** Also affects: openscap (Ubuntu Noble) Importance: Undecided Status: New
** Also affects: openscap (Ubuntu Mantic) Importance: Undecided Status: New ** Changed in: openscap (Ubuntu Mantic) Status: New => Fix Released ** Changed in: openscap (Ubuntu Noble) Status: New => Fix Released ** Description changed: [ Impact ] * This issue causes a crash in openscap when there's a circular dependency in systemd services, and currently affects both Ubuntu 20.04 - and 22.04. + and 22.04. openscap on Ubuntu 23.10 and 24.04 already contain this fix. * This indirectly is affecting the usage of USG (Ubuntu Security Guide) for CIS auditing in systems with ceph-mds. See LP: #2060345. * This issue was reported to upstream here: https://bugzilla.redhat.com/show_bug.cgi?id=1478285 and later fixed in openscap upstream git repo https://github.com/OpenSCAP/openscap/pull/1474. This SRU is a backport of the mentioned pull request. [ Test Plan ] * There are a few ways to reproduce this issue, as you can see some notes on LP: #2060345. But for simplicity, the easiest way to reproduce this issue is to run the following commands. On Ubuntu 20.04: ``` $ oscap oval eval --id "oval:ssg-service_rsyslog_enabled:def:1" ssg-ubuntu2004-oval.xml Definition oval:ssg-service_rsyslog_enabled:def:1: true Evaluation done. $ sudo apt install ceph-mds $ oscap oval eval --id "oval:ssg-service_rsyslog_enabled:def:1" ssg-ubuntu2004-oval.xml W: oscap: Can't receive message: 103, Software caused connection abort. W: oscap: Can't receive message: 103, Software caused connection abort. OpenSCAP Error: Probe with PID=1522 has been killed with signal 11 [../../../../../src/OVAL/probes/SEAP/sch_pipe.c:178] Probe with PID=1522 has core dumped. [../../../../../src/OVAL/probes/SEAP/sch_pipe.c:182] Item corresponding to object 'oval:ssg-object_multi_user_target_for_rsyslog_enabled:obj:1' from test 'oval:ssg-test_multi_user_wants_rsyslog:tst:1' has an unknown flag. This may indicate a bug in OpenSCAP. [../../../../src/OVAL/results/oval_resultTest.c:913] Probe with PID=1531 has been killed with signal 11 [../../../../../src/OVAL/probes/SEAP/sch_pipe.c:178] Probe with PID=1531 has core dumped. [../../../../../src/OVAL/probes/SEAP/sch_pipe.c:182] Item corresponding to object 'oval:ssg-object_multi_user_target_for_rsyslog_socket_enabled:obj:1' from test 'oval:ssg-test_multi_user_wants_rsyslog_socket:tst:1' has an unknown flag. This may indicate a bug in OpenSCAP. [../../../../src/OVAL/results/oval_resultTest.c:913] $ sudo apt install libopenscap8=1.2.16-2ubuntu3.4 $ oscap oval eval --id "oval:ssg-service_rsyslog_enabled:def:1" ssg-ubuntu2004-oval.xml Definition oval:ssg-service_rsyslog_enabled:def:1: true Evaluation done. ``` On Ubuntu 22.04: ``` $ oscap oval eval --id "oval:ssg-service_rsyslog_enabled:def:1" ssg-ubuntu2204-oval.xml Definition oval:ssg-service_rsyslog_enabled:def:1: true Evaluation done. $ sudo apt install ceph-mds $ oscap oval eval --id "oval:ssg-service_rsyslog_enabled:def:1" ssg-ubuntu2204-oval.xml W: oscap: Can't receive message: 103, Software caused connection abort. W: oscap: Can't receive message: 103, Software caused connection abort. OpenSCAP Error: Probe with PID=1421 has been killed with signal 11 [../../../../../src/OVAL/probes/SEAP/sch_pipe.c:178] Probe with PID=1421 has core dumped. [../../../../../src/OVAL/probes/SEAP/sch_pipe.c:182] Item corresponding to object 'oval:ssg-object_multi_user_target_for_rsyslog_enabled:obj:1' from test 'oval:ssg-test_multi_user_wants_rsyslog:tst:1' has an unknown flag. This may indicate a bug in OpenSCAP. [../../../../src/OVAL/results/oval_resultTest.c:982] Probe with PID=1431 has been killed with signal 11 [../../../../../src/OVAL/probes/SEAP/sch_pipe.c:178] Probe with PID=1431 has core dumped. [../../../../../src/OVAL/probes/SEAP/sch_pipe.c:182] Item corresponding to object 'oval:ssg-object_multi_user_target_for_rsyslog_socket_enabled:obj:1' from test 'oval:ssg-test_multi_user_wants_rsyslog_socket:tst:1' has an unknown flag. This may indicate a bug in OpenSCAP. [../../../../src/OVAL/results/oval_resultTest.c:982] $ sudo apt install libopenscap8=1.2.17-0.1ubuntu7.22.04.2 $ oscap oval eval --id "oval:ssg-service_rsyslog_enabled:def:1" ssg-ubuntu2204-oval.xml Definition oval:ssg-service_rsyslog_enabled:def:1: true Evaluation done. ``` * The other tests we will do is to run full usg fix and audit and report if the output is as expected. [ Where problems could occur ] * This fix was never backported to version 1.2 in upstream git repo, but was applied to openscap 1.2 in RHEL-based distros, it is unclear if the backport ever created another issue with the systemdunitdependency probe. If that is the case we expect to see some other tests in usg failing, for example. [ Other Info ] * This issue affects both Ubuntu 20.04 and 22.04. - * Another way to mitigate this issue would be altering systemd services to not have a circular dependency. This can get tricky and might require a lot of change. + * Another way to mitigate this issue would be altering systemd services to not have a circular dependency. This can get tricky and might require a lot of change. -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/2062389 Title: [SRU] Fix segfault in systemdunitdependency probe To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/openscap/+bug/2062389/+subscriptions -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs