[Bug 2116751] Re: openscap probe_file process consumes excessive resources during CIS scan

Heather Lemon 2116751 at bugs.launchpad.net
Fri Aug 22 20:42:02 UTC 2025 

full output of crashing oscap
https://pastebin.canonical.com/p/DCbXrvM8NG/

** Description changed:

  [ Impact ]
  
  probe_file consumes all the RAM of the system (128GB)
  excessive resource usage running a specific rule which is related to this bug [1]. This has been fixed in OpenSCAP 1.3, while Jammy runs 1.2.17. A fix for this patch has been made [2].
  
  [ Test Plan ]
  
  Steps to Reproduce:
  # create 100 users
  for i in $(seq 1 100); do sudo useradd -N -g users user$i; echo "user-ubu" | sudo passwd  user$i; done
  # create 1000 text files
  for i in $(seq 1 100); do echo "This is test file number $i." > file$i.txt; 1000 $(id -u user$i); done
  # each user opens 100 files and reads it
  for i in $(seq 1 1000); do -u user1 file_1.txt 1000 100 & done
    --> this will start 100 processes having 100 threads each, which are opening 1000 files each (shared between threads)
  
  # Run oscap in a new terminal at the same time
  oscap xccdf eval --rule xccdf_org.ssgproject.content_rule_file_permissions_ungroupowned  --results-arf /tmp/oscap_results.xml /usr/share/xml/scap/ssg/content/ssg-ubuntu2404-ds.xml
  # While oscap runs, strace probe_file for some time in a new terminal
  timeout 10s strace -fttTvyy -o oscap_10s.strace -s 64 -p <pid of probe_file>
  
  look at logs for errors specifically lstat
  
+ A crash occurs, but the program still succeeds.
+ 
+ Title   Ensure All Files Are Owned by a Group
+ Rule    xccdf_org.ssgproject.content_rule_file_permissions_ungroupowned
+ FAIL: 304:pthread_timedjoin_np: 0, Success
+ W: oscap:     Can't receive message: 103, Software caused connection abort.
+ E: probe_file: Invalid value of the `recurse_direction' attribute: -1
+ E: probe_file: Invalid value of the `recurse_direction' attribute: -1
+ E: probe_file: Invalid value of the `recurse_direction' attribute: -1
+ E: probe_file: Invalid value of the `recurse_direction' attribute: -1
+ E: probe_file: Invalid value of the `recurse_direction' attribute: -1
+ E: probe_file: Invalid value of the `recurse_direction' attribute: -1
+ E: probe_file: Invalid value of the `recurse_direction' attribute: -1
+ E: probe_file: Invalid value of the `recurse_direction' attribute: -1
+ E: probe_file: Invalid value of the `recurse_direction' attribute: -1
+ E: probe_file: Invalid value of the `recurse_direction' attribute: -1
+ E: probe_file: Invalid value of the `recurse_direction' attribute: -1
+ E: probe_file: Invalid value of the `recurse_direction' attribute: -1
+ E: probe_file: Invalid value of the `recurse_direction' attribute: -1
+ E: probe_file: Invalid value of the `recurse_direction' attribute: -1
+ E: probe_file: Invalid value of the `recurse_direction' attribute: -1
+ Result  error
+ 
+ 
  [ Where Problems Could Occur ]
  
  [ Other Info ]
  
  Backport from upstream.
  
  [1] https://bugzilla.redhat.com/show_bug.cgi?id=1932833
  [2] https://github.com/OpenSCAP/openscap/pull/1803

** Description changed:

  [ Impact ]
  
  probe_file consumes all the RAM of the system (128GB)
  excessive resource usage running a specific rule which is related to this bug [1]. This has been fixed in OpenSCAP 1.3, while Jammy runs 1.2.17. A fix for this patch has been made [2].
  
  [ Test Plan ]
  
  Steps to Reproduce:
  # create 100 users
  for i in $(seq 1 100); do sudo useradd -N -g users user$i; echo "user-ubu" | sudo passwd  user$i; done
  # create 1000 text files
  for i in $(seq 1 100); do echo "This is test file number $i." > file$i.txt; 1000 $(id -u user$i); done
  # each user opens 100 files and reads it
  for i in $(seq 1 1000); do -u user1 file_1.txt 1000 100 & done
    --> this will start 100 processes having 100 threads each, which are opening 1000 files each (shared between threads)
  
  # Run oscap in a new terminal at the same time
  oscap xccdf eval --rule xccdf_org.ssgproject.content_rule_file_permissions_ungroupowned  --results-arf /tmp/oscap_results.xml /usr/share/xml/scap/ssg/content/ssg-ubuntu2404-ds.xml
+ 
  # While oscap runs, strace probe_file for some time in a new terminal
  timeout 10s strace -fttTvyy -o oscap_10s.strace -s 64 -p <pid of probe_file>
+ 
+ Once this happens, it becomes laggy and program is slow.
  
  look at logs for errors specifically lstat
  
  A crash occurs, but the program still succeeds.
  
