Permission denied error while running openscap role

Support
, ,
1

Problem:
Permission denied error while running openscap role
Expected outcome:
Openscap scan should execute

Other relevant data:

I am trying to run openscap scan through foreman by assigning ansible role. I was able to run ansible role which complete as status success

image
image1461×171 20.1 KB

But after that, when I try to do openscap scanning I am getting this error.
image
image1616×402 31.7 KB

Any help would be appreciated

2

This seems more like a generic REX issue. I’d first try to enforce the scap directly on the machine. SSH to it and try running foreman_scap_client 1 as root. 1 stands for the ID of the openscap policy you’ve defined in Foreman, double check that in /etc/foreman_scap_client/config.yaml. It should be one of the keys in there. If this is the only policy you’ve defined, most likely it will be 1.

If that works, look at Administer → Remote Execution Features → foreman_openscap_run_scans, most likely you have Run OpenSCAP scans - Ansible default, try changing it to Run OpenSCAP scans. There may be some issue in that playbook, by changing it as suggested, it would default to use pure SSH to trigger the scan.

3 
foreman_scap_client 1
Policy id 1 not found.
4

Do you have /var/tmp mounted with noexec by any chance?

5

I meant /var/tmp on the remote machine.

6

Oh no, it was not mounted with exec. I have done that and now I am getting this error

image
image1566×285 25.8 KB

8

Any luck @Marek_Hulan @aruzicka ?

9

Attaching Production.log if that helps

2022-04-13T08:13:39 [I|app|1056976b] Started GET "/job_invocations/50/rerun?host_ids%5B%5D=66" for 144.54.174.26 at 2022-04-13 08:13:39 -0400
2022-04-13T08:13:39 [I|app|1056976b] Processing by JobInvocationsController#rerun as HTML
2022-04-13T08:13:39 [I|app|1056976b]   Parameters: {"host_ids"=>["66"], "id"=>"50"}
2022-04-13T08:13:39 [I|app|1056976b]   Rendering /usr/share/gems/gems/foreman_remote_execution-5.0.1/app/views/job_invocations/new.html.erb within layouts/application
2022-04-13T08:13:39 [I|app|1056976b]   Rendered /usr/share/gems/gems/foreman_remote_execution-5.0.1/app/views/job_invocations/_description_fields.html.erb (Duration: 8.2ms | Allocations: 6941)
2022-04-13T08:13:39 [I|app|1056976b]   Rendered template_inputs/_invocation_form.html.erb (Duration: 4.9ms | Allocations: 6780)
2022-04-13T08:13:39 [I|app|1056976b]   Rendered /usr/share/gems/gems/foreman_remote_execution-5.0.1/app/views/job_invocations/_description_fields.html.erb (Duration: 5.8ms | Allocations: 6806)
2022-04-13T08:13:39 [I|app|1056976b]   Rendered /usr/share/gems/gems/foreman-tasks-5.2.0/app/views/common/_trigger_form.html.erb (Duration: 12.3ms | Allocations: 15562)
2022-04-13T08:13:39 [I|app|1056976b]   Rendered /usr/share/gems/gems/foreman_remote_execution-5.0.1/app/views/job_invocations/_preview_hosts_modal.html.erb (Duration: 4.1ms | Allocations: 6265)
2022-04-13T08:13:39 [I|app|1056976b]   Rendered /usr/share/gems/gems/foreman_remote_execution-5.0.1/app/views/job_invocations/_rerun_taxonomies.html.erb (Duration: 3.2ms | Allocations: 6133)
2022-04-13T08:13:39 [I|app|1056976b]   Rendered /usr/share/gems/gems/foreman_remote_execution-5.0.1/app/views/job_invocations/_form.html.erb (Duration: 80.0ms | Allocations: 75913)
2022-04-13T08:13:39 [I|app|1056976b]   Rendered /usr/share/gems/gems/foreman_remote_execution-5.0.1/app/views/job_invocations/new.html.erb within layouts/application (Duration: 88.9ms | Allocations: 82328)
2022-04-13T08:13:39 [I|app|1056976b]   Rendered layouts/_application_content.html.erb (Duration: 3.0ms | Allocations: 6421)
2022-04-13T08:13:39 [I|app|1056976b]   Rendering layouts/base.html.erb
2022-04-13T08:13:39 [I|app|1056976b]   Rendered layouts/base.html.erb (Duration: 19.7ms | Allocations: 27393)
2022-04-13T08:13:39 [I|app|1056976b] Completed 200 OK in 156ms (Views: 111.1ms | ActiveRecord: 13.4ms | Allocations: 140233)
2022-04-13T08:13:40 [I|app|c0cc8cdf] Started GET "/notification_recipients" for 144.54.174.26 at 2022-04-13 08:13:40 -0400
2022-04-13T08:13:40 [I|app|c0cc8cdf] Processing by NotificationRecipientsController#index as JSON
2022-04-13T08:13:40 [I|app|c0cc8cdf] Completed 200 OK in 7ms (Views: 0.1ms | ActiveRecord: 1.2ms | Allocations: 2216)


