2024-04-18 15:59:11 |
Eduardo Barretto |
bug |
|
|
added bug |
2024-04-18 15:59:27 |
Eduardo Barretto |
nominated for series |
|
Ubuntu Focal |
|
2024-04-18 15:59:27 |
Eduardo Barretto |
bug task added |
|
openscap (Ubuntu Focal) |
|
2024-04-18 15:59:27 |
Eduardo Barretto |
nominated for series |
|
Ubuntu Jammy |
|
2024-04-18 15:59:27 |
Eduardo Barretto |
bug task added |
|
openscap (Ubuntu Jammy) |
|
2024-04-18 16:05:03 |
Eduardo Barretto |
attachment added |
|
oval file for ubuntu 20.04 https://bugs.launchpad.net/ubuntu/+source/openscap/+bug/2062389/+attachment/5767555/+files/ssg-ubuntu2004-oval.xml |
|
2024-04-18 16:05:31 |
Eduardo Barretto |
attachment added |
|
oval file for ubuntu 22.04 https://bugs.launchpad.net/ubuntu/+source/openscap/+bug/2062389/+attachment/5767556/+files/ssg-ubuntu2204-oval.xml |
|
2024-04-18 16:05:50 |
Eduardo Barretto |
attachment added |
|
openscap_1.2.16-2ubuntu3.4.debdiff https://bugs.launchpad.net/ubuntu/+source/openscap/+bug/2062389/+attachment/5767557/+files/openscap_1.2.16-2ubuntu3.4.debdiff |
|
2024-04-18 16:06:07 |
Eduardo Barretto |
attachment added |
|
openscap_1.2.17-0.1ubuntu7.22.04.2.debdiff https://bugs.launchpad.net/ubuntu/+source/openscap/+bug/2062389/+attachment/5767558/+files/openscap_1.2.17-0.1ubuntu7.22.04.2.debdiff |
|
2024-04-18 16:06:38 |
Eduardo Barretto |
attachment added |
|
openscap_1.2.17-0.1ubuntu7.22.04.2.debdiff https://bugs.launchpad.net/ubuntu/+source/openscap/+bug/2062389/+attachment/5767559/+files/openscap_1.2.17-0.1ubuntu7.22.04.2.debdiff |
|
2024-04-18 16:09:38 |
Eduardo Barretto |
bug |
|
|
added subscriber Ubuntu Sponsors |
2024-04-18 16:11:35 |
Eduardo Barretto |
description |
[ Impact ]
* This issue causes a crash in openscap when there's a circular dependency in systemd services, and currently affects both Ubuntu 20.04 and 22.04.
* This indirectly is affecting the usage of USG (Ubuntu Security Guide) for CIS auditing in systems with ceph-mds. See LP: #2060345.
* This issue was reported to upstream here: https://bugzilla.redhat.com/show_bug.cgi?id=1478285 and later fixed in openscap upstream git repo https://github.com/OpenSCAP/openscap/pull/1474. This SRU is a backport of the mentioned pull request.
[ Test Plan ]
* There are a few ways to reproduce this issue, as you can see some notes on LP: #2060345.
But for simplicity, the easiest way to reproduce this issue is to run the following commands.
Without the patch on Ubuntu 20.04:
```
$ oscap oval eval --id "oval:ssg-service_rsyslog_enabled:def:1" ssg-ubuntu2004-oval.xml
W: oscap: Can't receive message: 103, Software caused connection abort.
W: oscap: Can't receive message: 103, Software caused connection abort.
OpenSCAP Error: Probe with PID=1522 has been killed with signal 11 [../../../../../src/OVAL/probes/SEAP/sch_pipe.c:178]
Probe with PID=1522 has core dumped. [../../../../../src/OVAL/probes/SEAP/sch_pipe.c:182]
Item corresponding to object 'oval:ssg-object_multi_user_target_for_rsyslog_enabled:obj:1' from test 'oval:ssg-test_multi_user_wants_rsyslog:tst:1' has an unknown flag. This may indicate a bug in OpenSCAP. [../../../../src/OVAL/results/oval_resultTest.c:913]
Probe with PID=1531 has been killed with signal 11 [../../../../../src/OVAL/probes/SEAP/sch_pipe.c:178]
Probe with PID=1531 has core dumped. [../../../../../src/OVAL/probes/SEAP/sch_pipe.c:182]
Item corresponding to object 'oval:ssg-object_multi_user_target_for_rsyslog_socket_enabled:obj:1' from test 'oval:ssg-test_multi_user_wants_rsyslog_socket:tst:1' has an unknown flag. This may indicate a bug in OpenSCAP. [../../../../src/OVAL/results/oval_resultTest.c:913]
```
With the patch on Ubuntu 20.04:
```
$ sudo apt install libopenscap8=1.2.16-2ubuntu3.4
$ oscap oval eval --id "oval:ssg-service_rsyslog_enabled:def:1" ssg-ubuntu2004-oval.xml
Definition oval:ssg-service_rsyslog_enabled:def:1: true
Evaluation done.
```
Without the patch on Ubuntu 22.04:
```
$ oscap oval eval --id "oval:ssg-service_rsyslog_enabled:def:1" ssg-ubuntu2204-oval.xml
W: oscap: Can't receive message: 103, Software caused connection abort.
W: oscap: Can't receive message: 103, Software caused connection abort.
OpenSCAP Error: Probe with PID=1421 has been killed with signal 11 [../../../../../src/OVAL/probes/SEAP/sch_pipe.c:178]
Probe with PID=1421 has core dumped. [../../../../../src/OVAL/probes/SEAP/sch_pipe.c:182]
Item corresponding to object 'oval:ssg-object_multi_user_target_for_rsyslog_enabled:obj:1' from test 'oval:ssg-test_multi_user_wants_rsyslog:tst:1' has an unknown flag. This may indicate a bug in OpenSCAP. [../../../../src/OVAL/results/oval_resultTest.c:982]
Probe with PID=1431 has been killed with signal 11 [../../../../../src/OVAL/probes/SEAP/sch_pipe.c:178]
Probe with PID=1431 has core dumped. [../../../../../src/OVAL/probes/SEAP/sch_pipe.c:182]
Item corresponding to object 'oval:ssg-object_multi_user_target_for_rsyslog_socket_enabled:obj:1' from test 'oval:ssg-test_multi_user_wants_rsyslog_socket:tst:1' has an unknown flag. This may indicate a bug in OpenSCAP. [../../../../src/OVAL/results/oval_resultTest.c:982]
```
With the patch on Ubuntu 22.04:
```
$ sudo apt install libopenscap8=1.2.17-0.1ubuntu7.22.04.2
$ oscap oval eval --id "oval:ssg-service_rsyslog_enabled:def:1" ssg-ubuntu2204-oval.xml
Definition oval:ssg-service_rsyslog_enabled:def:1: true
Evaluation done.
```
* The other tests we will do is to run full usg fix and audit and report if the output is as expected.
[ Where problems could occur ]
* This fix was never backported to version 1.2 in upstream git repo, but was applied to openscap 1.2 in
RHEL-based distros, it is unclear if the backport ever created another issue with the
systemdunitdependency probe. If that is the case we expect to see some other tests in usg failing,
for example.
[ Other Info ]
* This issue affects both Ubuntu 20.04 and 22.04. |
[ Impact ]
* This issue causes a crash in openscap when there's a circular dependency in systemd services, and currently affects both Ubuntu 20.04 and 22.04.
* This indirectly is affecting the usage of USG (Ubuntu Security Guide) for CIS auditing in systems with ceph-mds. See LP: #2060345.
* This issue was reported to upstream here: https://bugzilla.redhat.com/show_bug.cgi?id=1478285 and later fixed in openscap upstream git repo https://github.com/OpenSCAP/openscap/pull/1474. This SRU is a backport of the mentioned pull request.
[ Test Plan ]
* There are a few ways to reproduce this issue, as you can see some notes on LP: #2060345.
But for simplicity, the easiest way to reproduce this issue is to run the following commands.
Without the patch on Ubuntu 20.04:
```
$ oscap oval eval --id "oval:ssg-service_rsyslog_enabled:def:1" ssg-ubuntu2004-oval.xml
Definition oval:ssg-service_rsyslog_enabled:def:1: true
Evaluation done.
$ sudo apt install ceph-mds
$ oscap oval eval --id "oval:ssg-service_rsyslog_enabled:def:1" ssg-ubuntu2004-oval.xml
W: oscap: Can't receive message: 103, Software caused connection abort.
W: oscap: Can't receive message: 103, Software caused connection abort.
OpenSCAP Error: Probe with PID=1522 has been killed with signal 11 [../../../../../src/OVAL/probes/SEAP/sch_pipe.c:178]
Probe with PID=1522 has core dumped. [../../../../../src/OVAL/probes/SEAP/sch_pipe.c:182]
Item corresponding to object 'oval:ssg-object_multi_user_target_for_rsyslog_enabled:obj:1' from test 'oval:ssg-test_multi_user_wants_rsyslog:tst:1' has an unknown flag. This may indicate a bug in OpenSCAP. [../../../../src/OVAL/results/oval_resultTest.c:913]
Probe with PID=1531 has been killed with signal 11 [../../../../../src/OVAL/probes/SEAP/sch_pipe.c:178]
Probe with PID=1531 has core dumped. [../../../../../src/OVAL/probes/SEAP/sch_pipe.c:182]
Item corresponding to object 'oval:ssg-object_multi_user_target_for_rsyslog_socket_enabled:obj:1' from test 'oval:ssg-test_multi_user_wants_rsyslog_socket:tst:1' has an unknown flag. This may indicate a bug in OpenSCAP. [../../../../src/OVAL/results/oval_resultTest.c:913]
```
With the patch on Ubuntu 20.04:
```
$ sudo apt install libopenscap8=1.2.16-2ubuntu3.4
$ oscap oval eval --id "oval:ssg-service_rsyslog_enabled:def:1" ssg-ubuntu2004-oval.xml
Definition oval:ssg-service_rsyslog_enabled:def:1: true
Evaluation done.
