Bug 1959570 - Error when scanning DISA-STIG OpenSCAP profile on RHEL 8.2, SSG 0.1.50 or 0.1.48
Summary: Error when scanning DISA-STIG OpenSCAP profile on RHEL 8.2, SSG 0.1.50 or 0.1.48
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 8
Classification: Red Hat
Component: openscap
Version: 8.2
Hardware: Unspecified
OS: Unspecified
Priority: high
Severity: high
Target Milestone: beta
Target Release: ---
Assignee: Jan Černý
QA Contact: Matus Marhefka
Docs Contact: Jan Fiala
URL:
Whiteboard:
Depends On:
Blocks: 1998045 1998046
Reported: 2021-05-11 19:32 UTC by Andrew Kofink
Modified: 2021-11-09 21:58 UTC

Fixed In Version: openscap-1.3.5-6.el8
Doc Type: Bug Fix
Doc Text:
.OpenSCAP no longer fails during evaluation of the STIG profile and other SCAP content

Previously, initialization of the cryptography library in OpenSCAP was not performed properly in OpenSCAP, specifically in the `filehash58` probe. As a consequence, a segmentation fault occurred while evaluating SCAP content containing the `filehash58_test` Open Vulnerability Assessment Language (OVAL) test. This affected in particular the evaluation of the STIG profile for Red Hat Enterprise Linux 8. The evaluation failed unexpectedly and results were not generated.

The process of initializing libraries has been fixed in the new version of the `openscap` package. As a result, OpenSCAP no longer fails during the evaluation of the STIG profile for RHEL 8 and other SCAP content that contains the `filehash58_test` OVAL test.
Clone Of:
: 1998045 1998046 2020044
Environment:
Last Closed: 2021-11-09 18:04:06 UTC
Type: Bug
Target Upstream Version:
Embargoed:
pm-rhel: mirror+


Attachments
insights-client --compliance run on RHEL 8.2 with STIG profile (172.35 KB, text/plain)
2021-05-11 19:32 UTC, Andrew Kofink


Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHEA-2021:4192 0 None None None 2021-11-09 18:04:16 UTC

Description Andrew Kofink 2021-05-11 19:32:30 UTC
Created attachment 1782130
insights-client --compliance run on RHEL 8.2 with STIG profile

Reporting on behalf of John Spinks (jspinks)

Description of problem:
Running an OpenSCAP XCCDF scan against DISA-STIG on RHEL 8.2 fails.

Version-Release number of selected component (if applicable):
RHEL 8.2
scap-security-guide-0.1.48-7.el8
scap-security-guide-0.1.50-16.el8_3 (From @rhel-8-appstream-rhui-rpms)
openscap 1.3.3-6.el8_3
openscap-scanner  1.3.3-6.el8_3

How reproducible:
oscap xccdf eval --profile xccdf_org.ssgproject.content_profile_stig --results /var/tmp/oscap_results-xccdf_org.ssgproject.content_profile_stig.xml /usr/share/xml/scap/ssg/content/ssg-rhel8-ds-1.2.xml

Steps to Reproduce:
1. RHEL 8.2 with scap-security-guide 0.1.50 or 0.1.48
2. oscap xccdf eval --profile xccdf_org.ssgproject.content_profile_stig --results /var/tmp/oscap_results-xccdf_org.ssgproject.content_profile_stig.xml /usr/share/xml/scap/ssg/content/ssg-rhel8-ds-1.2.xml

Actual results:
The scan errors while running and exits.

Expected results:
The scan exits without erroring, and the results file is populated with the scan results.

Additional info:
This was found while using Red Hat Insights Compliance to scan.

Comment 1 Andrew Kofink 2021-05-12 03:16:34 UTC
I am able to reliably reproduce this with the following:

RHEL 8.2
openscap-1.3.3-6.el8_3.x86_64
openscap-scanner-1.3.3-6.el8_3.x86_64
scap-security-guide-0.1.48-7.el8.noarch OR scap-security-guide-0.1.50-16.el8_3.noarch

Comment 2 Evgeny Kolesnikov 2021-05-12 07:37:45 UTC
Just to highlight the problem

OpenSCAP Error: Probe at sd=11 (filehash58) reported an error: Initialization failed [/builddir/build/BUILD/openscap-1.3.3/src/OVAL/oval_probe_ext.c:384]
Unable to receive a message from probe [/builddir/build/BUILD/openscap-1.3.3/src/OVAL/oval_probe_ext.c:572]
Invalid oval result type: -1. [/builddir/build/BUILD/openscap-1.3.3/src/OVAL/results/oval_resultTest.c:181]

Comment 3 Jan Černý 2021-05-12 07:58:04 UTC
I confirm I can reproduce it.

Using the debugger I have found that the segfault happens because crapi_init failed because gcry_check_version(GCRYPT_VERSION) failed.

During the investigation please check https://www.gnupg.org/documentation/manuals/gcrypt/Multi_002dThreading.html#Multi_002dThreading which says: The function gcry_check_version must be called before any other function in the library. To achieve this in multi-threaded programs, you must synchronize the memory with respect to other threads that also want to use Libgcrypt. For this, it is sufficient to call gcry_check_version before creating the other threads using Libgcrypt.

Comment 4 Jan Černý 2021-07-15 12:33:09 UTC
A pull request has been submitted to upstream https://github.com/OpenSCAP/openscap/pull/1779

Comment 5 Jan Černý 2021-07-22 07:35:21 UTC
https://github.com/OpenSCAP/openscap/pull/1779 has been merged to upstream.

Comment 6 Jan Černý 2021-07-28 11:31:40 UTC
We will have a small test in upstream: https://github.com/OpenSCAP/openscap/pull/1788

Comment 17 Jan Fiala 2021-10-01 10:04:38 UTC
Rewrote the doc text, please check if it's accurate. Thanks for the great draft!

Comment 21 errata-xmlrpc 2021-11-09 18:04:06 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (openscap bug fix and enhancement update), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHEA-2021:4192

