** Also affects: openscap (Ubuntu Noble)
   Importance: Undecided
       Status: New

** Also affects: openscap (Ubuntu Mantic)
   Importance: Undecided
       Status: New

** Changed in: openscap (Ubuntu Mantic)
       Status: New => Fix Released

** Changed in: openscap (Ubuntu Noble)
       Status: New => Fix Released

** Description changed:

  [ Impact ]
  
   * This issue causes a crash in openscap when there's a circular
  dependency in systemd services, and currently affects both Ubuntu 20.04
- and 22.04.
+ and 22.04. openscap on Ubuntu 23.10 and 24.04 already contain this fix.
  
   * This indirectly is affecting the usage of USG (Ubuntu Security Guide)
  for CIS auditing in systems with ceph-mds. See LP: #2060345.
  
   * This issue was reported to upstream here:
  https://bugzilla.redhat.com/show_bug.cgi?id=1478285 and later fixed in
  openscap upstream git repo
  https://github.com/OpenSCAP/openscap/pull/1474. This SRU is a backport
  of the mentioned pull request.
  
  [ Test Plan ]
  
   * There are a few ways to reproduce this issue, as you can see some notes on LP: #2060345.
     But for simplicity, the easiest way to reproduce this issue is to run the following commands.
     On Ubuntu 20.04:
  ```
  $ oscap oval eval --id "oval:ssg-service_rsyslog_enabled:def:1" ssg-ubuntu2004-oval.xml
  Definition oval:ssg-service_rsyslog_enabled:def:1: true
  Evaluation done.
  
  $ sudo apt install ceph-mds
  
  $ oscap oval eval --id "oval:ssg-service_rsyslog_enabled:def:1" ssg-ubuntu2004-oval.xml
  W: oscap:     Can't receive message: 103, Software caused connection abort.
  W: oscap:     Can't receive message: 103, Software caused connection abort.
  OpenSCAP Error: Probe with PID=1522 has been killed with signal 11 [../../../../../src/OVAL/probes/SEAP/sch_pipe.c:178]
  Probe with PID=1522 has core dumped. [../../../../../src/OVAL/probes/SEAP/sch_pipe.c:182]
  Item corresponding to object 'oval:ssg-object_multi_user_target_for_rsyslog_enabled:obj:1' from test 'oval:ssg-test_multi_user_wants_rsyslog:tst:1' has an unknown flag. This may indicate a bug in OpenSCAP. [../../../../src/OVAL/results/oval_resultTest.c:913]
  Probe with PID=1531 has been killed with signal 11 [../../../../../src/OVAL/probes/SEAP/sch_pipe.c:178]
  Probe with PID=1531 has core dumped. [../../../../../src/OVAL/probes/SEAP/sch_pipe.c:182]
  Item corresponding to object 'oval:ssg-object_multi_user_target_for_rsyslog_socket_enabled:obj:1' from test 'oval:ssg-test_multi_user_wants_rsyslog_socket:tst:1' has an unknown flag. This may indicate a bug in OpenSCAP. [../../../../src/OVAL/results/oval_resultTest.c:913]
  
  $ sudo apt install libopenscap8=1.2.16-2ubuntu3.4
  
  $ oscap oval eval --id "oval:ssg-service_rsyslog_enabled:def:1" ssg-ubuntu2004-oval.xml
  Definition oval:ssg-service_rsyslog_enabled:def:1: true
  Evaluation done.
  ```
  
     On Ubuntu 22.04:
  ```
  $ oscap oval eval --id "oval:ssg-service_rsyslog_enabled:def:1" ssg-ubuntu2204-oval.xml
  Definition oval:ssg-service_rsyslog_enabled:def:1: true
  Evaluation done.
  
  $ sudo apt install ceph-mds
  
  $ oscap oval eval --id "oval:ssg-service_rsyslog_enabled:def:1" ssg-ubuntu2204-oval.xml
  W: oscap:     Can't receive message: 103, Software caused connection abort.
  W: oscap:     Can't receive message: 103, Software caused connection abort.
  OpenSCAP Error: Probe with PID=1421 has been killed with signal 11 [../../../../../src/OVAL/probes/SEAP/sch_pipe.c:178]
  Probe with PID=1421 has core dumped. [../../../../../src/OVAL/probes/SEAP/sch_pipe.c:182]
  Item corresponding to object 'oval:ssg-object_multi_user_target_for_rsyslog_enabled:obj:1' from test 'oval:ssg-test_multi_user_wants_rsyslog:tst:1' has an unknown flag. This may indicate a bug in OpenSCAP. [../../../../src/OVAL/results/oval_resultTest.c:982]
  Probe with PID=1431 has been killed with signal 11 [../../../../../src/OVAL/probes/SEAP/sch_pipe.c:178]
  Probe with PID=1431 has core dumped. [../../../../../src/OVAL/probes/SEAP/sch_pipe.c:182]
  Item corresponding to object 'oval:ssg-object_multi_user_target_for_rsyslog_socket_enabled:obj:1' from test 'oval:ssg-test_multi_user_wants_rsyslog_socket:tst:1' has an unknown flag. This may indicate a bug in OpenSCAP. [../../../../src/OVAL/results/oval_resultTest.c:982]
  
  $ sudo apt install libopenscap8=1.2.17-0.1ubuntu7.22.04.2
  
  $ oscap oval eval --id "oval:ssg-service_rsyslog_enabled:def:1" ssg-ubuntu2204-oval.xml
  Definition oval:ssg-service_rsyslog_enabled:def:1: true
  Evaluation done.
  ```
  
   * The other tests we will do is to run full usg fix and audit and
  report if the output is as expected.
  
  [ Where problems could occur ]
  
   * This fix was never backported to version 1.2 in upstream git repo, but was applied to openscap 1.2 in
     RHEL-based distros; it is unclear if the backport ever created another issue with the
     systemdunitdependency probe. If that is the case we expect to see some other tests in usg failing,
     for example.
  
  [ Other Info ]
  
   * This issue affects both Ubuntu 20.04 and 22.04.
-  * Another way to mitigate this issue would be altering systemd services to 
not have a circular dependency. This can get tricky and might require a lot of 
change.
+  * Another way to mitigate this issue would be altering systemd services to 
not have a circular dependency. This can get tricky and might require a lot of 
change.

https://bugs.launchpad.net/bugs/2062389

Title:
  [SRU] Fix segfault in systemdunitdependency probe
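
A way to check a host for the circular unit dependencies that trigger this crash, as an added example that is not part of the bug report or of openscap: it parses `systemctl show`-style property blocks and reports one dependency cycle. The sample text, the unit names, and the choice to follow only `Requires` and `Wants` edges are assumptions.

```python
# Constructed sample shaped like `systemctl show -p Id -p Requires -p Wants UNIT...`
# output (one block per unit, blank line between). Unit names are made up.
SAMPLE = """\
Id=demo-a.target
Requires=
Wants=demo-b.service demo-c.service

Id=demo-b.service
Requires=demo-a.target
Wants=

Id=demo-c.service
Requires=
Wants=
"""

DEP_KEYS = ("Requires", "Wants")  # assumption: the edges worth following

def parse_show(text):
    """Return {unit: [dependencies]} from `systemctl show` style blocks."""
    graph = {}
    for block in text.strip().split("\n\n"):
        props = dict(l.split("=", 1) for l in block.splitlines() if "=" in l)
        if props.get("Id"):
            graph[props["Id"]] = [d for k in DEP_KEYS for d in props.get(k, "").split()]
    return graph

def find_cycle(graph):
    """Iterative DFS (no recursion limit to hit); return one cycle or None."""
    GREY, BLACK = 1, 2
    state = {}  # unit -> GREY (on current path) or BLACK (fully explored)
    for root in graph:
        if root in state:
            continue
        state[root] = GREY
        path, stack = [root], [iter(graph[root])]
        while stack:
            nxt = next(stack[-1], None)
            if nxt is None:               # all edges of path[-1] explored
                state[path.pop()] = BLACK
                stack.pop()
            elif state.get(nxt) == GREY:  # back edge: nxt is on the current path
                return path[path.index(nxt):] + [nxt]
            elif nxt in graph and nxt not in state:
                state[nxt] = GREY
                path.append(nxt)
                stack.append(iter(graph[nxt]))
    return None
```

Calling `find_cycle(parse_show(SAMPLE))` returns the cycle as a list that starts and ends with the same unit; units that appear only as dependencies and have no block of their own are treated as leaves.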
