We currently have RedHat 7.5 systems and are running oscap ver. 1.2.16.

We have AUTOFS remote shares that are getting scanned by the oscap tool.  I see 
that you have an option to disable the remote scanning but that doesn't work.  We 
have several hundred systems that try to scan the network shares at the same 
time, which is not a good thing, and the oscap runs never complete.  It 
actually turns into a mini DoS attack.

I've tried altering the profiles but that doesn't make sense because we need 
the system to scan the local file systems.

This is what we have in our definitions:

<behaviors  recurse="directories" recurse_direction="down" max_depth="-1" 
recurse_file_system="local" />

The above line doesn't work.  It will still scan our NetApp NFS mounted shares.

I looked through the code at 
https://github.com/OpenSCAP/openscap/blob/900295ef58d121b15533fcd8736d3950417134b0/src/OVAL/probes/fsdev.c
and found this area for LINUX systems:


""
static int
is_local_fs(struct mntent *ment)
{
// todo: would it be useful to provide the choice during build-time?
#if 1
       char *s;

       s = ment->mnt_fsname;
       /* If the fsname begins with "//", it is probably CIFS. */
       if (s[0] == '/' && s[1] == '/')
              return 0;

       /* If there's a ':' in the fsname and it occurs before any
        * '/', then this is probably NFS and the file system is
        * considered "remote".
        */
       s = strpbrk(s, "/:");
       if (s && *s == ':')
              return 0;

       return 1;
#else
""


It seems like you are looking for a string to determine if it's a remote file 
system.  Can you guys simply use the "getmntent" system call and 
pull the information from the following field?  { char *mnt_type }

The mntent structure is defined in <mntent.h> as follows:

           struct mntent {
               char *mnt_fsname;   /* name of mounted filesystem */
               char *mnt_dir;      /* filesystem path prefix */
               char *mnt_type;     /* mount type (see mntent.h) */
               char *mnt_opts;     /* mount options (see mntent.h) */
               int   mnt_freq;     /* dump frequency in days */
               int   mnt_passno;   /* pass number on parallel fsck */
           };


I'm assuming that the mnt_type above would say nfs, cifs, etc....


NOTE: I would keep the block of code you already have above since it works for 
some systems.  I would simply add another search using the system call for 
those systems that the string search doesn't catch.


If you have anything else I could try to prevent the oscap tool from scanning 
the NFS mounted shares "I'm all ears".

Thanks,


Clarence
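
The approach suggested in the message above, written out as an added example (it is not OpenSCAP's code and not part of the original post): the fsname heuristic from the quoted fsdev.c excerpt is kept, and a second check on mnt_type from getmntent(3) catches mounts the string search misses, such as autofs trigger points whose fsname has no ':' or "//". It assumes Linux/glibc; the list of remote filesystem types and the function names fsname_looks_local, fstype_looks_local and classify are constructed for this example.

```c
#include <mntent.h>
#include <stdio.h>
#include <string.h>

/* fsname heuristic as in the quoted fsdev.c excerpt:
 * "//server/share" => CIFS, "host:/path" (':' before any '/') => NFS.
 * Returns 1 for local, 0 for remote. */
int fsname_looks_local(const char *fsname)
{
    const char *s = fsname;
    if (s[0] == '/' && s[1] == '/')
        return 0;
    s = strpbrk(s, "/:");
    if (s && *s == ':')
        return 0;
    return 1;
}

/* Assumed (constructed) list of mnt_type values to treat as remote.
 * "autofs" is included so an automount trigger point is skipped instead
 * of being descended into, which is what mounts the share. */
static const char *const remote_types[] = {
    "nfs", "nfs4", "cifs", "smbfs", "smb3", "afs", "9p", "ceph",
    "glusterfs", "fuse.sshfs", "autofs", NULL
};

/* Returns 1 if the mount type is not in the remote list, else 0. */
int fstype_looks_local(const char *type)
{
    for (const char *const *t = remote_types; *t != NULL; t++)
        if (strcmp(type, *t) == 0)
            return 0;
    return 1;
}

/* A mount is local only when both checks agree: 1 = local, 0 = remote. */
int classify(const char *fsname, const char *type)
{
    return fsname_looks_local(fsname) && fstype_looks_local(type);
}

/* Walk the live mount table and print the verdict for each entry. */
int main(void)
{
    FILE *tab = setmntent("/proc/self/mounts", "r");
    struct mntent *m;
    if (tab == NULL) { perror("setmntent"); return 1; }
    while ((m = getmntent(tab)) != NULL)
        printf("%-6s %-10s %s on %s\n",
               classify(m->mnt_fsname, m->mnt_type) ? "local" : "remote",
               m->mnt_type, m->mnt_fsname, m->mnt_dir);
    endmntent(tab);
    return 0;
}
```

Run on a host with autofs maps, the "-hosts" or map-file entries of type autofs come out as remote even though the fsname check alone would call them local.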

_______________________________________________
Open-scap-list mailing list
Open-scap-list@redhat.com
https://www.redhat.com/mailman/listinfo/open-scap-list
