Ubuntu Security Guide

oscap fails to evaluate rule "The Chronyd service is enabled" (xccdf_org.ssgproject.content_rule_service_chronyd_enabled)

Bug #2060364 reported by Przemyslaw Hausman on 2024-04-06

This bug report is a duplicate of: Bug #2060345: oscap crashes during audit on the system with ceph-mds package installed. Edit Remove

This bug affects 1 person

Affects		Status	Importance	Assigned to	Milestone
	Ubuntu Security Guide	New	Undecided	Unassigned

Bug Description

oscap fails to evaluate rule "The Chronyd service is enabled" (xccdf_org.ssgproject.content_rule_service_chronyd_enabled)

Ubuntu 22.04.4 LTS
usg version: 22.04.6

Evaluating rule "The Chronyd service is enabled" (xccdf_org.ssgproject.content_rule_service_chronyd_enabled) fails with result "unknown" and the following log entries in /var/lib/usg/usg-log-<date>.log:

```
I: oscap: Evaluating XCCDF rule 'xccdf_org.ssgproject.content_rule_service_chronyd_enabled'.
I: oscap: Evaluating definition 'oval:ssg-installed_OS_is_ubuntu2204:def:1': Ubuntu 22.04 LTS.
I: oscap: Definition 'oval:ssg-installed_OS_is_ubuntu2204:def:1' evaluated as true.
I: oscap: Evaluating definition 'oval:ssg-installed_env_is_a_machine:def:1': Check if the scan target is a machine.
I: oscap: Definition 'oval:ssg-installed_env_is_a_machine:def:1' evaluated as true.
I: oscap: Evaluating definition 'oval:ssg-package_chrony:def:1': Package chrony is installed.
I: oscap: Evaluating dpkginfo test 'oval:ssg-inventory_test_package_chrony_installed:tst:1': package chrony is installed.
I: oscap: Querying dpkginfo object 'oval:ssg-obj_inventory_test_package_chrony_installed:obj:1', flags: 0.
I: oscap: Creating new syschar for dpkginfo_object 'oval:ssg-obj_inventory_test_package_chrony_installed:obj:1'.
I: probe_dpkginfo: chrony: element found version 0:4.2-2ubuntu2
I: probe_dpkginfo: Extracting item from the cache queue: cnt=2, beg=15
I: probe_dpkginfo: cache MISS
I: probe_dpkginfo: Extracting item from the cache queue: cnt=1, beg=16
I: oscap: Test 'oval:ssg-inventory_test_package_chrony_installed:tst:1' requires that every object defined by 'oval:ssg-obj_inventory_test_package_chrony_installed:obj:1' exists on the system.
I: oscap: 1 objects defined by 'oval:ssg-obj_inventory_test_package_chrony_installed:obj:1' exist on the system.
I: oscap: Test 'oval:ssg-inventory_test_package_chrony_installed:tst:1' does not contain any state to compare object with.
I: oscap: All items matching object 'oval:ssg-obj_inventory_test_package_chrony_installed:obj:1' were collected. (flag=complete)
I: oscap: Test 'oval:ssg-inventory_test_package_chrony_installed:tst:1' evaluated as true.
I: oscap: Definition 'oval:ssg-package_chrony:def:1' evaluated as true.
I: oscap: Evaluating definition 'oval:ssg-service_chronyd_enabled:def:1': The Chronyd service is enabled.
I: oscap: Evaluating dpkginfo test 'oval:ssg-test_service_chrony_package_chrony_installed:tst:1': package chrony is installed.
I: oscap: Querying dpkginfo object 'oval:ssg-obj_test_service_chrony_package_chrony_installed:obj:1', flags: 0.
I: oscap: Creating new syschar for dpkginfo_object 'oval:ssg-obj_test_service_chrony_package_chrony_installed:obj:1'.
I: probe_dpkginfo: chrony: element found version 0:4.2-2ubuntu2
I: probe_dpkginfo: Extracting item from the cache queue: cnt=2, beg=2
I: probe_dpkginfo: cache MISS
I: probe_dpkginfo: Extracting item from the cache queue: cnt=1, beg=3
I: oscap: Test 'oval:ssg-test_service_chrony_package_chrony_installed:tst:1' requires that every object defined by 'oval:ssg-obj_test_service_chrony_package_chrony_installed:obj:1' exists on the system.
I: oscap: 1 objects defined by 'oval:ssg-obj_test_service_chrony_package_chrony_installed:obj:1' exist on the system.
I: oscap: Test 'oval:ssg-test_service_chrony_package_chrony_installed:tst:1' does not contain any state to compare object with.
I: oscap: All items matching object 'oval:ssg-obj_test_service_chrony_package_chrony_installed:obj:1' were collected. (flag=complete)
I: oscap: Test 'oval:ssg-test_service_chrony_package_chrony_installed:tst:1' evaluated as true.
I: oscap: Evaluating systemdunitproperty test 'oval:ssg-test_service_running_chrony:tst:1': Test that the chrony service is running.
I: oscap: Querying systemdunitproperty object 'oval:ssg-obj_service_running_chrony:obj:1', flags: 0.
I: oscap: Creating new syschar for systemdunitproperty_object 'oval:ssg-obj_service_running_chrony:obj:1'.
I: oscap: Starting probe on URI 'pipe:///usr/lib/x86_64-linux-gnu/openscap/probe_systemdunitproperty'.
I: probe_systemdunitproperty: Extracting item from the cache queue: cnt=1, beg=0
I: probe_systemdunitproperty: cache MISS
I: probe_systemdunitproperty: Extracting item from the cache queue: cnt=1, beg=1
I: oscap: Test 'oval:ssg-test_service_running_chrony:tst:1' requires that at least one object defined by 'oval:ssg-obj_service_running_chrony:obj:1' exists on the system.
I: oscap: 1 objects defined by 'oval:ssg-obj_service_running_chrony:obj:1' exist on the system.
I: oscap: All items matching object 'oval:ssg-obj_service_running_chrony:obj:1' were collected. (flag=complete)
I: oscap: In test 'oval:ssg-test_service_running_chrony:tst:1' at least one of the collected items must satisfy these states: 'oval:ssg-state_service_running_chrony:ste:1'.
I: oscap: Entity 'value'='active' of item '117442481' matches corresponding entity in state 'oval:ssg-state_service_running_chrony:ste:1'.
I: oscap: Item '117442481' compared to state 'oval:ssg-state_service_running_chrony:ste:1' with result true.
I: oscap: Test 'oval:ssg-test_service_running_chrony:tst:1' evaluated as true.
I: oscap: Evaluating systemdunitdependency test 'oval:ssg-test_multi_user_wants_chrony:tst:1': systemd test.
I: oscap: Querying systemdunitdependency object 'oval:ssg-object_multi_user_target_for_chrony_enabled:obj:1', flags: 0.
I: oscap: Creating new syschar for systemdunitdependency_object 'oval:ssg-object_multi_user_target_for_chrony_enabled:obj:1'.
I: oscap: Starting probe on URI 'pipe:///usr/lib/x86_64-linux-gnu/openscap/probe_systemdunitdependency'.
I: oscap: FAIL: recv failed: dsc=0x55b2ef4cf220, errno=4, Interrupted system call.
I: oscap: FAIL: ctx=0x55b2f0d98290, sd=3, errno=4, Interrupted system call.
W: oscap: Can't receive message: 4, Interrupted system call.
E: oscap: Can't close sd: 10, No child processes.
E: oscap: Recv: retry limit (0) reached.
I: oscap: Test 'oval:ssg-test_multi_user_wants_chrony:tst:1' evaluated as (null).
I: oscap: Evaluating systemdunitdependency test 'oval:ssg-test_multi_user_wants_chrony_socket:tst:1': systemd test.
I: oscap: Querying systemdunitdependency object 'oval:ssg-object_multi_user_target_for_chrony_socket_enabled:obj:1', flags: 0.
I: oscap: Creating new syschar for systemdunitdependency_object 'oval:ssg-object_multi_user_target_for_chrony_socket_enabled:obj:1'.
I: oscap: FAIL: recv failed: dsc=0x55b2ef4cf220, errno=4, Interrupted system call.
I: oscap: FAIL: ctx=0x55b2f0d98290, sd=3, errno=4, Interrupted system call.
W: oscap: Can't receive message: 4, Interrupted system call.
E: oscap: Can't close sd: 10, No child processes.
E: oscap: Recv: retry limit (0) reached.
I: oscap: Test 'oval:ssg-test_multi_user_wants_chrony_socket:tst:1' evaluated as (null).
I: oscap: Definition 'oval:ssg-service_chronyd_enabled:def:1' evaluated as unknown.
```

Machine under CIS hardening runs ceph-osd juju charm.

Potentially related to:
- https://bugs.launchpad.net/usg/+bug/2060345

Report a bug

This report contains Public information

Everyone can see this information.

Duplicate of bug #2060345 Remove

You are

Subscribing...

Edit bug mail

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.