```
Without the patch on Ubuntu 22.04:
```
$ oscap oval eval --id "oval:ssg-service_rsyslog_enabled:def:1" ssg-ubuntu2204-oval.xml
Definition oval:ssg-service_rsyslog_enabled:def:1: true
Evaluation done.
$ sudo apt install ceph-mds
$ oscap oval eval --id "oval:ssg-service_rsyslog_enabled:def:1" ssg-ubuntu2204-oval.xml
W: oscap: Can't receive message: 103, Software caused connection abort.
W: oscap: Can't receive message: 103, Software caused connection abort.
OpenSCAP Error: Probe with PID=1421 has been killed with signal 11 [../../../../../src/OVAL/probes/SEAP/sch_pipe.c:178]
Probe with PID=1421 has core dumped. [../../../../../src/OVAL/probes/SEAP/sch_pipe.c:182]
Item corresponding to object 'oval:ssg-object_multi_user_target_for_rsyslog_enabled:obj:1' from test 'oval:ssg-test_multi_user_wants_rsyslog:tst:1' has an unknown flag. This may indicate a bug in OpenSCAP. [../../../../src/OVAL/results/oval_resultTest.c:982]
Probe with PID=1431 has been killed with signal 11 [../../../../../src/OVAL/probes/SEAP/sch_pipe.c:178]
Probe with PID=1431 has core dumped. [../../../../../src/OVAL/probes/SEAP/sch_pipe.c:182]
Item corresponding to object 'oval:ssg-object_multi_user_target_for_rsyslog_socket_enabled:obj:1' from test 'oval:ssg-test_multi_user_wants_rsyslog_socket:tst:1' has an unknown flag. This may indicate a bug in OpenSCAP. [../../../../src/OVAL/results/oval_resultTest.c:982]
```
With the patch on Ubuntu 22.04:
```
$ sudo apt install libopenscap8=1.2.17-0.1ubuntu7.22.04.2
$ oscap oval eval --id "oval:ssg-service_rsyslog_enabled:def:1" ssg-ubuntu2204-oval.xml
Definition oval:ssg-service_rsyslog_enabled:def:1: true
Evaluation done.
```
* The other tests we will do is to run full usg fix and audit and report if the output is as expected.
[ Where problems could occur ]
* This fix was never backported to version 1.2 in upstream git repo, but was applied to openscap 1.2 in
RHEL-based distros, it is unclear if the backport ever created another issue with the
systemdunitdependency probe. If that is the case we expect to see some other tests in usg failing,
for example.
[ Other Info ]
* This issue affects both Ubuntu 20.04 and 22.04. |
|
2024-04-18 16:14:02 |
Eduardo Barretto |
description |
[ Impact ]
* This issue causes a crash in openscap when there's a circular dependency in systemd services, and currently affects both Ubuntu 20.04 and 22.04.
* This indirectly is affecting the usage of USG (Ubuntu Security Guide) for CIS auditing in systems with ceph-mds. See LP: #2060345.
* This issue was reported to upstream here: https://bugzilla.redhat.com/show_bug.cgi?id=1478285 and later fixed in openscap upstream git repo https://github.com/OpenSCAP/openscap/pull/1474. This SRU is a backport of the mentioned pull request.
[ Test Plan ]
* There are a few ways to reproduce this issue, as you can see some notes on LP: #2060345.
But for simplicity, the easiest way to reproduce this issue is to run the following commands.
Without the patch on Ubuntu 20.04:
```
$ oscap oval eval --id "oval:ssg-service_rsyslog_enabled:def:1" ssg-ubuntu2004-oval.xml
Definition oval:ssg-service_rsyslog_enabled:def:1: true
Evaluation done.
$ sudo apt install ceph-mds
$ oscap oval eval --id "oval:ssg-service_rsyslog_enabled:def:1" ssg-ubuntu2004-oval.xml
W: oscap: Can't receive message: 103, Software caused connection abort.
W: oscap: Can't receive message: 103, Software caused connection abort.
