Hello everybody,
Historically, this project uses one profile that is intended to scan both running systems and container images. Obviously, scanning of lifeless filesystems (a.k.a. offline scanning) is limited, and the machine platform has been used to control rule applicability to such environments (i.e. environments other than running bare-metal systems or VMs).
This way is cheap, a bit dirty, and the following categories of rules ended up being machine-only:
- Rules that are not applicable in containers, or rules that represent serious antipatterns (e.g. kernel-related rules, partition-related rules)
- Rules that can't be checked for in offline scans due to OVAL limitations (anything that requires the /proc filesystem)
- Rules that represent a likely antipattern (systemd in containers)
- Rules that OpenSCAP can't properly offline-scan.
It is quite clear that in case No. 4, removal of the machine platform is the right thing to do, although it is likely to cause problems elsewhere. However, it is at best questionable in case 3. For example, there is a way to determine whether we are scanning a filesystem of a systemd-powered container, and execute the check accordingly, but until all the bits are in place, removing the platform from the rule will make the situation worse for the majority of use cases.
Therefore, I suggest that we reach a consensus about what to do with those PRs, as they are making the list of open PRs difficult to navigate.
My proposal is to close all PRs that touch rules falling into categories 1-3, as those PRs don't make the situation any better.