Project

General

Profile

Actions
Copy link

action #152059

open

[security][opensuse][leap] test fails in oscap_remediating_online

Added by mlin7442 5 months ago. Updated 5 days ago.

Status:
Feedback
Priority:
Normal
Assignee:
amanzini
Category:
Bugs in existing tests
Target version:
-
Start date:
2023-12-05
Due date:
% Done:

0%

Estimated time:
8.00 h
Difficulty:
Tags:
fail

Description

Observation

Comparing https://openqa.opensuse.org/tests/3773155 and https://openqa.opensuse.org/tests/3781148, oscap tests are enabled now, but it seem to not be verified on Leap, is there a mistake enabled the whole oscap testsuites on Leap? if it's intentional to be enabled then we need to make test worked on Leap.

What I'm aware is the older test has SECURITY_TEST:oscap sets, the newer ones doesn't.

openQA test in scenario opensuse-15.6-DVD-x86_64-openscap@64bit fails in
oscap_remediating_online

Test suite description

Maintainer: QE Security

Reproducible

Fails since (at least) Build 565.1

Expected result

Last good: 563.2 (or more recent)

Further details

Always latest result in this scenario: latest

Actions
Copy link
 #1

Updated by maritawerner 5 months ago

  • Subject changed from test fails in oscap_remediating_online to [security] test fails in oscap_remediating_online
Actions
Copy link
 #2

Updated by pstivanin 5 months ago

  • Status changed from New to In Progress
  • Assignee set to pstivanin

Hello,
actually, the openscap test not doing anything was a mistake on our side. It's now executing the right modules, but they don't seem to work on Leap. We'll look into it.

Actions
Copy link
 #3

Updated by pstivanin 5 months ago

  • Status changed from In Progress to Workable
  • Assignee deleted (pstivanin)
Actions
Copy link
 #4

Updated by pstivanin 5 months ago

  • Subject changed from [security] test fails in oscap_remediating_online to [security][opensuse][leap] test fails in oscap_remediating_online
Actions
Copy link
 #5

Updated by openqa_review 4 months ago

This is an autogenerated message for openQA integration by the openqa_review script:

This bug is still referenced in a failing openQA test: openscap
https://openqa.opensuse.org/tests/3810073#step/oscap_remediating_online/1

To prevent further reminder comments one of the following options should be followed:

  1. The test scenario is fixed by applying the bug fix to the tested product or the test is adjusted
  2. The openQA job group is moved to "Released" or "EOL" (End-of-Life)
  3. The bugref in the openQA scenario is removed or replaced, e.g. label:wontfix:boo1234

Expect the next reminder at the earliest in 28 days if nothing changes in this ticket.

Actions
Copy link
 #6

Updated by openqa_review 3 months ago

This is an autogenerated message for openQA integration by the openqa_review script:

This bug is still referenced in a failing openQA test: openscap
https://openqa.opensuse.org/tests/3883681#step/oscap_remediating_online/1

To prevent further reminder comments one of the following options should be followed:

  1. The test scenario is fixed by applying the bug fix to the tested product or the test is adjusted
  2. The openQA job group is moved to "Released" or "EOL" (End-of-Life)
  3. The bugref in the openQA scenario is removed or replaced, e.g. label:wontfix:boo1234

Expect the next reminder at the earliest in 56 days if nothing changes in this ticket.

Actions
Copy link
 #7

Updated by tjyrinki_suse about 2 months ago

  • Estimated time set to 8.00 h
Actions
Copy link
 #8

Updated by amanzini 5 days ago · Edited

  • Assignee set to amanzini

manual running remediation I get "notapplicable":

localhost:~ # oscap xccdf eval --remediate --profile standard --results scan-xccdf-remediate-results.xml xccdf.xml 
--- Starting Evaluation ---

Title   Direct root Logins Not Allowed
Rule    no_direct_root_logins
Result  notapplicable

Title   sysctl kernel.sysrq must be 0
Rule    rule_misc_sysrq
Result  notapplicable


--- Starting Remediation ---

looks like a missing CPE profile for openSUSE Leap 15.6 ?

# oscap --version
OpenSCAP command line tool (oscap) 1.3.6
Copyright 2009--2021 Red Hat Inc., Durham, North Carolina.

==== Supported specifications ====
SCAP Version: 1.3
XCCDF Version: 1.2
OVAL Version: 5.11.1
CPE Version: 2.3
CVSS Version: 2.0
CVE Version: 2.0
Asset Identification Version: 1.1
Asset Reporting Format Version: 1.1
CVRF Version: 1.1

==== Capabilities added by auto-loaded plugins ====
No plugins have been auto-loaded...