OpenSCAP Error: Probe with PID=1522 has been killed with signal 11 [../../../../../src/OVAL/probes/SEAP/sch_pipe.c:178]
Probe with PID=1522 has core dumped. [../../../../../src/OVAL/probes/SEAP/sch_pipe.c:182]
Item corresponding to object 'oval:ssg-object_multi_user_target_for_rsyslog_enabled:obj:1' from test 'oval:ssg-test_multi_user_wants_rsyslog:tst:1' has an unknown flag. This may indicate a bug in OpenSCAP. [../../../../src/OVAL/results/oval_resultTest.c:913]
Probe with PID=1531 has been killed with signal 11 [../../../../../src/OVAL/probes/SEAP/sch_pipe.c:178]
Probe with PID=1531 has core dumped. [../../../../../src/OVAL/probes/SEAP/sch_pipe.c:182]
Item corresponding to object 'oval:ssg-object_multi_user_target_for_rsyslog_socket_enabled:obj:1' from test 'oval:ssg-test_multi_user_wants_rsyslog_socket:tst:1' has an unknown flag. This may indicate a bug in OpenSCAP. [../../../../src/OVAL/results/oval_resultTest.c:913]
```
With the patch on Ubuntu 20.04:
```
$ sudo apt install libopenscap8=1.2.16-2ubuntu3.4
$ oscap oval eval --id "oval:ssg-service_rsyslog_enabled:def:1" ssg-ubuntu2004-oval.xml
Definition oval:ssg-service_rsyslog_enabled:def:1: true
Evaluation done.
```
Without the patch on Ubuntu 22.04:
```
$ oscap oval eval --id "oval:ssg-service_rsyslog_enabled:def:1" ssg-ubuntu2204-oval.xml
Definition oval:ssg-service_rsyslog_enabled:def:1: true
Evaluation done.
$ sudo apt install ceph-mds
$ oscap oval eval --id "oval:ssg-service_rsyslog_enabled:def:1" ssg-ubuntu2204-oval.xml
W: oscap: Can't receive message: 103, Software caused connection abort.
W: oscap: Can't receive message: 103, Software caused connection abort.
OpenSCAP Error: Probe with PID=1421 has been killed with signal 11 [../../../../../src/OVAL/probes/SEAP/sch_pipe.c:178]
Probe with PID=1421 has core dumped. [../../../../../src/OVAL/probes/SEAP/sch_pipe.c:182]
Item corresponding to object 'oval:ssg-object_multi_user_target_for_rsyslog_enabled:obj:1' from test 'oval:ssg-test_multi_user_wants_rsyslog:tst:1' has an unknown flag. This may indicate a bug in OpenSCAP. [../../../../src/OVAL/results/oval_resultTest.c:982]
Probe with PID=1431 has been killed with signal 11 [../../../../../src/OVAL/probes/SEAP/sch_pipe.c:178]
Probe with PID=1431 has core dumped. [../../../../../src/OVAL/probes/SEAP/sch_pipe.c:182]
Item corresponding to object 'oval:ssg-object_multi_user_target_for_rsyslog_socket_enabled:obj:1' from test 'oval:ssg-test_multi_user_wants_rsyslog_socket:tst:1' has an unknown flag. This may indicate a bug in OpenSCAP. [../../../../src/OVAL/results/oval_resultTest.c:982]
```
With the patch on Ubuntu 22.04:
```
$ sudo apt install libopenscap8=1.2.17-0.1ubuntu7.22.04.2
$ oscap oval eval --id "oval:ssg-service_rsyslog_enabled:def:1" ssg-ubuntu2204-oval.xml
Definition oval:ssg-service_rsyslog_enabled:def:1: true
Evaluation done.
```
* The other tests we will do is to run full usg fix and audit and report if the output is as expected.
[ Where problems could occur ]
* This fix was never backported to version 1.2 in upstream git repo, but was applied to openscap 1.2 in
RHEL-based distros, it is unclear if the backport ever created another issue with the
systemdunitdependency probe. If that is the case we expect to see some other tests in usg failing,
for example.
[ Other Info ]
* This issue affects both Ubuntu 20.04 and 22.04. |
[ Impact ]
* This issue causes a crash in openscap when there's a circular dependency in systemd services, and currently affects both Ubuntu 20.04 and 22.04.
* This indirectly is affecting the usage of USG (Ubuntu Security Guide) for CIS auditing in systems with ceph-mds. See LP: #2060345.
* This issue was reported to upstream here: https://bugzilla.redhat.com/show_bug.cgi?id=1478285 and later fixed in openscap upstream git repo https://github.com/OpenSCAP/openscap/pull/1474. This SRU is a backport of the mentioned pull request.
[ Test Plan ]
* There are a few ways to reproduce this issue, as you can see some notes on LP: #2060345.
