ComplianceAsCode · Vincent056 · Nov 12, 2025 · Nov 15, 2025 · Nov 18, 2025 · Nov 18, 2025
diff --git a/products/rhcos4/product.yml b/products/rhcos4/product.yml
@@ -20,6 +20,10 @@ groups:
 
 sshd_distributed_config: "true"
 
+# Enable runtime sshd configuration checking for compliance operator scans
+# Compliance Operator fetches the result of sshd -T and stores it in a file
+sshd_runtime_check: "true"
+
 cpes_root: "../../shared/applicability"
 cpes:
   - rhcos4:

diff --git a/shared/macros/10-oval.jinja b/shared/macros/10-oval.jinja
@@ -1033,9 +1033,10 @@ Generates the :code:`<affected>` tag for OVAL check using correct product platfo
 :type datatype: str
 
 #}}
-{{%- macro sshd_oval_check(parameter, value, missing_parameter_pass, config_is_distributed, xccdf_variable="", datatype="", rule_id=None, rule_title=None) -%}}
+{{%- macro sshd_oval_check(parameter, value, missing_parameter_pass, config_is_distributed, runtime_check="false", xccdf_variable="", datatype="", rule_id=None, rule_title=None) -%}}
 {{%- set sshd_config_path = "/etc/ssh/sshd_config" %}}
 {{%- set sshd_config_dir = "/etc/ssh/sshd_config.d" -%}}
+{{%- set sshd_runtime_path = "/tmp/runtime/sshd_effective_config" -%}}
 {{%- if xccdf_variable -%}}
 {{%- set description = "Ensure '" ~ parameter ~ "' is configured with value configured in " ~ xccdf_variable ~ " variable in " ~ sshd_config_path %}}
 {{%- else -%}}
@@ -1072,18 +1073,28 @@ Generates the :code:`<affected>` tag for OVAL check using correct product platfo
           definition_ref="package_openssh-server_installed" />
         {{% endif %}}
         <criteria comment="sshd is configured correctly" operator="AND">
-          <criteria comment="the configuration is correct if it exists" operator="AND">
-            {{{- oval_line_in_file_criterion(sshd_config_path, parameter, avoid_conflicting=true, rule_id=rule_id) | indent(10)}}}
-            {{%- if config_is_distributed == "true" %}}
-            {{{- oval_line_in_directory_criterion(sshd_config_dir, parameter, avoid_conflicting=true, rule_id=rule_id) | indent(10) }}}
-            {{%- endif %}}
-            {{% if product in ["ol8", "ol9"] %}}
-            {{{- oval_line_in_file_criterion("sshd_config included", parameter, id_stem=rule_id ~ "_sshd_included_files", avoid_conflicting=true, rule_id=rule_id) | indent(10)}}}
+          {{%- if runtime_check == "true" %}}
+          <criteria comment="runtime configuration exists and is correct" operator="AND">
+            <criterion comment="runtime config file exists" test_ref="test_runtime_config_present_{{{ rule_id }}}" />
+            <criterion comment="runtime config matches expected value" test_ref="test_runtime_{{{ parameter }}}_{{{ rule_id }}}" />
+          </criteria>
+          {{%- endif %}}
+          {{%- if runtime_check != "true" %}}
+          <criteria comment="static configuration is correct" operator="AND">
+            <criteria comment="the configuration is correct if it exists" operator="AND">
+              {{{- oval_line_in_file_criterion(sshd_config_path, parameter, avoid_conflicting=true, rule_id=rule_id) | indent(12)}}}
+              {{%- if config_is_distributed == "true" %}}
+              {{{- oval_line_in_directory_criterion(sshd_config_dir, parameter, avoid_conflicting=true, rule_id=rule_id) | indent(12) }}}
+              {{%- endif %}}
+              {{% if product in ["ol8", "ol9"] %}}
+              {{{- oval_line_in_file_criterion("sshd_config included", parameter, id_stem=rule_id ~ "_sshd_included_files", avoid_conflicting=true, rule_id=rule_id) | indent(12)}}}
+              {{% endif %}}
+            </criteria>
+            {{%- if not missing_parameter_pass %}}
+            <criterion comment="the configuration exists" test_ref="test_{{{ parameter }}}_present_{{{ rule_id }}}" />
             {{% endif %}}
           </criteria>
-          {{%- if not missing_parameter_pass %}}
-          <criterion comment="the configuration exists" test_ref="test_{{{ parameter }}}_present_{{{ rule_id }}}" />
-          {{% endif %}}
+          {{%- endif %}}
         </criteria>
       </criteria>
     </criteria>
@@ -1162,6 +1173,49 @@ Generates the :code:`<affected>` tag for OVAL check using correct product platfo
   </ind:textfilecontent54_test>
 
