OpenSCAP textfilecontent54 probe does not work in offline mode #1001
Description
Hello, I use openscap-1.2.16-1.fc27.x86_64 on Fedora 27.
I have a serious problem because I can't retrieve data from text files using oscap-chroot.
I use this content:
reproducer.oval.zip
This OVAL file is a textfilecontent54 test that requires that a hello.txt exists in the root directory.
I use these steps:
```sh
mkdir /tmp/xxx
echo "Hello" > /tmp/xxx/hello.txt
sudo oscap-chroot /tmp/xxx oval eval --results results.xml reproducer.oval.xml
```
The results.xml doesn't contain data about hello.txt.
```xml
<collected_objects>
  <object id="oval:x:obj:1" version="1" flag="does not exist"/>
</collected_objects>
```
Another problem is that it starts working if a file with the same name exists on the host filesystem. In other words, OpenSCAP checks if the given file exists on the host filesystem and then reads data from a file with the same name in the guest filesystem.
Example:
```sh
mkdir /tmp/zzz
echo "Hello" > /tmp/zzz/hello.txt
sudo touch /hello.txt
sudo oscap-chroot /tmp/zzz oval eval --results results.xml reproducer.oval.xml
```
Now the OVAL results contain the data from /tmp/zzz; we can verify that we see "Hello" there, but the file in / is empty. But it required the file in / to exist in order to get data from /tmp/zzz. That, I think, is completely wrong.
```xml
<ind-sys:textfilecontent_item id="1075811" status="exists">
  <ind-sys:filepath>/tmp/zzz//hello.txt</ind-sys:filepath>
  <ind-sys:path>/tmp/zzz/</ind-sys:path>
  <ind-sys:filename>hello.txt</ind-sys:filename>
  <ind-sys:pattern>^.*$</ind-sys:pattern>
  <ind-sys:instance datatype="int">1</ind-sys:instance>
  <ind-sys:line>^.*$</ind-sys:line>
  <ind-sys:text>Hello</ind-sys:text>
</ind-sys:textfilecontent_item>
</system_data>
```
This should be a problem if we scan a container and we want to check configuration compliance of something that is installed only in the container but is not present on the host. Then OpenSCAP isn't able to get the data.
The problem looks to have been introduced by 908d002. Unfortunately, when we reviewed that, we didn't consider the oval_fts_open function, which still checks the host filesystem in offline mode.
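To make the reported behaviour concrete, the following is a small C model of it, added to this page as an illustration. It is not OpenSCAP code and does not reproduce the real `oval_fts_open` logic; it stands two scratch directories in for the host root and the `oscap-chroot` target so that it runs without root and without `oscap` installed. The names `join_under_root`, `read_first_line`, `buggy_probe`, `fixed_probe`, `write_file` and `run_scenario` are invented for the example. `buggy_probe` decides existence against the host tree and then reads content from the guest tree, which is the inversion the report describes; `fixed_probe` prefixes every path before it touches the filesystem, so host state cannot influence what the guest scan reports.

```c
#include <errno.h>
#include <stdio.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

#define PATHBUF 4096

/* ("/tmp/zzz", "/hello.txt") -> "/tmp/zzz/hello.txt"; -1 if it would not fit. */
static int join_under_root(char *out, size_t outlen, const char *root, const char *path)
{
    int n = snprintf(out, outlen, "%s%s", root, path);
    return (n >= 0 && (size_t)n < outlen) ? 0 : -1;
}

/* First line of the file at hostpath into buf, newline stripped.
 * Returns 1 if the file opened (an empty file yields ""), 0 otherwise. */
static int read_first_line(const char *hostpath, char *buf, size_t len)
{
    FILE *f = fopen(hostpath, "r");
    if (!f) return 0;
    if (!fgets(buf, (int)len, f)) buf[0] = '\0';
    fclose(f);
    buf[strcspn(buf, "\n")] = '\0';
    return 1;
}

/* Hypothetical model of the reported behaviour, not OpenSCAP's code: existence is
 * decided against host_root (standing in for the real host "/"), but the content is
 * read from guest_root (the oscap-chroot argument). 1 = "exists", 0 = "does not exist". */
static int buggy_probe(const char *host_root, const char *guest_root,
                       const char *path, char *text, size_t len)
{
    char on_host[PATHBUF], in_guest[PATHBUF];
    struct stat st;
    if (join_under_root(on_host, sizeof on_host, host_root, path) < 0 ||
        join_under_root(in_guest, sizeof in_guest, guest_root, path) < 0)
        return 0;
    if (stat(on_host, &st) != 0) return 0;   /* wrong tree consulted: host, not guest */
    return read_first_line(in_guest, text, len);
}

/* Corrected model: every filesystem call goes through the prefixed path, so
 * nothing on the host can change the answer. */
static int fixed_probe(const char *guest_root, const char *path, char *text, size_t len)
{
    char in_guest[PATHBUF];
    struct stat st;
    if (join_under_root(in_guest, sizeof in_guest, guest_root, path) < 0) return 0;
    if (stat(in_guest, &st) != 0 || !S_ISREG(st.st_mode)) return 0;
    return read_first_line(in_guest, text, len);
}

static int write_file(const char *hostpath, const char *content)
{
    FILE *f = fopen(hostpath, "w");
    if (!f) return -1;
    fputs(content, f);
    return fclose(f);
}

/* Rebuild the report's setup under a scratch tree: guest/hello.txt holds "Hello"
 * (the /tmp/zzz step); host/hello.txt is created empty only when host_has_file is
 * nonzero (the `sudo touch /hello.txt` step). Returns a bitmask: bit 0 = buggy probe
 * says "exists", bit 1 = fixed probe says "exists", bit 2 = fixed probe read "Hello". */
int run_scenario(int host_has_file)
{
    char base[PATHBUF], guest_root[PATHBUF], host_root[PATHBUF], p[PATHBUF];
    snprintf(base, sizeof base, "/tmp/oscap-offline-model-%ld", (long)getpid());
    snprintf(guest_root, sizeof guest_root, "%s/guest", base);
    snprintf(host_root, sizeof host_root, "%s/host", base);
    if ((mkdir(base, 0700) != 0 && errno != EEXIST) ||
        (mkdir(guest_root, 0700) != 0 && errno != EEXIST) ||
        (mkdir(host_root, 0700) != 0 && errno != EEXIST))
        return -1;                               /* scratch tree could not be created */
    join_under_root(p, sizeof p, guest_root, "/hello.txt");
    if (write_file(p, "Hello\n") != 0) return -1;
    join_under_root(p, sizeof p, host_root, "/hello.txt");
    if (host_has_file && write_file(p, "") != 0) return -1;

    char text[64] = "";
    int result = 0;
    if (buggy_probe(host_root, guest_root, "/hello.txt", text, sizeof text)) result |= 1;
    text[0] = '\0';
    if (fixed_probe(guest_root, "/hello.txt", text, sizeof text)) result |= 2;
    if (strcmp(text, "Hello") == 0) result |= 4;

    unlink(p);                                   /* best-effort cleanup, p = host file */
    join_under_root(p, sizeof p, guest_root, "/hello.txt");
    unlink(p);
    rmdir(guest_root); rmdir(host_root); rmdir(base);
    return result;
}

int main(void)
{
    printf("host hello.txt absent:  %d (6 = buggy misses it, fixed reads Hello)\n", run_scenario(0));
    printf("host hello.txt present: %d (7 = buggy now 'finds' it, fixed unchanged)\n", run_scenario(1));
    return 0;
}
```

Compile with `cc -o offline-model offline-model.c` and run it: the first scenario yields 6 (the buggy probe reports "does not exist" while the fixed one finds the guest file and reads "Hello"), the second yields 7 (an empty file in the host tree is enough to flip the buggy probe to "exists", with its content still coming from the guest). The general lesson for any offline-mode probe is the one this model encodes: the existence check, the directory walk and the open must all use the same prefixed path, otherwise host state decides what the guest scan reports.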