
auditd_audispd_configure_sufficiently_large_partition reports unknown after #11816 #11891

Closed
marcusburghardt opened this issue Apr 25, 2024 · 2 comments · Fixed by #11917 · May be fixed by #11903
Assignees
Labels
productization-issue Issue found in upstream stabilization process.

Comments

@marcusburghardt

Description of problem:

After the removal of a condition based on the OVAL version in auditd_audispd_configure_sufficiently_large_partition it started to report unknown result:

W: oscap: Entity name 'value' from state (id: 'oval:ssg-state_aacsflp_partition_sufficiently_large:ste:1') not found in item (id: '1011431076').
2024-04-25 04:49:39 test.py:49: lib.results.report_plain:182: ERROR auditd_audispd_configure_sufficiently_large_partition (unknown)

SCAP Security Guide Version:

master branch as of 2024-04-25

Operating System Version:

RHEL 9 and RHEL 8

Steps to Reproduce:

  1. ./build_product rhel9
  2. copy the datastream to a RHEL9 VM
    2.1. scp build/ssg-rhel9-ds.xml root@rhel9:
  3. Start an SSH session with this RHEL9 VM and run the scan for this rule:
    3.1 oscap xccdf eval --profile stig --rule xccdf_org.ssgproject.content_rule_auditd_audispd_configure_sufficiently_large_partition --results-arf /tmp/arf.xml --report /tmp/report.html --oval-results ssg-rhel9-ds.xml

Actual Results:

--- Starting Evaluation ---

Title   Configure a Sufficiently Large Partition for Audit Logs
Rule    xccdf_org.ssgproject.content_rule_auditd_audispd_configure_sufficiently_large_partition
Ident   CCE-88173-0
W: oscap: Entity name 'value' from state (id: 'oval:ssg-state_aacsflp_partition_sufficiently_large:ste:1') not found in item (id: '1047257').
Result  unknown

OpenSCAP Error: Entity 'block_size' has not been found in partition_item (id: 1047256) specified by object 'oval:ssg-obj_aacsflp_audit_partition:obj:1'. [/builddir/build/BUILD/openscap-1.3.8/src/OVAL/oval_component.c:1442]

Expected Results:

Pass or Fail based on the partition size.

Additional Information/Debugging Steps:

While investigating the OVAL and some ARF files, I noticed an issue with the OVAL objects in this rule.
However, when I tried to fix the issue I identified another problem that blocked me from refactoring the OVAL.
To properly calculate the partition size it is necessary to collect the total_space and block_size properties as specified in the OVAL documentation:

However, the partition_probe in OpenSCAP has a condition to collect the block_size properly:

I didn't find more context about this condition.
I didn't find an alternative to get the partition size without this block_size property. I am open to ideas.
So, we should first consider if we can update this on the scanner side. Otherwise, we should revert the condition removed by #11816 to avoid this issue.
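The evaluation the rule is trying to perform, written out as an added Python illustration (this is not the SCAP Security Guide's OVAL nor the OpenSCAP partition probe): the audit log directory is read from auditd.conf, the partition holding it is selected by longest mount-point prefix, and its size is computed as total_space multiplied by block_size. The required size, the sample auditd.conf text and the partition items are constructed values for the demonstration; when block_size was not collected the function returns "unknown", which is the outcome the report above shows.

```python
"""Partition-size check mirroring the logic described in the issue.

Added illustration; not the project's OVAL content or OpenSCAP probe code.
Assumption: the rule requires the partition that holds the audit log
directory to have at least `required_bytes`, where the partition size is
total_space (blocks) * block_size (bytes per block), the two OVAL
partition_item entities named in the issue.
"""
import os
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample of /etc/audit/auditd.conf content (not taken from any host).
SAMPLE_AUDITD_CONF = """\
#
# This file controls the configuration of the audit daemon
#
local_events = yes
write_logs = yes
log_file = /var/log/audit/audit.log
log_group = root
log_format = ENRICHED
flush = INCREMENTAL_ASYNC
"""


@dataclass
class PartitionItem:
    """Subset of the OVAL partition_item entities used by the check."""
    mount_point: str
    total_space: int            # size in blocks
    block_size: Optional[int]   # bytes per block; None when the probe did not collect it


def audit_log_dir(conf_text: str) -> str:
    """Return the directory of `log_file` from auditd.conf text (default /var/log/audit)."""
    for line in conf_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        key, _, value = line.partition("=")
        if key.strip() == "log_file":
            path = value.strip()
            return path.rsplit("/", 1)[0] or "/"
    return "/var/log/audit"


def mount_for(path: str, mounts: List[str]) -> str:
    """Longest-prefix match: the mount point whose filesystem contains `path`."""
    best = "/"
    for m in mounts:
        if path == m or path.startswith(m.rstrip("/") + "/"):
            if len(m) > len(best):
                best = m
    return best


def evaluate(item: PartitionItem, required_bytes: int) -> str:
    """Mirror OVAL result semantics: 'pass', 'fail', or 'unknown' when
    block_size is absent from the collected item (the situation reported here)."""
    if item.block_size is None:
        return "unknown"
    return "pass" if item.total_space * item.block_size >= required_bytes else "fail"


def check(conf_text: str, partitions: List[PartitionItem], required_bytes: int) -> str:
    """Full check over constructed partition items."""
    log_dir = audit_log_dir(conf_text)
    mp = mount_for(log_dir, [p.mount_point for p in partitions])
    item = next(p for p in partitions if p.mount_point == mp)
    return evaluate(item, required_bytes)


def item_from_statvfs(mount_point: str) -> PartitionItem:
    """Collect the same two entities from a live filesystem via statvfs
    (f_blocks and f_frsize); only needed when running on a real host."""
    st = os.statvfs(mount_point)
    return PartitionItem(mount_point, st.f_blocks, st.f_frsize)


if __name__ == "__main__":
    ten_gib = 10 * 1024 ** 3          # constructed required size
    parts = [
        PartitionItem("/", 12_000_000, 4096),
        PartitionItem("/var", 5_000_000, 4096),
        PartitionItem("/var/log/audit", 2_621_440, 4096),   # exactly 10 GiB
    ]
    print(check(SAMPLE_AUDITD_CONF, parts, ten_gib))        # pass
    parts[2].block_size = None                               # probe did not collect it
    print(check(SAMPLE_AUDITD_CONF, parts, ten_gib))        # unknown
```

The point of the three-way result is the one the issue makes: without block_size the size cannot be computed at all, so the scanner cannot report pass or fail and the rule becomes useless for compliance reporting rather than merely inaccurate.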

@marcusburghardt marcusburghardt added the productization-issue Issue found in upstream stabilization process. label Apr 25, 2024
@marcusburghardt

marcusburghardt commented Apr 26, 2024

A straightforward idea (thanks to @jan-cerny) is to define the version 5.11.2 in our content, instead of only 5.11.
I am still investigating but in some preliminary tests this would work.

Here is the changelog I found about OVAL 5.11.2

And this is the relevant issue:

These issues are not relevant to block_size but are also related to partition_test:

Analyzing the changelog I didn't find any obvious negative impact in our content if we set the version from 5.11 to 5.11.2.

OVAL 5.11.2 is stable, was released on 2016-11-30 and is the current version.

@marcusburghardt

marcusburghardt commented Apr 26, 2024

It seems the OVAL condition was introduced by a050df5, in 2021.

@marcusburghardt marcusburghardt self-assigned this Apr 26, 2024