full output of crashing oscap https://pastebin.canonical.com/p/DCbXrvM8NG/
** Description changed: [ Impact ] probe_file consumes all the RAM of the system (128GB) excessive resource usage running a specific rule which is related to this bug [1]. This has been fixed in OpenSCAP 1.3, while Jammy runs 1.2.17. A fix for this patch has been made [2]. [ Test Plan ] Steps to Reproduce: # create 100 users for i in $(seq 1 100); do sudo useradd -N -g users user$i; echo "user-ubu" | sudo passwd user$i; done # create 1000 text files for i in $(seq 1 100); do echo "This is test file number $i." > file$i.txt; 1000 $(id -u user$i); done # each user opens 100 files and reads it for i in $(seq 1 1000); do -u user1 file_1.txt 1000 100 & done --> this will start 100 processes having 100 threads each, which are opening 1000 files each (shared between threads) # Run oscap in a new terminal at the same time oscap xccdf eval --rule xccdf_org.ssgproject.content_rule_file_permissions_ungroupowned --results-arf /tmp/oscap_results.xml /usr/share/xml/scap/ssg/content/ssg-ubuntu2404-ds.xml # While oscap runs, strace probe_file for some time in a new terminal timeout 10s strace -fttTvyy -o oscap_10s.strace -s 64 -p <pid of probe_file> look at logs for errors specifically lstat + A crash occurs, but the program still succeeds. + + Title Ensure All Files Are Owned by a Group + Rule xccdf_org.ssgproject.content_rule_file_permissions_ungroupowned + FAIL: 304:pthread_timedjoin_np: 0, Success + W: oscap: Can't receive message: 103, Software caused connection abort. + E: probe_file: Invalid value of the `recurse_direction' attribute: -1 + E: probe_file: Invalid value of the `recurse_direction' attribute: -1 + E: probe_file: Invalid value of the `recurse_direction' attribute: -1 + E: probe_file: Invalid value of the `recurse_direction' attribute: -1 + E: probe_file: Invalid value of the `recurse_direction' attribute: -1 + E: probe_file: Invalid value of the `recurse_direction' attribute: -1 + E: probe_file: Invalid value of the `recurse_direction' attribute: -1 + E: probe_file: Invalid value of the `recurse_direction' attribute: -1 + E: probe_file: Invalid value of the `recurse_direction' attribute: -1 + E: probe_file: Invalid value of the `recurse_direction' attribute: -1 + E: probe_file: Invalid value of the `recurse_direction' attribute: -1 + E: probe_file: Invalid value of the `recurse_direction' attribute: -1 + E: probe_file: Invalid value of the `recurse_direction' attribute: -1 + E: probe_file: Invalid value of the `recurse_direction' attribute: -1 + E: probe_file: Invalid value of the `recurse_direction' attribute: -1 + Result error + + [ Where Problems Could Occur ] [ Other Info ] Backport from upstream. [1] https://bugzilla.redhat.com/show_bug.cgi?id=1932833 [2] https://github.com/OpenSCAP/openscap/pull/1803 ** Description changed: [ Impact ] probe_file consumes all the RAM of the system (128GB) excessive resource usage running a specific rule which is related to this bug [1]. This has been fixed in OpenSCAP 1.3, while Jammy runs 1.2.17. A fix for this patch has been made [2]. [ Test Plan ] Steps to Reproduce: # create 100 users for i in $(seq 1 100); do sudo useradd -N -g users user$i; echo "user-ubu" | sudo passwd user$i; done # create 1000 text files for i in $(seq 1 100); do echo "This is test file number $i." > file$i.txt; 1000 $(id -u user$i); done # each user opens 100 files and reads it for i in $(seq 1 1000); do -u user1 file_1.txt 1000 100 & done --> this will start 100 processes having 100 threads each, which are opening 1000 files each (shared between threads) # Run oscap in a new terminal at the same time oscap xccdf eval --rule xccdf_org.ssgproject.content_rule_file_permissions_ungroupowned --results-arf /tmp/oscap_results.xml /usr/share/xml/scap/ssg/content/ssg-ubuntu2404-ds.xml + # While oscap runs, strace probe_file for some time in a new terminal timeout 10s strace -fttTvyy -o oscap_10s.strace -s 64 -p <pid of probe_file> + + Once this happens, it becomes laggy and program is slow. look at logs for errors specifically lstat A crash occurs, but the program still succeeds. Title Ensure All Files Are Owned by a Group Rule xccdf_org.ssgproject.content_rule_file_permissions_ungroupowned FAIL: 304:pthread_timedjoin_np: 0, Success W: oscap: Can't receive message: 103, Software caused connection abort. E: probe_file: Invalid value of the `recurse_direction' attribute: -1 E: probe_file: Invalid value of the `recurse_direction' attribute: -1 E: probe_file: Invalid value of the `recurse_direction' attribute: -1 E: probe_file: Invalid value of the `recurse_direction' attribute: -1 E: probe_file: Invalid value of the `recurse_direction' attribute: -1 E: probe_file: Invalid value of the `recurse_direction' attribute: -1 E: probe_file: Invalid value of the `recurse_direction' attribute: -1 E: probe_file: Invalid value of the `recurse_direction' attribute: -1 E: probe_file: Invalid value of the `recurse_direction' attribute: -1 E: probe_file: Invalid value of the `recurse_direction' attribute: -1 E: probe_file: Invalid value of the `recurse_direction' attribute: -1 E: probe_file: Invalid value of the `recurse_direction' attribute: -1 E: probe_file: Invalid value of the `recurse_direction' attribute: -1 E: probe_file: Invalid value of the `recurse_direction' attribute: -1 E: probe_file: Invalid value of the `recurse_direction' attribute: -1 Result error - [ Where Problems Could Occur ] [ Other Info ] Backport from upstream. [1] https://bugzilla.redhat.com/show_bug.cgi?id=1932833 [2] https://github.com/OpenSCAP/openscap/pull/1803 -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/2116751 Title: openscap probe_file process consumes excessive resources during CIS scan To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/openscap/+bug/2116751/+subscriptions -- ubuntu-bugs mailing list [email protected] https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
