1382289 – atomic scan should raise an error when it is provided invalid paths to content in /etc/oscapd/config.ini

Bug 1382289 - atomic scan should raise an error when it is provided invalid paths to content in /etc/oscapd/config.ini

Summary: atomic scan should raise an error when it is provided invalid paths to conten...

Keywords:
Status:	CLOSED ERRATA
Alias:	None
Product:	Red Hat Enterprise Linux 7
Classification:	Red Hat
Component:	openscap-daemon
Sub Component:
Version:	7.3
Hardware:	Unspecified
OS:	Linux
Priority:	medium
Severity:	medium
Target Milestone:	rc
Target Release:	7.5
Assignee:	Martin Preisler
QA Contact:	Matus Marhefka
Docs Contact:
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+	depends on / blocked

Reported:	2016-10-06 09:23 UTC by Matus Marhefka
Modified:	2018-04-11 00:07 UTC (History)
CC List:	7 users (show)
Fixed In Version:	openscap-daemon-0.1.7-1
Doc Type:	If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed:	2018-04-11 00:06:49 UTC
Target Upstream Version:

Attachments	(Terms of Use)
Add an attachment (proposed patch, testcase, etc.)

Links
System	ID	Private	Priority	Status	Summary	Last Updated
Red Hat Product Errata	RHBA-2018:1093	0	None	None	None	2018-04-11 00:07:14 UTC

Description Matus Marhefka 2016-10-06 09:23:27 UTC

Description of problem:
Set invalid paths to content in /etc/oscapd/config.ini (you can
generate it using `atomic install rhel7/openscap') and then run:
$ atomic scan IMAGE
IMAGE (7f8dedcd5a95758)

     IMAGE is not supported for this scan.
...
$ echo $?
0

Errors about content are even printed by the scanner container,
atomic just does not propagate them to stderr:
$ atomic --debug scan IMAGE
...
stderr:
OpenSCAP Error: Unable to open file: '/usr/share/openscap/cpe/bad-cpe.xml' [oscap_source.c:264]
...
stderr:
OpenSCAP Error: Unable to open file: '/usr/share/openscap/cpe/bad-cpe.xml' [oscap_source.c:264]
...


Version-Release number of selected component (if applicable):
atomic-1.12.5-2.el7


How reproducible:
Always


Steps to Reproduce:
1. Set invalid paths to content in /etc/oscapd/config.ini
2. run atomic scan

Actual results:
atomic scan exits with 0 exit code and prints:
"...IMAGE is not supported for this scan..."


Expected results:
atomic scan exits with error code and prints the errors.


Additional info:

Comment 1 Martin Preisler 2016-10-11 17:39:02 UTC

Since https://github.com/OpenSCAP/openscap-daemon/commit/69a8935a6896b5fc9f7272588f681316e19fdd59 openscap-daemon will refuse to start (both oscapd and oscapd-evaluate) if paths provided in config.ini are invalid.

Comment 2 Daniel Walsh 2016-10-18 17:06:59 UTC

Ok, I am reassigning to openscap package, please close when the container running this daemon is available.

Comment 3 Matus Marhefka 2017-09-22 15:59:46 UTC

I tested again on openscap-daemon-0.1.7-1 with invalid paths in /etc/oscapd/config.ini:

# atomic scan --scan_type standards_compliance test/pass
docker run -t --rm -v /etc/localtime:/etc/localtime -v /run/atomic/2017-09-22-11-15-28-248500:/scanin -v /var/lib/atomic/openscap/2017-09-22-11-15-28-248500:/scanout:rw,Z -v /etc/oscapd:/etc/oscapd:ro test/openscap oscapd-evaluate scan --targets chroots-in-dir:///scanin --output /scanout --no-cve-scan -j1

# echo $?
1
# atomic scan --scan_type standards_compliance test/pass --verbose
docker run -t --rm -v /etc/localtime:/etc/localtime -v /run/atomic/2017-09-22-11-15-59-891055:/scanin -v /var/lib/atomic/openscap/2017-09-22-11-15-59-891055:/scanout:rw,Z -v /etc/oscapd:/etc/oscapd:ro test/openscap oscapd-evaluate scan --targets chroots-in-dir:///scanin --output /scanout --no-cve-scan -j1
INFO:OpenSCAP Daemon one-off evaluator 0.1.7
INFO:Autodetected "oscap" in path "/usr/bin/oscap".
INFO:Autodetected "oscap-ssh" in path "/usr/bin/oscap-ssh".
INFO:Autodetected "oscap-vm" in path "/usr/bin/oscap-vm".
INFO:Failed to autodetect tool with name oscap-docker in prefixes /usr/bin, /usr/local/bin, /opt/openscap/bin.
INFO:Autodetected "oscap-chroot" in path "/usr/bin/oscap-chroot".
WARNING:Can't import the 'docker' package. Container scanning functionality will be disabled.
INFO:Creating tasks directory at '/var/lib/oscapd/tasks' because it didn't exist.
INFO:Creating results directory at '/var/lib/oscapd/results' because it didn't exist.
INFO:Creating results work in progress directory at '/var/lib/oscapd/work_in_progress' because it didn't exist.
ERROR:Configuration file failed sanity checking!
Traceback (most recent call last):
  File "/usr/bin/oscapd-evaluate", line 547, in main
    config.sanity_check()
  File "/usr/lib/python3.6/site-packages/openscap_daemon/config.py", line 440, in sanity_check
    sanity_check_file(self.cpe_oval_path, "CPE OVAL", "cpe-oval")
  File "/usr/lib/python3.6/site-packages/openscap_daemon/config.py", line 413, in sanity_check_file
    "doesn't exist." % (path, desc, config_file_entry)
RuntimeError: Path '/usr/share/openscap/cpe/bad-cpe-oval.xml' given for the cpe-oval file (config file entry: CPE OVAL) doesn't exist.

No error is printed without --verbose option. The error should be printed also without the --verbose option.

Comment 4 Matěj Týč 2018-01-17 12:22:00 UTC

The bug is not fixed, so I am changing the status to ASSIGNED in order to make it easier to track.

Comment 5 Matěj Týč 2018-02-01 15:05:32 UTC

The first point of not having any error message if the scanning fails can't be fixed, because Atomic hides stdout and stderr of the container, unless the --verbose option is given.

Comment 6 Matěj Týč 2018-02-05 10:12:59 UTC

https://github.com/OpenSCAP/openscap-daemon/pull/126

Comment 11 errata-xmlrpc 2018-04-11 00:06:49 UTC

Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2018:1093

Note You need to log in before you can comment on or make changes to this bug.