DRAFT: sshd_disable_compression: accept both "no" and "delayed"#14831

Open
macko1 wants to merge 3 commits into ComplianceAsCode:master from macko1:13078_sshd_disable_compression

Conversation

@macko1 macko1 commented Jun 26, 2026


sshd_disable_compression: accept both "no" and "delayed"

Description:

Allow sshd_disable_compression to accept both no and delayed.

DISA STIG V-258002 (RHEL-09-255130) requires that sshd must not allow compression or must only allow compression after successful authentication. The Compression parameter in /etc/ssh/sshd_config controls this:

  • Compression no -- disables compression entirely
  • Compression delayed -- compresses only after authentication
  • Both satisfy the STIG requirement

The problem:

  • Systems with Compression delayed were incorrectly flagged as non-compliant
  • The oval_line_in_file_state_xccdf_variable macro in shared/macros/10-oval.jinja hardcoded operation="equals", forcing an exact match against the single value selected by the RHEL 9 STIG profile (var_sshd_disable_compression=no)

The fix:

  1. Add operation parameter to the OVAL Jinja macros in shared/macros/10-oval.jinja:
    • oval_line_in_file_state_xccdf_variable
    • sshd_oval_check
    • sshd_oval_check_usr
    • Defaults to "equals" so existing rules are unaffected
  2. Update shared/templates/sshd_lineinfile/oval.template and template.py to pass operation to the macros
  3. Set operation: "pattern match" in sshd_disable_compression/rule.yml so the OVAL check treats var_sshd_disable_compression as a regex
  4. Add a stig option (no|delayed) to var_sshd_disable_compression.var
  5. Update RHEL 9 and OL9 STIG controls to select var_sshd_disable_compression=stig
  6. Add sshd_disable_compression/tests/delayed_value.pass.sh -- sets Compression delayed and verifies the OVAL check passes

Notes:

  • Remediation is unchanged -- sets Compression no (strictest valid value)
  • sshd_oval_check_usr (used by SLE16) gets the operation parameter so sshd_oval_check and sshd_oval_check_usr have the same interface. No SLE16 rule uses operation="pattern match" today, but oval.template passes operation to both macros
  • Both macros are reformatted with comments
  • shared/templates/sshd_lineinfile/oval.template is simplified:
    • Previously had 4 branches (2x2 matrix: product x XCCDF_VARIABLE)
    • Now passes both value and xccdf_variable to the macro -- the macro checks which one is set and uses it
    • Reduces to 2 branches (product only)

Rationale:

  • Adding operation to the macro lets individual rules override the comparison operator to "pattern match" -- the variable value is treated as a regex (no|delayed matches either)

  • The variable option is named stig following the convention in var_password_hashing_algorithm (cis_rhel8, cis_ubuntu2204 -- named after the profile)

  • operation="pattern match" with var_ref is already used by:

    • banner_etc_issue
    • set_password_hashing_algorithm
    • pam_faillock
    • grub2_bootloader_argument template
  • Fixes #13078: "sshd_disable_compression only seems to check for no"

Review Hints:

Build and verify the generated OVAL uses pattern match:

./build_product rhel9 -r sshd_disable_compression
grep 'operation=.*var_ref.*sshd_disable_compression' build/rhel9/checks/oval/sshd_disable_compression.xml

Run rule tests in a container:

SSH_ADDITIONAL_OPTIONS="-o IdentityFile=~/.ssh/id_ed25519" \
  tests/automatus.py rule \
    --container localhost/ssg_test_suite \
    --datastream build/ssg-rhel9-ds.xml \
    --remediate-using bash \
    --make-applicable-in-containers \
    --remove-platforms \
    sshd_disable_compression

All sshd_disable_compression rule tests and sshd_lineinfile template tests pass locally (tested in a UBI 9 container using Automatus), including delayed_value.pass.sh.

To verify other sshd rules are unaffected, run the full template test:

SSH_ADDITIONAL_OPTIONS="-o IdentityFile=~/.ssh/id_ed25519" \
  tests/automatus.py template \
    --container localhost/ssg_test_suite \
    --datastream build/ssg-rhel9-ds.xml \
    --remediate-using bash \
    --make-applicable-in-containers \
    --remove-platforms \
    sshd_lineinfile

Failed CI runs (pre-existing, unrelated to this PR):

  • Yaml Lint on Changed yaml files: key-duplicates on sshd_disable_compression/rule.yml line 54
    • The Jinja conditional {{% if product == "ol7" %}} platform: ... {{% elif product == "sle12" %}} platform: ... generates two platform: YAML keys in the raw file
    • yamllint reads the file before Jinja rendering and sees both keys at once
    • Pre-existing -- this conditional was in rule.yml before this PR
  • Run Tests (RHEL 8): Couldn't install required packages: crypto-policies-scripts,audit
    • This PR does not change any RHEL 8 content
    • The RHEL 8 test container cannot install crypto-policies-scripts and audit packages (stale or missing repos)
    • These packages are test dependencies for other rules, not sshd_disable_compression
  • Red Hat Konflux / compliance-operator-dev-enterprise-contract: supply chain security check for the compliance operator container image (SLSA provenance, trusted build tasks, CVE scans). Tests the container build pipeline, not ComplianceAsCode content rules.
  • testing-farm:centos-stream-9-x86_64:contest-ansible, contest-oscap, contest-other:
    • Runs Contest on real CentOS Stream 9 VMs on Testing Farm (Red Hat's shared CI), triggered by Packit
    • Failures are Testing Farm infrastructure issues (VM provisioning, network), not caused by this PR
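The before/after behaviour the description walks through, as an added example that is not part of this PR or of the ComplianceAsCode code base: a small Python model of the sshd_lineinfile OVAL check. The directive regex, the unanchored "pattern match" semantics and the sample sshd_config snippets are assumptions made for illustration, not the project's macro.

```python
import re
from typing import Optional

# Constructed sshd_config snippets used as sample input (not from the PR or the project).
CONFIGS = {
    "no": "# hardened host\nCompression no\n",
    "delayed": "Compression delayed\n",
    "yes": "Compression yes\n",
    "missing": "X11Forwarding no\n",
    "commented": "#Compression no\n",
}

# Hypothetical stand-in for the sshd_lineinfile OVAL object: the first uncommented
# line starting with the keyword (sshd keywords are case-insensitive), capturing the
# value up to end of line or a trailing comment.
DIRECTIVE_RE = re.compile(r"^[ \t]*(?i:compression)[ \t]+(.+?)[ \t]*(?:$|#)", re.M)


def compression_value(sshd_config: str) -> Optional[str]:
    """Return the value of the Compression directive, or None when it is absent."""
    m = DIRECTIVE_RE.search(sshd_config)
    return m.group(1) if m else None


def oval_compare(actual: Optional[str], expected: str, operation: str = "equals") -> bool:
    """Model the OVAL state comparison emitted for the XCCDF variable.

    "equals" is an exact string comparison; "pattern match" treats the variable
    value as a regex, applied here as an unanchored search (an assumption about
    the interpreter's behaviour).
    """
    if actual is None:
        return False  # no item collected, so the state cannot be satisfied
    if operation == "equals":
        return actual == expected
    if operation == "pattern match":
        return re.search(expected, actual) is not None
    raise ValueError(f"unsupported OVAL operation: {operation}")


def evaluate(sshd_config: str, var_value: str, operation: str) -> bool:
    return oval_compare(compression_value(sshd_config), var_value, operation)


# Before the PR: var_sshd_disable_compression=no compared with operation="equals".
BEFORE = {name: evaluate(cfg, "no", "equals") for name, cfg in CONFIGS.items()}
# After the PR: the stig option (no|delayed) compared with operation="pattern match".
AFTER = {name: evaluate(cfg, "no|delayed", "pattern match") for name, cfg in CONFIGS.items()}
```

Only the "delayed" snippet changes verdict between BEFORE and AFTER; "yes", a missing directive and a commented-out directive stay non-compliant under both operations.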

@openshift-ci openshift-ci Bot added the do-not-merge/work-in-progress Used by openshift-ci bot. label Jun 26, 2026
@openshift-ci

openshift-ci Bot commented Jun 26, 2026


Skipping CI for Draft Pull Request.
If you want CI signal for your change, please convert it to an actual PR.
You can still manually trigger a test run with /test all

@macko1 macko1 force-pushed the 13078_sshd_disable_compression branch from eb216f4 to 20d65c5 on June 26, 2026 16:30
@Mab879 Mab879 added this to the 0.1.82 milestone Jun 26, 2026
Add `operation` parameter (default "equals") to the
`oval_line_in_file_state_xccdf_variable`,
`oval_line_in_directory_state_xccdf_variable`, `sshd_oval_check`,
and `sshd_oval_check_usr` OVAL Jinja macros in
`shared/macros/10-oval.jinja`.

`sshd_oval_check_usr` (used by SLE16) gets the parameter so
`sshd_oval_check` and `sshd_oval_check_usr` have the same
interface -- `oval.template` passes `operation` to both.

Reformat `sshd_oval_check` and `sshd_oval_check_usr` with
comments.
@macko1 macko1 force-pushed the 13078_sshd_disable_compression branch 2 times, most recently from 02ec17a to 69fdd62 on June 29, 2026 12:07
macko1 added 2 commits June 29, 2026 14:40
`shared/templates/sshd_lineinfile/oval.template` had 4 branches
(2x2 matrix: product x XCCDF_VARIABLE). Pass both `value` and
`xccdf_variable` to `sshd_oval_check` and `sshd_oval_check_usr`
-- each macro already checks which parameter is set. Reduces
`oval.template` to 2 branches (product only).

`shared/templates/sshd_lineinfile/template.py`:
- Default `operation` to "equals" when a rule does not set it
- Default `value` and `xccdf_variable` to "" so `oval.template`
  can pass both without relying on Jinja's silent undefined
  behavior

DISA STIG V-258002 allows the `Compression` parameter in
`/etc/ssh/sshd_config` to be set to "no" or "delayed". The
RHEL 9 STIG profile selected `var_sshd_disable_compression=no`,
and the OVAL state used `operation="equals"`, so systems with
`Compression delayed` were flagged as non-compliant.

Add a `stig` option (`no|delayed`) to
`var_sshd_disable_compression.var` and set `operation` to
`"pattern match"` in `sshd_disable_compression/rule.yml` so the
OVAL check treats the variable value as a regex. Update RHEL 9
and OL9 STIG controls to select
`var_sshd_disable_compression=stig`. Add
`sshd_disable_compression/tests/delayed_value.pass.sh`.

Named `stig` following the convention in
`var_password_hashing_algorithm` (`cis_rhel8`, `cis_ubuntu2204`).
@macko1 macko1 force-pushed the 13078_sshd_disable_compression branch from 69fdd62 to e95c01f on June 29, 2026 12:40
@macko1 macko1 marked this pull request as ready for review June 29, 2026 13:24
@openshift-ci openshift-ci Bot removed the do-not-merge/work-in-progress Used by openshift-ci bot. label Jun 29, 2026
Development

Successfully merging this pull request may close these issues.

sshd_disable_compression only seems to check for no

2 participants