1686370 – The oscap security scanner loops with version V2R2 of the DISA RHEL7 STIG benchmark if a homedir is //

RHEL Engineering is moving the tracking of its product development work on RHEL 6 through RHEL 9 to Red Hat Jira (issues.redhat.com). If you're a Red Hat customer, please continue to file support cases via the Red Hat customer portal. If you're not, please head to the "RHEL project" in Red Hat Jira and file new tickets here. Individual Bugzilla bugs in the statuses "NEW", "ASSIGNED", and "POST" are being migrated throughout September 2023. Bugs of Red Hat partners with an assigned Engineering Partner Manager (EPM) are migrated in late September as per pre-agreed dates. Bugs against components "kernel", "kernel-rt", and "kpatch" are only migrated if still in "NEW" or "ASSIGNED". If you cannot log in to RH Jira, please consult article #7032570. That failing, please send an e-mail to the RH Jira admins at rh-issues@redhat.com to troubleshoot your issue as a user management inquiry. The email creates a ServiceNow ticket with Red Hat. Individual Bugzilla bugs that are migrated will be moved to status "CLOSED", resolution "MIGRATED", and set with "MigratedToJIRA" in "Keywords". The link to the successor Jira issue will be found under "Links", have a little "two-footprint" icon next to it, and direct you to the "RHEL project" in Red Hat Jira (issue links are of type "https://issues.redhat.com/browse/RHEL-XXXX", where "X" is a digit). This same link will be available in a blue banner at the top of the page informing you that that bug has been migrated.

Bug 1686370 - The oscap security scanner loops with version V2R2 of the DISA RHEL7 STIG benchmark if a homedir is //

Summary: The oscap security scanner loops with version V2R2 of the DISA RHEL7 STIG ben...

Keywords:
Status:	CLOSED ERRATA
Alias:	None
Product:	Red Hat Enterprise Linux 8
Classification:	Red Hat
Component:	openscap
Sub Component:
Version:	---
Hardware:	All
OS:	Linux
Priority:	medium
Severity:	medium
Target Milestone:	rc
Target Release:	8.0
Assignee:	Jan Černý
QA Contact:	Matus Marhefka
Docs Contact:
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+	depends on / blocked

Reported:	2019-03-07 11:02 UTC by Welterlen Benoit
Modified:	2023-10-06 18:10 UTC (History)
CC List:	9 users (show)
Fixed In Version:
Doc Type:	No Doc Update
Doc Text:
Clone Of:
Environment:
Last Closed:	2020-11-04 02:29:43 UTC
Type:	Bug
Target Upstream Version:
Embargoed:
Dependent Products:

Attachments	(Terms of Use)
minimalized reproducer oval (6.92 KB, application/xml) 2019-04-05 10:44 UTC, Marek Haicman	no flags	Details
minimalized reproducer oval (4.50 KB, application/xml) 2019-04-05 11:05 UTC, Marek Haicman	no flags	Details
minimalized reproducer oval (4.60 KB, application/xml) 2019-04-05 11:06 UTC, Marek Haicman	no flags	Details
demo OVAL (1.19 KB, application/zip) 2019-04-05 13:35 UTC, Jan Černý	no flags	Details
Show Obsolete (2) View All

Links
System	ID	Private	Priority	Status	Summary	Last Updated
Red Hat Product Errata	RHBA-2020:4623	0	None	None	None	2020-11-04 02:29:57 UTC

Description Welterlen Benoit 2019-03-07 11:02:06 UTC

Description of problem:

The oscap scanner gets into an infinite loop if there are home directories in /etc/passwd that are simply "/". 
The oscap scanner can go into an infinite loop when the scan looks for a “//” directory.  

Version-Release number of selected component (if applicable):
- RHEL 7.6
- openscap-scanner-1.2.17-2.el7.x86_64
- U_Red_Hat_Enterprise_Linux_7_V2R2_STIG_SCAP_1-2_Benchmark.xml

How reproducible:
Easy

Steps to Reproduce:
1. Download U_Red_Hat_Enterprise_Linux_7_V2R2_STIG_SCAP_1-2_Benchmark.xml from https://cyber.trackr.live/scap/xccdf_mil.disa.stig_benchmark_RHEL_7_STIG/002.002/2/
2. Set home directory as / in /etc/password for a user (to avoid the issue when there is nothing)
3. run 
oscap oval eval --id "oval:mil.disa.stig.rhel7:def:86639" --results scan-oval-results.xml U_Red_Hat_Enterprise_Linux_7_V2R2_STIG_SCAP_1-2_Benchmark.xml


Actual results:
Loop on all files:
# grep user6  /etc/passwd
user6:x:1006:1006:://:/bin/bash
[root@rhel76 ~]#  oscap oval eval --id "oval:mil.disa.stig.rhel7:def:86639" --results scan-oval-results.xml U_Red_Hat_Enterprise_Linux_7_V2R2_STIG_SCAP_1-2_Benchmark.xml
W: oscap:       Obtrusive data from probe!
W: oscap:       Obtrusive data from probe!
W: probe_file: Filesystem tree cycle detected at '///proc/self/task/5366/root'.
W: probe_file: Filesystem tree cycle detected at '///proc/self/task/5367/root'.
W: probe_file: Filesystem tree cycle detected at '///proc/self/task/5368/root'.
W: probe_file: Filesystem tree cycle detected at '///proc/self/task/5369/root'.
W: probe_file: Filesystem tree cycle detected at '///proc/self/task/5370/root'.
W: probe_file: Filesystem tree cycle detected at '///proc/self/root'.
W: probe_file: Filesystem tree cycle detected at '///proc/1/task/1/cwd'.
W: probe_file: Filesystem tree cycle detected at '///proc/1/task/1/root'.
W: probe_file: Filesystem tree cycle detected at '///proc/1/cwd'.
W: probe_file: Filesystem tree cycle detected at '///proc/1/root'.
W: probe_file: Filesystem tree cycle detected at '///proc/2/task/2/cwd'.
W: probe_file: Filesystem tree cycle detected at '///proc/2/task/2/root'.
...