2022-04-13T08:14:06 [I|app|f1d2ba30] Started POST "/job_invocations" for 144.54.174.26 at 2022-04-13 08:14:06 -0400
2022-04-13T08:14:06 [I|app|f1d2ba30] Processing by JobInvocationsController#create as HTML
2022-04-13T08:14:06 [I|app|f1d2ba30]   Parameters: {"utf8"=>"✓", "authenticity_token"=>"d1IucOAK1KcriOraYN4aNalPK3RkjfgjbFSMUYVG7bDNdiNH5zGufLClZNF6MI8/18fkw2m6PB+O+06p1fazyw==", "job_invocation"=>{"job_category"=>"OpenSCAP", "remote_execution_feature_id"=>"", "providers"=>{"SSH"=>{"job_template_id"=>"169", "job_templates"=>{"169"=>{"effective_user"=>"root", "execution_timeout_interval"=>""}, "170"=>{"input_values"=>"[FILTERED]", "effective_user"=>"", "execution_timeout_interval"=>""}}}}, "description"=>"", "description_override"=>"Run scan for all OpenSCAP policies on host", "description_format"=>"Run scan for all OpenSCAP policies on host", "password"=>"[FILTERED]", "key_passphrase"=>"", "effective_user_password"=>"[FILTERED]", "concurrency_level"=>"", "time_span"=>""}, "targeting"=>{"bookmark_id"=>"", "search_query"=>"name ^ (almalinux-8-4-dev-development)", "randomized_ordering"=>"false", "targeting_type"=>"static_query"}, "fakepassword"=>"[FILTERED]", "triggering"=>{"mode"=>"immediate", "start_at_raw"=>"2022-04-13 17:43", "start_before_raw"=>"", "input_type"=>"daily", "cronline"=>"", "days"=>"", "days_of_week"=>{"1"=>"0", "2"=>"0", "3"=>"0", "4"=>"0", "5"=>"0", "6"=>"0", "7"=>"0"}, "time"=>{"time(1i)"=>"2022", "time(2i)"=>"4", "time(3i)"=>"13", "time(4i)"=>"17", "time(5i)"=>"43"}, "max_iteration"=>"", "end_time_limited"=>"false", "end_time"=>{"end_time(1i)"=>"2022", "end_time(2i)"=>"4", "end_time(3i)"=>"13", "end_time(4i)"=>"17", "end_time(5i)"=>"43"}, "purpose"=>""}, "commit"=>"Submit"}
2022-04-13T08:14:06 [I|aud|f1d2ba30] JobInvocation (51) create event on job_category OpenSCAP
2022-04-13T08:14:06 [I|aud|f1d2ba30] JobInvocation (51) create event on description Run scan for all OpenSCAP policies on host
2022-04-13T08:14:06 [I|aud|f1d2ba30] JobInvocation (51) create event on concurrency_level
2022-04-13T08:14:06 [I|aud|f1d2ba30] JobInvocation (51) create event on time_span
2022-04-13T08:14:06 [I|aud|f1d2ba30] JobInvocation (51) create event on execution_timeout_interval
2022-04-13T08:14:06 [I|aud|f1d2ba30] JobInvocation (51) create event on password [redacted]
2022-04-13T08:14:06 [I|aud|f1d2ba30] JobInvocation (51) create event on key_passphrase
2022-04-13T08:14:06 [I|aud|f1d2ba30] JobInvocation (51) create event on remote_execution_feature_id
2022-04-13T08:14:06 [I|aud|f1d2ba30] JobInvocation (51) create event on effective_user_password
2022-04-13T08:14:06 [I|bac|f1d2ba30] Task {label: , id: e9774087-4fc9-4bc1-b9e8-f188eb314db7, execution_plan_id: ec72b0fe-9571-42b7-b4c0-46667ab74324} state changed: pending
2022-04-13T08:14:06 [I|bac|f1d2ba30] Task {label: Actions::RemoteExecution::RunHostsJob, id: e9774087-4fc9-4bc1-b9e8-f188eb314db7, execution_plan_id: ec72b0fe-9571-42b7-b4c0-46667ab74324} state changed: planning
2022-04-13T08:14:06 [I|bac|f1d2ba30] Task {label: Actions::RemoteExecution::RunHostsJob, id: e9774087-4fc9-4bc1-b9e8-f188eb314db7, execution_plan_id: ec72b0fe-9571-42b7-b4c0-46667ab74324} state changed: planned
2022-04-13T08:14:06 [I|app|f1d2ba30] Redirected to https://ingbtcpic6vl324.code1.emi.philips.com/job_invocations/51
2022-04-13T08:14:06 [I|app|f1d2ba30] Completed 302 Found in 182ms (ActiveRecord: 40.2ms | Allocations: 55551)