But for simplicity, the easiest way to reproduce this issue is to run the following commands.
On Ubuntu 20.04:
```
$ oscap oval eval --id "oval:ssg-service_rsyslog_enabled:def:1" ssg-ubuntu2004-oval.xml
Definition oval:ssg-service_rsyslog_enabled:def:1: true
Evaluation done.
$ sudo apt install ceph-mds
$ oscap oval eval --id "oval:ssg-service_rsyslog_enabled:def:1" ssg-ubuntu2004-oval.xml
W: oscap: Can't receive message: 103, Software caused connection abort.
W: oscap: Can't receive message: 103, Software caused connection abort.
OpenSCAP Error: Probe with PID=1522 has been killed with signal 11 [../../../../../src/OVAL/probes/SEAP/sch_pipe.c:178]
Probe with PID=1522 has core dumped. [../../../../../src/OVAL/probes/SEAP/sch_pipe.c:182]
Item corresponding to object 'oval:ssg-object_multi_user_target_for_rsyslog_enabled:obj:1' from test 'oval:ssg-test_multi_user_wants_rsyslog:tst:1' has an unknown flag. This may indicate a bug in OpenSCAP. [../../../../src/OVAL/results/oval_resultTest.c:913]
Probe with PID=1531 has been killed with signal 11 [../../../../../src/OVAL/probes/SEAP/sch_pipe.c:178]
Probe with PID=1531 has core dumped. [../../../../../src/OVAL/probes/SEAP/sch_pipe.c:182]
Item corresponding to object 'oval:ssg-object_multi_user_target_for_rsyslog_socket_enabled:obj:1' from test 'oval:ssg-test_multi_user_wants_rsyslog_socket:tst:1' has an unknown flag. This may indicate a bug in OpenSCAP. [../../../../src/OVAL/results/oval_resultTest.c:913]
$ sudo apt install libopenscap8=1.2.16-2ubuntu3.4
$ oscap oval eval --id "oval:ssg-service_rsyslog_enabled:def:1" ssg-ubuntu2004-oval.xml
Definition oval:ssg-service_rsyslog_enabled:def:1: true
Evaluation done.
```
On Ubuntu 22.04:
```
$ oscap oval eval --id "oval:ssg-service_rsyslog_enabled:def:1" ssg-ubuntu2204-oval.xml
Definition oval:ssg-service_rsyslog_enabled:def:1: true
Evaluation done.
$ sudo apt install ceph-mds
$ oscap oval eval --id "oval:ssg-service_rsyslog_enabled:def:1" ssg-ubuntu2204-oval.xml
W: oscap: Can't receive message: 103, Software caused connection abort.
W: oscap: Can't receive message: 103, Software caused connection abort.
OpenSCAP Error: Probe with PID=1421 has been killed with signal 11 [../../../../../src/OVAL/probes/SEAP/sch_pipe.c:178]
Probe with PID=1421 has core dumped. [../../../../../src/OVAL/probes/SEAP/sch_pipe.c:182]
Item corresponding to object 'oval:ssg-object_multi_user_target_for_rsyslog_enabled:obj:1' from test 'oval:ssg-test_multi_user_wants_rsyslog:tst:1' has an unknown flag. This may indicate a bug in OpenSCAP. [../../../../src/OVAL/results/oval_resultTest.c:982]
Probe with PID=1431 has been killed with signal 11 [../../../../../src/OVAL/probes/SEAP/sch_pipe.c:178]
Probe with PID=1431 has core dumped. [../../../../../src/OVAL/probes/SEAP/sch_pipe.c:182]
Item corresponding to object 'oval:ssg-object_multi_user_target_for_rsyslog_socket_enabled:obj:1' from test 'oval:ssg-test_multi_user_wants_rsyslog_socket:tst:1' has an unknown flag. This may indicate a bug in OpenSCAP. [../../../../src/OVAL/results/oval_resultTest.c:982]
$ sudo apt install libopenscap8=1.2.17-0.1ubuntu7.22.04.2
$ oscap oval eval --id "oval:ssg-service_rsyslog_enabled:def:1" ssg-ubuntu2204-oval.xml
Definition oval:ssg-service_rsyslog_enabled:def:1: true
Evaluation done.
```
* The other tests we will do is to run full usg fix and audit and report if the output is as expected.
[ Where problems could occur ]
* This fix was never backported to version 1.2 in upstream git repo, but was applied to openscap 1.2 in
RHEL-based distros, it is unclear if the backport ever created another issue with the
systemdunitdependency probe. If that is the case we expect to see some other tests in usg failing,
for example.
[ Other Info ]
* This issue affects both Ubuntu 20.04 and 22.04.
