
W: oscap: Filesystem tree cycle detected at /dev/... #2124

Closed
gaure opened this issue Jun 10, 2024 · 10 comments
Labels
content Issues related to security content

Comments

gaure commented Jun 10, 2024

Thanks!

Description of Problem:

When running oscap command:

$ oscap xccdf eval --profile xccdf_org.ssgproject.content_profile_stig --results-arf arf.xml --report report.html --oval-results scap-security-guide-0.1.73/ssg-ubuntu2204-ds-1.2.xml

The oscap goes into an infinite loop with the following error:

W: oscap: Filesystem tree cycle detected at '/dev/groqA3.pci/driver/0000:01:00.0/subsystem/devices/0000:03:00.0/firmware_node/wakeup/wakeup33/subsystem/wakeup58/device/device:e4/physical_node/0000:e5:00.0/i2c-3/subsystem/devices/i2c-1/device/iommu_group/devices/0000:00:14.3/firmware_node/PNP0501:01/physical_node/driver/00:03/firmware_node/subsystem/devices/device:158/physical_node/iommu/devices/0000:a0:07.1/firmware_node/device:156/physical_node/dma/dma14chan0/subsystem/dma3chan0/device/driver/0000:02:00.2/iommu/devices/0000:03:00.3/usb1/firmware_node/physical_node3/subsystem/devices/5-2/5-2.4/driver/usb5/5-2

OpenSCAP Version:

OpenSCAP command line tool (oscap) 1.4.0
Copyright 2009--2023 Red Hat Inc., Durham, North Carolina.

==== Supported specifications ====
SCAP Version: 1.3
XCCDF Version: 1.2
OVAL Version: 5.11.1
CPE Version: 2.3
Asset Identification Version: 1.1
Asset Reporting Format Version: 1.1

Operating System & Version:

Ubuntu 22.04.

Steps to Reproduce:

  1. Compile openscanlib from source.
  2. Run the oscap eval command using the Ubuntu 22.04 datastream file on hardware with "groq LPU hardware and software installed"

Actual Results:

Infinite loop.
--- Starting Evaluation ---

Title Install AIDE
Rule xccdf_org.ssgproject.content_rule_package_aide_installed
Result fail

Title Build and Test AIDE Database
Rule xccdf_org.ssgproject.content_rule_aide_build_database
Result fail

Title Configure AIDE to Verify the Audit Tools
Rule xccdf_org.ssgproject.content_rule_aide_check_audit_tools
Result fail

Title Configure AIDE To Notify Personnel if Baseline Configurations Are Altered
Rule xccdf_org.ssgproject.content_rule_aide_disable_silentreports
W: oscap: Filesystem tree cycle detected at '/dev/groqA3.pci/iommu_group/devices/0000:61:00.0'.
W: oscap: Filesystem tree cycle detected at '/dev/groqA3.pci/driver/0000:01:00.0/iommu_group/devices/0000:01:00.0'.
W: oscap: Filesystem tree cycle detected at '/dev/groqA3.pci/driver/0000:01:00.0/driver'.
W: oscap: Filesystem tree cycle detected at '/dev/groqA3.pci/driver/0000:01:00.0/subsystem/devices/0000:03:00.0/iommu_group/devices/0000:03:00.0'.
W: oscap: Filesystem tree cycle detected at '/dev/groqA3.pci/driver/0000:01:00.0/subsystem/devices/0000:03:00.0/firmware_node/wakeup/wakeup33/device'.
W: oscap: Filesystem tree cycle detected at '/dev/groqA3.pci/driver/0000:01:00.0/subsystem/devices/0000:03:00.0/firmware_node/wakeup/wakeup33/subsystem/wakeup58/device/device:e4/wakeup/wakeup60/device'.
W: oscap: Filesystem tree cycle detected at '/dev/groqA3.pci/driver/0000:01:00.0/subsystem/devices/0000:03:00.0/firmware_node/wakeup/wakeup33/subsystem/wakeup58/device/device:e4/wakeup/wakeup60/subsystem'.
W: oscap: Filesystem tree cycle detected at '/dev/groqA3.pci/driver/0000:01:00.0/subsystem/devices/0000:03:00.0/firmware_node/wakeup/wakeup33/subsystem/wakeup58/device/device:e4/physical_node/iommu_group/devices/0000:e3:02.0'

Expected Results:

Recursion problem solved as stated in #1534.

Additional Information / Debugging Steps:

NA

gaure (Author) commented Jun 10, 2024

This problem is most likely caused by the symbolic links in the /dev directory.

evgenyz (Contributor) commented Jun 10, 2024

I wonder which rule actually fails; it can't be xccdf_org.ssgproject.content_rule_aide_disable_silentreports. Can you please provide the full verbose log?

gaure (Author) commented Jun 10, 2024

Hi evgenyz, thanks for the prompt response.

Yes, it is the AIDE rule; I customized the profile, removed the rule, and the scan job finished in less than 2 minutes.

I am working on the verbose logs.

gaure (Author) commented Jun 10, 2024

Hi evgenyz,
Attached are the verbose logs.
It is a big file, so I just captured a few lines at the beginning of the AIDE rule.
You will see when the rule is parsing the "proc" file system, but the issue is when it starts parsing "/dev".
I have had the scan running for 62 hours and it does not get out of the "/dev" filesystem. Eventually it crashes because of memory problems.
Thanks!
log-trim.txt.gz

evgenyz (Contributor) commented Jun 10, 2024

You can use `--rule rule_id` to execute just a single rule to avoid collecting unrelated logs.

gaure (Author) commented Jun 11, 2024

Hi evgenyz,
Any idea why the probe_file doesn't stop after a predefined depth to avoid the loop?
Or do you still need the verbose logs only for that rule? Even with a single rule selected, the logs will still be very large.
Best,
GA

evgenyz (Contributor) commented Jun 11, 2024

Is the definition of the object in your DS like this:

<unix:file_object id="oval:ssg-obj_aide_disable_silentreports_config_file:obj:1" version="1" comment="The configuration file /etc/default/aide for aide_disable_silentreports">
   <unix:filepath operation="pattern match">^/etc/default/aide</unix:filepath>
</unix:file_object>

?
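To make the cost of that object definition concrete: the added Python example below is not OpenSCAP's probe code but a simplified model of how a file probe has to resolve a `unix:file_object`. It builds a constructed temporary tree with an `etc/default/aide` file and a `dev` subtree whose symlinks point back up the tree (the shape of the sysfs-style links in the warnings above), then resolves the same object once with an `equals` filepath (a single stat) and once with the pattern match `^/etc/default/aide` (a walk over every directory, with the inode-based cycle detection that produces "Filesystem tree cycle detected" style warnings). The names `build_sample_tree`, `resolve_equals`, `resolve_pattern_match` and `demo` are my own and the tree is constructed for the demo.

```python
import os
import re
import shutil
import tempfile


def build_sample_tree():
    """Constructed sample tree (not a real system): a small 'etc' and a 'dev'
    subtree whose symlinks point back up, like sysfs device/subsystem links."""
    root = tempfile.mkdtemp(prefix="oval-probe-demo-")
    os.makedirs(os.path.join(root, "etc", "default"))
    with open(os.path.join(root, "etc", "default", "aide"), "w") as fh:
        fh.write("AIDE_SILENTREPORTS=no\n")
    driver = os.path.join(root, "dev", "demo.pci", "driver")
    os.makedirs(driver)
    # Two symlinks that lead back to directories already on the walker's path.
    os.symlink(os.path.join(root, "dev"), os.path.join(driver, "subsystem"))
    os.symlink(os.path.join(root, "dev", "demo.pci"), os.path.join(driver, "device"))
    return root


def resolve_equals(root, filepath):
    """'equals' operation: one stat() of the named path decides the result."""
    path = os.path.join(root, filepath.lstrip("/"))
    return [path] if os.path.isfile(path) else []


def resolve_pattern_match(root, regex):
    """'pattern match' operation: the regex gives no directory to start from,
    so every directory under root is walked and every file path is tested.
    Symlinks are followed, and a (device, inode) set flags directories seen
    before, which is the loop the oscap warning reports.
    Returns (matching paths, directories walked, cycles detected)."""
    pat = re.compile(regex)
    seen, matches, walked, cycles = set(), [], 0, 0
    stack = [root]
    while stack:
        directory = stack.pop()
        try:
            st = os.stat(directory)  # follows symlinks
        except OSError:
            continue
        key = (st.st_dev, st.st_ino)
        if key in seen:
            cycles += 1  # reached again through a symlink: do not descend
            continue
        seen.add(key)
        walked += 1
        try:
            entries = os.scandir(directory)
        except OSError:
            continue
        with entries:
            for entry in entries:
                if entry.is_dir(follow_symlinks=True):
                    stack.append(entry.path)
                else:
                    rel = "/" + os.path.relpath(entry.path, root)
                    if pat.search(rel):
                        matches.append(entry.path)
    return matches, walked, cycles


def demo():
    """Resolve the same object both ways and report the cost difference."""
    root = build_sample_tree()
    try:
        eq = resolve_equals(root, "/etc/default/aide")
        pm, walked, cycles = resolve_pattern_match(root, r"^/etc/default/aide")
        return {
            "equals_hits": len(eq),
            "pattern_hits": len(pm),
            "same_file": [os.path.realpath(p) for p in eq]
            == [os.path.realpath(p) for p in pm],
            "dirs_walked": walked,
            "cycles_detected": cycles,
        }
    finally:
        shutil.rmtree(root)


if __name__ == "__main__":
    print(demo())
```

Both operations find the same single file, but the pattern match visits every directory in the tree and trips the cycle detector twice on the way, which is why on a host with a large, heavily cross-linked `/dev` or `/sys` the scan spends its time (and memory) there rather than in `/etc`. The cycle check keeps the walk finite; it does not make it short.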

evgenyz (Contributor) commented Jun 11, 2024

Probably your problem is this: ComplianceAsCode/content#11973

evgenyz added the label "content" (Issues related to security content) Jun 11, 2024

gaure (Author) commented Jun 14, 2024

Thanks a million @evgenyz, I will apply the patch.
Have a great weekend.

gaure closed this as completed Jun 14, 2024

gaure (Author) commented Jun 14, 2024

Problem with the scap-security-guide-0.1.73 content
