Add runtime SSHD config checking for OpenShift

Add runtime SSHD config checking for OpenShift compliance operatorThe compliance operator fetches runtime SSHD config from the cluster andfeeds it to the scanner before scans. Adds `sshd_runtime_check` option(default: false, true for RHCOS4), updates OVAL macros, and sets default

Author: Vincent056

products/rhcos4/product.yml

@@ -20,6 +20,9 @@ groups:
 
 sshd_distributed_config: "true"
 
+# Enable runtime sshd configuration checking for compliance operator scans
+sshd_runtime_check: "true"
+
 cpes_root: "../../shared/applicability"
 cpes:
   - rhcos4:

shared/macros/10-oval.jinja

@@ -1033,9 +1033,10 @@ Generates the :code:`<affected>` tag for OVAL check using correct product platfo
 :type datatype: str
 
 #}}
-{{%- macro sshd_oval_check(parameter, value, missing_parameter_pass, config_is_distributed, xccdf_variable="", datatype="", rule_id=None, rule_title=None) -%}}
+{{%- macro sshd_oval_check(parameter, value, missing_parameter_pass, config_is_distributed, runtime_check="false", xccdf_variable="", datatype="", rule_id=None, rule_title=None) -%}}
 {{%- set sshd_config_path = "/etc/ssh/sshd_config" %}}
 {{%- set sshd_config_dir = "/etc/ssh/sshd_config.d" -%}}
+{{%- set sshd_runtime_path = "/etc/compliance-operator/runtime/sshd_effective_config" -%}}
 {{%- if xccdf_variable -%}}
 {{%- set description = "Ensure '" ~ parameter ~ "' is configured with value configured in " ~ xccdf_variable ~ " variable in " ~ sshd_config_path %}}
 {{%- else -%}}
@@ -1081,6 +1082,12 @@ Generates the :code:`<affected>` tag for OVAL check using correct product platfo
             {{{- oval_line_in_file_criterion("sshd_config included", parameter, id_stem=rule_id ~ "_sshd_included_files", avoid_conflicting=true, rule_id=rule_id) | indent(10)}}}
             {{% endif %}}
           </criteria>
+          {{%- if runtime_check == "true" %}}
+          <criteria comment="runtime configuration is correct" operator="OR">
+            <criterion comment="runtime config file does not exist" test_ref="test_runtime_config_absent_{{{ rule_id }}}" />
+            <criterion comment="runtime config matches expected value" test_ref="test_runtime_{{{ parameter }}}_{{{ rule_id }}}" />
+          </criteria>
+          {{%- endif %}}
           {{%- if not missing_parameter_pass %}}
           <criterion comment="the configuration exists" test_ref="test_{{{ parameter }}}_present_{{{ rule_id }}}" />
           {{% endif %}}
@@ -1162,6 +1169,49 @@ Generates the :code:`<affected>` tag for OVAL check using correct product platfo
   </ind:textfilecontent54_test>
 
   {{% endif %}}
+
+  {{%- if runtime_check == "true" %}}
+  <!-- Runtime configuration checks -->
+  <ind:textfilecontent54_test id="test_runtime_config_absent_{{{ rule_id }}}" version="1"
+                              check="none satisfy" check_existence="none_exist"
+                              comment="Check if runtime config file exists">
+    <ind:object object_ref="obj_runtime_config_file_{{{ rule_id }}}" />
+  </ind:textfilecontent54_test>
+
+  <ind:textfilecontent54_object id="obj_runtime_config_file_{{{ rule_id }}}" version="1">
+    <ind:filepath>{{{ sshd_runtime_path }}}</ind:filepath>
+    <ind:pattern operation="pattern match">.*</ind:pattern>
+    <ind:instance datatype="int">1</ind:instance>
+  </ind:textfilecontent54_object>
+
+  <ind:textfilecontent54_test id="test_runtime_{{{ parameter }}}_{{{ rule_id }}}" version="1"
+                              check="all" check_existence="at_least_one_exists"
+                              comment="Check runtime {{{ parameter }}} value">
+    <ind:object object_ref="obj_runtime_{{{ parameter }}}_{{{ rule_id }}}" />
+    {{%- if xccdf_variable -%}}
+    <ind:state state_ref="state_runtime_{{{ parameter }}}_{{{ rule_id }}}_xccdf" />
+    {{%- else -%}}
+    <ind:state state_ref="state_runtime_{{{ parameter }}}_{{{ rule_id }}}" />
+    {{%- endif -%}}
+  </ind:textfilecontent54_test>
+
+  <ind:textfilecontent54_object id="obj_runtime_{{{ parameter }}}_{{{ rule_id }}}" version="1">
+    <ind:filepath>{{{ sshd_runtime_path }}}</ind:filepath>
+    <ind:pattern operation="pattern match">^[\s]*{{{ parameter | lower }}}[\s]+(.*)$</ind:pattern>
+    <ind:instance datatype="int">1</ind:instance>
+  </ind:textfilecontent54_object>
+
+  {{%- if xccdf_variable -%}}
+  <ind:textfilecontent54_state id="state_runtime_{{{ parameter }}}_{{{ rule_id }}}_xccdf" version="1">
+    <ind:subexpression operation="equals" datatype="{{{ datatype }}}" var_ref="{{{ xccdf_variable }}}" />
+  </ind:textfilecontent54_state>
+  {{%- else -%}}
+  <ind:textfilecontent54_state id="state_runtime_{{{ parameter }}}_{{{ rule_id }}}" version="1">
+    <ind:subexpression operation="{{{ 'pattern match' if datatype == 'string' else 'equals' }}}" datatype="{{{ datatype }}}">{{{ value }}}</ind:subexpression>
+  </ind:textfilecontent54_state>
+  {{%- endif -%}}
+  {{%- endif %}}
+
 </def-group>
 {{%- endmacro %}}
 

