[Bug 2116751] Re: openscap probe_file process consumes excessive resources during CIS scan

Ubuntu Foundations Team Bug Bot 2116751 at bugs.launchpad.net
Tue Jul 29 20:24:39 UTC 2025


The attachment "lp2116751-noble.debdiff" seems to be a debdiff.  The
ubuntu-sponsors team has been subscribed to the bug report so that they
can review and hopefully sponsor the debdiff.  If the attachment isn't a
patch, please remove the "patch" flag from the attachment, remove the
"patch" tag, and if you are a member of ~ubuntu-sponsors, unsubscribe
the team.

[This is an automated message performed by a Launchpad user owned by
~brian-murray, for any issue please contact him.]

** Tags added: patch

-- 
You received this bug notification because you are a member of Ubuntu
Sponsors, which is subscribed to the bug report.
https://bugs.launchpad.net/bugs/2116751

Title:
  openscap probe_file process consumes excessive resources during CIS
  scan

Status in openscap package in Ubuntu:
  In Progress
Status in openscap source package in Jammy:
  In Progress
Status in openscap source package in Noble:
  In Progress

Bug description:
  [ Impact ]

  probe_file consumes all the RAM of the system (128GB): excessive resource usage when running a specific rule, which is related to this bug [1]. This has been fixed in OpenSCAP 1.3, while Jammy runs 1.2.17. A fix for this patch has been made [2].

  [ Test Plan ]

  sudo apt install openscap-scanner

  
  Steps to Reproduce:

  1. Create 100 users
    # for i in $(seq 1 100); do useradd -N -g users user$i; echo "redhat" | passwd --stdin user$i; done
  2. Compile generate_files in attachment to generate files for the users (group is set to unused group id 9999 on purpose)
    # for i in $(seq 1 100); do ./generate_files 1000 $(id -u user$i); done
  3. Compile many_files_and_threads in attachment to spawn many processes having many threads and opening many files
    # for i in $(seq 1 100); do sudo -u user$i /usr/local/bin/many_files_and_threads 1000 100 & done
    --> this will start 100 processes having 100 threads each, which are opening 1000 files each (shared between threads)

  4. Run oscap
    # /usr/bin/oscap xccdf eval --rule xccdf_org.ssgproject.content_rule_file_permissions_ungroupowned --profile xccdf_org.ssgproject.content_profile_C2S --results-arf /tmp/oscap_results.xml /usr/share/xml/scap/ssg/content/ssg-rhel7-ds.xml
  5. While oscap runs, strace probe_file for some time
    # timeout 10s strace -fttTvyy -o oscap_10s.strace -s 64 -p <pid of probe_file>

  Look at the logs for errors, specifically lstat.

  [ Where Problems Could Occur ]

  [ Other Info ]

  Backport from upstream.

  [1] https://bugzilla.redhat.com/show_bug.cgi?id=1932833
  [2] https://github.com/OpenSCAP/openscap/pull/1803

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/openscap/+bug/2116751/+subscriptions
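
One way to carry out the last check of the test plan (looking for lstat errors in the oscap_10s.strace file written in step 5) is the summary script below. It is an added example, not part of the bug report or of OpenSCAP; the summarize helper, its depth parameter and the sample lines are constructed for illustration, and it assumes the line layout that strace writes with -f -tt -T -o.

```python
import re
from collections import Counter

# Assumed line shape from `strace -f -tt -T -o FILE`:
#   <pid> <time> lstat("<path>", ...) = <ret> [ERRNO (text)] <seconds>
CALL = re.compile(r'^(\d+)\s+\S+\s+lstat\("([^"]*)"')
RESUMED = re.compile(r'^(\d+)\s+\S+\s+<\.\.\. lstat resumed>')
RESULT = re.compile(r'\)\s+= (-?\d+)(?: (E[A-Z0-9]+))?.*?<(\d+\.\d+)>\s*$')

# Constructed sample lines (struct fields shortened), not from a real trace.
SAMPLE = """\
4242 20:24:39.000100 lstat("/home/user1/f1", {st_mode=S_IFREG|0644, st_size=0}) = 0 <0.000020>
4243 20:24:39.000200 lstat("/home/user1/gone", 0x7ffc0a1b2c30) = -1 ENOENT (No such file or directory) <0.000010>
4244 20:24:39.000300 lstat("/home/user2/f1",  <unfinished ...>
4245 20:24:39.000350 openat(AT_FDCWD, "/etc/passwd", O_RDONLY) = 3</etc/passwd> <0.000015>
4244 20:24:39.000400 <... lstat resumed>{st_mode=S_IFREG|0644, st_size=0}) = 0 <0.000100>
4242 20:24:39.000500 lstat("/home/user2/f2", 0x7ffc0a1b2c30) = -1 EACCES (Permission denied) <0.000005>
""".splitlines()

def summarize(lines, depth=2):
    """Count lstat calls, errno values, time spent and the busiest path prefixes."""
    calls, seconds = 0, 0.0
    errors, prefixes, pending = Counter(), Counter(), {}
    for line in lines:
        m = CALL.match(line)
        if m:
            pid, path = m.groups()
        else:
            # A call split by -f interleaving: recover the path saved per pid.
            m = RESUMED.match(line)
            if not m or m.group(1) not in pending:
                continue
            pid, path = m.group(1), pending.pop(m.group(1))
        if "<unfinished ...>" in line:
            pending[pid] = path
            continue
        r = RESULT.search(line)
        if not r:
            continue
        calls += 1
        seconds += float(r.group(3))
        if r.group(2):
            errors[r.group(2)] += 1
        prefixes["/".join(path.split("/")[:depth + 1])] += 1
    return {"calls": calls, "seconds": round(seconds, 6),
            "errors": dict(errors), "top_prefixes": prefixes.most_common(3)}

if __name__ == "__main__":
    print(summarize(SAMPLE))
```

For a real trace, pass the open file object instead of SAMPLE, for example summarize(open("oscap_10s.strace")).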



