[Open-scap] OpenSCAP hangs

Simon Lukasik slukasik at redhat.com
Thu Dec 19 09:08:40 UTC 2013


On 12/19/2013 02:02 AM, Yao, Wenjie wrote:
> Hi,
> 
> I’m evaluating OpenSCAP for a project and did a test scan using SSG
> benchmarks for Linux 6. I run the following command:
> 
> oscap xccdf eval --profile stig-rhel6-server --results ssg-results.xml
> --report ssg-results.html
> /usr/share/xml/scap/ssg/content/ssg-rhel6-xccdf.xml
> 
> The scan hangs at evaluating the rule,
> world_writable_files_system_ownership.
> 
>  

Hello Yao,

> 
> I have the following questions and would appreciate your insight:
> 
> 1)      Why does the scan hang

You will find out when you strace the processes of oscap.

>                                instead of reporting an error and
> continuing with the rest of the rules?
> 
> 2)      Does OpenSCAP support a timeout so that the scan can abort the
> measurement of a rule after a certain time limit (specified by user) has
> been reached?

This is not supported yet. The hard thing is to come up with some
reasonable default limit time.

> 
> 3)      When scanning of a rule is stuck or fails (with error), can
> OpenSCAP spawn another process to continue the rest of the scan?
> 

Another option would be to have everything parallelized from the start. Some
of the operations are CPU-bound, others are disk-bound or
memory-bound.

Best regards,

-- 
Simon Lukasik
Security Technologies
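
Added example, not part of the original message: a small shell helper for the "strace the processes of oscap" advice above. It lists oscap and every descendant process with its scheduler state and kernel wait channel, which shows whether a stuck scan is busy on CPU or blocked on I/O before you attach strace. The function names and the PROC_ROOT override are assumptions made for this sketch.

```bash
#!/bin/sh
# Added example (not from the thread): list oscap and its descendants from /proc.
# PROC_ROOT is an assumption so the functions can be pointed at a test tree.
PROC_ROOT="${PROC_ROOT:-/proc}"

# proc_summary PID -> "PID STATE PPID COMM" (COMM last: it may contain spaces)
proc_summary() {
    local pid="$1" stat comm rest
    stat="$(cat "$PROC_ROOT/$pid/stat" 2>/dev/null)" || return 1
    comm="${stat#*(}"; comm="${comm%)*}"   # text between first '(' and last ')'
    rest="${stat##*) }"                     # fields after comm: state ppid ...
    set -- $rest
    printf '%s %s %s %s\n' "$pid" "$1" "$2" "$comm"
}

# is_under PID NAME: succeeds if PID or one of its ancestors is named NAME
is_under() {
    local pid="$1" name="$2" s pp
    while [ "$pid" -gt 0 ] 2>/dev/null; do
        s="$(proc_summary "$pid")" || return 1
        set -- $s; pp="$3"; shift 3
        [ "$*" = "$name" ] && return 0
        pid="$pp"
    done
    return 1
}

# oscap_report [NAME]: print "PID STATE WCHAN COMM" for NAME and its descendants
oscap_report() {
    local name="${1:-oscap}" d pid s st wchan
    for d in "$PROC_ROOT"/[0-9]*; do
        pid="${d##*/}"
        is_under "$pid" "$name" || continue
        s="$(proc_summary "$pid")" || continue
        set -- $s; st="$2"; shift 3
        wchan="$(cat "$PROC_ROOT/$pid/wchan" 2>/dev/null)" || wchan="?"
        printf '%s %s %s %s\n' "$pid" "$st" "${wchan:-?}" "$*"
    done
}

# State D = uninterruptible sleep (typically disk or network-filesystem I/O),
# R = running on CPU, S = sleeping. Attach to the PID of interest with:
#   strace -f -tt -p <PID>
```

Source the file and call `oscap_report` while the scan appears stuck; a process that stays in state R or D is the one worth tracing.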