  Title   Ensure All Files Are Owned by a Group
  Rule    xccdf_org.ssgproject.content_rule_file_permissions_ungroupowned
  FAIL: 304:pthread_timedjoin_np: 0, Success
  W: oscap:     Can't receive message: 103, Software caused connection abort.
  E: probe_file: Invalid value of the `recurse_direction' attribute: -1
  E: probe_file: Invalid value of the `recurse_direction' attribute: -1
  E: probe_file: Invalid value of the `recurse_direction' attribute: -1
  E: probe_file: Invalid value of the `recurse_direction' attribute: -1
  E: probe_file: Invalid value of the `recurse_direction' attribute: -1
  E: probe_file: Invalid value of the `recurse_direction' attribute: -1
  E: probe_file: Invalid value of the `recurse_direction' attribute: -1
  E: probe_file: Invalid value of the `recurse_direction' attribute: -1
  E: probe_file: Invalid value of the `recurse_direction' attribute: -1
  E: probe_file: Invalid value of the `recurse_direction' attribute: -1
  E: probe_file: Invalid value of the `recurse_direction' attribute: -1
  E: probe_file: Invalid value of the `recurse_direction' attribute: -1
  E: probe_file: Invalid value of the `recurse_direction' attribute: -1
  E: probe_file: Invalid value of the `recurse_direction' attribute: -1
  E: probe_file: Invalid value of the `recurse_direction' attribute: -1
  Result  error
  
- 
  [ Where Problems Could Occur ]
  
  [ Other Info ]
  
  Backport from upstream.
  
  [1] https://bugzilla.redhat.com/show_bug.cgi?id=1932833
  [2] https://github.com/OpenSCAP/openscap/pull/1803

-- 
You received this bug notification because you are a member of Ubuntu
Sponsors, which is subscribed to the bug report.
https://bugs.launchpad.net/bugs/2116751

Title:
  openscap probe_file process consumes excessive resources during CIS
  scan

Status in openscap package in Ubuntu:
  In Progress
Status in openscap source package in Jammy:
  In Progress
Status in openscap source package in Noble:
  In Progress

Bug description:
  [ Impact ]

  probe_file consumes all the RAM of the system (128GB)
  excessive resource usage running a specific rule which is related to this bug [1]. This has been fixed in OpenSCAP 1.3, while Jammy runs 1.2.17. A fix for this patch has been made [2].

  [ Test Plan ]

  Steps to Reproduce:
  # create 100 users
  for i in $(seq 1 100); do sudo useradd -N -g users user$i; echo "user-ubu" | sudo passwd  user$i; done
  # create 1000 text files
  for i in $(seq 1 100); do echo "This is test file number $i." > file$i.txt; 1000 $(id -u user$i); done
  # each user opens 100 files and reads it
  for i in $(seq 1 1000); do -u user1 file_1.txt 1000 100 & done
    --> this will start 100 processes having 100 threads each, which are opening 1000 files each (shared between threads)

  # Run oscap in a new terminal at the same time
  oscap xccdf eval --rule xccdf_org.ssgproject.content_rule_file_permissions_ungroupowned  --results-arf /tmp/oscap_results.xml /usr/share/xml/scap/ssg/content/ssg-ubuntu2404-ds.xml

  # While oscap runs, strace probe_file for some time in a new terminal
  timeout 10s strace -fttTvyy -o oscap_10s.strace -s 64 -p <pid of probe_file>

  Once this happens, it becomes laggy and program is slow.

  look at logs for errors specifically lstat

  A crash occurs, but the program still succeeds.

  Title   Ensure All Files Are Owned by a Group
  Rule    xccdf_org.ssgproject.content_rule_file_permissions_ungroupowned
  FAIL: 304:pthread_timedjoin_np: 0, Success
  W: oscap:     Can't receive message: 103, Software caused connection abort.
  E: probe_file: Invalid value of the `recurse_direction' attribute: -1
  E: probe_file: Invalid value of the `recurse_direction' attribute: -1
  E: probe_file: Invalid value of the `recurse_direction' attribute: -1
  E: probe_file: Invalid value of the `recurse_direction' attribute: -1
  E: probe_file: Invalid value of the `recurse_direction' attribute: -1
  E: probe_file: Invalid value of the `recurse_direction' attribute: -1
  E: probe_file: Invalid value of the `recurse_direction' attribute: -1
  E: probe_file: Invalid value of the `recurse_direction' attribute: -1
  E: probe_file: Invalid value of the `recurse_direction' attribute: -1
  E: probe_file: Invalid value of the `recurse_direction' attribute: -1
  E: probe_file: Invalid value of the `recurse_direction' attribute: -1
  E: probe_file: Invalid value of the `recurse_direction' attribute: -1
  E: probe_file: Invalid value of the `recurse_direction' attribute: -1
  E: probe_file: Invalid value of the `recurse_direction' attribute: -1
  E: probe_file: Invalid value of the `recurse_direction' attribute: -1
  Result  error

  [ Where Problems Could Occur ]

  [ Other Info ]

  Backport from upstream.

  [1] https://bugzilla.redhat.com/show_bug.cgi?id=1932833
  [2] https://github.com/OpenSCAP/openscap/pull/1803

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/openscap/+bug/2116751/+subscriptions

More information about the Ubuntu-sponsors mailing list