sshd_disable_compression: accept both "no" and "delayed" - RHEL 9 STIG #14831

Status: Open
macko1 wants to merge 3 commits into ComplianceAsCode:master from macko1:13078_sshd_disable_compression

Conversation

macko1 (Collaborator) commented Jun 26, 2026

Description:

DISA STIG V-258002 (RHEL-09-255130) requires that sshd must not allow compression or must only allow compression after successful authentication. The Compression parameter in /etc/ssh/sshd_config accepts no (disables compression) and delayed (compresses only after authentication). Both satisfy the STIG requirement.

Systems with Compression delayed were incorrectly flagged as non-compliant because the sshd_lineinfile template generated an OVAL check with operation="equals" and var_sshd_disable_compression, forcing an exact match against no.

The fix: custom OVAL check accepts both no and delayed (regex ^(no|delayed)$). Custom bash and ansible remediations write Compression no (strictest valid value).

Rationale:

  • 8 rules in the codebase use custom OVAL, bash, and ansible to handle variables with multiple acceptable values:

    • set_password_hashing_algorithm_logindefs
    • set_password_hashing_algorithm_passwordauth
    • set_password_hashing_algorithm_systemauth
    • auditd_data_disk_error_action
    • auditd_data_disk_full_action
    • auditd_data_retention_admin_space_left_action
    • auditd_data_retention_space_left_action
    • auditd_name_format
  • The stig option name follows the convention in var_password_hashing_algorithm (cis_rhel8, cis_ubuntu2204)

  • Fixes #13078 (sshd_disable_compression only seems to check for no)

Review Hints:

Test on RHEL 9:

  1. Build and verify the generated OVAL uses pattern match with ^(no|delayed)$:
     ./build_product rhel9 -r sshd_disable_compression
     grep 'subexpression' build/rhel9/checks/oval/sshd_disable_compression.xml
  2. Build the test container image from Dockerfiles/test_suite-rhel9 (use your SSH public key):
     podman build \
         --build-arg "CLIENT_PUBLIC_KEY=$(cat <ssh_public_key>)" \
         -t ssg_test_suite \
         -f Dockerfiles/test_suite-rhel9 Dockerfiles/
  3. Run rule tests with bash remediation (SSH_ADDITIONAL_OPTIONS must point to the same key used in step 2):
     SSH_ADDITIONAL_OPTIONS="-o IdentityFile=<ssh_private_key>" \
       tests/automatus.py rule \
         --container ssg_test_suite \
         --datastream build/ssg-rhel9-ds.xml \
         --remediate-using bash \
         sshd_disable_compression
  4. Run rule tests with ansible remediation (requires a VM, not a container):
     tests/automatus.py rule \
         --libvirt qemu:///session <vm_name> \
         --datastream build/ssg-rhel9-ds.xml \
         --remediate-using ansible \
         sshd_disable_compression
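The check and remediation the description above spells out (OVAL pattern ^(no|delayed)$ on the Compression directive; bash remediation that deletes existing Compression lines and inserts "Compression no" at the top of the file) can be modelled in a few lines. The following is an added example, not ComplianceAsCode code: it emulates the check on the first effective Compression directive (sshd applies the first occurrence), emulates the remediation, and shows why the variable's raw selector "no|delayed" must never be written as a value (the CI failure quoted later in the thread). The assumptions are marked in comments: absent directive counts as a fail, the OVAL pattern is case-sensitive, and the set of values sshd accepts is a simplified stand-in for the real parser.

```python
"""Model of the sshd_disable_compression check and remediation described in the PR.

Added example; not ComplianceAsCode code. It emulates (a) the custom OVAL check
(first Compression directive must match ^(no|delayed)$) and (b) the generated bash
remediation (delete every Compression line, insert "Compression no" at the top).
"""
import re

# The OVAL pattern from the PR description. OVAL pattern matches are case-sensitive,
# so the value is compared as written (assumption: nothing lowercases it first).
ACCEPTED_VALUES = re.compile(r"^(no|delayed)$")

# sshd keywords are case-insensitive, hence the I flag, mirroring the remediation's
# sed -i "/^\s*Compression\s\+/Id".
DIRECTIVE = re.compile(r"^\s*Compression\s+(\S+)", re.IGNORECASE)

# Values OpenSSH itself accepts for Compression (simplified stand-in for sshd's parser).
SSHD_VALID_VALUES = {"yes", "no", "delayed"}


def effective_compression(config_text):
    """Return the value sshd would apply: the first non-comment Compression line wins.

    Returns None when the directive is absent.
    """
    for line in config_text.splitlines():
        stripped = line.strip()
        if not stripped or stripped.startswith("#"):
            continue
        match = DIRECTIVE.match(line)
        if match:
            return match.group(1)
    return None


def check_compression(config_text):
    """Emulate the rule's check: pass only if a Compression directive is present and
    its value matches ^(no|delayed)$. An absent directive is treated as a fail here
    (assumption; the page does not state the rule's missing-parameter behaviour)."""
    value = effective_compression(config_text)
    return value is not None and ACCEPTED_VALUES.match(value) is not None


def remediate_compression(config_text):
    """Emulate the generated bash remediation: drop every existing Compression line
    (case-insensitive, like the sed /I flag) and insert "Compression no" at BOF."""
    kept = [line for line in config_text.splitlines()
            if not re.match(r"^\s*Compression\s+", line, re.IGNORECASE)]
    return "Compression no\n" + ("\n".join(kept) + "\n" if kept else "")


def sshd_accepts_value(value):
    """Would sshd -t accept this Compression value? The variable's raw selector
    "no|delayed" is a check pattern, not a value, which is exactly what the Ansible
    validate step rejected in CI (unsupported option "no|delayed")."""
    return value.lower() in SSHD_VALID_VALUES


# Constructed sample configs (not taken from any real host).
SAMPLE_DELAYED = "Port 22\nCompression delayed\nCompression yes\n"  # first line wins
SAMPLE_YES = "Port 22\n# Compression no\ncompression yes\n"         # comment ignored
SAMPLE_MISSING = "Port 22\n"


def demo():
    """Run the check before and after remediation on the samples.

    Returns {name: (passes_before, value_after_remediation, passes_after)}.
    """
    results = {}
    for name, cfg in (("delayed", SAMPLE_DELAYED), ("yes", SAMPLE_YES),
                      ("missing", SAMPLE_MISSING)):
        before = check_compression(cfg)
        fixed = remediate_compression(cfg)
        results[name] = (before, effective_compression(fixed), check_compression(fixed))
    return results


if __name__ == "__main__":
    for name, (before, value_after, after) in demo().items():
        print(f"{name:8s} passes before={before!s:5s} "
              f"after remediation: Compression {value_after} -> passes={after}")
    print("sshd accepts 'no|delayed' as a value?", sshd_accepts_value("no|delayed"))
```

The "delayed" sample passes the check untouched, yet remediation still rewrites it to "no"; that is the behaviour the hardcoded value in this PR produces, and it is only reached on a failing system when a scanner drives the bash fix, but an unconditional Ansible run would apply it regardless.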

@openshift-ci openshift-ci Bot added the do-not-merge/work-in-progress Used by openshift-ci bot. label Jun 26, 2026
openshift-ci Bot commented Jun 26, 2026

Skipping CI for Draft Pull Request.
If you want CI signal for your change, please convert it to an actual PR.
You can still manually trigger a test run with /test all

@macko1 macko1 force-pushed the 13078_sshd_disable_compression branch from eb216f4 to 20d65c5 Compare June 26, 2026 16:30
@Mab879 Mab879 added this to the 0.1.82 milestone Jun 26, 2026
@macko1 macko1 force-pushed the 13078_sshd_disable_compression branch 3 times, most recently from 69fdd62 to e95c01f Compare June 29, 2026 12:40
@macko1 macko1 marked this pull request as ready for review June 29, 2026 13:24
@openshift-ci openshift-ci Bot removed the do-not-merge/work-in-progress Used by openshift-ci bot. label Jun 29, 2026
Mab879 (Member) commented Jun 29, 2026

Please adjust the title to remove DRAFT from the title, if ready for review.

@jan-cerny jan-cerny self-assigned this Jun 30, 2026
jan-cerny (Collaborator) commented

@macko1 The CI failure on CentOS 9 with Ansible looks legit; the test /hardening/host-os/ansible/stig fails with this message:

2026-06-29 14:01:01 test.py:36: lib.results.report_plain:205: FAIL playbook: Insert correct line to /etc/ssh/sshd_config.d/00-complianceascode-hardening.conf ({"changed": false, "msg": "failed to validate: rc:255 error:/root/.ansible/tmp/ansible-tmp-1782741659.9151416-34613-6065194520285/tmpx1erwkpr line 1: unsupported option \"no|delayed\".\r\n"})

@macko1 macko1 changed the title DRAFT: sshd_disable_compression: accept both "no" and "delayed" sshd_disable_compression: accept both "no" and "delayed" Jun 30, 2026
macko1 (Collaborator, Author) commented Jun 30, 2026

Please adjust the title to remove DRAFT from the title, if ready for review.

#14831 (comment) - I thought that the 'Merge request ready' event would remove the 'draft' from the title; I didn't double-check. (iirc GitLab does this)

Apparently not. Fixed @Mab879, thanks for the heads-up.

@jan-cerny I'll take a look, thanks.

jan-cerny (Collaborator) commented on shared/templates/sshd_lineinfile/template.py (thread outdated)

IIUC it isn't now needed to add/remove DRAFT word to the title anymore because they started to add gray/color item both in the PR and in the list of PRs automatically.

@macko1 macko1 force-pushed the 13078_sshd_disable_compression branch from e95c01f to 6ad1338 Compare June 30, 2026 15:56
github-actions Bot commented Jun 30, 2026

This datastream diff is auto generated by the check Compare DS/Generate Diff

bash remediation for rule 'xccdf_org.ssgproject.content_rule_sshd_disable_compression' differs.
--- xccdf_org.ssgproject.content_rule_sshd_disable_compression
+++ xccdf_org.ssgproject.content_rule_sshd_disable_compression
@@ -1,7 +1,8 @@
 # Remediation is applicable only in certain platforms
 if rpm --quiet -q kernel-core; then
 
-var_sshd_disable_compression=''
+# Same metadata as other sshd_lineinfile rules (e.g. sshd_set_idle_timeout).
+
 
 if [ -e "/etc/ssh/sshd_config" ] ; then
     LC_ALL=C sed -i "/^\s*Compression\s\+/Id" "/etc/ssh/sshd_config"
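Review bot: The added line `# Same metadata as other sshd_lineinfile rules (e.g. sshd_set_idle_timeout).` is a note for template maintainers, but it is emitted into the generated remediation script in place of the removed `var_sshd_disable_compression=''` assignment, leaving two blank lines behind it. Since bash/shared.sh is rendered by the build (it calls the `{{{ bash_sshd_remediation(...) }}}` macro), write the note as a Jinja comment (`{{# ... #}}`) so it stays in the source file and out of the datastream.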
@@ -13,7 +14,7 @@
 
 cp "/etc/ssh/sshd_config" "/etc/ssh/sshd_config.bak"
 # Insert at the beginning of the file
-printf '%s\n' "Compression $var_sshd_disable_compression" > "/etc/ssh/sshd_config"
+printf '%s\n' "Compression no" > "/etc/ssh/sshd_config"
 cat "/etc/ssh/sshd_config.bak" >> "/etc/ssh/sshd_config"
 # Clean up after ourselves.
 rm "/etc/ssh/sshd_config.bak"
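Review bot: `printf '%s\n' "Compression no"` hardcodes the value, so the remediation no longer follows var_sshd_disable_compression at all; that matches the "strictest valid value" intent in the description, but the rule description and the variable's `stig` option should say so, because a profile author reading `no|delayed` might expect the remediation to preserve a `delayed` that is already present. The preceding `sed -i "/^\s*Compression\s\+/Id"` also removes a compliant `Compression delayed` line before `no` is inserted, which is only harmless because the scanner runs this bash fix solely on systems that failed the check.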

ansible remediation for rule 'xccdf_org.ssgproject.content_rule_sshd_disable_compression' differs.
--- xccdf_org.ssgproject.content_rule_sshd_disable_compression
+++ xccdf_org.ssgproject.content_rule_sshd_disable_compression
@@ -14,11 +14,6 @@
   - no_reboot_needed
   - restrict_strategy
   - sshd_disable_compression
-- name: XCCDF Value var_sshd_disable_compression # promote to variable
-  set_fact:
-    var_sshd_disable_compression: !!str 
-  tags:
-    - always
 
 - name: Disable Compression Or Set Compression to delayed
   block:
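Review bot: Dropping the `XCCDF Value var_sshd_disable_compression` set_fact task is consistent with the bash side, but the removed rendering shows `var_sshd_disable_compression: !!str ` with an empty value, i.e. no value was selected for the variable in this datastream build. Confirm that the new `stig` option is actually selected in the RHEL 9 and OL 9 STIG profiles and that nothing else in the playbook still references the fact; the only remaining use visible in this diff is the lineinfile `line:` that the next hunk replaces.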
@@ -46,7 +41,7 @@
       path: /etc/ssh/sshd_config
       create: true
       regexp: (?i)(?i)^\s*Compression\s+
-      line: Compression {{ var_sshd_disable_compression }}
+      line: Compression no
       state: present
       insertbefore: BOF
       validate: /usr/sbin/sshd -t -f %s
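Review bot: The `validate: /usr/sbin/sshd -t -f %s` step is what surfaced the CI failure quoted earlier in the thread (`unsupported option "no|delayed"`): the variable's raw `no|delayed` selector is a check pattern, not a value sshd accepts, so replacing it with `line: Compression no` is the right fix. Two follow-ups: the regexp `(?i)(?i)^\s*Compression\s+` carries a duplicated inline flag (harmless for Python's re, but it should be emitted once, likely in the template rather than here), and because this task runs unconditionally, a host already at the compliant `Compression delayed` will be rewritten to `no`; that deserves a sentence in the rule description.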

@macko1 macko1 force-pushed the 13078_sshd_disable_compression branch 2 times, most recently from 8ac12fc to 43846df Compare June 30, 2026 16:45

jan-cerny (Collaborator) left a review comment

I have reviewed the code and executed Automatus TSs locally on a RHEL 9 VM back end.

jan-cerny (Collaborator) commented

@ComplianceAsCode/oracle-maintainers PTAL whether the new variable selection is OK for OL 9 STIG.

@macko1 macko1 marked this pull request as draft July 1, 2026 09:12
@openshift-ci openshift-ci Bot added the do-not-merge/work-in-progress Used by openshift-ci bot. label Jul 1, 2026
@macko1 macko1 force-pushed the 13078_sshd_disable_compression branch from 43846df to fa5ab23 Compare July 1, 2026 10:07
@macko1 macko1 changed the title sshd_disable_compression: accept both "no" and "delayed" sshd_disable_compression: accept both "no" and "delayed" - RHEL 9 STIG Jul 1, 2026
macko1 added 3 commits July 1, 2026 13:17
DISA STIG V-258002 allows Compression in /etc/ssh/sshd_config
to be set to "no" or "delayed". The rule only accepted "no".

Add custom OVAL, bash, and ansible remediations:
- oval/shared.xml: check with value="(no|delayed)" (pattern match)
- bash/shared.sh: remediation writes "no" (strictest valid value)
- ansible/shared.yml: remediation writes "no"
- tests/delayed_value.pass.sh: verify "delayed" passes

Add "stig" option with value "no|delayed" to
var_sshd_disable_compression.var. Update RHEL 9 and OL9 STIG
controls to select var_sshd_disable_compression=stig.
"delayed" is now a valid value for sshd_disable_compression.
"yes" is always invalid per DISA STIG V-258002.
@macko1 macko1 force-pushed the 13078_sshd_disable_compression branch from fa5ab23 to 2462b41 Compare July 1, 2026 11:17
Review comment thread on the rule's bash/shared.sh (excerpt of the reviewed lines):

# disruption = low
# Same metadata as other sshd_lineinfile rules (e.g. sshd_set_idle_timeout).

{{{ bash_sshd_remediation(parameter="Compression", value="no", config_is_distributed=sshd_distributed_config, config_basename="00-complianceascode-hardening.conf", rule_id=rule_id) }}}

macko1 (Collaborator, Author) commented:

@jan-cerny Are we OK with the hardcoded 'value="no"' here and in the ansible remediation?

Other rules instantiate the variables and then extract the correct value. Having explicit 'no' looks better IMHO, even though it breaks the pattern.

@macko1 macko1 marked this pull request as ready for review July 1, 2026 12:51
@openshift-ci openshift-ci Bot removed the do-not-merge/work-in-progress Used by openshift-ci bot. label Jul 1, 2026
macko1 (Collaborator, Author) commented Jul 2, 2026

/retest

openshift-ci Bot commented Jul 2, 2026

@macko1: The following tests failed, say /retest to rerun all failed tests or /retest-required to rerun all mandatory failed tests:

Test name                                  Commit   Required  Rerun command
ci/prow/4.19-images                        2462b41  true      /test 4.19-images
ci/prow/e2e-aws-openshift-node-compliance  2462b41  true      /test e2e-aws-openshift-node-compliance



Linked issue this pull request may close: sshd_disable_compression only seems to check for no (#13078)
