action #152059
open[security][opensuse][leap] test fails in oscap_remediating_online
Added by mlin7442 about 1 year ago. Updated 6 months ago.
0%
Description
Observation¶
Comparing https://openqa.opensuse.org/tests/3773155 and https://openqa.opensuse.org/tests/3781148, oscap tests are enabled now, but it seem to not be verified on Leap, is there a mistake enabled the whole oscap testsuites on Leap? if it's intentional to be enabled then we need to make test worked on Leap.
What I'm aware is the older test has SECURITY_TEST:oscap sets, the newer ones doesn't.
openQA test in scenario opensuse-15.6-DVD-x86_64-openscap@64bit fails in
oscap_remediating_online
Test suite description¶
Maintainer: QE Security
Reproducible¶
Fails since (at least) Build 565.1
Expected result¶
Last good: 563.2 (or more recent)
Further details¶
Always latest result in this scenario: latest
Updated by maritawerner about 1 year ago
- Subject changed from test fails in oscap_remediating_online to [security] test fails in oscap_remediating_online
Updated by pstivanin about 1 year ago
- Status changed from New to In Progress
- Assignee set to pstivanin
Hello,
actually, the openscap test not doing anything was a mistake on our side. It's now executing the right modules, but they don't seem to work on Leap. We'll look into it.
Updated by pstivanin about 1 year ago
- Status changed from In Progress to Workable
- Assignee deleted (
pstivanin)
Updated by pstivanin about 1 year ago
- Subject changed from [security] test fails in oscap_remediating_online to [security][opensuse][leap] test fails in oscap_remediating_online
Updated by openqa_review about 1 year ago
This is an autogenerated message for openQA integration by the openqa_review script:
This bug is still referenced in a failing openQA test: openscap
https://openqa.opensuse.org/tests/3810073#step/oscap_remediating_online/1
To prevent further reminder comments one of the following options should be followed:
- The test scenario is fixed by applying the bug fix to the tested product or the test is adjusted
- The openQA job group is moved to "Released" or "EOL" (End-of-Life)
- The bugref in the openQA scenario is removed or replaced, e.g.
label:wontfix:boo1234
Expect the next reminder at the earliest in 28 days if nothing changes in this ticket.
Updated by openqa_review 11 months ago
This is an autogenerated message for openQA integration by the openqa_review script:
This bug is still referenced in a failing openQA test: openscap
https://openqa.opensuse.org/tests/3883681#step/oscap_remediating_online/1
To prevent further reminder comments one of the following options should be followed:
- The test scenario is fixed by applying the bug fix to the tested product or the test is adjusted
- The openQA job group is moved to "Released" or "EOL" (End-of-Life)
- The bugref in the openQA scenario is removed or replaced, e.g.
label:wontfix:boo1234
Expect the next reminder at the earliest in 56 days if nothing changes in this ticket.
Updated by amanzini 8 months ago · Edited
- Assignee set to amanzini
manual running remediation I get "notapplicable":
localhost:~ # oscap xccdf eval --remediate --profile standard --results scan-xccdf-remediate-results.xml xccdf.xml
--- Starting Evaluation ---
Title Direct root Logins Not Allowed
Rule no_direct_root_logins
Result notapplicable
Title sysctl kernel.sysrq must be 0
Rule rule_misc_sysrq
Result notapplicable
--- Starting Remediation ---
looks like a missing CPE profile for openSUSE Leap 15.6 ?
# oscap --version
OpenSCAP command line tool (oscap) 1.3.6
Copyright 2009--2021 Red Hat Inc., Durham, North Carolina.
==== Supported specifications ====
SCAP Version: 1.3
XCCDF Version: 1.2
OVAL Version: 5.11.1
CPE Version: 2.3
CVSS Version: 2.0
CVE Version: 2.0
Asset Identification Version: 1.1
Asset Reporting Format Version: 1.1
CVRF Version: 1.1
==== Capabilities added by auto-loaded plugins ====
No plugins have been auto-loaded...
==== Paths ====
Schema files: /usr/share/openscap/schemas
Default CPE files: /usr/share/openscap/cpe
==== Inbuilt CPE names ====
Red Hat Enterprise Linux - cpe:/o:redhat:enterprise_linux:-
Red Hat Enterprise Linux 5 - cpe:/o:redhat:enterprise_linux:5
Red Hat Enterprise Linux 6 - cpe:/o:redhat:enterprise_linux:6
Red Hat Enterprise Linux 7 - cpe:/o:redhat:enterprise_linux:7
Red Hat Enterprise Linux 8 - cpe:/o:redhat:enterprise_linux:8
Community Enterprise Operating System 5 - cpe:/o:centos:centos:5
Community Enterprise Operating System 6 - cpe:/o:centos:centos:6
Community Enterprise Operating System 7 - cpe:/o:centos:centos:7
Community Enterprise Operating System 8 - cpe:/o:centos:centos:8
Fedora 32 - cpe:/o:fedoraproject:fedora:32
Fedora 33 - cpe:/o:fedoraproject:fedora:33
Fedora 34 - cpe:/o:fedoraproject:fedora:34
Fedora 35 - cpe:/o:fedoraproject:fedora:35
openSUSE Leap 15.1 - cpe:/o:opensuse:leap:15.1
openSUSE Leap 15.2 - cpe:/o:opensuse:leap:15.2
openSUSE Leap 15.3 - cpe:/o:opensuse:leap:15.3
openSUSE Leap 15.4 - cpe:/o:opensuse:leap:15.4
openSUSE Leap 15.5 - cpe:/o:opensuse:leap:15.5
openSUSE Tumbleweed - cpe:/o:opensuse:tumbleweed
SUSE Linux Enterprise Server 12 - cpe:/o:suse:sles:12
SUSE Linux Enterprise Desktop 12 - cpe:/o:suse:sled:12
SUSE Linux Enterprise Server 15 - cpe:/o:suse:sles:15
SUSE Linux Enterprise Desktop 15 - cpe:/o:suse:sled:15
==== Supported OVAL objects and associated OpenSCAP probes ====
OVAL family OVAL object OpenSCAP probe
---------- ---------- ----------
independent environmentvariable probe_environmentvariable
independent environmentvariable58 probe_environmentvariable58
independent family probe_family
independent filehash probe_filehash (MD5, SHA-1)
independent filehash58 probe_filehash58 (MD5, SHA-1, SHA-224, SHA-256, SHA-384, SHA-512)
independent system_info probe_system_info
independent textfilecontent probe_textfilecontent
independent textfilecontent54 probe_textfilecontent54
independent variable probe_variable
independent xmlfilecontent probe_xmlfilecontent
linux iflisteners probe_iflisteners
linux inetlisteningservers probe_inetlisteningservers
linux partition probe_partition
linux rpminfo probe_rpminfo
linux rpmverify probe_rpmverify
linux rpmverifyfile probe_rpmverifyfile
linux rpmverifypackage probe_rpmverifypackage
linux selinuxboolean probe_selinuxboolean
linux selinuxsecuritycontext probe_selinuxsecuritycontext
linux systemdunitdependency probe_systemdunitdependency
linux systemdunitproperty probe_systemdunitproperty
unix dnscache probe_dnscache
unix file probe_file
unix fileextendedattribute probe_fileextendedattribute
unix interface probe_interface
unix password probe_password
unix process probe_process
unix process58 probe_process58
unix routingtable probe_routingtable
unix runlevel probe_runlevel
unix shadow probe_shadow
unix symlink probe_symlink
unix sysctl probe_sysctl
unix uname probe_uname
unix xinetd probe_xinetd
Updated by amanzini 8 months ago
on a Leap 15.5 I get:
# oscap xccdf eval --remediate --profile standard --results remediate_results.xml xccdf.xml
--- Starting Evaluation ---
Title Direct root Logins Not Allowed
Rule no_direct_root_logins
Result fail
Title sysctl kernel.sysrq must be 0
Rule rule_misc_sysrq
Result fail
--- Starting Remediation ---
Title Direct root Logins Not Allowed
Rule no_direct_root_logins
Result fixed
Title sysctl kernel.sysrq must be 0
Rule rule_misc_sysrq
Result fixed
Updated by amanzini 8 months ago · Edited
- Status changed from Workable to Feedback
so, most likely NIST isn't going to provide CPE for our beta/RC products, only for released one. Options are
- to create and maintain a custom definition file
- to unschedule openscap from opensuse development
- to tweak the test adding "beta" or RC detection
Updated by openqa_review 7 months ago
This is an autogenerated message for openQA integration by the openqa_review script:
This bug is still referenced in a failing openQA test: openscap
https://openqa.opensuse.org/tests/4208296#step/oscap_remediating_online/1
To prevent further reminder comments one of the following options should be followed:
- The test scenario is fixed by applying the bug fix to the tested product or the test is adjusted
- The openQA job group is moved to "Released" or "EOL" (End-of-Life)
- The bugref in the openQA scenario is removed or replaced, e.g.
label:wontfix:boo1234
Expect the next reminder at the earliest in 40 days if nothing changes in this ticket.
Updated by openqa_review 6 months ago
This is an autogenerated message for openQA integration by the openqa_review script:
This bug is still referenced in a failing openQA test: openscap
https://openqa.opensuse.org/tests/4286696#step/oscap_remediating_online/1
To prevent further reminder comments one of the following options should be followed:
- The test scenario is fixed by applying the bug fix to the tested product or the test is adjusted
- The openQA job group is moved to "Released" or "EOL" (End-of-Life)
- The bugref in the openQA scenario is removed or replaced, e.g.
label:wontfix:boo1234
Expect the next reminder at the earliest in 80 days if nothing changes in this ticket.