   {{% endif %}}
+
+  {{%- if runtime_check == "true" %}}
+  <!-- Runtime configuration checks -->
+  <ind:textfilecontent54_test id="test_runtime_config_present_{{{ rule_id }}}" version="1"
+                              check="all" check_existence="at_least_one_exists"
+                              comment="Check if runtime config file exists">
+    <ind:object object_ref="obj_runtime_config_file_{{{ rule_id }}}" />
+  </ind:textfilecontent54_test>
+
+  <ind:textfilecontent54_object id="obj_runtime_config_file_{{{ rule_id }}}" version="1">
+    <ind:filepath>{{{ sshd_runtime_path }}}</ind:filepath>
+    <ind:pattern operation="pattern match">.*</ind:pattern>
+    <ind:instance datatype="int">1</ind:instance>
+  </ind:textfilecontent54_object>
+
+  <ind:textfilecontent54_test id="test_runtime_{{{ parameter }}}_{{{ rule_id }}}" version="1"
+                              check="all" check_existence="at_least_one_exists"
+                              comment="Check runtime {{{ parameter }}} value">
+    <ind:object object_ref="obj_runtime_{{{ parameter }}}_{{{ rule_id }}}" />
+    {{%- if xccdf_variable -%}}
+    <ind:state state_ref="state_runtime_{{{ parameter }}}_{{{ rule_id }}}_xccdf" />
+    {{%- else -%}}
+    <ind:state state_ref="state_runtime_{{{ parameter }}}_{{{ rule_id }}}" />
+    {{%- endif -%}}
+  </ind:textfilecontent54_test>
+
+  <ind:textfilecontent54_object id="obj_runtime_{{{ parameter }}}_{{{ rule_id }}}" version="1">
+    <ind:filepath>{{{ sshd_runtime_path }}}</ind:filepath>
+    <ind:pattern operation="pattern match">^[\s]*{{{ parameter | lower }}}[\s]+(.*)$</ind:pattern>
+    <ind:instance datatype="int">1</ind:instance>
+  </ind:textfilecontent54_object>
+
+  {{%- if xccdf_variable -%}}
+  <ind:textfilecontent54_state id="state_runtime_{{{ parameter }}}_{{{ rule_id }}}_xccdf" version="1">
+    <ind:subexpression operation="equals" datatype="{{{ datatype }}}" var_ref="{{{ xccdf_variable }}}" />
+  </ind:textfilecontent54_state>
+  {{%- else -%}}
+  <ind:textfilecontent54_state id="state_runtime_{{{ parameter }}}_{{{ rule_id }}}" version="1">
+    <ind:subexpression operation="{{{ 'pattern match' if datatype == 'string' else 'equals' }}}" datatype="{{{ datatype }}}">{{{ value | lower if datatype == 'string' else value }}}</ind:subexpression>
+  </ind:textfilecontent54_state>
+  {{%- endif -%}}
+  {{%- endif %}}
+
 </def-group>
 {{%- endmacro %}}
 

