1598166 – RFC: OpenSCAP scanning network filesystems

RHEL Engineering is moving the tracking of its product development work on RHEL 6 through RHEL 9 to Red Hat Jira (issues.redhat.com). If you're a Red Hat customer, please continue to file support cases via the Red Hat customer portal. If you're not, please head to the "RHEL project" in Red Hat Jira and file new tickets here. Individual Bugzilla bugs in the statuses "NEW", "ASSIGNED", and "POST" are being migrated throughout September 2023. Bugs of Red Hat partners with an assigned Engineering Partner Manager (EPM) are migrated in late September as per pre-agreed dates. Bugs against components "kernel", "kernel-rt", and "kpatch" are only migrated if still in "NEW" or "ASSIGNED". If you cannot log in to RH Jira, please consult article #7032570. That failing, please send an e-mail to the RH Jira admins at rh-issues@redhat.com to troubleshoot your issue as a user management inquiry. The email creates a ServiceNow ticket with Red Hat. Individual Bugzilla bugs that are migrated will be moved to status "CLOSED", resolution "MIGRATED", and set with "MigratedToJIRA" in "Keywords". The link to the successor Jira issue will be found under "Links", have a little "two-footprint" icon next to it, and direct you to the "RHEL project" in Red Hat Jira (issue links are of type "https://issues.redhat.com/browse/RHEL-XXXX", where "X" is a digit). This same link will be available in a blue banner at the top of the page informing you that that bug has been migrated.

Bug 1598166 - RFC: OpenSCAP scanning network filesystems

Summary: RFC: OpenSCAP scanning network filesystems

Keywords:
Status:	CLOSED WONTFIX
Alias:	None
Product:	Red Hat Enterprise Linux 7
Classification:	Red Hat
Component:	openscap
Sub Component:
Version:	7.4
Hardware:	All
OS:	Linux
Priority:	medium
Severity:	medium
Target Milestone:	rc
Target Release:	---
Assignee:	Jan Černý
QA Contact:	BaseOS QE Security Team
Docs Contact:
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+	depends on / blocked

Reported:	2018-07-04 13:58 UTC by Paulo Andrade
Modified:	2019-08-23 06:59 UTC (History)
CC List:	6 users (show)
Fixed In Version:
Doc Type:	If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed:	2019-08-23 06:35:57 UTC
Target Upstream Version:
Embargoed:

Attachments	(Terms of Use)

Links
System	ID	Private	Priority	Status	Summary	Last Updated
Red Hat Knowledge Base (Solution)	4193501	0	None	None	None	2019-08-23 06:59:11 UTC

Description Paulo Andrade 2018-07-04 13:58:19 UTC

Uncertain what to tell the customer. So asking for help.
Bug report private due to risk of customer identification.
Quoting customer:

"""
What problem/issue/behavior are you having trouble with?  What do you expect to see?

We are running OpenSCAP on GPFS clients and have noticed that the probe_file process is scanning GPFS filesystems.  I performed an strace on the long running probe_file and saw /fs/scratch, a GPFS filesystem, being scanned.

[pid 72852] lstat("/fs/scratch/an0081/ts_app_0018_an0081_s1101/RUN001/processor47/4/includeFiles/pInternal", {st_mode=S_IFREG|0666, st_size=25, ...}) = 0
[pid 72852] getxattr("/fs/scratch/an0081/ts_app_0018_an0081_s1101/RUN001/processor47/4/includeFiles/pInternal", "system.posix_acl_access", NULL, 0) = -1 ENODATA (No data available)
[pid 72852] getxattr("/fs/scratch/an0081/ts_app_0018_an0081_s1101/RUN001/processor47/4/includeFiles/pInternal", "system.posix_acl_default", NULL, 0) = -1 ENODATA (No data available)

Where are you experiencing the behavior?  What environment?

I am experiencing this behavior on all GPFS clients that use OpenSCAP.  We run OpenSCAP which sends reports to Foreman but the OpenSCAP we run and policies we run come from RedHat packages.

When does the behavior occur? Frequently?  Repeatedly?   At certain times?

Every time.

What information can you provide around timeframes and the business impact?