2022-04-13T08:14:06 [I|bac|f1d2ba30] Task {label: Actions::RemoteExecution::RunHostsJob, id: e9774087-4fc9-4bc1-b9e8-f188eb314db7, execution_plan_id: ec72b0fe-9571-42b7-b4c0-46667ab74324} state changed: running
2022-04-13T08:14:06 [I|app|bf882a1d] Started GET "/job_invocations/51" for 144.54.174.26 at 2022-04-13 08:14:06 -0400
2022-04-13T08:14:06 [I|app|bf882a1d] Processing by JobInvocationsController#show as HTML
2022-04-13T08:14:06 [I|app|bf882a1d]   Parameters: {"id"=>"51"}
2022-04-13T08:14:06 [I|app|bf882a1d]   Rendering /usr/share/gems/gems/foreman_remote_execution-5.0.1/app/views/job_invocations/show.html.erb within layouts/application
2022-04-13T08:14:06 [I|app|bf882a1d]   Rendered /usr/share/gems/gems/foreman_remote_execution-5.0.1/app/views/job_invocations/_card_results.html.erb (Duration: 3.7ms | Allocations: 6254)
2022-04-13T08:14:06 [I|app|bf882a1d]   Rendered /usr/share/gems/gems/foreman_remote_execution-5.0.1/app/views/job_invocations/_card_schedule.html.erb (Duration: 4.8ms | Allocations: 6658)
2022-04-13T08:14:06 [I|bac|f1d2ba30] Task {label: , id: 7ab9bf4a-fb04-405a-91b1-3c81f034324a, execution_plan_id: 1b6186d8-f736-4cc3-94a0-3e5a99501905} state changed: pending
2022-04-13T08:14:06 [I|app|bf882a1d]   Rendered /usr/share/gems/gems/foreman_remote_execution-5.0.1/app/views/job_invocations/_card_target_hosts.html.erb (Duration: 5.6ms | Allocations: 7077)
2022-04-13T08:14:06 [I|bac|f1d2ba30] Task {label: Actions::RemoteExecution::RunHostJob, id: 7ab9bf4a-fb04-405a-91b1-3c81f034324a, execution_plan_id: 1b6186d8-f736-4cc3-94a0-3e5a99501905} state changed: planning
2022-04-13T08:14:06 [I|app|bf882a1d]   Rendered /usr/share/gems/gems/foreman_remote_execution-5.0.1/app/views/job_invocations/_tab_hosts.html.erb (Duration: 4.0ms | Allocations: 6170)
2022-04-13T08:14:06 [I|app|bf882a1d]   Rendered /usr/share/gems/gems/foreman_remote_execution-5.0.1/app/views/job_invocations/_tab_overview.html.erb (Duration: 36.2ms | Allocations: 39254)
2022-04-13T08:14:06 [I|bac|f1d2ba30] Task {label: Actions::RemoteExecution::RunHostJob, id: 7ab9bf4a-fb04-405a-91b1-3c81f034324a, execution_plan_id: 1b6186d8-f736-4cc3-94a0-3e5a99501905} state changed: planned
2022-04-13T08:14:06 [I|bac|f1d2ba30] Task {label: Actions::RemoteExecution::RunHostJob, id: 7ab9bf4a-fb04-405a-91b1-3c81f034324a, execution_plan_id: 1b6186d8-f736-4cc3-94a0-3e5a99501905} state changed: running
2022-04-13T08:14:06 [I|app|bf882a1d]   Rendered /usr/share/gems/gems/foreman_remote_execution-5.0.1/app/views/job_invocations/_user_input.html.erb (Duration: 429.8ms | Allocations: 23928)
2022-04-13T08:14:06 [I|app|bf882a1d]   Rendered /usr/share/gems/gems/foreman_remote_execution-5.0.1/app/views/job_invocations/_tab_preview_templates.html.erb (Duration: 439.3ms | Allocations: 33013)
2022-04-13T08:14:06 [I|app|bf882a1d]   Rendered /usr/share/gems/gems/foreman_remote_execution-5.0.1/app/views/job_invocations/show.html.erb within layouts/application (Duration: 503.8ms | Allocations: 88968)
2022-04-13T08:14:06 [I|app|bf882a1d]   Rendered layouts/_application_content.html.erb (Duration: 3.9ms | Allocations: 6158)
2022-04-13T08:14:06 [I|app|bf882a1d]   Rendering layouts/base.html.erb
2022-04-13T08:14:06 [I|app|bf882a1d]   Rendered layouts/base.html.erb (Duration: 22.7ms | Allocations: 27368)
2022-04-13T08:14:06 [I|app|bf882a1d] Completed 200 OK in 553ms (Views: 397.5ms | ActiveRecord: 141.9ms | Allocations: 136809)

