[Bug 2116751] Re: openscap probe_file process consumes excessive resources during CIS scan

Heather Lemon Thu, 28 Aug 2025 08:30:40 -0700

htop output

** Description changed:


  [ Impact ]
  
- probe_file consumes all the RAM of the system (128GB)
+ probe_file executable consumes all the RAM of the system.
  excessive resource usage running a specific rule which is related to this bug 
[1]. This has been fixed in OpenSCAP 1.3, while Jammy runs 1.2.17. A fix for 
this patch has been made [2].
  
  [ Test Plan ]
  
  Steps to Reproduce:
+ In a Jammy VM:
+ 
+ Have SSSD installed. [3]
+ 
+ Consume a portion of RAM with python script. My testing was 1/2 capacity.
+ ```
+ import time
+ # Set a target memory usage in gigabytes
+ target_gigabytes = 4
+ # Calculate the number of bytes
+ target_bytes = target_gigabytes * (1024 ** 3)
+ 
+ # Create a list to hold the allocated memory
+ memory_hog = []
+ 
+ print(f"Allocating {target_gigabytes}GB of memory. This might freeze
+ your system.")
+ 
+ try:
+     while True:
+         # Append a large block of bytes to the list
+         # Adjust the size of the block (e.g., 1024*1024) to control 
allocation speed
+         memory_hog.append(b" " * (1024 * 1024 * 100)) # Allocate 100MB at a 
time
+         if sum(len(x) for x in memory_hog) >= target_bytes:
+             break
+     print("Allocation complete. Memory held.")
+     # The script will now hold the allocated memory until you close it.
+     while True:
+         time.sleep(1)
+ except MemoryError:
+     print("Memory allocation failed. The system ran out of resources.")
+ except Exception as e:
+     print(f"An error occurred: {e}")
+ ```
+ 
  # create 100 users
  for i in $(seq 1 100); do sudo useradd -N -g users user$i; echo "user-ubu" | 
sudo passwd  user$i; done
  # create 1000 text files
  for i in $(seq 1 100); do echo "This is test file number $i." > file$i.txt; 
1000 $(id -u user$i); done
  # each user opens 100 files and reads it
  for i in $(seq 1 1000); do -u user1 file_1.txt 1000 100 & done
    --> this will start 100 processes having 100 threads each, which are 
opening 1000 files each (shared between threads)
  
- # Run oscap in a new terminal at the same time
- oscap xccdf eval --rule 
xccdf_org.ssgproject.content_rule_file_permissions_ungroupowned  --results-arf 
/tmp/oscap_results.xml /usr/share/xml/scap/ssg/content/ssg-ubuntu2404-ds.xml
+ # Run oscap in a new terminal at the same time as executing the third step.
+ oscap xccdf eval --rule 
xccdf_org.ssgproject.content_rule_file_permissions_ungroupowned  --results-arf 
/tmp/oscap_results.xml /usr/share/xml/scap/ssg/content/ssg-ubuntu2204-ds.xml
  
  # While oscap runs, strace probe_file for some time in a new terminal
  timeout 10s strace -fttTvyy -o oscap_10s.strace -s 64 -p <pid of probe_file>
  
+ # find probe_file executable
+ ps -aux | grep probe_file 
+ ```
+ root        6165  0.0  0.0 288064 11264 pts/3    Sl+  09:12   0:00 
/usr/lib/x86_64-linux-gnu/openscap/probe_file
+ root        6197 52.4  0.1 288064 22248 pts/3    Sl+  09:12   0:09 
/usr/lib/x86_64-linux-gnu/openscap/probe_file
+ ubuntu      6408  0.0  0.0   9212  2560 pts/5    R+   09:12   0:00 grep 
--color=auto probe_file
+ ```
+ # attach strace
+ sudo timeout 10s strace -fttTvyy -o oscap_10s20250823.strace -s 64 -p 6197
+ strace: Process 6197 attached with 5 threads
+ 
+ You can also pull up system monitor and watch memory be consumed. 
+ Or just run htop and sort by memory. [see screenshot]
  Once this happens, it becomes laggy and program is slow.
  
- look at logs for errors specifically lstat
+ look at logs for errors specifically lstat in strace output.
  
  A crash occurs, but the program still succeeds.
  
