oscap crashes during audit on the system with ceph-mds package installed
| Affects | Status | Importance | Assigned to | Milestone |
|---|---|---|---|---|
| Ubuntu Security Guide | Invalid | Undecided | Unassigned | |
| openscap (Ubuntu) | In Progress | Undecided | Eduardo Barretto | |
| Focal | In Progress | Undecided | Eduardo Barretto | |
| Jammy | In Progress | Undecided | Eduardo Barretto | |
Bug Description
Ubuntu 22.04.4 LTS
usg version: 22.04.6
On a system with the ceph-mds package installed, running `usg audit ...` produces a report with several rules having an "unknown" result. Looking at the log file produced by `usg audit`, I can see that oscap fails as follows:
```
I: oscap: Evaluating systemdunitdepe
I: oscap: Querying systemdunitdepe
I: oscap: Creating new syschar for systemdunitdepe
I: oscap: Starting probe on URI 'pipe:/
I: oscap: FAIL: recv failed: dsc=0x5640da79d670, errno=4, Interrupted system call.
I: oscap: FAIL: ctx=0x5640db712780, sd=9, errno=4, Interrupted system call.
W: oscap: Can't receive message: 4, Interrupted system call.
E: oscap: Can't close sd: 10, No child processes.
E: oscap: Recv: retry limit (0) reached.
I: oscap: Test 'oval:ssg-
```
At the same time, a crash file is created in /var/crash/
Rules resulting in the "unknown" state:
- Enable systemd-journald Service (xccdf_
- Enable rsyslog Service (xccdf_
- Verify nftables Service is Enabled (xccdf_
- Enable cron Service (xccdf_
Potentially related to:
- https:/
- https:/
Steps to reproduce:
1. Bootstrap a localhost Juju controller
```
juju bootstrap localhost
```
2. Create two LXD machines for testing
```
# Create reference ubuntu LXD machine
juju deploy ubuntu --series jammy
# Create ceph-mon LXD machine
juju deploy ceph-mon --series jammy --channel quincy/stable
```
3. Push the CIS tailoring file to both the `ubuntu` and `ceph-mon` machines
```
lxc file push cis_level1_
lxc file push cis_level1_
```
4. Apply CIS hardening on both the `ubuntu` and `ceph-mon` machines.
```
# Attach UPro to a machine under test
sudo pro attach <ubuntu-pro-token>
# Enable CIS
sudo pro enable usg
# Install USG
sudo apt-get update --yes && sudo apt-get install --yes usg
# Apply CIS hardening
sudo usg fix --debug --tailoring-file cis_level1_
# Reboot machine after applying the hardening
sudo reboot
# Audit
sudo usg audit --debug --tailoring-file cis_level1_
# Review audit results, check files in /var/lib/usg:
# - remediation-
# - usg-report-
# - usg-log-<date>.log
# Finally detach Ubuntu Pro if you're not using it anymore
sudo pro detach
```
As a result of this reproducer, the audit on the `ceph-mon` machine ends up with the rules mentioned above in the "unknown" state, while for the `ubuntu` machine the audit is successful.
I have compared the packages installed on the `ubuntu` and `ceph-mon` machines and, by elimination, identified that the ceph-mds package is causing the problem.
Analysing the core dump from the .crash file shows that the problem occurs when ceph-mds.target is being analysed. See frame 14 below:
```
#0 0x00007fd7e07e31a8 in _dbus_validate_
#1 0x00007fd7e07e39bd in ?? () from /lib/x86_
#2 0x00007fd7e07e3770 in ?? () from /lib/x86_
#3 0x00007fd7e07e3a59 in ?? () from /lib/x86_
#4 0x00007fd7e07e3c30 in ?? () from /lib/x86_
#5 0x00007fd7e07e3da4 in _dbus_validate_
#6 0x00007fd7e07faf05 in ?? () from /lib/x86_
#7 0x00007fd7e07e7157 in _dbus_message_
#8 0x00007fd7e07ef820 in ?? () from /lib/x86_
#9 0x00007fd7e07ef95d in ?? () from /lib/x86_
#10 0x00007fd7e07f17b1 in ?? () from /lib/x86_
#11 0x00007fd7e07f1c9d in ?? () from /lib/x86_
#12 0x00007fd7e07d65ed in ?? () from /lib/x86_
#13 0x00007fd7e07eadcc in dbus_pending_
#14 0x00005628b3497d08 in get_property_
property=
#15 0x00005628b349823a in get_all_
include_
#16 0x00005628b34981a5 in get_all_
include_
...
```
I have attached the tailoring file (xml), audit report (html), audit log and crash file, all in a zip file.
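The failure mode described above (an oscap probe dying mid-conversation and leaving rules as "unknown") is easy to misread as a clean audit. The triage script below is an added example, not part of the bug report or of usg/openscap: it pairs "unknown" XCCDF rule results with the oscap probe-failure messages quoted in the log, so an incomplete audit is flagged rather than reported as compliant. Its log lines, XCCDF fragment and rule ids are constructed placeholders modelled on the report's output.

```python
"""Triage helper for usg/oscap audits (added example, not part of the bug report
or of usg/openscap): flag XCCDF rule results of "unknown" that coincide with an
oscap probe failure in the usg log, so an incomplete audit is not read as compliant."""
import re
import xml.etree.ElementTree as ET
XCCDF = "{http://checklists.nist.gov/xccdf/1.2}"
# Constructed log excerpt in the style of the usg-log-<date>.log quoted in the report.
SAMPLE_LOG = """\
I: oscap: Evaluating systemdunitdependency
I: oscap: FAIL: recv failed: dsc=0x5640da79d670, errno=4, Interrupted system call.
W: oscap: Can't receive message: 4, Interrupted system call.
E: oscap: Can't close sd: 10, No child processes.
E: oscap: Recv: retry limit (0) reached.
"""
# Constructed XCCDF 1.2 results fragment; the rule ids are placeholders.
SAMPLE_RESULTS = """\
<TestResult xmlns="http://checklists.nist.gov/xccdf/1.2" id="xccdf_example_result">
  <rule-result idref="xccdf_example_rule_service_rsyslog_enabled"><result>unknown</result></rule-result>
  <rule-result idref="xccdf_example_rule_service_cron_enabled"><result>unknown</result></rule-result>
  <rule-result idref="xccdf_example_rule_sshd_enabled"><result>pass</result></rule-result>
</TestResult>
"""
# The oscap messages the report shows when a probe dies mid-conversation.
PROBE_FAIL = re.compile(
    r"^[IWE]: oscap: .*(?:recv failed|Can't receive message|retry limit \(\d+\) reached).*$", re.M)

def probe_failures(log_text):
    """Return the oscap probe-failure lines found in a usg log excerpt."""
    return [m.group(0) for m in PROBE_FAIL.finditer(log_text)]

def unknown_rules(results_xml):
    """Return the idref of every rule-result whose <result> is 'unknown'."""
    root = ET.fromstring(results_xml)
    return [rr.get("idref") for rr in root.iter(XCCDF + "rule-result")
            if (rr.find(XCCDF + "result") is not None
                and rr.find(XCCDF + "result").text == "unknown")]

def audit_incomplete(log_text, results_xml):
    """True when unknown results and a probe failure occur together: the scanner
    crashed, so those rules were never evaluated and must be re-run, not ignored."""
    return bool(unknown_rules(results_xml)) and bool(probe_failures(log_text))

if __name__ == "__main__":
    for rid in unknown_rules(SAMPLE_RESULTS):
        print("unknown result:", rid)
    for line in probe_failures(SAMPLE_LOG):
        print("probe failure :", line)
    print("audit incomplete:", audit_incomplete(SAMPLE_LOG, SAMPLE_RESULTS))
```

On a real host, feed it the usg-log-<date>.log and the XCCDF results file from /var/lib/usg instead of the embedded samples.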
no longer affects: openscap
Changed in usg: status: New → Invalid
no longer affects: openscap (Ubuntu)
Changed in openscap (Ubuntu): status: New → Confirmed
Changed in openscap (Ubuntu Focal): status: New → In Progress
Changed in openscap (Ubuntu Jammy): status: New → In Progress
Changed in openscap (Ubuntu Focal): assignee: nobody → Eduardo Barretto (ebarretto)
Changed in openscap (Ubuntu Jammy): assignee: nobody → Eduardo Barretto (ebarretto)
Changed in openscap (Ubuntu): status: Confirmed → In Progress; assignee: nobody → Eduardo Barretto (ebarretto)
summary: oscap crashes during audit on the system with ceph-mds package installed → [SRU] oscap crashes during audit on the system with ceph-mds package installed
summary: [SRU] oscap crashes during audit on the system with ceph-mds package installed → oscap crashes during audit on the system with ceph-mds package installed
Hi Przemyslaw,
As you mentioned, this is not an issue on a normal Ubuntu machine. Therefore it is something about the `ceph-mon` machine. I would recommend contacting whoever produces it to understand what the difference is.
This certainly seems outside the expected target of usg/CIS, which is based on the default Server/Desktop images of Ubuntu, and we have no visibility into what that specific machine is.