OpenSCAP memory-consumption problems


On systems with limited memory, the OpenSCAP scanner might terminate prematurely or might not generate the result files. The system may print an error message such as:

Out of memory: Killed process 314803 (oscap) total-vm:14506348kB, anon-rss:5138028kB, file-rss:0kB, shmem-rss:0kB, UID:0 pgtables:24176kB oom_score_adj:0
XPath error : Memory allocation failed : growing nodeset hit limit
growing nodeset hit limit
^
 runtime error: file /usr/share/openscap/xsl/xccdf-report-oval-details.xsl line 38 element key
 Failed to evaluate the 'match' expression.

OpenSCAP keeps all collected results in memory until the scan finishes. In general, we recommend a system with at least 2 GB of memory to complete a scan successfully.

Several factors contribute to the high memory consumption:

  • complexity of the selected profile

  • the number of rules that are evaluated and their complexity

  • the number of files stored on the scanned file system and the count of packages installed on that system

The following workarounds can lower memory consumption:

  • You can set the environment variable OSCAP_PROBE_MEMORY_USAGE_RATIO to change the maximum memory usage ratio (used/total) allowed for OpenSCAP probes; the default value is 0.1.

  • You can generate the HTML report from the ARF results file after the scan instead of generating it during the scan. For example, instead of using:

$ oscap xccdf eval --results-arf arf.xml --report report.html

You use:

$ oscap xccdf eval --results-arf arf.xml

And then:

$ oscap xccdf generate report arf.xml > report.html

  • You can customize the scanning profile to deselect rules that involve recursion over the entire / file system:

    • rpm_verify_hashes
    • rpm_verify_permissions
    • rpm_verify_ownership
    • file_permissions_unauthorized_world_writable
    • no_files_unowned_by_user
    • dir_perms_world_writable_system_owned
    • file_permissions_unauthorized_suid
    • file_permissions_unauthorized_sgid
    • file_permissions_ungroupowned
    • dir_perms_world_writable_sticky_bits

  • You can try to apply remediation for the rules listed in the previous point before running another scan. These remediations reduce the amount of data that needs to be collected during the scan and therefore reduce the memory consumption of the scanner.

  • You can install a smaller package group, for example, Server or Minimal Install, on systems with limited RAM.

  • You can set a memory limit for the oscap command.
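The following wrapper script is an added example, not part of the original article and not shipped with OpenSCAP. It combines three of the workarounds above: it lowers OSCAP_PROBE_MEMORY_USAGE_RATIO, runs the evaluation without --report and generates the HTML report from the ARF afterwards, and runs the oscap process under a ulimit -v cap derived from MemTotal. The data stream path, profile ID and the 50 % default are placeholders chosen for illustration; oscap itself is assumed to be installed on the scanned host.

```shell
#!/bin/sh
# Added example (not from the article): run an OpenSCAP scan with the
# memory-saving workarounds applied. DATASTREAM, PROFILE_ID and the
# percentage are caller-supplied placeholders.

# Address-space limit in KiB computed as PCT percent of MemTotal.
# Reads meminfo-formatted text from stdin ("MemTotal:  4096000 kB").
mem_limit_kb() {
    pct="$1"
    awk -v pct="$pct" '/^MemTotal:/ { printf "%d\n", $2 * pct / 100; exit }'
}

# Report generation kept as a separate step, as the article recommends,
# so the report is built from the ARF rather than held in memory during the scan.
generate_report() {
    arf="$1"; report="$2"
    oscap xccdf generate report "$arf" > "$report"
}

# Evaluate under a ulimit -v cap, then build the report from the ARF.
# $1 = data stream, $2 = profile id, $3 = ARF path, $4 = report path,
# $5 = percent of MemTotal allowed for the oscap process (default 50).
run_limited_scan() {
    datastream="$1"; profile="$2"; arf="$3"; report="$4"; pct="${5:-50}"
    limit=$(mem_limit_kb "$pct" < /proc/meminfo)

    # Lower the per-probe memory usage ratio from its default of 0.1.
    export OSCAP_PROBE_MEMORY_USAGE_RATIO=0.05

    # ulimit -v caps virtual address space, which is larger than resident
    # memory (the OOM message above shows total-vm far above anon-rss), so
    # oscap may stop at this cap before the kernel OOM killer would act.
    # The subshell keeps the limit from affecting the calling shell.
    ( ulimit -v "$limit" && exec oscap xccdf eval --profile "$profile" \
          --results-arf "$arf" "$datastream" )
    status=$?
    # oscap xccdf eval exits 2 when at least one rule fails; only exit
    # status 1 means the scan itself errored and no usable ARF exists.
    if [ "$status" -eq 1 ]; then
        echo "scan failed (exit 1); not generating report" >&2
        return 1
    fi
    generate_report "$arf" "$report"
}

# Usage with placeholder values:
#   ./oscap-limited.sh DATASTREAM.xml PROFILE_ID arf.xml report.html 50
if [ "$#" -ge 4 ]; then
    run_limited_scan "$@"
fi
```

On hosts with systemd and cgroups v2, running the same command as `systemd-run -p MemoryMax=2G --wait oscap xccdf eval ...` limits resident memory instead of address space, which matches the kernel OOM killer's accounting more closely than ulimit -v; the script above uses ulimit because it needs nothing beyond a POSIX shell.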