shared/templates/sshd_lineinfile/oval.template

@@ -1,5 +1,5 @@
 {{%- if XCCDF_VARIABLE -%}}
-{{{ sshd_oval_check(parameter=PARAMETER, xccdf_variable=XCCDF_VARIABLE, missing_parameter_pass=MISSING_PARAMETER_PASS, config_is_distributed=sshd_distributed_config, datatype=DATATYPE, rule_id=rule_id, rule_title=rule_title) }}}
+{{{ sshd_oval_check(parameter=PARAMETER, xccdf_variable=XCCDF_VARIABLE, missing_parameter_pass=MISSING_PARAMETER_PASS, config_is_distributed=sshd_distributed_config, runtime_check=sshd_runtime_check, datatype=DATATYPE, rule_id=rule_id, rule_title=rule_title) }}}
 {{%- else -%}}
-{{{ sshd_oval_check(parameter=PARAMETER, value=VALUE, missing_parameter_pass=MISSING_PARAMETER_PASS, config_is_distributed=sshd_distributed_config, datatype=DATATYPE, rule_id=rule_id, rule_title=rule_title) }}}
+{{{ sshd_oval_check(parameter=PARAMETER, value=VALUE, missing_parameter_pass=MISSING_PARAMETER_PASS, config_is_distributed=sshd_distributed_config, runtime_check=sshd_runtime_check, datatype=DATATYPE, rule_id=rule_id, rule_title=rule_title) }}}
 {{%- endif -%}}

ssg/constants.py

@@ -462,6 +462,7 @@
 DEFAULT_RSYSLOG_CAFILE = '/etc/pki/tls/cert.pem'
 DEFAULT_FAILLOCK_PATH = '/var/run/faillock'
 DEFAULT_SSH_DISTRIBUTED_CONFIG = 'false'
+DEFAULT_SSH_RUNTIME_CHECK = 'false'
 DEFAULT_PRODUCT = 'example'
 DEFAULT_CHRONY_CONF_PATH = '/etc/chrony.conf'
 DEFAULT_CHRONY_D_PATH = '/etc/chrony.d/'

ssg/products.py

@@ -17,6 +17,7 @@
                         DEFAULT_AUDIT_WATCHES_STYLE,
                         DEFAULT_RSYSLOG_CAFILE,
                         DEFAULT_SSH_DISTRIBUTED_CONFIG,
+                        DEFAULT_SSH_RUNTIME_CHECK,
                         DEFAULT_CHRONY_CONF_PATH,
                         DEFAULT_CHRONY_D_PATH,
                         DEFAULT_AUDISP_CONF_PATH,
@@ -108,6 +109,9 @@ def _get_implied_properties(existing_properties):
     if "sshd_distributed_config" not in existing_properties:
         result["sshd_distributed_config"] = DEFAULT_SSH_DISTRIBUTED_CONFIG
 
+    if "sshd_runtime_check" not in existing_properties:
+        result["sshd_runtime_check"] = DEFAULT_SSH_RUNTIME_CHECK
+
     if "product" not in existing_properties:
         result["product"] = DEFAULT_PRODUCT