* Another way to mitigate this issue would be altering systemd services to not have a circular dependency. This can get tricky and might require a lot of change. |
|
2024-04-18 16:26:26 |
Eduardo Barretto |
attachment added |
|
openscap_1.2.16-2ubuntu3.4.debdiff https://bugs.launchpad.net/ubuntu/+source/openscap/+bug/2062389/+attachment/5767571/+files/openscap_1.2.16-2ubuntu3.4.debdiff |
|
2024-04-18 16:26:39 |
Eduardo Barretto |
attachment added |
|
openscap_1.2.17-0.1ubuntu7.22.04.2.debdiff https://bugs.launchpad.net/ubuntu/+source/openscap/+bug/2062389/+attachment/5767572/+files/openscap_1.2.17-0.1ubuntu7.22.04.2.debdiff |
|
2024-04-19 00:32:47 |
Nobuto Murata |
bug |
|
|
added subscriber Nobuto Murata |
2024-04-26 07:37:18 |
Eduardo Barretto |
nominated for series |
|
Ubuntu Noble |
|
2024-04-26 07:37:18 |
Eduardo Barretto |
bug task added |
|
openscap (Ubuntu Noble) |
|
2024-04-26 07:37:18 |
Eduardo Barretto |
nominated for series |
|
Ubuntu Mantic |
|
2024-04-26 07:37:18 |
Eduardo Barretto |
bug task added |
|
openscap (Ubuntu Mantic) |
|
2024-04-26 07:37:26 |
Eduardo Barretto |
openscap (Ubuntu Mantic): status |
New |
Fix Released |
|
2024-04-26 07:37:30 |
Eduardo Barretto |
openscap (Ubuntu Noble): status |
New |
Fix Released |
|
2024-04-26 07:38:22 |
Eduardo Barretto |
description |
[ Impact ]
* This issue causes a crash in openscap when there's a circular dependency in systemd services, and currently affects both Ubuntu 20.04 and 22.04.
* This indirectly is affecting the usage of USG (Ubuntu Security Guide) for CIS auditing in systems with ceph-mds. See LP: #2060345.
* This issue was reported to upstream here: https://bugzilla.redhat.com/show_bug.cgi?id=1478285 and later fixed in openscap upstream git repo https://github.com/OpenSCAP/openscap/pull/1474. This SRU is a backport of the mentioned pull request.
[ Test Plan ]
* There are a few ways to reproduce this issue, as you can see some notes on LP: #2060345.
But for simplicity, the easiest way to reproduce this issue is to run the following commands.
On Ubuntu 20.04:
```
$ oscap oval eval --id "oval:ssg-service_rsyslog_enabled:def:1" ssg-ubuntu2004-oval.xml
Definition oval:ssg-service_rsyslog_enabled:def:1: true
Evaluation done.
$ sudo apt install ceph-mds
$ oscap oval eval --id "oval:ssg-service_rsyslog_enabled:def:1" ssg-ubuntu2004-oval.xml
W: oscap: Can't receive message: 103, Software caused connection abort.
W: oscap: Can't receive message: 103, Software caused connection abort.
OpenSCAP Error: Probe with PID=1522 has been killed with signal 11 [../../../../../src/OVAL/probes/SEAP/sch_pipe.c:178]
Probe with PID=1522 has core dumped. [../../../../../src/OVAL/probes/SEAP/sch_pipe.c:182]
Item corresponding to object 'oval:ssg-object_multi_user_target_for_rsyslog_enabled:obj:1' from test 'oval:ssg-test_multi_user_wants_rsyslog:tst:1' has an unknown flag. This may indicate a bug in OpenSCAP. [../../../../src/OVAL/results/oval_resultTest.c:913]
Probe with PID=1531 has been killed with signal 11 [../../../../../src/OVAL/probes/SEAP/sch_pipe.c:178]
Probe with PID=1531 has core dumped. [../../../../../src/OVAL/probes/SEAP/sch_pipe.c:182]
Item corresponding to object 'oval:ssg-object_multi_user_target_for_rsyslog_socket_enabled:obj:1' from test 'oval:ssg-test_multi_user_wants_rsyslog_socket:tst:1' has an unknown flag. This may indicate a bug in OpenSCAP. [../../../../src/OVAL/results/oval_resultTest.c:913]
$ sudo apt install libopenscap8=1.2.16-2ubuntu3.4
$ oscap oval eval --id "oval:ssg-service_rsyslog_enabled:def:1" ssg-ubuntu2004-oval.xml
Definition oval:ssg-service_rsyslog_enabled:def:1: true
Evaluation done.
```
On Ubuntu 22.04:
```
$ oscap oval eval --id "oval:ssg-service_rsyslog_enabled:def:1" ssg-ubuntu2204-oval.xml
Definition oval:ssg-service_rsyslog_enabled:def:1: true
Evaluation done.