diff --git a/shared/templates/sshd_lineinfile/oval.template b/shared/templates/sshd_lineinfile/oval.template
@@ -1,5 +1,5 @@
 {{%- if XCCDF_VARIABLE -%}}
-{{{ sshd_oval_check(parameter=PARAMETER, xccdf_variable=XCCDF_VARIABLE, missing_parameter_pass=MISSING_PARAMETER_PASS, config_is_distributed=sshd_distributed_config, datatype=DATATYPE, rule_id=rule_id, rule_title=rule_title) }}}
+{{{ sshd_oval_check(parameter=PARAMETER, xccdf_variable=XCCDF_VARIABLE, missing_parameter_pass=MISSING_PARAMETER_PASS, config_is_distributed=sshd_distributed_config, runtime_check=sshd_runtime_check, datatype=DATATYPE, rule_id=rule_id, rule_title=rule_title) }}}
 {{%- else -%}}
-{{{ sshd_oval_check(parameter=PARAMETER, value=VALUE, missing_parameter_pass=MISSING_PARAMETER_PASS, config_is_distributed=sshd_distributed_config, datatype=DATATYPE, rule_id=rule_id, rule_title=rule_title) }}}
+{{{ sshd_oval_check(parameter=PARAMETER, value=VALUE, missing_parameter_pass=MISSING_PARAMETER_PASS, config_is_distributed=sshd_distributed_config, runtime_check=sshd_runtime_check, datatype=DATATYPE, rule_id=rule_id, rule_title=rule_title) }}}
 {{%- endif -%}}
@@ -462,6 +462,7 @@
 DEFAULT_RSYSLOG_CAFILE = '/etc/pki/tls/cert.pem'
 DEFAULT_FAILLOCK_PATH = '/var/run/faillock'
 DEFAULT_SSH_DISTRIBUTED_CONFIG = 'false'
+DEFAULT_SSH_RUNTIME_CHECK = 'false'
 DEFAULT_PRODUCT = 'example'
 DEFAULT_CHRONY_CONF_PATH = '/etc/chrony.conf'
 DEFAULT_CHRONY_D_PATH = '/etc/chrony.d/'

@@ -17,6 +17,7 @@
                         DEFAULT_AUDIT_WATCHES_STYLE,
                         DEFAULT_RSYSLOG_CAFILE,
                         DEFAULT_SSH_DISTRIBUTED_CONFIG,
+                        DEFAULT_SSH_RUNTIME_CHECK,
                         DEFAULT_CHRONY_CONF_PATH,
                         DEFAULT_CHRONY_D_PATH,
                         DEFAULT_AUDISP_CONF_PATH,
@@ -108,6 +109,9 @@ def _get_implied_properties(existing_properties):
     if "sshd_distributed_config" not in existing_properties:
         result["sshd_distributed_config"] = DEFAULT_SSH_DISTRIBUTED_CONFIG
 
+    if "sshd_runtime_check" not in existing_properties:
+        result["sshd_runtime_check"] = DEFAULT_SSH_RUNTIME_CHECK
+
     if "product" not in existing_properties:
         result["product"] = DEFAULT_PRODUCT
 

@@ -85,6 +85,7 @@ reference_uris:
   stigref: https://www.cyber.mil/stigs/srg-stig-tools/
 rsyslog_cafile: /etc/pki/tls/cert.pem
 sshd_distributed_config: 'false'
+sshd_runtime_check: 'false'
 sysctl_remediate_drop_in_file: 'false'
 target_oval_version:
 - 5

@@ -85,6 +85,7 @@ reference_uris:
   stigref: https://www.cyber.mil/stigs/srg-stig-tools/
 rsyslog_cafile: /etc/pki/tls/cert.pem
 sshd_distributed_config: 'false'
+sshd_runtime_check: 'false'
 sysctl_remediate_drop_in_file: 'false'
 target_oval_version:
 - 5

@@ -84,6 +84,7 @@ reference_uris:
   stigref: https://www.cyber.mil/stigs/srg-stig-tools/
 rsyslog_cafile: /etc/pki/tls/cert.pem
 sshd_distributed_config: 'false'
+sshd_runtime_check: 'false'
 sysctl_remediate_drop_in_file: 'false'
 target_oval_version:
 - 5

@@ -84,6 +84,7 @@ reference_uris:
   stigref: https://www.cyber.mil/stigs/srg-stig-tools/
 rsyslog_cafile: /etc/pki/tls/cert.pem
 sshd_distributed_config: 'false'
+sshd_runtime_check: 'false'
 sysctl_remediate_drop_in_file: 'false'
 target_oval_version:
 - 5

