openscap icon indicating copy to clipboard operation
openscap copied to clipboard
verified publisher icon OpenSCAP

Post remediation scan fails: Can't connect to the probe [oval_probe_ext.c:468]

Open ZappedC64 opened this issue 7 years ago • 5 comments

Description of Problem:

After remediation I get this when running a scan:

Can't connect to the probe [oval_probe_ext.c:468] Can't connect to the probe [oval_probe_ext.c:468] Can't connect to the probe [oval_probe_ext.c:468] Invalid oval result type: -1. [oval_resultTest.c:179] Can't connect to the probe [oval_probe_ext.c:468]

OpenSCAP Version:

1.12.16

Operating System & Version:

RedHat 7.3

Steps to Reproduce:

Run this command:

oscap xccdf eval --profile xccdf_org.ssgproject.content_profile_stig-rhel7-disa
--results scap-results-$HOSTNAME/scan-results-after-$HOSTNAME.xml
/usr/share/xml/scap/ssg/content/ssg-rhel7-ds.xml

Actual Results:

Can't connect to the probe [oval_probe_ext.c:468] Invalid oval result type: -1. [oval_resultTest.c:179]

Expected Results:

The generated HTML report is incomplete.

Additional Information / Debugging Steps:

Packages installed on RHEL 7.3:

openscap-1.2.16-8.el7_5.x86_64 openscap-scanner-1.2.16-8.el7_5.x86_64 scap-security-guide-0.1.36-9.el7_5.noarch

ZappedC64 avatar Oct 11 '18 14:10 ZappedC64

Hi @ZappedC64 . Does it happen during evaluation of a specific rule?

jan-cerny avatar Oct 17 '18 08:10 jan-cerny

Hello @jan-cerny ,

I think so but it's difficult to tell from the output. This the output I see just before it aborts:

Title Ensure Default SNMP Password Is Not Used Rule xccdf_org.ssgproject.content_rule_snmpd_not_default_password Ident CCE-27386-2 Result pass

OpenSCAP Error: Probe with PID=21895 has been killed with signal 9 [sch_pipe.c:178] Can't close sd [oval_probe_ext.c:522] Invalid oval result type: -1. [oval_resultTest.c:179]

Hope this helps, /Raj

ZappedC64 avatar Oct 17 '18 15:10 ZappedC64

@ZappedC64 Thanks

jan-cerny avatar Oct 18 '18 06:10 jan-cerny

mtopa703-ksar-graph-20191105a

Discovered that openscap is causing the server to run out of memory while scanning.

ZappedC64 avatar Nov 05 '18 17:11 ZappedC64

I ran in to this as well:

...
Title   Mount Remote Filesystems with nosuid
Rule    xccdf_org.ssgproject.content_rule_mount_option_nosuid_remote_filesystems
Ident   CCE-80240-5
Result  pass

OpenSCAP Error: Can't connect to the probe [oval_probe_ext.c:468]
Invalid oval result type: -1. [oval_resultTest.c:179]

$ cat /etc/redhat-release 
Red Hat Enterprise Linux Server release 7.9 (Maipo)
$ free -m
              total        used        free      shared  buff/cache   available
Mem:           1837         662          75           8        1100         984
Swap:          2047           0        2047
$ yum list installed | egrep scap
openscap.x86_64                       1.2.17-11.el7               @artifact-rpms
openscap-containers.noarch            1.2.17-11.el7               @artifact-rpms
openscap-scanner.x86_64               1.2.17-11.el7               @artifact-rpms
openscap-utils.x86_64                 1.2.17-11.el7               @artifact-rpms
perl-Pod-Escapes.noarch               1:1.04-297.el7              @artifact-rpms
scap-security-guide.noarch            0.1.49-13.el7               @artifact-rpms

oscap xccdf eval --benchmark-id xccdf_org.ssgproject.content_benchmark_RHEL-7 --profile xccdf_org.ssgproject.content_profile_stig --results scan-results.xml --report post-ansible-report.html /usr/share/xml/scap/ssg/content/ssg-rhel7-ds.xml

$ getenforce
Enforcing

benhosmer avatar Oct 28 '20 20:10 benhosmer