$ sudo apt install ceph-mds
$ oscap oval eval --id "oval:ssg-service_rsyslog_enabled:def:1" ssg-ubuntu2204-oval.xml
W: oscap: Can't receive message: 103, Software caused connection abort.
W: oscap: Can't receive message: 103, Software caused connection abort.
OpenSCAP Error: Probe with PID=1421 has been killed with signal 11 [../../../../../src/OVAL/probes/SEAP/sch_pipe.c:178]
Probe with PID=1421 has core dumped. [../../../../../src/OVAL/probes/SEAP/sch_pipe.c:182]
Item corresponding to object 'oval:ssg-object_multi_user_target_for_rsyslog_enabled:obj:1' from test 'oval:ssg-test_multi_user_wants_rsyslog:tst:1' has an unknown flag. This may indicate a bug in OpenSCAP. [../../../../src/OVAL/results/oval_resultTest.c:982]
Probe with PID=1431 has been killed with signal 11 [../../../../../src/OVAL/probes/SEAP/sch_pipe.c:178]
Probe with PID=1431 has core dumped. [../../../../../src/OVAL/probes/SEAP/sch_pipe.c:182]
Item corresponding to object 'oval:ssg-object_multi_user_target_for_rsyslog_socket_enabled:obj:1' from test 'oval:ssg-test_multi_user_wants_rsyslog_socket:tst:1' has an unknown flag. This may indicate a bug in OpenSCAP. [../../../../src/OVAL/results/oval_resultTest.c:982]
$ sudo apt install libopenscap8=1.2.17-0.1ubuntu7.22.04.2
$ oscap oval eval --id "oval:ssg-service_rsyslog_enabled:def:1" ssg-ubuntu2204-oval.xml
Definition oval:ssg-service_rsyslog_enabled:def:1: true
Evaluation done.
```
* The other tests we will do is to run full usg fix and audit and report if the output is as expected.
[ Where problems could occur ]
* This fix was never backported to version 1.2 in upstream git repo, but was applied to openscap 1.2 in
RHEL-based distros, it is unclear if the backport ever created another issue with the
systemdunitdependency probe. If that is the case we expect to see some other tests in usg failing,
for example.
[ Other Info ]
* This issue affects both Ubuntu 20.04 and 22.04.
* Another way to mitigate this issue would be altering systemd services to not have a circular dependency. This can get tricky and might require a lot of change. |
[ Impact ]
* This issue causes a crash in openscap when there's a circular dependency in systemd services, and currently affects both Ubuntu 20.04 and 22.04. openscap on Ubuntu 23.10 and 24.04 already contain this fix.
* This indirectly is affecting the usage of USG (Ubuntu Security Guide) for CIS auditing in systems with ceph-mds. See LP: #2060345.
* This issue was reported to upstream here: https://bugzilla.redhat.com/show_bug.cgi?id=1478285 and later fixed in openscap upstream git repo https://github.com/OpenSCAP/openscap/pull/1474. This SRU is a backport of the mentioned pull request.
[ Test Plan ]
* There are a few ways to reproduce this issue, as you can see some notes on LP: #2060345.
But for simplicity, the easiest way to reproduce this issue is to run the following commands.
On Ubuntu 20.04:
```
$ oscap oval eval --id "oval:ssg-service_rsyslog_enabled:def:1" ssg-ubuntu2004-oval.xml
Definition oval:ssg-service_rsyslog_enabled:def:1: true
Evaluation done.
$ sudo apt install ceph-mds
$ oscap oval eval --id "oval:ssg-service_rsyslog_enabled:def:1" ssg-ubuntu2004-oval.xml
W: oscap: Can't receive message: 103, Software caused connection abort.
W: oscap: Can't receive message: 103, Software caused connection abort.
OpenSCAP Error: Probe with PID=1522 has been killed with signal 11 [../../../../../src/OVAL/probes/SEAP/sch_pipe.c:178]
Probe with PID=1522 has core dumped. [../../../../../src/OVAL/probes/SEAP/sch_pipe.c:182]
Item corresponding to object 'oval:ssg-object_multi_user_target_for_rsyslog_enabled:obj:1' from test 'oval:ssg-test_multi_user_wants_rsyslog:tst:1' has an unknown flag. This may indicate a bug in OpenSCAP. [../../../../src/OVAL/results/oval_resultTest.c:913]
Probe with PID=1531 has been killed with signal 11 [../../../../../src/OVAL/probes/SEAP/sch_pipe.c:178]
Probe with PID=1531 has core dumped. [../../../../../src/OVAL/probes/SEAP/sch_pipe.c:182]
Item corresponding to object 'oval:ssg-object_multi_user_target_for_rsyslog_socket_enabled:obj:1' from test 'oval:ssg-test_multi_user_wants_rsyslog_socket:tst:1' has an unknown flag. This may indicate a bug in OpenSCAP. [../../../../src/OVAL/results/oval_resultTest.c:913]
$ sudo apt install libopenscap8=1.2.16-2ubuntu3.4
$ oscap oval eval --id "oval:ssg-service_rsyslog_enabled:def:1" ssg-ubuntu2004-oval.xml
Definition oval:ssg-service_rsyslog_enabled:def:1: true
Evaluation done.