@@ -94,6 +94,7 @@ reference_uris:
   stigref: https://www.cyber.mil/stigs/srg-stig-tools/
 rsyslog_cafile: /etc/pki/tls/cert.pem
 sshd_distributed_config: 'false'
+sshd_runtime_check: 'false'
 sysctl_remediate_drop_in_file: 'false'
 target_oval_version:
 - 5

@@ -95,6 +95,7 @@ reference_uris:
   stigref: https://www.cyber.mil/stigs/srg-stig-tools/
 rsyslog_cafile: /etc/pki/tls/cert.pem
 sshd_distributed_config: 'false'
+sshd_runtime_check: 'false'
 sysctl_remediate_drop_in_file: 'false'
 target_oval_version:
 - 5

@@ -95,6 +95,7 @@ reference_uris:
   stigref: https://www.cyber.mil/stigs/srg-stig-tools/
 rsyslog_cafile: /etc/pki/tls/cert.pem
 sshd_distributed_config: 'false'
+sshd_runtime_check: 'false'
 sysctl_remediate_drop_in_file: 'false'
 target_oval_version:
 - 5

@@ -92,6 +92,7 @@ reference_uris:
   stigref: https://www.cyber.mil/stigs/srg-stig-tools/
 rsyslog_cafile: /etc/pki/tls/cert.pem
 sshd_distributed_config: 'false'
+sshd_runtime_check: 'false'
 sysctl_remediate_drop_in_file: 'false'
 target_oval_version:
 - 5

@@ -86,6 +86,7 @@ reference_uris:
   stigref: https://www.cyber.mil/stigs/srg-stig-tools/
 rsyslog_cafile: /etc/pki/tls/cert.pem
 sshd_distributed_config: 'false'
+sshd_runtime_check: 'false'
 sysctl_remediate_drop_in_file: 'false'
 target_oval_version:
 - 5

@@ -130,6 +130,7 @@ reference_uris:
   stigref: https://www.cyber.mil/stigs/srg-stig-tools/
 rsyslog_cafile: /etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem
 sshd_distributed_config: 'true'
+sshd_runtime_check: 'false'
 sysctl_remediate_drop_in_file: 'false'
 target_oval_version:
 - 5

@@ -81,6 +81,7 @@ reference_uris:
   stigref: https://www.cyber.mil/stigs/srg-stig-tools/
 rsyslog_cafile: /etc/pki/tls/cert.pem
 sshd_distributed_config: 'false'
+sshd_runtime_check: 'false'
 sysctl_remediate_drop_in_file: 'false'
 target_oval_version:
 - 5

@@ -192,6 +192,7 @@ reference_uris:
   stigref: https://www.cyber.mil/stigs/srg-stig-tools/
 rsyslog_cafile: /etc/pki/tls/cert.pem
 sshd_distributed_config: 'false'
+sshd_runtime_check: 'false'
 sysctl_remediate_drop_in_file: 'false'
 target_oval_version:
 - 5

@@ -96,6 +96,7 @@ reference_uris:
 release_key_fingerprint: 42144123FECFC55B9086313D72F97B74EC551F03
 rsyslog_cafile: /etc/pki/tls/cert.pem
 sshd_distributed_config: 'false'
+sshd_runtime_check: 'false'
 sysctl_remediate_drop_in_file: 'false'
 target_oval_version:
 - 5

@@ -95,6 +95,7 @@ reference_uris:
 release_key_fingerprint: 76FD3DB13AB67410B89DB10E82562EA9AD986DA3
 rsyslog_cafile: /etc/pki/tls/cert.pem
 sshd_distributed_config: 'false'
+sshd_runtime_check: 'false'
 sysctl_remediate_drop_in_file: 'false'
 target_oval_version:
 - 5

@@ -99,6 +99,7 @@ reference_uris:
 release_key_fingerprint: 3E6D826D3FBAB389C2F38E34BC4D06A08D8B756F
 rsyslog_cafile: /etc/pki/tls/cert.pem
 sshd_distributed_config: 'true'
+sshd_runtime_check: 'false'
 sysctl_remediate_drop_in_file: 'false'
 target_oval_version:
 - 5

@@ -97,6 +97,7 @@ reference_uris:
   stigref: https://www.cyber.mil/stigs/srg-stig-tools/
 rsyslog_cafile: /etc/pki/tls/cert.pem
 sshd_distributed_config: 'false'
+sshd_runtime_check: 'false'
 sysctl_remediate_drop_in_file: 'false'
 target_oval_version:
 - 5