  Title   Ensure All Files Are Owned by a Group
  Rule    xccdf_org.ssgproject.content_rule_file_permissions_ungroupowned
  FAIL: 304:pthread_timedjoin_np: 0, Success
  W: oscap:     Can't receive message: 103, Software caused connection abort.
  E: probe_file: Invalid value of the `recurse_direction' attribute: -1
  E: probe_file: Invalid value of the `recurse_direction' attribute: -1
  E: probe_file: Invalid value of the `recurse_direction' attribute: -1
  E: probe_file: Invalid value of the `recurse_direction' attribute: -1
  E: probe_file: Invalid value of the `recurse_direction' attribute: -1
  E: probe_file: Invalid value of the `recurse_direction' attribute: -1
  E: probe_file: Invalid value of the `recurse_direction' attribute: -1
  E: probe_file: Invalid value of the `recurse_direction' attribute: -1
  E: probe_file: Invalid value of the `recurse_direction' attribute: -1
  E: probe_file: Invalid value of the `recurse_direction' attribute: -1
  E: probe_file: Invalid value of the `recurse_direction' attribute: -1
  E: probe_file: Invalid value of the `recurse_direction' attribute: -1
  E: probe_file: Invalid value of the `recurse_direction' attribute: -1
  E: probe_file: Invalid value of the `recurse_direction' attribute: -1
  E: probe_file: Invalid value of the `recurse_direction' attribute: -1
  Result  error
  
+ or something like 
+ Title   Ensure All Files Are Owned by a Group
+ Rule    xccdf_org.ssgproject.content_rule_file_permissions_ungroupowned
+ W: oscap:     Obtrusive data from probe!
+ Result  fail
+ 
  [ Where Problems Could Occur ]
+ 
  
  [ Other Info ]
  
  Backport from upstream.
  
  [1] https://bugzilla.redhat.com/show_bug.cgi?id=1932833
  [2] https://github.com/OpenSCAP/openscap/pull/1803
+ [3] 
https://documentation.ubuntu.com/server/how-to/sssd/with-active-directory/index.html

** Attachment added: "Screenshot from 2025-08-28 09-18-48.png"
   
https://bugs.launchpad.net/ubuntu/+source/openscap/+bug/2116751/+attachment/5903118/+files/Screenshot%20from%202025-08-28%2009-18-48.png

** Description changed:

  [ Impact ]
  
- probe_file executable consumes all the RAM of the system.
+ probe_file executable consumes all the RAM of the system during a CIS scan 
with openscap tool.
  excessive resource usage running a specific rule which is related to this bug 
[1]. This has been fixed in OpenSCAP 1.3, while Jammy runs 1.2.17. A fix for 
this patch has been made [2].
  
  [ Test Plan ]
  
  Steps to Reproduce:
  In a Jammy VM:
  
  Have SSSD installed. [3]
  
  Consume a portion of RAM with python script. My testing was 1/2 capacity.
  ```
  import time
  # Set a target memory usage in gigabytes
  target_gigabytes = 4
  # Calculate the number of bytes
  target_bytes = target_gigabytes * (1024 ** 3)
  
  # Create a list to hold the allocated memory
  memory_hog = []
  
  print(f"Allocating {target_gigabytes}GB of memory. This might freeze
  your system.")
  
  try:
-     while True:
-         # Append a large block of bytes to the list
-         # Adjust the size of the block (e.g., 1024*1024) to control 
allocation speed
-         memory_hog.append(b" " * (1024 * 1024 * 100)) # Allocate 100MB at a 
time
-         if sum(len(x) for x in memory_hog) >= target_bytes:
-             break
-     print("Allocation complete. Memory held.")
-     # The script will now hold the allocated memory until you close it.
-     while True:
-         time.sleep(1)
+     while True:
+         # Append a large block of bytes to the list
+         # Adjust the size of the block (e.g., 1024*1024) to control 
allocation speed
+         memory_hog.append(b" " * (1024 * 1024 * 100)) # Allocate 100MB at a 
time
+         if sum(len(x) for x in memory_hog) >= target_bytes:
+             break
+     print("Allocation complete. Memory held.")
+     # The script will now hold the allocated memory until you close it.
+     while True:
+         time.sleep(1)
  except MemoryError:
-     print("Memory allocation failed. The system ran out of resources.")
+     print("Memory allocation failed. The system ran out of resources.")
  except Exception as e:
-     print(f"An error occurred: {e}")
+     print(f"An error occurred: {e}")
  ```
  
