From 22e46de8f93e8e2aac51448b9beba91834012cb4 Mon Sep 17 00:00:00 2001 From: Vincent Shen Date: Wed, 12 Nov 2025 01:02:36 -0800 Subject: [PATCH 1/7] Add runtime SSHD config checking for OpenShift Add runtime SSHD config checking for OpenShift compliance operator. The compliance operator fetches runtime SSHD config from the cluster and feeds it to the scanner before scans. Adds `sshd_runtime_check` option (default: false, true for RHCOS4), updates OVAL macros, and sets default --- products/rhcos4/product.yml | 3 + shared/macros/10-oval.jinja | 83 ++++++++++++++++--- .../templates/sshd_lineinfile/oval.template | 4 +- ssg/constants.py | 1 + ssg/products.py | 4 + 5 files changed, 82 insertions(+), 13 deletions(-) diff --git a/products/rhcos4/product.yml b/products/rhcos4/product.yml index d1ae9ebf1ba..3fc9455e138 100644 --- a/products/rhcos4/product.yml +++ b/products/rhcos4/product.yml @@ -20,6 +20,9 @@ groups: sshd_distributed_config: "true" +# Enable runtime sshd configuration checking for compliance operator scans +sshd_runtime_check: "true" + cpes_root: "../../shared/applicability" cpes: - rhcos4: diff --git a/shared/macros/10-oval.jinja b/shared/macros/10-oval.jinja index 260d2d73f5c..4e8bcc7681b 100644 --- a/shared/macros/10-oval.jinja +++ b/shared/macros/10-oval.jinja 
@@ -1033,9 +1033,10 @@ Generates the :code:`` tag for OVAL check using correct product platfo :type datatype: str #}} -{{%- macro sshd_oval_check(parameter, value, missing_parameter_pass, config_is_distributed, xccdf_variable="", datatype="", rule_id=None, rule_title=None) -%}} +{{%- macro sshd_oval_check(parameter, value, missing_parameter_pass, config_is_distributed, runtime_check="false", xccdf_variable="", datatype="", rule_id=None, rule_title=None) -%}} {{%- set sshd_config_path = "/etc/ssh/sshd_config" %}} {{%- set sshd_config_dir = "/etc/ssh/sshd_config.d" -%}} +{{%- set sshd_runtime_path = "/etc/compliance-operator/runtime/sshd_effective_config" -%}} {{%- if xccdf_variable -%}} {{%- set description = "Ensure '" ~ parameter ~ "' is configured with value configured in " ~ xccdf_variable ~ " variable in " ~ sshd_config_path %}} {{%- else -%}} 
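Review bot: The new `runtime_check` parameter is not described in the macro's documentation block, which ends just above this hunk with `:type datatype: str`, so a rule author cannot tell that it is compared as the string "true" or what it switches on. Add a `:param runtime_check:` entry alongside the others, e.g. `:param runtime_check: "true" enables the criteria that read the sshd -T snapshot at sshd_runtime_path; compared as a string, so product.yml must quote the value` and `:type runtime_check: str`. `sshd_runtime_path` is also hard-coded here while the file is produced by an external component; a short comment on the `set` line saying who writes the file and when it must exist would help the next maintainer. The macro body continues past the hunk.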
@@ -1071,19 +1072,30 @@ Generates the :code:`` tag for OVAL check using correct product platfo {{% endif %}} - - - {{{- oval_line_in_file_criterion(sshd_config_path, parameter, avoid_conflicting=true, rule_id=rule_id) | indent(10)}}} - {{%- if config_is_distributed == "true" %}} - {{{- oval_line_in_directory_criterion(sshd_config_dir, parameter, avoid_conflicting=true, rule_id=rule_id) | indent(10) }}} + + {{%- if runtime_check == "true" %}} + + + + + {{%- endif %}} + + {{%- if runtime_check == "true" %}} + {{%- endif %}} - {{% if product in ["ol8", "ol9"] %}} - {{{- oval_line_in_file_criterion("sshd_config included", parameter, id_stem=rule_id ~ "_sshd_included_files", avoid_conflicting=true, rule_id=rule_id) | indent(10)}}} + + {{{- oval_line_in_file_criterion(sshd_config_path, parameter, avoid_conflicting=true, rule_id=rule_id) | indent(12)}}} + {{%- if config_is_distributed == "true" %}} + {{{- oval_line_in_directory_criterion(sshd_config_dir, parameter, avoid_conflicting=true, rule_id=rule_id) | indent(12) }}} + {{%- endif %}} + {{% if product in ["ol8", "ol9"] %}} + {{{- oval_line_in_file_criterion("sshd_config included", parameter, id_stem=rule_id ~ "_sshd_included_files", avoid_conflicting=true, rule_id=rule_id) | indent(12)}}} + {{% endif %}} + + {{%- if not missing_parameter_pass %}} + {{% endif %}} - {{%- if not missing_parameter_pass %}} - - {{% endif %}} @@ -1162,6 +1174,55 @@ Generates the :code:`` tag for OVAL check using correct product platfo {{% endif %}} + + {{%- if runtime_check == "true" %}} + + + + + + + + + + + {{{ sshd_runtime_path }}} + .* + 1 + + + + + {{%- if xccdf_variable -%}} + + {{%- else -%}} + + {{%- endif -%}} + + + + {{{ sshd_runtime_path }}} + ^[\s]*{{{ parameter | lower }}}[\s]+(.*)$ + 1 + + + {{%- if xccdf_variable -%}} + + + + {{%- else -%}} + + {{{ value }}} + + {{%- endif -%}} + {{%- endif %}} + {{%- endmacro %}} 
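Review bot: The runtime state compares the value captured by `^[\s]*{{{ parameter | lower }}}[\s]+(.*)$` as an exact match against the rule's expected value, but `sshd -T` prints normalized values rather than what was typed in the file — time options are emitted in seconds, for example — so an expected value written in config-file shorthand (such as `1m`) would not match a snapshot line showing `60`, and the unanchored `(.*)` would also capture any trailing whitespace. Rules driven by the `sshd_lineinfile` template may therefore pass against `/etc/ssh/sshd_config` and fail against the snapshot for the same configuration. A short Jinja comment above the runtime object, say `{{# values here come from a sshd -T dump: keywords are lowercase and values are normalized (times in seconds), so expected values must be in that form #}}`, would make the contract visible to rule authors. The criteria that consume these tests are not readable in this extract, so also confirm that an absent snapshot file fails the rule rather than passing it.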
diff --git a/shared/templates/sshd_lineinfile/oval.template b/shared/templates/sshd_lineinfile/oval.template index 99bc7dbee39..d3f4218ec30 100644 --- a/shared/templates/sshd_lineinfile/oval.template +++ b/shared/templates/sshd_lineinfile/oval.template @@ -1,5 +1,5 @@ {{%- if XCCDF_VARIABLE -%}} -{{{ sshd_oval_check(parameter=PARAMETER, xccdf_variable=XCCDF_VARIABLE, missing_parameter_pass=MISSING_PARAMETER_PASS, config_is_distributed=sshd_distributed_config, datatype=DATATYPE, rule_id=rule_id, rule_title=rule_title) }}} +{{{ sshd_oval_check(parameter=PARAMETER, xccdf_variable=XCCDF_VARIABLE, missing_parameter_pass=MISSING_PARAMETER_PASS, config_is_distributed=sshd_distributed_config, runtime_check=sshd_runtime_check, datatype=DATATYPE, rule_id=rule_id, rule_title=rule_title) }}} {{%- else -%}} -{{{ sshd_oval_check(parameter=PARAMETER, value=VALUE, missing_parameter_pass=MISSING_PARAMETER_PASS, config_is_distributed=sshd_distributed_config, datatype=DATATYPE, rule_id=rule_id, rule_title=rule_title) }}} +{{{ sshd_oval_check(parameter=PARAMETER, value=VALUE, missing_parameter_pass=MISSING_PARAMETER_PASS, config_is_distributed=sshd_distributed_config, runtime_check=sshd_runtime_check, datatype=DATATYPE, rule_id=rule_id, rule_title=rule_title) }}} {{%- endif -%}} diff --git a/ssg/constants.py b/ssg/constants.py index 25a9693a4cb..832732e1f40 100644 --- a/ssg/constants.py +++ b/ssg/constants.py @@ -462,6 +462,7 @@ DEFAULT_RSYSLOG_CAFILE = '/etc/pki/tls/cert.pem' DEFAULT_FAILLOCK_PATH = '/var/run/faillock' DEFAULT_SSH_DISTRIBUTED_CONFIG = 'false' +DEFAULT_SSH_RUNTIME_CHECK = 'false' DEFAULT_PRODUCT = 'example' DEFAULT_CHRONY_CONF_PATH = '/etc/chrony.conf' DEFAULT_CHRONY_D_PATH = '/etc/chrony.d/' diff --git a/ssg/products.py b/ssg/products.py index c08f9cb7562..25cb41c3776 100644 --- a/ssg/products.py +++ b/ssg/products.py 
@@ -17,6 +17,7 @@ DEFAULT_AUDIT_WATCHES_STYLE, DEFAULT_RSYSLOG_CAFILE, DEFAULT_SSH_DISTRIBUTED_CONFIG, + DEFAULT_SSH_RUNTIME_CHECK, DEFAULT_CHRONY_CONF_PATH, DEFAULT_CHRONY_D_PATH, DEFAULT_AUDISP_CONF_PATH, @@ -108,6 +109,9 @@ def _get_implied_properties(existing_properties): if "sshd_distributed_config" not in existing_properties: result["sshd_distributed_config"] = DEFAULT_SSH_DISTRIBUTED_CONFIG + if "sshd_runtime_check" not in existing_properties: + result["sshd_runtime_check"] = DEFAULT_SSH_RUNTIME_CHECK + if "product" not in existing_properties: result["product"] = DEFAULT_PRODUCT From c5e83eee04bbb9343da1fa097f3451946f49a0e2 Mon Sep 17 00:00:00 2001 From: Vincent Shen Date: Fri, 14 Nov 2025 18:29:59 -0800 Subject: [PATCH 2/7] Update SSHD runtime check configuration and OVAL macros Enhance the SSHD runtime configuration checking by updating the path for the compliance operator's runtime effective config file to a temp file. Modify the OVAL macros to conditionally adjust the criteria operator based on the runtime check status, ensuring accurate compliance checks. --- products/rhcos4/product.yml | 1 + shared/macros/10-oval.jinja | 11 +++++------ 2 files changed, 6 insertions(+), 6 deletions(-) diff --git a/products/rhcos4/product.yml b/products/rhcos4/product.yml index 3fc9455e138..ef98003f7cd 100644 --- a/products/rhcos4/product.yml +++ b/products/rhcos4/product.yml @@ -21,6 +21,7 @@ groups: sshd_distributed_config: "true" # Enable runtime sshd configuration checking for compliance operator scans +# Compliance Operation fetch the result of sshd -T and store it in a file sshd_runtime_check: "true" cpes_root: "../../shared/applicability" diff --git a/shared/macros/10-oval.jinja b/shared/macros/10-oval.jinja index 4e8bcc7681b..da83eefd2bd 100644 --- a/shared/macros/10-oval.jinja +++ b/shared/macros/10-oval.jinja 
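Review bot: The implied default `DEFAULT_SSH_RUNTIME_CHECK` is the string `'false'` and the OVAL macro tests `runtime_check == "true"`, so a product that sets the key unquoted (`sshd_runtime_check: true`) would be loaded as a YAML boolean, render as `True`, and silently leave the runtime check disabled; the default added here only applies when the key is absent, so it does not normalize that case. rhcos4 quotes the value, which is presumably why it works there. Consider a comment on the added lines, `# compared as the string "true" in shared/macros/10-oval.jinja; products must quote the value`, or normalize in this function with `str(...).lower()` if product.yml loading permits. `_get_implied_properties` continues outside the hunk.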
@@ -1036,7 +1036,7 @@ Generates the :code:`` tag for OVAL check using correct product platfo {{%- macro sshd_oval_check(parameter, value, missing_parameter_pass, config_is_distributed, runtime_check="false", xccdf_variable="", datatype="", rule_id=None, rule_title=None) -%}} {{%- set sshd_config_path = "/etc/ssh/sshd_config" %}} {{%- set sshd_config_dir = "/etc/ssh/sshd_config.d" -%}} -{{%- set sshd_runtime_path = "/etc/compliance-operator/runtime/sshd_effective_config" -%}} +{{%- set sshd_runtime_path = "/tmp/runtime/sshd_effective_config" -%}} {{%- if xccdf_variable -%}} {{%- set description = "Ensure '" ~ parameter ~ "' is configured with value configured in " ~ xccdf_variable ~ " variable in " ~ sshd_config_path %}} {{%- else -%}} @@ -1072,17 +1072,15 @@ Generates the :code:`` tag for OVAL check using correct product platfo {{% endif %}} - + {{%- if runtime_check == "true" %}} {{%- endif %}} - - {{%- if runtime_check == "true" %}} - - {{%- endif %}} + {{%- if runtime_check != "true" %}} + {{{- oval_line_in_file_criterion(sshd_config_path, parameter, avoid_conflicting=true, rule_id=rule_id) | indent(12)}}} {{%- if config_is_distributed == "true" %}} @@ -1096,6 +1094,7 @@ Generates the :code:`` tag for OVAL check using correct product platfo {{% endif %}} + {{%- endif %}} From b01b3d69ecaed249e3d722e27dc4da2118150b35 Mon Sep 17 00:00:00 2001 From: Vincent Shen Date: Tue, 18 Nov 2025 07:49:51 -0800 Subject: [PATCH 3/7] Update OVAL macro to convert string values to lowercase for runtime sshd checks --- shared/macros/10-oval.jinja | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/shared/macros/10-oval.jinja b/shared/macros/10-oval.jinja index da83eefd2bd..effcb6b4693 100644 --- a/shared/macros/10-oval.jinja +++ b/shared/macros/10-oval.jinja @@ -1217,7 +1217,7 @@ Generates the :code:`` tag for OVAL check using correct product platfo {{%- else -%}} - {{{ value }}} + {{{ value | lower if datatype == 'string' else value }}} {{%- endif -%}} {{%- endif %}} 
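Review bot: `/tmp/runtime/sshd_effective_config` places the input that every sshd rule now trusts under a world-writable directory, and nothing in the macro checks who owns the file or its mode — as far as the stripped XML shows, only content pattern tests read it. On a node, whichever process creates `/tmp/runtime` first controls the content the scanner will treat as the effective sshd configuration, which turns a local write into a compliance-result spoof; the previous `/etc/compliance-operator/runtime/` location was at least root-owned by default. If the temp location is what the operator can mount, document the trust assumption on the `set` line, e.g. `{{# written by the Compliance Operator as root before the scan; contents are trusted, so the directory must not be creatable by unprivileged users #}}`, and consider adding a file ownership/permission criterion on the snapshot next to the content tests, or keeping the file under a root-owned path.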
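Review bot: Wrapping the on-disk criteria in `{{%- if runtime_check != "true" %}}` (closed by the `{{%- endif %}}` added in the next hunk) means a product with the runtime check enabled never evaluates `/etc/ssh/sshd_config` or `sshd_config.d` at all, so the rule's outcome depends entirely on the snapshot being present and current. If the operator's fetch step fails or sshd was not restarted after a configuration change, the scan reports the pre-change state with no signal that the files differ; the criteria elements themselves are stripped from this extract, so I cannot tell whether an absent snapshot fails the rule. A comment on the `if` line stating the intent, e.g. `{{# runtime_check: the sshd -T snapshot is authoritative; on-disk files are deliberately not consulted, so a missing snapshot must not evaluate to pass #}}`, would record the decision, and the rationale for dropping the file checks rather than ANDing both belongs there too.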
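Review bot: `{{{ value | lower if datatype == 'string' else value }}}` lowercases only the literal-value branch; the `xccdf_variable` branch above still compares the variable's value unchanged, so the same parameter can match when its expected value is inlined and mismatch when it comes from a variable. Lowercasing the expected side also breaks case-sensitive values — a path such as a `Banner` file — because the captured runtime value keeps its case. A comparison that is case-insensitive on the OVAL side, `operation="case insensitive equals"` on the state entity for string datatypes, applies to both branches and leaves the captured value intact; if `sshd -T` really lowercases every value that operation is a no-op, and if it does not, it avoids a false fail.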
From f3038dd7697bb20c3160d86a999b5dd397f53334 Mon Sep 17 00:00:00 2001 From: Lance Bragstad Date: Tue, 18 Nov 2025 12:55:31 -0600 Subject: [PATCH 4/7] Update product stability to include sshd_runtime_check This is a new parameter, that defaults to false. Update the test data so that it's included in product stability. --- tests/data/product_stability/alinux2.yml | 1 + tests/data/product_stability/alinux3.yml | 1 + tests/data/product_stability/anolis23.yml | 1 + tests/data/product_stability/anolis8.yml | 1 + tests/data/product_stability/debian11.yml | 1 + tests/data/product_stability/debian12.yml | 1 + tests/data/product_stability/debian13.yml | 1 + tests/data/product_stability/eks.yml | 1 + tests/data/product_stability/example.yml | 1 + tests/data/product_stability/fedora.yml | 1 + tests/data/product_stability/firefox.yml | 1 + tests/data/product_stability/ocp4.yml | 1 + tests/data/product_stability/ol7.yml | 1 + tests/data/product_stability/ol8.yml | 1 + tests/data/product_stability/ol9.yml | 1 + tests/data/product_stability/openembedded.yml | 1 + tests/data/product_stability/opensuse.yml | 5 +++-- tests/data/product_stability/rhcos4.yml | 1 + tests/data/product_stability/rhel10.yml | 1 + tests/data/product_stability/rhel8.yml | 1 + tests/data/product_stability/rhel9.yml | 1 + tests/data/product_stability/rhv4.yml | 1 + tests/data/product_stability/sle12.yml | 1 + tests/data/product_stability/sle15.yml | 1 + tests/data/product_stability/ubuntu2204.yml | 1 + tests/data/product_stability/ubuntu2404.yml | 1 + 26 files changed, 28 insertions(+), 2 deletions(-) diff --git a/tests/data/product_stability/alinux2.yml b/tests/data/product_stability/alinux2.yml index a5ea062bfc8..758ed04ab27 100644 --- a/tests/data/product_stability/alinux2.yml +++ b/tests/data/product_stability/alinux2.yml 
@@ -85,6 +85,7 @@ reference_uris: stigref: https://www.cyber.mil/stigs/srg-stig-tools/ rsyslog_cafile: /etc/pki/tls/cert.pem sshd_distributed_config: 'false' +sshd_runtime_check: 'false' sysctl_remediate_drop_in_file: 'false' target_oval_version: - 5 diff --git a/tests/data/product_stability/alinux3.yml b/tests/data/product_stability/alinux3.yml index 9cfcf3c7f5f..e8df627c48b 100644 --- a/tests/data/product_stability/alinux3.yml +++ b/tests/data/product_stability/alinux3.yml @@ -85,6 +85,7 @@ reference_uris: stigref: https://www.cyber.mil/stigs/srg-stig-tools/ rsyslog_cafile: /etc/pki/tls/cert.pem sshd_distributed_config: 'false' +sshd_runtime_check: 'false' sysctl_remediate_drop_in_file: 'false' target_oval_version: - 5 diff --git a/tests/data/product_stability/anolis23.yml b/tests/data/product_stability/anolis23.yml index f358fb6d2b3..8b41ee0abeb 100644 --- a/tests/data/product_stability/anolis23.yml +++ b/tests/data/product_stability/anolis23.yml @@ -84,6 +84,7 @@ reference_uris: stigref: https://www.cyber.mil/stigs/srg-stig-tools/ rsyslog_cafile: /etc/pki/tls/cert.pem sshd_distributed_config: 'false' +sshd_runtime_check: 'false' sysctl_remediate_drop_in_file: 'false' target_oval_version: - 5 diff --git a/tests/data/product_stability/anolis8.yml b/tests/data/product_stability/anolis8.yml index 6ea514a4da3..906bbe9a484 100644 --- a/tests/data/product_stability/anolis8.yml +++ b/tests/data/product_stability/anolis8.yml @@ -84,6 +84,7 @@ reference_uris: stigref: https://www.cyber.mil/stigs/srg-stig-tools/ rsyslog_cafile: /etc/pki/tls/cert.pem sshd_distributed_config: 'false' +sshd_runtime_check: 'false' sysctl_remediate_drop_in_file: 'false' target_oval_version: - 5 diff --git a/tests/data/product_stability/debian11.yml b/tests/data/product_stability/debian11.yml index 4a82ddf4bf2..fe41f44198e 100644 --- a/tests/data/product_stability/debian11.yml +++ b/tests/data/product_stability/debian11.yml 
@@ -94,6 +94,7 @@ reference_uris: stigref: https://www.cyber.mil/stigs/srg-stig-tools/ rsyslog_cafile: /etc/pki/tls/cert.pem sshd_distributed_config: 'false' +sshd_runtime_check: 'false' sysctl_remediate_drop_in_file: 'false' target_oval_version: - 5 diff --git a/tests/data/product_stability/debian12.yml b/tests/data/product_stability/debian12.yml index 8fe0afe738a..92d6c32ecc1 100644 --- a/tests/data/product_stability/debian12.yml +++ b/tests/data/product_stability/debian12.yml @@ -95,6 +95,7 @@ reference_uris: stigref: https://www.cyber.mil/stigs/srg-stig-tools/ rsyslog_cafile: /etc/pki/tls/cert.pem sshd_distributed_config: 'false' +sshd_runtime_check: 'false' sysctl_remediate_drop_in_file: 'false' target_oval_version: - 5 diff --git a/tests/data/product_stability/debian13.yml b/tests/data/product_stability/debian13.yml index 75a041831bf..7a7f6411132 100644 --- a/tests/data/product_stability/debian13.yml +++ b/tests/data/product_stability/debian13.yml @@ -95,6 +95,7 @@ reference_uris: stigref: https://www.cyber.mil/stigs/srg-stig-tools/ rsyslog_cafile: /etc/pki/tls/cert.pem sshd_distributed_config: 'false' +sshd_runtime_check: 'false' sysctl_remediate_drop_in_file: 'false' target_oval_version: - 5 diff --git a/tests/data/product_stability/eks.yml b/tests/data/product_stability/eks.yml index b1c88cb7b8b..df97dc7eb94 100644 --- a/tests/data/product_stability/eks.yml +++ b/tests/data/product_stability/eks.yml @@ -92,6 +92,7 @@ reference_uris: stigref: https://www.cyber.mil/stigs/srg-stig-tools/ rsyslog_cafile: /etc/pki/tls/cert.pem sshd_distributed_config: 'false' +sshd_runtime_check: 'false' sysctl_remediate_drop_in_file: 'false' target_oval_version: - 5 diff --git a/tests/data/product_stability/example.yml b/tests/data/product_stability/example.yml index b44035b82b6..2cbad33f7fd 100644 --- a/tests/data/product_stability/example.yml +++ b/tests/data/product_stability/example.yml 
@@ -86,6 +86,7 @@ reference_uris: stigref: https://www.cyber.mil/stigs/srg-stig-tools/ rsyslog_cafile: /etc/pki/tls/cert.pem sshd_distributed_config: 'false' +sshd_runtime_check: 'false' sysctl_remediate_drop_in_file: 'false' target_oval_version: - 5 diff --git a/tests/data/product_stability/fedora.yml b/tests/data/product_stability/fedora.yml index b0cc325cbc6..d37cbd094bc 100644 --- a/tests/data/product_stability/fedora.yml +++ b/tests/data/product_stability/fedora.yml @@ -130,6 +130,7 @@ reference_uris: stigref: https://www.cyber.mil/stigs/srg-stig-tools/ rsyslog_cafile: /etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem sshd_distributed_config: 'true' +sshd_runtime_check: 'false' sysctl_remediate_drop_in_file: 'false' target_oval_version: - 5 diff --git a/tests/data/product_stability/firefox.yml b/tests/data/product_stability/firefox.yml index 5e2e4b39888..757c88d7b68 100644 --- a/tests/data/product_stability/firefox.yml +++ b/tests/data/product_stability/firefox.yml @@ -81,6 +81,7 @@ reference_uris: stigref: https://www.cyber.mil/stigs/srg-stig-tools/ rsyslog_cafile: /etc/pki/tls/cert.pem sshd_distributed_config: 'false' +sshd_runtime_check: 'false' sysctl_remediate_drop_in_file: 'false' target_oval_version: - 5 diff --git a/tests/data/product_stability/ocp4.yml b/tests/data/product_stability/ocp4.yml index 6d944e445d7..c09dcc8094d 100644 --- a/tests/data/product_stability/ocp4.yml +++ b/tests/data/product_stability/ocp4.yml @@ -192,6 +192,7 @@ reference_uris: stigref: https://www.cyber.mil/stigs/srg-stig-tools/ rsyslog_cafile: /etc/pki/tls/cert.pem sshd_distributed_config: 'false' +sshd_runtime_check: 'false' sysctl_remediate_drop_in_file: 'false' target_oval_version: - 5 diff --git a/tests/data/product_stability/ol7.yml b/tests/data/product_stability/ol7.yml index 28fc8780ad5..1a9e0671987 100644 --- a/tests/data/product_stability/ol7.yml +++ b/tests/data/product_stability/ol7.yml 
@@ -96,6 +96,7 @@ reference_uris: release_key_fingerprint: 42144123FECFC55B9086313D72F97B74EC551F03 rsyslog_cafile: /etc/pki/tls/cert.pem sshd_distributed_config: 'false' +sshd_runtime_check: 'false' sysctl_remediate_drop_in_file: 'false' target_oval_version: - 5 diff --git a/tests/data/product_stability/ol8.yml b/tests/data/product_stability/ol8.yml index 98abd16cb3d..e983100c0b2 100644 --- a/tests/data/product_stability/ol8.yml +++ b/tests/data/product_stability/ol8.yml @@ -95,6 +95,7 @@ reference_uris: release_key_fingerprint: 76FD3DB13AB67410B89DB10E82562EA9AD986DA3 rsyslog_cafile: /etc/pki/tls/cert.pem sshd_distributed_config: 'false' +sshd_runtime_check: 'false' sysctl_remediate_drop_in_file: 'false' target_oval_version: - 5 diff --git a/tests/data/product_stability/ol9.yml b/tests/data/product_stability/ol9.yml index e3173eaef35..1bc329e1439 100644 --- a/tests/data/product_stability/ol9.yml +++ b/tests/data/product_stability/ol9.yml @@ -99,6 +99,7 @@ reference_uris: release_key_fingerprint: 3E6D826D3FBAB389C2F38E34BC4D06A08D8B756F rsyslog_cafile: /etc/pki/tls/cert.pem sshd_distributed_config: 'true' +sshd_runtime_check: 'false' sysctl_remediate_drop_in_file: 'false' target_oval_version: - 5 diff --git a/tests/data/product_stability/openembedded.yml b/tests/data/product_stability/openembedded.yml index 68ecc97b11e..4c6072ee64d 100644 --- a/tests/data/product_stability/openembedded.yml +++ b/tests/data/product_stability/openembedded.yml @@ -97,6 +97,7 @@ reference_uris: stigref: https://www.cyber.mil/stigs/srg-stig-tools/ rsyslog_cafile: /etc/pki/tls/cert.pem sshd_distributed_config: 'false' +sshd_runtime_check: 'false' sysctl_remediate_drop_in_file: 'false' target_oval_version: - 5 diff --git a/tests/data/product_stability/opensuse.yml b/tests/data/product_stability/opensuse.yml index 36f1cdb2d0f..23aeb63e1c7 100644 --- a/tests/data/product_stability/opensuse.yml +++ b/tests/data/product_stability/opensuse.yml 
@@ -92,8 +92,9 @@ reference_uris: stigid: https://www.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cunix-linux stigref: https://www.cyber.mil/stigs/srg-stig-tools/ rsyslog_cafile: /etc/pki/tls/cert.pem -sshd_distributed_config: "false" -sysctl_remediate_drop_in_file: "false" +sshd_distributed_config: 'false' +sshd_runtime_check: 'false' +sysctl_remediate_drop_in_file: 'false' target_oval_version: - 5 - 11 diff --git a/tests/data/product_stability/rhcos4.yml b/tests/data/product_stability/rhcos4.yml index 2518614670e..3e9a08aa1c6 100644 --- a/tests/data/product_stability/rhcos4.yml +++ b/tests/data/product_stability/rhcos4.yml @@ -90,6 +90,7 @@ reference_uris: release_key_fingerprint: 567E347AD0044ADE55BA8A5F199E2F91FD431D51 rsyslog_cafile: /etc/pki/tls/cert.pem sshd_distributed_config: 'true' +sshd_runtime_check: 'true' sysctl_remediate_drop_in_file: 'false' target_oval_version: - 5 diff --git a/tests/data/product_stability/rhel10.yml b/tests/data/product_stability/rhel10.yml index 284e8461348..494900236d8 100644 --- a/tests/data/product_stability/rhel10.yml +++ b/tests/data/product_stability/rhel10.yml @@ -97,6 +97,7 @@ reference_uris: release_key_fingerprint: 567E347AD0044ADE55BA8A5F199E2F91FD431D51 rsyslog_cafile: /etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem sshd_distributed_config: 'true' +sshd_runtime_check: 'false' sysctl_remediate_drop_in_file: 'false' target_oval_version: - 5 diff --git a/tests/data/product_stability/rhel8.yml b/tests/data/product_stability/rhel8.yml index d8aef9ae364..f1150341102 100644 --- a/tests/data/product_stability/rhel8.yml +++ b/tests/data/product_stability/rhel8.yml @@ -147,6 +147,7 @@ reference_uris: release_key_fingerprint: 567E347AD0044ADE55BA8A5F199E2F91FD431D51 rsyslog_cafile: /etc/pki/tls/cert.pem sshd_distributed_config: 'false' +sshd_runtime_check: 'false' sysctl_remediate_drop_in_file: 'false' target_oval_version: - 5 
diff --git a/tests/data/product_stability/rhel9.yml b/tests/data/product_stability/rhel9.yml index cd1afd61b31..6a0a6212cec 100644 --- a/tests/data/product_stability/rhel9.yml +++ b/tests/data/product_stability/rhel9.yml @@ -104,6 +104,7 @@ reference_uris: release_key_fingerprint: 567E347AD0044ADE55BA8A5F199E2F91FD431D51 rsyslog_cafile: /etc/pki/tls/cert.pem sshd_distributed_config: 'true' +sshd_runtime_check: 'false' sysctl_remediate_drop_in_file: 'false' target_oval_version: - 5 diff --git a/tests/data/product_stability/rhv4.yml b/tests/data/product_stability/rhv4.yml index 198d6f3db0a..016aec57a2e 100644 --- a/tests/data/product_stability/rhv4.yml +++ b/tests/data/product_stability/rhv4.yml @@ -95,6 +95,7 @@ reference_uris: release_key_fingerprint: 567E347AD0044ADE55BA8A5F199E2F91FD431D51 rsyslog_cafile: /etc/pki/tls/cert.pem sshd_distributed_config: 'false' +sshd_runtime_check: 'false' sysctl_remediate_drop_in_file: 'false' target_oval_version: - 5 diff --git a/tests/data/product_stability/sle12.yml b/tests/data/product_stability/sle12.yml index 858c9119c96..b42e4494310 100644 --- a/tests/data/product_stability/sle12.yml +++ b/tests/data/product_stability/sle12.yml @@ -95,6 +95,7 @@ reference_uris: stigref: https://www.cyber.mil/stigs/srg-stig-tools/ rsyslog_cafile: /etc/pki/tls/cert.pem sshd_distributed_config: 'false' +sshd_runtime_check: 'false' sysctl_remediate_drop_in_file: 'true' target_oval_version: - 5 diff --git a/tests/data/product_stability/sle15.yml b/tests/data/product_stability/sle15.yml index a3cecb59132..04912acb800 100644 --- a/tests/data/product_stability/sle15.yml +++ b/tests/data/product_stability/sle15.yml @@ -101,6 +101,7 @@ reference_uris: release_key_fingerprint: FEAB502539D846DB2C0961CA70AF9E8139DB7C82 rsyslog_cafile: /etc/pki/tls/cert.pem sshd_distributed_config: 'false' +sshd_runtime_check: 'false' sysctl_remediate_drop_in_file: 'true' target_oval_version: - 5 
diff --git a/tests/data/product_stability/ubuntu2204.yml b/tests/data/product_stability/ubuntu2204.yml index 7ed5f5618ae..52b7d05fd2b 100644 --- a/tests/data/product_stability/ubuntu2204.yml +++ b/tests/data/product_stability/ubuntu2204.yml @@ -103,6 +103,7 @@ reference_uris: stigref: https://www.cyber.mil/stigs/srg-stig-tools/ rsyslog_cafile: /etc/pki/tls/cert.pem sshd_distributed_config: 'true' +sshd_runtime_check: 'false' sysctl_remediate_drop_in_file: 'false' target_oval_version: - 5 diff --git a/tests/data/product_stability/ubuntu2404.yml b/tests/data/product_stability/ubuntu2404.yml index 9ce793a8454..dd4cf290ffe 100644 --- a/tests/data/product_stability/ubuntu2404.yml +++ b/tests/data/product_stability/ubuntu2404.yml @@ -104,6 +104,7 @@ reference_uris: stigref: https://www.cyber.mil/stigs/srg-stig-tools/ rsyslog_cafile: /etc/pki/tls/cert.pem sshd_distributed_config: 'true' +sshd_runtime_check: 'false' sysctl_remediate_drop_in_file: 'false' target_oval_version: - 5 From a03734196c1eebbc20d5fcb85981c18b414d29f3 Mon Sep 17 00:00:00 2001 From: Vincent Shen Date: Wed, 19 Nov 2025 08:54:31 -0800 Subject: [PATCH 5/7] Update products/rhcos4/product.yml Co-authored-by: Watson Yuuma Sato --- products/rhcos4/product.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/products/rhcos4/product.yml b/products/rhcos4/product.yml index ef98003f7cd..d83119dcf13 100644 --- a/products/rhcos4/product.yml +++ b/products/rhcos4/product.yml @@ -21,7 +21,7 @@ groups: sshd_distributed_config: "true" # Enable runtime sshd configuration checking for compliance operator scans -# Compliance Operation fetch the result of sshd -T and store it in a file +# Compliance Operator fetches the result of sshd -T and stores it in a file sshd_runtime_check: "true" cpes_root: "../../shared/applicability" From 09a937c0018e9f1eff41f8fb2966dd65771e3085 Mon Sep 17 00:00:00 2001 
From: Vincent Shen Date: Wed, 19 Nov 2025 09:14:30 -0800 Subject: [PATCH 6/7] Updated the OVAL macro to set the criteria operator for the SSHD configuration check to a fixed "AND" instead of conditionally based on the runtime check status. This change simplifies the logic and ensures consistent behavior in compliance checks. --- shared/macros/10-oval.jinja | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/shared/macros/10-oval.jinja b/shared/macros/10-oval.jinja index effcb6b4693..dbb8886fced 100644 --- a/shared/macros/10-oval.jinja +++ b/shared/macros/10-oval.jinja @@ -1072,7 +1072,7 @@ Generates the :code:`` tag for OVAL check using correct product platfo {{% endif %}} - + {{%- if runtime_check == "true" %}} From 90898bd8715401edec81725353f1379398d542f8 Mon Sep 17 00:00:00 2001 From: Vincent Shen Date: Tue, 25 Nov 2025 00:52:30 -0800 Subject: [PATCH 7/7] Remove unused runtime configuration check from OVAL macro. --- shared/macros/10-oval.jinja | 6 ------ 1 file changed, 6 deletions(-) diff --git a/shared/macros/10-oval.jinja b/shared/macros/10-oval.jinja index dbb8886fced..6466728189d 100644 --- a/shared/macros/10-oval.jinja +++ b/shared/macros/10-oval.jinja @@ -1176,12 +1176,6 @@ Generates the :code:`` tag for OVAL check using correct product platfo {{%- if runtime_check == "true" %}} - - - -