```
On Ubuntu 22.04:
```
$ oscap oval eval --id "oval:ssg-service_rsyslog_enabled:def:1" ssg-ubuntu2204-oval.xml
Definition oval:ssg-service_rsyslog_enabled:def:1: true
Evaluation done.
$ sudo apt install ceph-mds
$ oscap oval eval --id "oval:ssg-service_rsyslog_enabled:def:1" ssg-ubuntu2204-oval.xml
W: oscap: Can't receive message: 103, Software caused connection abort.
W: oscap: Can't receive message: 103, Software caused connection abort.
OpenSCAP Error: Probe with PID=1421 has been killed with signal 11 [../../../../../src/OVAL/probes/SEAP/sch_pipe.c:178]
Probe with PID=1421 has core dumped. [../../../../../src/OVAL/probes/SEAP/sch_pipe.c:182]
Item corresponding to object 'oval:ssg-object_multi_user_target_for_rsyslog_enabled:obj:1' from test 'oval:ssg-test_multi_user_wants_rsyslog:tst:1' has an unknown flag. This may indicate a bug in OpenSCAP. [../../../../src/OVAL/results/oval_resultTest.c:982]
Probe with PID=1431 has been killed with signal 11 [../../../../../src/OVAL/probes/SEAP/sch_pipe.c:178]
Probe with PID=1431 has core dumped. [../../../../../src/OVAL/probes/SEAP/sch_pipe.c:182]
Item corresponding to object 'oval:ssg-object_multi_user_target_for_rsyslog_socket_enabled:obj:1' from test 'oval:ssg-test_multi_user_wants_rsyslog_socket:tst:1' has an unknown flag. This may indicate a bug in OpenSCAP. [../../../../src/OVAL/results/oval_resultTest.c:982]
$ sudo apt install libopenscap8=1.2.17-0.1ubuntu7.22.04.2
$ oscap oval eval --id "oval:ssg-service_rsyslog_enabled:def:1" ssg-ubuntu2204-oval.xml
Definition oval:ssg-service_rsyslog_enabled:def:1: true
Evaluation done.
```
* The other tests we will do is to run full usg fix and audit and report if the output is as expected.
[ Where problems could occur ]
* This fix was never backported to version 1.2 in upstream git repo, but was applied to openscap 1.2 in
RHEL-based distros, it is unclear if the backport ever created another issue with the
systemdunitdependency probe. If that is the case we expect to see some other tests in usg failing,
for example.
[ Other Info ]
* This issue affects both Ubuntu 20.04 and 22.04.
* Another way to mitigate this issue would be altering systemd services to not have a circular dependency. This can get tricky and might require a lot of change. |
|
2024-04-26 12:01:19 |
Marc Deslauriers |
openscap (Ubuntu Focal): status |
New |
In Progress |
|
2024-04-26 12:01:21 |
Marc Deslauriers |
openscap (Ubuntu Jammy): status |
New |
In Progress |
|
2024-04-26 12:01:56 |
Marc Deslauriers |
bug |
|
|
added subscriber Ubuntu Stable Release Updates Team |
2024-05-02 16:22:21 |
Andreas Hasenack |
openscap (Ubuntu Jammy): status |
In Progress |
Fix Committed |
|
2024-05-02 16:22:24 |
Andreas Hasenack |
bug |
|
|
added subscriber SRU Verification |
2024-05-02 16:22:27 |
Andreas Hasenack |
tags |
|
verification-needed verification-needed-jammy |
|
2024-05-02 16:22:49 |
Andreas Hasenack |
removed subscriber Ubuntu Sponsors |
|
|
|
2024-05-02 16:23:00 |
Andreas Hasenack |
openscap (Ubuntu Focal): status |
In Progress |
Fix Committed |
|
2024-05-02 16:23:07 |
Andreas Hasenack |
tags |
verification-needed verification-needed-jammy |
verification-needed verification-needed-focal verification-needed-jammy |
|
2024-05-08 09:59:43 |
Eduardo Barretto |
tags |
verification-needed verification-needed-focal verification-needed-jammy |
verification-done-jammy verification-needed verification-needed-focal |
|
2024-05-08 10:41:32 |
Eduardo Barretto |
tags |
verification-done-jammy verification-needed verification-needed-focal |
verification-done-focal verification-done-jammy verification-needed |
|