- Bug
- Resolution: Won't Do
- rhel-8.6.0
- Moderate
- rhel-sst-security-compliance
- ssg_security
- Release Note Not Required
- x86_64
Description of problem:
When SSSD enumeration is enabled, oscap runs slower.
Subsequent oscap runs (after the initial enumeration is over) are also taking time.
- Without enumeration:
$ date ; time oscap xccdf eval --profile xccdf_org.ssgproject.content_profile_stig --rule xccdf_org.ssgproject.content_rule_no_files_unowned_by_user --thin-results /usr/share/xml/scap/ssg/content/ssg-rhel8-ds.xml
Fri Oct 7 18:48:53 IST 2022
WARNING: Datastream component 'scap_org.open-scap_cref_security-data-oval-com.redhat.rhsa-RHEL8.xml.bz2' points out to the remote 'https://access.redhat.com/security/data/oval/com.redhat.rhsa-RHEL8.xml.bz2'. Use '--fetch-remote-resources' option to download it.
WARNING: Skipping 'https://access.redhat.com/security/data/oval/com.redhat.rhsa-RHEL8.xml.bz2' file which is referenced from datastream
WARNING: Skipping ./security-data-oval-com.redhat.rhsa-RHEL8.xml.bz2 file which is referenced from XCCDF content
--- Starting Evaluation ---
Title Ensure All Files Are Owned by a User
Rule xccdf_org.ssgproject.content_rule_no_files_unowned_by_user
Ident CCE-83499-4
Result fail
real 0m34.565s
user 0m27.348s
sys 0m8.094s
$
- With enumeration:
$ date ; time oscap xccdf eval --profile xccdf_org.ssgproject.content_profile_stig --rule xccdf_org.ssgproject.content_rule_no_files_unowned_by_user --thin-results /usr/share/xml/scap/ssg/content/ssg-rhel8-ds.xml
Fri Oct 7 19:11:27 IST 2022
WARNING: Datastream component 'scap_org.open-scap_cref_security-data-oval-com.redhat.rhsa-RHEL8.xml.bz2' points out to the remote 'https://access.redhat.com/security/data/oval/com.redhat.rhsa-RHEL8.xml.bz2'. Use '--fetch-remote-resources' option to download it.
WARNING: Skipping 'https://access.redhat.com/security/data/oval/com.redhat.rhsa-RHEL8.xml.bz2' file which is referenced from datastream
WARNING: Skipping ./security-data-oval-com.redhat.rhsa-RHEL8.xml.bz2 file which is referenced from XCCDF content
--- Starting Evaluation ---
Title Ensure All Files Are Owned by a User
Rule xccdf_org.ssgproject.content_rule_no_files_unowned_by_user
Ident CCE-83499-4
Result fail
real 0m56.001s
user 0m26.325s
sys 0m7.080s
$
Version-Release number of selected component (if applicable):
$ cat /etc/redhat-release
Red Hat Enterprise Linux release 8.6 (Ootpa)
$
$ rpm -qa | grep sssd
sssd-2.6.2-4.el8_6.1.x86_64
sssd-client-debuginfo-2.6.2-4.el8_6.1.x86_64
sssd-common-2.6.2-4.el8_6.1.x86_64
sssd-ipa-2.6.2-4.el8_6.1.x86_64
sssd-krb5-2.6.2-4.el8_6.1.x86_64
sssd-debugsource-2.6.2-4.el8_6.1.x86_64
sssd-client-2.6.2-4.el8_6.1.x86_64
sssd-dbus-2.6.2-4.el8_6.1.x86_64
sssd-krb5-common-2.6.2-4.el8_6.1.x86_64
python3-sssdconfig-2.6.2-4.el8_6.1.noarch
sssd-nfs-idmap-2.6.2-4.el8_6.1.x86_64
sssd-tools-2.6.2-4.el8_6.1.x86_64
sssd-kcm-2.6.2-4.el8_6.1.x86_64
sssd-common-pac-2.6.2-4.el8_6.1.x86_64
sssd-ad-2.6.2-4.el8_6.1.x86_64
sssd-ldap-2.6.2-4.el8_6.1.x86_64
sssd-proxy-2.6.2-4.el8_6.1.x86_64
sssd-debuginfo-2.6.2-4.el8_6.1.x86_64
$
$ rpm -qa | grep openscap
openscap-scanner-1.3.6-3.el8.x86_64
openscap-debugsource-1.3.6-3.el8.x86_64
openscap-scanner-debuginfo-1.3.6-3.el8.x86_64
openscap-debuginfo-1.3.6-3.el8.x86_64
openscap-1.3.6-3.el8.x86_64
$
How reproducible:
Always.
Steps to Reproduce:
1. Create 10K IPA users, each user having its own home directory.
2. Enable SSSD enumeration.
3. Run the oscap command.
Actual results:
oscap takes longer with enumeration.
Expected results:
After SSSD initial enumeration, one would expect oscap to run faster.
Additional info:
SSSD cache was mounted in tmpfs.
Setting ignore_group_members to true doesn't help.
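For readers who want to see what the rule above actually asks of the name service, the following is an added stand-alone approximation of the "no files unowned by a user" check; it is not OpenSCAP's code and does not claim to mirror how oscap evaluates the OVAL. It resolves each distinct owning UID once, so the number of passwd lookups (which go through SSSD for IPA users) grows with distinct owners rather than with files; the `resolve` parameter is a hypothetical injection point so the logic can be exercised without real unowned files.

```python
"""Added illustration of the "files owned by a known user" check.

Not OpenSCAP's implementation. Each distinct owning UID is looked up in
the name service once and the answer is memoised, so the cost of
getpwuid() calls (served by SSSD for IPA users) scales with the number
of distinct owners, not with the number of files walked.
"""
import os
import pwd


def find_unowned(root, resolve=pwd.getpwuid):
    """Walk `root` and return (unowned_paths, lookups_performed).

    `resolve(uid)` behaves like pwd.getpwuid: it returns an entry for a
    known UID and raises KeyError for an unknown one. It is injectable
    (a hypothetical parameter for this example) so the behaviour can be
    tested without creating files owned by non-existent users.
    """
    known = {}          # uid -> True if the name service knows it
    unowned = []
    lookups = 0
    for dirpath, dirnames, filenames in os.walk(root):
        # Check directories and files alike; lstat so a symlink's own owner counts.
        for name in dirnames + filenames:
            path = os.path.join(dirpath, name)
            try:
                uid = os.lstat(path).st_uid
            except OSError:
                continue    # entry vanished or is unreadable; skip it
            if uid not in known:
                lookups += 1
                try:
                    resolve(uid)
                    known[uid] = True
                except KeyError:
                    known[uid] = False
            if not known[uid]:
                unowned.append(path)
    return unowned, lookups


if __name__ == "__main__":
    paths, n = find_unowned("/var/tmp")
    print(f"{len(paths)} unowned entries, {n} name-service lookups")
    for p in paths:
        print(p)
```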
- relates to: RHEL-1803 Openscap rule "Ensure All Files Are Owned by a User" does not consider/honor AD/sssd users (Closed)