Add runtime SSHD config checking for OpenShift

Add runtime SSHD config checking for OpenShift compliance operatorThe compliance operator fetches runtime SSHD config from the cluster andfeeds it to the scanner before scans. Adds `sshd_runtime_check` option(default: false, true for RHCOS4), updates OVAL macros, and sets default

Author: Vincent056

products/rhcos4/product.yml

@@ -20,6 +20,9 @@ groups:
 
 sshd_distributed_config: "true"
 
+# Enable runtime sshd configuration checking for compliance operator scans
+sshd_runtime_check: "true"
+
 cpes_root: "../../shared/applicability"
 cpes:
   - rhcos4:

shared/macros/10-oval.jinja

@@ -1033,9 +1033,10 @@ Generates the :code:`<affected>` tag for OVAL check using correct product platfo
 :type datatype: str
 
 #}}
-{{%- macro sshd_oval_check(parameter, value, missing_parameter_pass, config_is_distributed, xccdf_variable="", datatype="", rule_id=None, rule_title=None) -%}}
+{{%- macro sshd_oval_check(parameter, value, missing_parameter_pass, config_is_distributed, runtime_check="false", xccdf_variable="", datatype="", rule_id=None, rule_title=None) -%}}
 {{%- set sshd_config_path = "/etc/ssh/sshd_config" %}}
 {{%- set sshd_config_dir = "/etc/ssh/sshd_config.d" -%}}
+{{%- set sshd_runtime_path = "/etc/compliance-operator/runtime/sshd_effective_config" -%}}
 {{%- if xccdf_variable -%}}
 {{%- set description = "Ensure '" ~ parameter ~ "' is configured with value configured in " ~ xccdf_variable ~ " variable in " ~ sshd_config_path %}}
 {{%- else -%}}
@@ -1071,19 +1072,30 @@ Generates the :code:`<affected>` tag for OVAL check using correct product platfo
         <extend_definition comment="rpm package openssh-server installed"
           definition_ref="package_openssh-server_installed" />
         {{% endif %}}
-        <criteria comment="sshd is configured correctly" operator="AND">
-          <criteria comment="the configuration is correct if it exists" operator="AND">
-            {{{- oval_line_in_file_criterion(sshd_config_path, parameter, avoid_conflicting=true, rule_id=rule_id) | indent(10)}}}
-            {{%- if config_is_distributed == "true" %}}
-            {{{- oval_line_in_directory_criterion(sshd_config_dir, parameter, avoid_conflicting=true, rule_id=rule_id) | indent(10) }}}
+        <criteria comment="sshd is configured correctly" operator="OR">
+          {{%- if runtime_check == "true" %}}
+          <criteria comment="runtime configuration exists and is correct" operator="AND">
+            <criterion comment="runtime config file exists" test_ref="test_runtime_config_present_{{{ rule_id }}}" />
+            <criterion comment="runtime config matches expected value" test_ref="test_runtime_{{{ parameter }}}_{{{ rule_id }}}" />
+          </criteria>
+          {{%- endif %}}
+          <criteria comment="static configuration is correct (when runtime config doesn't exist or runtime check disabled)" operator="AND">
+            {{%- if runtime_check == "true" %}}
+            <criterion comment="runtime config file does not exist" test_ref="test_runtime_config_absent_{{{ rule_id }}}" />
             {{%- endif %}}
-            {{% if product in ["ol8", "ol9"] %}}
-            {{{- oval_line_in_file_criterion("sshd_config included", parameter, id_stem=rule_id ~ "_sshd_included_files", avoid_conflicting=true, rule_id=rule_id) | indent(10)}}}
+            <criteria comment="the configuration is correct if it exists" operator="AND">
+              {{{- oval_line_in_file_criterion(sshd_config_path, parameter, avoid_conflicting=true, rule_id=rule_id) | indent(12)}}}
+              {{%- if config_is_distributed == "true" %}}
+              {{{- oval_line_in_directory_criterion(sshd_config_dir, parameter, avoid_conflicting=true, rule_id=rule_id) | indent(12) }}}
+              {{%- endif %}}
+              {{% if product in ["ol8", "ol9"] %}}
+              {{{- oval_line_in_file_criterion("sshd_config included", parameter, id_stem=rule_id ~ "_sshd_included_files", avoid_conflicting=true, rule_id=rule_id) | indent(12)}}}
+              {{% endif %}}
+            </criteria>
+            {{%- if not missing_parameter_pass %}}
+            <criterion comment="the configuration exists" test_ref="test_{{{ parameter }}}_present_{{{ rule_id }}}" />
             {{% endif %}}
           </criteria>
-          {{%- if not missing_parameter_pass %}}
-          <criterion comment="the configuration exists" test_ref="test_{{{ parameter }}}_present_{{{ rule_id }}}" />
-          {{% endif %}}
         </criteria>
       </criteria>
     </criteria>
@@ -1162,6 +1174,55 @@ Generates the :code:`<affected>` tag for OVAL check using correct product platfo
   </ind:textfilecontent54_test>
 