There is no customer facing issues but we'd like to scan some of our public facing systems that have GPFS mounted.
"""

Customer has installed openscap-1.2.14-3.el7_4.x86_64, and while this bug was
opened, customer was asked for the possibility of testing the lastest
rhel7 packages.

Comment 2 Paulo Andrade 2018-07-06 12:14:51 UTC

  Customer tested with latest openscap packages for RHEL 7 and got the same behaviour.

  Is there some way to prevent openscap from scanning GPFS filesystems?

Comment 4 Jan Černý 2018-07-09 06:41:58 UTC

I'm afraid OpenSCAP has no command-line option that turns off scanning remote filesystems.

OpenSCAP only interprets the content in SCAP files that are given as input.
These files contain rules that OpenSCAP evaluates. Some of these rules define operations on the root ('/') filesystem. Therefore, to prevent OpenSCAP from scanning GPFS filesystem, we would need to edit all the rules that would possibly scan the problematic path.

First option is to add <behaviors recurse_file_system="local"> child element to related <file_object> elements.
As of OVAL specification, the value of 'local' limits the search scope to local file systems.
See https://oval.mitre.org/language/version5.11/ovaldefinition/documentation/unix-definitions-schema.html#FileBehaviors
From a quick look to the source code, I think this solution might not work with the GPFS filesystem. That needs to be verified.

Second option is to add a <filter> element to related <file_object> elements.
This filter would exclude certain file paths that will have to be explicitly specified in the SCAP content.

Third option is to implement a command-line option to exclude remote filesystems in future versions of OpenSCAP. However, this solution can be seen as a violation of OVAL specification, since all the behavior must be specified in only SCAP content.


Which SCAP content do you use? Do you use scap-security-guide (located in /usr/share/xml/scap/ssg/content) ?

Comment 6 Paulo Andrade 2018-07-09 17:21:23 UTC

User reply:

"""
That first option sounds like the best option.  I'd prefer not to have to deal with new command line arguments.

The file we use is /usr/share/xml/scap/ssg/content/ssg-rhel7-ds.xml and /usr/share/xml/scap/ssg/content/ssg-rhel6-ds.xml.  We use a tailoring file to disable some checks from those 2 files.
"""

  What can be done to test and/or verify the 'First option' would work?

Comment 7 Jan Černý 2018-08-14 12:07:15 UTC

From a detailed inspection of the OpenSCAP probe source code the first option will not work, because the filesystem you mentioned is not included in filesystems that are affected by this option. Changing this would break behavior in other cases.

I think the best option is to add a <filter> element to related <file_object> elements. This filter would exclude certain file paths that will have to be explicitly specified in the SCAP content. The filter element provides a reference to an existing OVAL State and includes an optional action attribute. The action attribute is used to specify whether items that match the referenced OVAL State will be included in the resulting set or excluded from the resulting set. 

Using filter in this rule probably won't be accepted into the upstream repository of SCAP Security Guide or RPM package because it is too specific for one use-case. That means it will be needed to patch your datastream files by a local patch.

Comment 9 Jan Černý 2018-09-20 08:09:47 UTC

Hi,

This modification cannot be made in a tailoring file. Tailoring file customizes XCCDF files, but the type of change you request has to be done on the level of OVAL checks.

I think you have to find all file_object elements that contain path or filepath element that contain a regular expression which could possibly match the path to your external filesystems. Those elements could be possibly identified by an XPath Query.

Once you will know affected file_object elements, you will need to add a “filter” child element to them. For example:
<ns4:filter action="exclude">oval:ssg-state_external_filesystems:ste:1</ns4:filter>
This element is a reference to OVAL state.

An OVAL state should be created as a child element of ‘states’ element, probably something like

<ns4:file_state id="oval:ssg-state_external_filesystems:ste:1" version="1">
   <ns4:path operation="pattern match">^/fs/scratch/.*</ns4:path>
</ns4:file_state>

This state will be there only once.

Comment 11 Marek Haicman 2019-08-23 06:35:57 UTC

I'm closing this BZ as WONTFIX, based on Comment 7 and Comment 9

If you have any more questions, don't hesitate to reach out to us!

Comment 12 Marek Haicman 2019-08-23 06:59:12 UTC

Adding article providing workaround about this issue.

Note You need to log in before you can comment on or make changes to this bug.