is moving the tracking of its product development work on RHEL 6 through RHEL 9 to Red Hat Jira (issues.redhat.com). If you're a Red Hat customer, please continue to file support cases via the Red Hat customer portal. If you're not, please head to the "RHEL project" in Red Hat Jira and file new tickets here. Individual Bugzilla bugs in the statuses "NEW", "ASSIGNED", and "POST" are being migrated throughout September 2023. Bugs of Red Hat partners with an assigned Engineering Partner Manager (EPM) are migrated in late September as per pre-agreed dates. Bugs against components "kernel", "kernel-rt", and "kpatch" are only migrated if still in "NEW" or "ASSIGNED". If you cannot log in to RH Jira, please consult article #7032570. That failing, please send an e-mail to the RH Jira admins at rh-issues@redhat.com to troubleshoot your issue as a user management inquiry. The email creates a ServiceNow ticket with Red Hat. Individual Bugzilla bugs that are migrated will be moved to status "CLOSED", resolution "MIGRATED", and set with "MigratedToJIRA" in "Keywords". The link to the successor Jira issue will be found under "Links", have a little "two-footprint" icon next to it, and direct you to the "RHEL project" in Red Hat Jira (issue links are of type "https://issues.redhat.com/browse/RHEL-XXXX", where "X" is a digit). This same link will be available in a blue banner at the top of the page informing you that that bug has been migrated.

Bug 1347334

Summary: openscap-daemon initial usability issues
Product: Red Hat Enterprise Linux 7 Reporter: Marek Haicman <mhaicman>
Component: openscap-daemonAssignee: Martin Preisler <mpreisle>
Status: CLOSED WONTFIX QA Contact: BaseOS QE Security Team <qe-baseos-security>
Severity: medium Docs Contact:
Priority: unspecified    
Version: 7.3CC: ksrot, mpreisle
Target Milestone: rcKeywords: Extras
Target Release: 7.4   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard:
Fixed In Version: Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2018-10-31 13:45:18 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:

Description Marek Haicman 2016-06-16 14:15:50 UTC 
Description of problem:
Here are few usability issues found in the openscap-daemon component. I am placing it into one bug, as they are pretty trivial. 

Version-Release number of selected component (if applicable):
openscap-daemon-0.1.5-1.el7.noarch

Issues:


1) oscapd run as non-root results in traceback:
dbus.exceptions.DBusException: org.freedesktop.DBus.Error.AccessDenied: Connection ":1.8834" is not allowed to own the service "org.OpenSCAP.daemon" due to security policies in the configuration file

====

2) oscapd-cli run as non-root results in traceback:
dbus.exceptions.DBusException: org.freedesktop.DBus.Error.AccessDenied: Rejected send message, 2 matched rules; type="method_call", sender=":1.8853" (uid=25678 pid=32753 comm="/usr/bin/python /usr/bin/oscapd-cli status ") interface="org.OpenSCAP.daemon.Interface" member="GetVersion" error name="(unset)" requested_reply="0" destination=":1.8852" (uid=0 pid=32610 comm="/usr/bin/python /usr/bin/oscapd ")

====

3) oscapd-evaluate run as non-root results in traceback:
INFO:Creating tasks directory at '/var/lib/oscapd/tasks' because it didn't exist.
<snip>
OSError: [Errno 13] Permission denied: '/var/lib/oscapd/tasks'

====

4) oscapd-cli run when oscapd service is not results in traceback:
dbus.exceptions.DBusException: org.freedesktop.DBus.Error.ServiceUnknown: The name org.OpenSCAP.daemon was not provided by any .service files

====

5) oscapd-evaluate non-existent output directory results in traceback:
  File "/bin/oscapd-evaluate", line 94, in cli_scan
    assert(os.path.isdir(args.output))
AssertionError

====

6) oscapd-evaluate when vm is targetted and oscap-vm is not available, ugly tracebacks are printed:
ERROR:Failed to detect CPEs of target 'vm-domain://localhost'. Assuming no CPEs...
<snip>
RuntimeError: Target 'vm-domain://localhost' requires the oscap-vm tool which hasn't been found
ERROR:Failed to scan target 'vm-domain://localhost' for vulnerabilities.
<snip>
RuntimeError: Target 'vm-domain://localhost' requires the oscap-vm tool which hasn't been found
ERROR:Failed to scan target 'vm-domain://localhost' for standard profile compliance.
<snip>
RuntimeError: Target 'vm-domain://localhost' requires the oscap-vm tool which hasn't been found

====

7) stdout output is not verbose enough, these are results of two scans run in the same batch:
INFO:Evaluated EvaluationSpec, exit_code=0.
INFO:Evaluated EvaluationSpec, exit_code=0.
WARNING:Evaluated EvaluationSpec, exit_code=2.
INFO:[ 50.00%] Scanned target 'localhost'
INFO:Evaluated EvaluationSpec, exit_code=0.
INFO:Evaluated EvaluationSpec, exit_code=0.
INFO:Evaluated EvaluationSpec, exit_code=0.
INFO:[100.00%] Scanned target 'ssh://dahaic@localhost'

Maybe "EvaluationSpec" is typo, and should be replaced with some identifier? This seems to be not very usable. I would suggest to have target and type of scan written into the line.

====
I hope format is not too confusing :)
Comment 2 Karel Srot 2016-09-07 06:28:48 UTC 
Hi Martin,
are these fixes covered by the proposed rebase?
Comment 3 Martin Preisler 2016-09-07 17:31:25 UTC 
1) and 2) are

The rest are not fixed by the rebase.
Comment 4 Matus Marhefka 2018-10-31 13:45:18 UTC 
Point 1 and 2 are fixed, the rest is a very low priority as it is not used by atomic scan.