  # create 100 users
  for i in $(seq 1 100); do sudo useradd -N -g users user$i; echo "user-ubu" | 
sudo passwd  user$i; done
  # create 1000 text files
  for i in $(seq 1 100); do echo "This is test file number $i." > file$i.txt; 
1000 $(id -u user$i); done
  # each user opens 100 files and reads it
  for i in $(seq 1 1000); do -u user1 file_1.txt 1000 100 & done
    --> this will start 100 processes having 100 threads each, which are 
opening 1000 files each (shared between threads)
  
  # Run oscap in a new terminal at the same time as executing the third step.
  oscap xccdf eval --rule 
xccdf_org.ssgproject.content_rule_file_permissions_ungroupowned  --results-arf 
/tmp/oscap_results.xml /usr/share/xml/scap/ssg/content/ssg-ubuntu2204-ds.xml
  
  # While oscap runs, strace probe_file for some time in a new terminal
  timeout 10s strace -fttTvyy -o oscap_10s.strace -s 64 -p <pid of probe_file>
  
  # find probe_file executable
- ps -aux | grep probe_file 
+ ps -aux | grep probe_file
  ```
  root        6165  0.0  0.0 288064 11264 pts/3    Sl+  09:12   0:00 
/usr/lib/x86_64-linux-gnu/openscap/probe_file
  root        6197 52.4  0.1 288064 22248 pts/3    Sl+  09:12   0:09 
/usr/lib/x86_64-linux-gnu/openscap/probe_file
  ubuntu      6408  0.0  0.0   9212  2560 pts/5    R+   09:12   0:00 grep 
--color=auto probe_file
  ```
  # attach strace
  sudo timeout 10s strace -fttTvyy -o oscap_10s20250823.strace -s 64 -p 6197
  strace: Process 6197 attached with 5 threads
  
- You can also pull up system monitor and watch memory be consumed. 
+ You can also pull up system monitor and watch memory be consumed.
  Or just run htop and sort by memory. [see screenshot]
  Once this happens, it becomes laggy and program is slow.
  
  look at logs for errors specifically lstat in strace output.
  
  A crash occurs, but the program still succeeds.
  
  Title   Ensure All Files Are Owned by a Group
  Rule    xccdf_org.ssgproject.content_rule_file_permissions_ungroupowned
  FAIL: 304:pthread_timedjoin_np: 0, Success
  W: oscap:     Can't receive message: 103, Software caused connection abort.
  E: probe_file: Invalid value of the `recurse_direction' attribute: -1
  E: probe_file: Invalid value of the `recurse_direction' attribute: -1
  E: probe_file: Invalid value of the `recurse_direction' attribute: -1
  E: probe_file: Invalid value of the `recurse_direction' attribute: -1
  E: probe_file: Invalid value of the `recurse_direction' attribute: -1
  E: probe_file: Invalid value of the `recurse_direction' attribute: -1
  E: probe_file: Invalid value of the `recurse_direction' attribute: -1
  E: probe_file: Invalid value of the `recurse_direction' attribute: -1
  E: probe_file: Invalid value of the `recurse_direction' attribute: -1
  E: probe_file: Invalid value of the `recurse_direction' attribute: -1
  E: probe_file: Invalid value of the `recurse_direction' attribute: -1
  E: probe_file: Invalid value of the `recurse_direction' attribute: -1
  E: probe_file: Invalid value of the `recurse_direction' attribute: -1
  E: probe_file: Invalid value of the `recurse_direction' attribute: -1
  E: probe_file: Invalid value of the `recurse_direction' attribute: -1
  Result  error
  
- or something like 
+ or something like
  Title   Ensure All Files Are Owned by a Group
  Rule    xccdf_org.ssgproject.content_rule_file_permissions_ungroupowned
  W: oscap:     Obtrusive data from probe!
  Result  fail
  
  [ Where Problems Could Occur ]
- 
  
  [ Other Info ]
  
  Backport from upstream.
  
  [1] https://bugzilla.redhat.com/show_bug.cgi?id=1932833
  [2] https://github.com/OpenSCAP/openscap/pull/1803
  [3] 
https://documentation.ubuntu.com/server/how-to/sssd/with-active-directory/index.html

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/2116751

Title:
  openscap probe_file process consumes excessive resources during CIS
  scan

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/openscap/+bug/2116751/+subscriptions


-- 
ubuntu-bugs mailing list
[email protected]
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs

[Bug 2116751] Re: openscap probe_file process consumes excessive resources during CIS scan

Reply via email to