   {{% endif %}}
+
+  {{%- if runtime_check == "true" %}}
+  <!-- Runtime configuration checks -->
+  <ind:textfilecontent54_test id="test_runtime_config_absent_{{{ rule_id }}}" version="1"
+                              check="none satisfy" check_existence="none_exist"
+                              comment="Check if runtime config file exists">
+    <ind:object object_ref="obj_runtime_config_file_{{{ rule_id }}}" />
+  </ind:textfilecontent54_test>
+
+  <ind:textfilecontent54_test id="test_runtime_config_present_{{{ rule_id }}}" version="1"
+                              check="all" check_existence="at_least_one_exists"
+                              comment="Check if runtime config file exists">
+    <ind:object object_ref="obj_runtime_config_file_{{{ rule_id }}}" />
+  </ind:textfilecontent54_test>
+
+  <ind:textfilecontent54_object id="obj_runtime_config_file_{{{ rule_id }}}" version="1">
+    <ind:filepath>{{{ sshd_runtime_path }}}</ind:filepath>
+    <ind:pattern operation="pattern match">.*</ind:pattern>
+    <ind:instance datatype="int">1</ind:instance>
+  </ind:textfilecontent54_object>
+
+  <ind:textfilecontent54_test id="test_runtime_{{{ parameter }}}_{{{ rule_id }}}" version="1"
+                              check="all" check_existence="at_least_one_exists"
+                              comment="Check runtime {{{ parameter }}} value">
+    <ind:object object_ref="obj_runtime_{{{ parameter }}}_{{{ rule_id }}}" />
+    {{%- if xccdf_variable -%}}
+    <ind:state state_ref="state_runtime_{{{ parameter }}}_{{{ rule_id }}}_xccdf" />
+    {{%- else -%}}
+    <ind:state state_ref="state_runtime_{{{ parameter }}}_{{{ rule_id }}}" />
+    {{%- endif -%}}
+  </ind:textfilecontent54_test>
+
+  <ind:textfilecontent54_object id="obj_runtime_{{{ parameter }}}_{{{ rule_id }}}" version="1">
+    <ind:filepath>{{{ sshd_runtime_path }}}</ind:filepath>
+    <ind:pattern operation="pattern match">^[\s]*{{{ parameter | lower }}}[\s]+(.*)$</ind:pattern>
+    <ind:instance datatype="int">1</ind:instance>
+  </ind:textfilecontent54_object>
+
+  {{%- if xccdf_variable -%}}
+  <ind:textfilecontent54_state id="state_runtime_{{{ parameter }}}_{{{ rule_id }}}_xccdf" version="1">
+    <ind:subexpression operation="equals" datatype="{{{ datatype }}}" var_ref="{{{ xccdf_variable }}}" />
+  </ind:textfilecontent54_state>
+  {{%- else -%}}
+  <ind:textfilecontent54_state id="state_runtime_{{{ parameter }}}_{{{ rule_id }}}" version="1">
+    <ind:subexpression operation="{{{ 'pattern match' if datatype == 'string' else 'equals' }}}" datatype="{{{ datatype }}}">{{{ value }}}</ind:subexpression>
+  </ind:textfilecontent54_state>
+  {{%- endif -%}}
+  {{%- endif %}}
+
 </def-group>
 {{%- endmacro %}}
 

shared/templates/sshd_lineinfile/oval.template

@@ -1,5 +1,5 @@
 {{%- if XCCDF_VARIABLE -%}}
-{{{ sshd_oval_check(parameter=PARAMETER, xccdf_variable=XCCDF_VARIABLE, missing_parameter_pass=MISSING_PARAMETER_PASS, config_is_distributed=sshd_distributed_config, datatype=DATATYPE, rule_id=rule_id, rule_title=rule_title) }}}
+{{{ sshd_oval_check(parameter=PARAMETER, xccdf_variable=XCCDF_VARIABLE, missing_parameter_pass=MISSING_PARAMETER_PASS, config_is_distributed=sshd_distributed_config, runtime_check=sshd_runtime_check, datatype=DATATYPE, rule_id=rule_id, rule_title=rule_title) }}}
 {{%- else -%}}
-{{{ sshd_oval_check(parameter=PARAMETER, value=VALUE, missing_parameter_pass=MISSING_PARAMETER_PASS, config_is_distributed=sshd_distributed_config, datatype=DATATYPE, rule_id=rule_id, rule_title=rule_title) }}}
+{{{ sshd_oval_check(parameter=PARAMETER, value=VALUE, missing_parameter_pass=MISSING_PARAMETER_PASS, config_is_distributed=sshd_distributed_config, runtime_check=sshd_runtime_check, datatype=DATATYPE, rule_id=rule_id, rule_title=rule_title) }}}
 {{%- endif -%}}

ssg/constants.py

@@ -462,6 +462,7 @@
 DEFAULT_RSYSLOG_CAFILE = '/etc/pki/tls/cert.pem'
 DEFAULT_FAILLOCK_PATH = '/var/run/faillock'
 DEFAULT_SSH_DISTRIBUTED_CONFIG = 'false'
+DEFAULT_SSH_RUNTIME_CHECK = 'false'
 DEFAULT_PRODUCT = 'example'
 DEFAULT_CHRONY_CONF_PATH = '/etc/chrony.conf'
 DEFAULT_CHRONY_D_PATH = '/etc/chrony.d/'

ssg/products.py

@@ -17,6 +17,7 @@
                         DEFAULT_AUDIT_WATCHES_STYLE,
                         DEFAULT_RSYSLOG_CAFILE,
                         DEFAULT_SSH_DISTRIBUTED_CONFIG,
+                        DEFAULT_SSH_RUNTIME_CHECK,
                         DEFAULT_CHRONY_CONF_PATH,
                         DEFAULT_CHRONY_D_PATH,
                         DEFAULT_AUDISP_CONF_PATH,
@@ -108,6 +109,9 @@ def _get_implied_properties(existing_properties):
     if "sshd_distributed_config" not in existing_properties:
         result["sshd_distributed_config"] = DEFAULT_SSH_DISTRIBUTED_CONFIG
 
+    if "sshd_runtime_check" not in existing_properties:
+        result["sshd_runtime_check"] = DEFAULT_SSH_RUNTIME_CHECK
+
     if "product" not in existing_properties:
         result["product"] = DEFAULT_PRODUCT