@@ -92,8 +92,9 @@ reference_uris:
   stigid: https://www.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cunix-linux
   stigref: https://www.cyber.mil/stigs/srg-stig-tools/
 rsyslog_cafile: /etc/pki/tls/cert.pem
-sshd_distributed_config: "false"
-sysctl_remediate_drop_in_file: "false"
+sshd_distributed_config: 'false'
+sshd_runtime_check: 'false'
+sysctl_remediate_drop_in_file: 'false'
 target_oval_version:
   - 5
   - 11

@@ -90,6 +90,7 @@ reference_uris:
 release_key_fingerprint: 567E347AD0044ADE55BA8A5F199E2F91FD431D51
 rsyslog_cafile: /etc/pki/tls/cert.pem
 sshd_distributed_config: 'true'
+sshd_runtime_check: 'true'
 sysctl_remediate_drop_in_file: 'false'
 target_oval_version:
 - 5

@@ -97,6 +97,7 @@ reference_uris:
 release_key_fingerprint: 567E347AD0044ADE55BA8A5F199E2F91FD431D51
 rsyslog_cafile: /etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem
 sshd_distributed_config: 'true'
+sshd_runtime_check: 'false'
 sysctl_remediate_drop_in_file: 'false'
 target_oval_version:
 - 5

@@ -147,6 +147,7 @@ reference_uris:
 release_key_fingerprint: 567E347AD0044ADE55BA8A5F199E2F91FD431D51
 rsyslog_cafile: /etc/pki/tls/cert.pem
 sshd_distributed_config: 'false'
+sshd_runtime_check: 'false'
 sysctl_remediate_drop_in_file: 'false'
 target_oval_version:
 - 5

@@ -104,6 +104,7 @@ reference_uris:
 release_key_fingerprint: 567E347AD0044ADE55BA8A5F199E2F91FD431D51
 rsyslog_cafile: /etc/pki/tls/cert.pem
 sshd_distributed_config: 'true'
+sshd_runtime_check: 'false'
 sysctl_remediate_drop_in_file: 'false'
 target_oval_version:
 - 5

@@ -95,6 +95,7 @@ reference_uris:
 release_key_fingerprint: 567E347AD0044ADE55BA8A5F199E2F91FD431D51
 rsyslog_cafile: /etc/pki/tls/cert.pem
 sshd_distributed_config: 'false'
+sshd_runtime_check: 'false'
 sysctl_remediate_drop_in_file: 'false'
 target_oval_version:
 - 5

@@ -95,6 +95,7 @@ reference_uris:
   stigref: https://www.cyber.mil/stigs/srg-stig-tools/
 rsyslog_cafile: /etc/pki/tls/cert.pem
 sshd_distributed_config: 'false'
+sshd_runtime_check: 'false'
 sysctl_remediate_drop_in_file: 'true'
 target_oval_version:
 - 5

@@ -101,6 +101,7 @@ reference_uris:
 release_key_fingerprint: FEAB502539D846DB2C0961CA70AF9E8139DB7C82
 rsyslog_cafile: /etc/pki/tls/cert.pem
 sshd_distributed_config: 'false'
+sshd_runtime_check: 'false'
 sysctl_remediate_drop_in_file: 'true'
 target_oval_version:
 - 5

@@ -103,6 +103,7 @@ reference_uris:
   stigref: https://www.cyber.mil/stigs/srg-stig-tools/
 rsyslog_cafile: /etc/pki/tls/cert.pem
 sshd_distributed_config: 'true'
+sshd_runtime_check: 'false'
 sysctl_remediate_drop_in_file: 'false'
 target_oval_version:
 - 5

@@ -104,6 +104,7 @@ reference_uris:
   stigref: https://www.cyber.mil/stigs/srg-stig-tools/
 rsyslog_cafile: /etc/pki/tls/cert.pem
 sshd_distributed_config: 'true'
+sshd_runtime_check: 'false'
 sysctl_remediate_drop_in_file: 'false'
 target_oval_version:
 - 5