==== Paths ====
Schema files: /usr/share/openscap/schemas
Default CPE files: /usr/share/openscap/cpe

==== Inbuilt CPE names ====
Red Hat Enterprise Linux - cpe:/o:redhat:enterprise_linux:-
Red Hat Enterprise Linux 5 - cpe:/o:redhat:enterprise_linux:5
Red Hat Enterprise Linux 6 - cpe:/o:redhat:enterprise_linux:6
Red Hat Enterprise Linux 7 - cpe:/o:redhat:enterprise_linux:7
Red Hat Enterprise Linux 8 - cpe:/o:redhat:enterprise_linux:8
Community Enterprise Operating System 5 - cpe:/o:centos:centos:5
Community Enterprise Operating System 6 - cpe:/o:centos:centos:6
Community Enterprise Operating System 7 - cpe:/o:centos:centos:7
Community Enterprise Operating System 8 - cpe:/o:centos:centos:8
Fedora 32 - cpe:/o:fedoraproject:fedora:32
Fedora 33 - cpe:/o:fedoraproject:fedora:33
Fedora 34 - cpe:/o:fedoraproject:fedora:34
Fedora 35 - cpe:/o:fedoraproject:fedora:35
openSUSE Leap 15.1 - cpe:/o:opensuse:leap:15.1
openSUSE Leap 15.2 - cpe:/o:opensuse:leap:15.2
openSUSE Leap 15.3 - cpe:/o:opensuse:leap:15.3
openSUSE Leap 15.4 - cpe:/o:opensuse:leap:15.4
openSUSE Leap 15.5 - cpe:/o:opensuse:leap:15.5
openSUSE Tumbleweed - cpe:/o:opensuse:tumbleweed
SUSE Linux Enterprise Server 12 - cpe:/o:suse:sles:12
SUSE Linux Enterprise Desktop 12 - cpe:/o:suse:sled:12
SUSE Linux Enterprise Server 15 - cpe:/o:suse:sles:15
SUSE Linux Enterprise Desktop 15 - cpe:/o:suse:sled:15

==== Supported OVAL objects and associated OpenSCAP probes ====
OVAL family   OVAL object                  OpenSCAP probe              
----------    ----------                   ----------                  
independent   environmentvariable          probe_environmentvariable
independent   environmentvariable58        probe_environmentvariable58
independent   family                       probe_family
independent   filehash                     probe_filehash (MD5, SHA-1)
independent   filehash58                   probe_filehash58 (MD5, SHA-1, SHA-224, SHA-256, SHA-384, SHA-512)
independent   system_info                  probe_system_info
independent   textfilecontent              probe_textfilecontent
independent   textfilecontent54            probe_textfilecontent54
independent   variable                     probe_variable
independent   xmlfilecontent               probe_xmlfilecontent
linux         iflisteners                  probe_iflisteners
linux         inetlisteningservers         probe_inetlisteningservers
linux         partition                    probe_partition
linux         rpminfo                      probe_rpminfo
linux         rpmverify                    probe_rpmverify
linux         rpmverifyfile                probe_rpmverifyfile
linux         rpmverifypackage             probe_rpmverifypackage
linux         selinuxboolean               probe_selinuxboolean
linux         selinuxsecuritycontext       probe_selinuxsecuritycontext
linux         systemdunitdependency        probe_systemdunitdependency
linux         systemdunitproperty          probe_systemdunitproperty
unix          dnscache                     probe_dnscache
unix          file                         probe_file
unix          fileextendedattribute        probe_fileextendedattribute
unix          interface                    probe_interface
unix          password                     probe_password
unix          process                      probe_process
unix          process58                    probe_process58
unix          routingtable                 probe_routingtable
unix          runlevel                     probe_runlevel
unix          shadow                       probe_shadow
unix          symlink                      probe_symlink
unix          sysctl                       probe_sysctl
unix          uname                        probe_uname
unix          xinetd                       probe_xinetd
Actions
Copy link
 #9

Updated by amanzini 5 days ago

on a Leap 15.5 I get:

# oscap xccdf eval --remediate --profile standard --results remediate_results.xml xccdf.xml 
--- Starting Evaluation ---

Title   Direct root Logins Not Allowed
Rule    no_direct_root_logins
Result  fail

Title   sysctl kernel.sysrq must be 0
Rule    rule_misc_sysrq
Result  fail


--- Starting Remediation ---

Title   Direct root Logins Not Allowed
Rule    no_direct_root_logins
Result  fixed

Title   sysctl kernel.sysrq must be 0
Rule    rule_misc_sysrq
Result  fixed
Actions
Copy link
 #10

Updated by amanzini 5 days ago · Edited

  • Status changed from Workable to Feedback

so, most likely NIST isn't going to provide CPE for our beta products, only for released one. Options are

  • to create and maintain a custom definition file
  • to unschedule openscap from opensuse development
  • to tweak the test adding "beta" detection
Actions
Copy link

Also available in: Atom PDF