oscap-podman and oscap-docker evaluate all rules as notapplicable

[jan-cerny]

Description of Problem:

When scanning an UBI 8 image using oscap-podman or oscap-docker, all rules are evaluated as notapplicable.

This problem has been discovered during a review of #1931 but isn't caused by that PR.

OpenSCAP Version:

openscap-1.3.7-1.fc37.x86_64
podman-4.3.1-1.fc37.x86_64

Operating System & Version:

F 37

Steps to Reproduce:

with oscap-podman:

1. sudo podman pull registry.access.redhat.com/ubi8/ubi
2. sudo oscap-podman registry.access.redhat.com/ubi8/ubi:latest xccdf eval --profile xccdf_org.ssgproject.content_profile_stig /usr/share/xml/scap/ssg/content/ssg-rhel8-ds.xml

with oscap-docker:

1. sudo systemctl start podman
2. sudo podman pull registry.access.redhat.com/ubi8/ubi
3. sudo oscap-docker image registry.access.redhat.com/ubi8/ubi:latest xccdf eval --profile xccdf_org.ssgproject.content_profile_stig /usr/share/xml/scap/ssg/content/ssg-rhel8-ds.xml

Actual Results:

all rules are notapplicable

Expected Results:

some rules are applicable and evaluated

Additional Information / Debugging Steps:

[jcerny@thinkpad ~]$ sudo podman images registry.access.redhat.com/ubi8/ubi:latest
REPOSITORY                           TAG         IMAGE ID      CREATED      SIZE
registry.access.redhat.com/ubi8/ubi  latest      270f760d3d04  13 days ago  214 MB

[candrews]

I thought figured out the cause of this problem and submitted a PR to fix it: ComplianceAsCode/content#10320

I was wrong.

[candrews]

At ComplianceAsCode/content#10320 (comment) it was asked:

Could the problem be instead related to the RPM DB in Fedora might be incompatible with the RPM DB in UBI 8?

I did some testing on my Fedora 37 system using:

ID="$(podman create $IMAGE)" && DIR="$(podman mount $ID)" && rpm --root "$DIR" -q bash && podman rm -f "$ID"

• Can Fedora 37 read the registry.fedoraproject.org/fedora:37 rpmdb? (This is a sanity check)
  Result:
  bash-5.2.15-1.fc37.x86_64

• Can Fedora 37 read theregistry.fedoraproject.org/fedora:36 rpmdb?
  Result:
  bash-5.2.15-1.fc36.x86_64

• Can Fedora 37 read the registry.fedoraproject.org/fedora:35 rpmdb?
  Result:
  package bash is not installed

• Can Fedora 37 read the registry.access.redhat.com/ubi9/ubi:latest rpmdb?
  Result:
  package bash is not installed

• Can Fedora 37 read the registry.access.redhat.com/ubi8/ubi:latest rpmdb?
  Result:
  package bash is not installed

• Can Fedora 37 read the registry.access.redhat.com/ubi7/ubi:latest rpmdb?
  Result:
  package bash is not installed

rpm is apparently not backwards compatible (newer rpm cannot always read older rpm databases).

[candrews]

In fedora 36, the rpm dbpath changed from /var/lib/rpm to /usr/lib/sysimage/rpm

The default dbpath on a given system can be determined by running: rpm -E "%{_dbpath}"

Given that knowledge, I re-ran the previous test by this time specified the dbpath to what the value should be:

ID="$(podman create $IMAGE)" && DIR="$(podman mount $ID)" && rpm --root "$DIR" --dbpath=/var/lib/rpm -q bash && podman rm -f "$ID"

• Can Fedora 37 read the registry.fedoraproject.org/fedora:35 rpmdb?
  Result:
  bash-5.1.8-3.fc35.x86_64

• Can Fedora 37 read the registry.access.redhat.com/ubi9/ubi:latest rpmdb?
  Result:
  bash-5.1.8-6.el9_1.x86_64

• Can Fedora 37 read the registry.access.redhat.com/ubi8/ubi:latest rpmdb?
  Result:
  bash-4.4.20-4.el8_6.x86_64

• Can Fedora 37 read the registry.access.redhat.com/ubi7/ubi:latest rpmdb?
  Result:
  bash-4.2.46-35.el7_9.x86_64

[candrews]

I can think of a few ways we could solve this problem:

1. Specify the appropriate dbpath for each operating system

For each operating system, specify a dbpath to use:

• For Fedora >=36, use /usr/lib/sysimage/rpm
• For Fedora < 36 and Red Hat <=9, use /var/lib/rpm
• For SLES, use /var/lib/rpm

2. Use /usr/lib/sysimage/rpm if it exists, fallback to /var/lib/rpm if not

If /usr/lib/sysimage/rpm exists, use that as the dbpath, otherwise, use /var/lib/rpm.

3. Always use /var/lib/rpm

Fedora has /var/lib/rpm symlinked to /usr/lib/sysimage/rpm (and I suspect will for a long time for backwards compatibility). Therefore, dbpath=/var/lib/rpm always works. We could simply always use /var/lib/rpm (and not rely on the librpm default).

Testing confirms that this approach works:
ID="$(podman create registry.fedoraproject.org/fedora:38)" && DIR="$(podman mount $ID)" && rpm --root "$DIR" --dbpath=/var/lib/rpm -q bash && podman rm -f "$ID" returns bash-5.2.15-3.fc38.x86_64 demonstrating that --dbpath=/var/lib/rpm works for fedora 38.

I think this would be implemented by adding:

rpmPushMacro(NULL, "_dbpath", NULL, "/var/lib/rpm", RMIL_CMDLINE);

at appropriate locations.
As that's how the rpm cli implements setting the dbpath: https://github.com/rpm-software-management/rpm/blob/rpm-4.18.0-release/lib/poptALL.c#L158
This is also how Fedora changed the default: https://src.fedoraproject.org/rpms/rpm/c/0b9f813cd529a1fc7c1336e62d82b90c81f517f1?branch=f36

Conclusion

I think option 3 is the easiest, most maintainable and therefore best option.