2022-04-13T08:14:09 [I|app|11ea1237] Started POST "/foreman_tasks/api/tasks/callback" for 161.92.211.65 at 2022-04-13 08:14:09 -0400
2022-04-13T08:14:09 [I|app|11ea1237] Processing by ForemanTasks::Api::TasksController#callback as HTML
2022-04-13T08:14:09 [I|app|11ea1237]   Parameters: {"callback"=>{"task_id"=>"7ab9bf4a-fb04-405a-91b1-3c81f034324a", "step_id"=>3}, "data"=>{"result"=>[{"output_type"=>"stdout", "output"=>"File /var/lib/openscap/content/c125daafac369e94f734e6b4e69f849894f70373eb1133678e219b554338eb2d.xml is missing. Downloading it from proxy.\nDownload SCAP content xml from: https://almalinux-8-4-dev-development:9090/compliance/policies/2/content/c125daafac369e94f734e6b4e69f849894f70373eb1133678e219b554338eb2d\nSCAP content is missing and download failed with error: Failed to open TCP connection to almalinux-8-4-dev-development:9090 (getaddrinfo: Name or service not known)\n", "timestamp"=>1649852048.2556946}], "runner_id"=>"cc66b95e-ea19-4da6-8f65-3778127549ff", "exit_status"=>5}, "task"=>{}}
2022-04-13T08:14:09 [I|app|11ea1237] Completed 200 OK in 23ms (Views: 0.1ms | ActiveRecord: 9.8ms | Allocations: 6172)
2022-04-13T08:14:09 [I|bac|f1d2ba30] Event delivered by request 11ea1237-8516-4276-a9d5-20702eea2ebc
2022-04-13T08:14:09 [E|bac|f1d2ba30] Job execution failed
2022-04-13T08:14:09 [I|bac|f1d2ba30] Task {label: Actions::RemoteExecution::RunHostJob, id: 7ab9bf4a-fb04-405a-91b1-3c81f034324a, execution_plan_id: 1b6186d8-f736-4cc3-94a0-3e5a99501905} state changed: stopped  result: error
10

I know next to nothing about openscap, but that output says the target host cannot resolve almalinux-8-4-dev-development.

11

This is resolved

12

In your other thread it seemed the policy has id 2, so it should have been foreman_scap_client 2. If you managed to resolve this, it would be good to explain what was the cause and how it was resolved, so others who will face the same will find an answer.

13

I re-added the policy and that worked