Rule package_rsh_removed could return false positive on Ubuntu with OpenSCAP 1.4.3 #14187

@0intro

Description of problem:

Since version 1.4.3, OpenSCAP's dpkg probe is able to handle virtual packages.

This causes an issue with the package_rsh_removed rule.

The package_rsh_removed rule checks for the absence of the rsh-client package. However, the rsh-client package could either be the actual unwanted rsh-client package, or a virtual package provided by the openssh-client package.

When the openssh-client package is installed, the virtual package rsh-client is satisfied, hence triggering a false positive on the package_rsh_removed rule.

Ubuntu 20.04 and 22.04 both have the issue, since there is an actual rsh-client package present, as well as the rsh-client virtual package provided by the openssh-client package.

Ubuntu 24.04 doesn't have the issue, since the rsh-client package is not present and, while the rsh-client virtual package still exists, it's not provided by any package.

SCAP Security Guide Version:

0.1.78

Operating System Version:

Ubuntu 20.04, 22.04.
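To triage a failing package_rsh_removed result, it helps to tell a really installed rsh-client apart from one that is only satisfied through another package's `Provides:` field. The following is an added example, not code from the issue, OpenSCAP or the content project; the status excerpt is constructed in the format of `/var/lib/dpkg/status`, and the function names `parse_stanzas` and `classify` are hypothetical.

```python
import re

# Constructed excerpt in the format of /var/lib/dpkg/status (not from a real host).
SAMPLE_STATUS = """\
Package: openssh-client
Status: install ok installed
Provides: rsh-client, ssh-client

Package: rsh-client
Status: deinstall ok config-files

Package: coreutils
Status: install ok installed
"""

def parse_stanzas(text):
    """Yield one dict of field -> value per package stanza."""
    for block in re.split(r"\n\s*\n", text.strip()):
        fields, key = {}, None
        for line in block.splitlines():
            if line[:1] in (" ", "\t") and key:   # continuation of previous field
                fields[key] += "\n" + line.strip()
            elif ":" in line:
                key, _, value = line.partition(":")
                fields[key] = value.strip()
        yield fields

def classify(name, status_text):
    """Return (state, providers); state is 'installed', 'virtual' or 'absent'."""
    real, providers = False, []
    for pkg in parse_stanzas(status_text):
        # Only fully installed packages count; skip removed/config-files entries.
        if pkg.get("Status", "").split()[-1:] != ["installed"]:
            continue
        if pkg.get("Package") == name:
            real = True
        # Provides entries may carry a version, e.g. "foo (= 1.0)".
        provided = [p.split("(")[0].strip() for p in pkg.get("Provides", "").split(",")]
        if name in provided:
            providers.append(pkg["Package"])
    if real:
        return ("installed", providers)
    return ("virtual", providers) if providers else ("absent", [])

if __name__ == "__main__":
    print(classify("rsh-client", SAMPLE_STATUS))
```

A result of `virtual` for rsh-client with openssh-client as the provider corresponds to the false positive described above; `installed` means the unwanted package is really present.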

Labels: Debian, Ubuntu, triaged