Expected results:
# grep user6  /etc/passwd
user6:x:1006:1006::/home/user6:/bin/bash
[root@rhel76 ~]#  oscap oval eval --id "oval:mil.disa.stig.rhel7:def:86639" --results scan-oval-results.xml U_Red_Hat_Enterprise_Linux_7_V2R2_STIG_SCAP_1-2_Benchmark.xml
W: oscap:       Obtrusive data from probe!
W: oscap:       Obtrusive data from probe!
Definition oval:mil.disa.stig.rhel7:def:86639: false
Evaluation done.

Additional info:

Comment 2 Marek Haicman 2019-04-05 10:43:31 UTC

I have tried to narrow the problem and I believe I have reproduced it on limited set. What troublesome OVAL is doing is to check existence of directories provided by variable. When variable contains only one entry, it works correctly. If it contains more than one value, it starts traversing whole subdirectory tree, instead of acknowledging just the existence. I am going to upload reduced OVAL which reproduces this situation, when two users are available on the system:

useradd -M -u 1234 -d /root/ test1                                              
useradd -M -u 1235 -d / test2

See comment on line 50 of the fail_oval.xml

Comment 3 Marek Haicman 2019-04-05 10:44:28 UTC

Created attachment 1552369 [details]
minimalized reproducer oval

Comment 4 Marek Haicman 2019-04-05 11:05:03 UTC

Created attachment 1552405 [details]
minimalized reproducer oval

Comment 5 Marek Haicman 2019-04-05 11:06:49 UTC

Created attachment 1552406 [details]
minimalized reproducer oval

Comment 6 Jan Černý 2019-04-05 13:34:41 UTC

I have investigated this bug more and I have found multiple problems.

I think the OVAL definition oval:mil.disa.stig.rhel7:def:86639 is logically incorrect. One of the tests in this definition, the OVAL test oval:mil.disa.stig.rhel7:tst:8663900 check existence of items described by OVAL object oval:mil.disa.stig.rhel7:obj:8663900. This OVAL object checks the file path specified in variable oval:mil.disa.stig.rhel7:var:8663901. The variable can contain multiple different values, specifying directory paths. The OVAL object sets attributes var_check="all" and operation="equals". Their meaning is that to match the object definition every examined item needs to be equal to all values of the referenced variable at the same time. In this case it isn't possible to satisfy this condition because the referenced variable contains multiple different directory paths - the home directories of users. The check means that there should exist a single directory that has the same path as all the home directories of all the users. That's obviously wrong check. See definition of var_check attribute in https://oval.mitre.org/language/version5.11/ovaldefinition/documentation/oval-definitions-schema.html that contains a nice explanation of this behavior. We need to write a different check that would be logically correct.

I have created a simple demonstration OVAL that demonstrates the behavior of OpenSCAP in this situation. See the attachment demo.zip. In the OVAL definition there is only a single file_object that references a constant_variable using var_check="all" and operation="equals" as in this bugzilla. The constant variable contains 2 different directory paths. When OpenSCAP evaluates the test it first takes the first directory path from the constant_variable values and recursively browses all its subdirectories. Then it takes the scond directory path from the constant_variable values and recursively browses all its subdirectories. That behavior is wrong, because there is no need for recursive descend because as soon as you verify the directory exists you don't care about its subdirectories. Notice that this happens only if there are 2 or more values in the constant_variable. If one of the values is a big directory tree it causes problems. If one of the values "/" then the whole filesystem is browsed and all the subdirectories at all the levels are collected. This takes very long and the amount of all the data is big and at some point it exceeds the limits and cause the probe to crash.

In my opinion, OpenSCAP doesn't have any special problem with double slash "//" as a file path on inside a file path. It can understand it as a single slash "/" and correctly use it as "/". However, in this case, due to bug described in the previous paragraph, it leads to scanning the whole filesystem and to crash.

Comment 7 Jan Černý 2019-04-05 13:35:33 UTC

Created attachment 1552518 [details]
demo OVAL

Comment 11 Marek Haicman 2019-09-05 19:11:52 UTC

This issue was not selected to be included in Red Hat Enterprise Linux 7.8 because it is manifesting in scenario using broken content (see Comment 6 for details). Internal analysis identified fix as moderately risky. The next release will be in Maintenance Support 1 Phase, which means that qualified Critical and Important Security errata advisories (RHSAs) and Urgent Priority Bug Fix errata advisories (RHBAs) may be released as they become available. We are deferring this issue to Red Hat Enterprise Linux 8, but if you believe that it qualifies for the Maintenance Support 1 Phase, please re-open.

Comment 20 Jan Černý 2020-05-27 14:24:37 UTC

Upstream test case: https://github.com/OpenSCAP/openscap/pull/1534

Comment 23 Matěj Týč 2020-06-25 14:08:46 UTC

https://github.com/OpenSCAP/openscap/pull/1534

Comment 45 errata-xmlrpc 2020-11-04 02:29:43 UTC

Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (openscap bug fix and enhancement update), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2020:4623

Note You need to log in before you can comment on or make changes to this bug.