From b3ca5586410c341c445236452950344e21460edc Mon Sep 17 00:00:00 2001 From: Peter Macko <44851174+macko1@users.noreply.github.com> Date: Tue, 30 Jun 2026 18:37:07 +0200 Subject: [PATCH 1/3] sshd_disable_compression: accept both "no" and "delayed" DISA STIG V-258002 allows Compression in /etc/ssh/sshd_config to be set to "no" or "delayed". The rule only accepted "no". Add custom OVAL, bash, and ansible remediations: - oval/shared.xml: check with value="(no|delayed)" (pattern match) - bash/shared.sh: remediation writes "no" (strictest valid value) - ansible/shared.yml: remediation writes "no" - tests/delayed_value.pass.sh: verify "delayed" passes Add "stig" option with value "no|delayed" to var_sshd_disable_compression.var. Update RHEL 9 and OL9 STIG controls to select var_sshd_disable_compression=stig. --- controls/stig_ol9.yml | 2 +- .../ansible/shared.yml | 14 +++++++++++++ .../sshd_disable_compression/bash/shared.sh | 8 ++++++++ .../sshd_disable_compression/oval/shared.xml | 20 +++++++++++++++++++ .../sshd_disable_compression/rule.yml | 3 ++- .../tests/delayed_value.pass.sh | 8 ++++++++ .../var_sshd_disable_compression.var | 1 + products/rhel9/controls/stig_rhel9.yml | 2 +- .../data/profile_stability/rhel9/stig.profile | 2 +- .../profile_stability/rhel9/stig_gui.profile | 2 +- 10 files changed, 57 insertions(+), 5 deletions(-) create mode 100644 linux_os/guide/services/ssh/ssh_server/sshd_disable_compression/ansible/shared.yml create mode 100644 linux_os/guide/services/ssh/ssh_server/sshd_disable_compression/bash/shared.sh create mode 100644 linux_os/guide/services/ssh/ssh_server/sshd_disable_compression/oval/shared.xml create mode 100644 linux_os/guide/services/ssh/ssh_server/sshd_disable_compression/tests/delayed_value.pass.sh diff --git a/controls/stig_ol9.yml b/controls/stig_ol9.yml index 74da77642a66..169fe0a98c33 100644 --- a/controls/stig_ol9.yml +++ b/controls/stig_ol9.yml 
@@ -1709,7 +1709,7 @@ controls: authentication. rules: - sshd_disable_compression - - var_sshd_disable_compression=no + - var_sshd_disable_compression=stig status: automated - id: OL09-00-002359 diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_disable_compression/ansible/shared.yml b/linux_os/guide/services/ssh/ssh_server/sshd_disable_compression/ansible/shared.yml new file mode 100644 index 000000000000..6d0860e54f07 --- /dev/null +++ b/linux_os/guide/services/ssh/ssh_server/sshd_disable_compression/ansible/shared.yml @@ -0,0 +1,14 @@ +# platform = multi_platform_all +# reboot = false +# strategy = restrict +# complexity = low +# disruption = low +# Same metadata as other sshd_lineinfile rules (e.g. sshd_set_idle_timeout). + +{{{ ansible_sshd_set( + parameter="Compression", + value="no", + config_is_distributed=sshd_distributed_config, + config_basename="00-complianceascode-hardening.conf", + rule_title=rule_title +) }}} diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_disable_compression/bash/shared.sh b/linux_os/guide/services/ssh/ssh_server/sshd_disable_compression/bash/shared.sh new file mode 100644 index 000000000000..496011812264 --- /dev/null +++ b/linux_os/guide/services/ssh/ssh_server/sshd_disable_compression/bash/shared.sh @@ -0,0 +1,8 @@ +# platform = multi_platform_all +# reboot = false +# strategy = restrict +# complexity = low +# disruption = low +# Same metadata as other sshd_lineinfile rules (e.g. sshd_set_idle_timeout). + +{{{ bash_sshd_remediation(parameter="Compression", value="no", config_is_distributed=sshd_distributed_config, config_basename="00-complianceascode-hardening.conf", rule_id=rule_id) }}} diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_disable_compression/oval/shared.xml b/linux_os/guide/services/ssh/ssh_server/sshd_disable_compression/oval/shared.xml new file mode 100644 index 000000000000..9cde20e33e2e --- /dev/null +++ b/linux_os/guide/services/ssh/ssh_server/sshd_disable_compression/oval/shared.xml 
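Review bot: The new ansible/shared.yml and bash/shared.sh remediations pass a fixed `value="no"` and never read var_sshd_disable_compression, so a profile that selects the existing `delayed` option of the .var file is remediated to `no` rather than to the value it chose, and because both files declare `platform = multi_platform_all` this applies to every product, not only the STIG profiles this series switches to `stig`. Writing the strictest permitted value is defensible, but the file should say so instead of the "Same metadata as other sshd_lineinfile rules" remark, e.g. `# Always writes "no", the strictest value STIG V-258002 permits, regardless of var_sshd_disable_compression; the matching OVAL accepts "no" or "delayed".` The same comment belongs in bash/shared.sh in this hunk group, which has the identical hardcoded value.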
@@ -0,0 +1,20 @@
+{{%- if product == 'sle16' -%}}
+{{{ sshd_oval_check_usr(
+ parameter="Compression",
+ value="(no|delayed)",
+ missing_parameter_pass=false,
+ datatype="string",
+ rule_id=rule_id,
+ rule_title=rule_title
+) }}}
+{{%- else -%}}
+{{{ sshd_oval_check(
+ parameter="Compression",
+ value="(no|delayed)",
+ missing_parameter_pass=false,
+ config_is_distributed=sshd_distributed_config,
+ datatype="string",
+ rule_id=rule_id,
+ rule_title=rule_title
+) }}}
+{{%- endif -%}}
diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_disable_compression/rule.yml b/linux_os/guide/services/ssh/ssh_server/sshd_disable_compression/rule.yml
index 588f91a3396d..a969a0c2fa63 100644
--- a/linux_os/guide/services/ssh/ssh_server/sshd_disable_compression/rule.yml
+++ b/linux_os/guide/services/ssh/ssh_server/sshd_disable_compression/rule.yml
@@ -48,11 +48,13 @@ ocil: |-
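Review bot: The check hardcodes `value="(no|delayed)"` and no longer consults var_sshd_disable_compression, which the `template:` block in rule.yml still binds, so if this rule-level oval/shared.xml supersedes the templated check (it carries no platform restriction), every profile that keeps the .var default `no` — including ones outside the RHEL 9 and OL9 STIG controls updated here — now passes a host configured with `Compression delayed`. If the widening is meant only for STIG, the variable should stay in the check and the new `stig` selector value `no|delayed` should drive the pattern (assuming the template treats the variable as a pattern, which that selector value suggests); otherwise the commit message should state that the variable no longer affects the check for any product. It is also worth confirming that sshd_oval_check and sshd_oval_check_usr anchor the value, so `(no|delayed)` cannot match a longer token.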
$ sudo grep Compression /etc/ssh/sshd_config
If configured properly, output should be
no
or
delayed
. +# yamllint disable rule:key-duplicates {{% if product == "ol7" %}} platform: os_linux[ol]<7.4 {{% elif product == "sle12" %}} platform: package[openssh]<7.4 {{% endif %}} +# yamllint enable rule:key-duplicates fixtext: '{{{ fixtext_sshd_lineinfile("Compression", xccdf_value("var_sshd_disable_compression"), no) }}}' @@ -64,4 +66,3 @@ template: parameter: Compression xccdf_variable: var_sshd_disable_compression datatype: string - diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_disable_compression/tests/delayed_value.pass.sh b/linux_os/guide/services/ssh/ssh_server/sshd_disable_compression/tests/delayed_value.pass.sh new file mode 100644 index 000000000000..ac433fa2043c --- /dev/null +++ b/linux_os/guide/services/ssh/ssh_server/sshd_disable_compression/tests/delayed_value.pass.sh @@ -0,0 +1,8 @@ +#!/bin/bash +# DISA STIG V-258002 allows both "no" and "delayed". +# The custom OVAL in oval/shared.xml checks for (no|delayed) with a +# hardcoded value. + +source common.sh + +{{{ bash_sshd_remediation(parameter="Compression", value="delayed", config_is_distributed=sshd_distributed_config, rule_id=rule_id) -}}} diff --git a/linux_os/guide/services/ssh/ssh_server/var_sshd_disable_compression.var b/linux_os/guide/services/ssh/ssh_server/var_sshd_disable_compression.var index 0e35a03c5f70..a9043c027e23 100644 --- a/linux_os/guide/services/ssh/ssh_server/var_sshd_disable_compression.var +++ b/linux_os/guide/services/ssh/ssh_server/var_sshd_disable_compression.var @@ -13,4 +13,5 @@ interactive: false options: no: no delayed: delayed + stig: "no|delayed" default: no diff --git a/products/rhel9/controls/stig_rhel9.yml b/products/rhel9/controls/stig_rhel9.yml index 76fd04b8c832..fb5a3d4f3bba 100644 --- a/products/rhel9/controls/stig_rhel9.yml +++ b/products/rhel9/controls/stig_rhel9.yml 
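Review bot: `fixtext` still interpolates `xccdf_value("var_sshd_disable_compression")`, so with the new `stig` selector (`stig: "no|delayed"` in the .var hunk on this line) the generated STIG fix text instructs the administrator to set `Compression no|delayed`, which sshd will not accept. Since the bash and ansible remediations in this series always write `no`, the fixtext should say the same: `fixtext: '{{{ fixtext_sshd_lineinfile("Compression", "no", no) }}}'`. The second rule.yml hunk keeps `xccdf_variable: var_sshd_disable_compression` in the `template:` block; if the custom OVAL and remediations take precedence, that binding now only feeds the fixtext and the templated test scenarios, which deserves a one-line comment there. The new delayed_value.pass.sh also omits the `config_basename` that the remediation passes, which is fine for a pass test only if the check reads every drop-in file, so a short comment explaining the omission would help.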
@@ -1974,7 +1974,7 @@ controls: authentication. rules: - sshd_disable_compression - - var_sshd_disable_compression=no + - var_sshd_disable_compression=stig status: automated - id: RHEL-09-255135 diff --git a/tests/data/profile_stability/rhel9/stig.profile b/tests/data/profile_stability/rhel9/stig.profile index 73c7af5a3cf8..6d835f718983 100644 --- a/tests/data/profile_stability/rhel9/stig.profile +++ b/tests/data/profile_stability/rhel9/stig.profile @@ -537,7 +537,7 @@ var_rekey_limit_time=1hour var_selinux_policy_name=targeted var_selinux_state=enforcing var_smartcard_drivers=cac -var_sshd_disable_compression=no +var_sshd_disable_compression=stig var_sshd_set_keepalive=1 var_sssd_certificate_verification_digest_function=sha512 var_sudo_timestamp_timeout=always_prompt diff --git a/tests/data/profile_stability/rhel9/stig_gui.profile b/tests/data/profile_stability/rhel9/stig_gui.profile index 0d9576e8d48f..82033b88561c 100644 --- a/tests/data/profile_stability/rhel9/stig_gui.profile +++ b/tests/data/profile_stability/rhel9/stig_gui.profile @@ -535,7 +535,7 @@ var_rekey_limit_time=1hour var_selinux_policy_name=targeted var_selinux_state=enforcing var_smartcard_drivers=cac -var_sshd_disable_compression=no +var_sshd_disable_compression=stig var_sshd_set_keepalive=1 var_sssd_certificate_verification_digest_function=sha512 var_sudo_timestamp_timeout=always_prompt From d77b3caf15532d467c266c37b788bf093dde2aaf Mon Sep 17 00:00:00 2001 From: Peter Macko <44851174+macko1@users.noreply.github.com> Date: Tue, 30 Jun 2026 18:37:27 +0200 Subject: [PATCH 2/3] sshd_lineinfile: change test wrong_value from "delayed" to "yes" "delayed" is now a valid value for sshd_disable_compression. "yes" is always invalid per DISA STIG V-258002. --- shared/templates/sshd_lineinfile/template.py | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/shared/templates/sshd_lineinfile/template.py b/shared/templates/sshd_lineinfile/template.py index d87c9d4832cc..bb18768c26a3 100644 
--- a/shared/templates/sshd_lineinfile/template.py +++ b/shared/templates/sshd_lineinfile/template.py @@ -17,7 +17,7 @@ def set_variables_for_test_scenarios(data): data["wrong_value"] = "30:10:110" data["correct_value"] = "10:30:60" elif data["xccdf_variable"] == "var_sshd_disable_compression": - data["wrong_value"] = "delayed" + data["wrong_value"] = "yes" data["correct_value"] = "no" else: data["wrong_value"] = "wrong_value" From 2462b4185738e5b95ee9a612281aa96f55dc3dc3 Mon Sep 17 00:00:00 2001 From: Peter Macko <44851174+macko1@users.noreply.github.com> Date: Tue, 30 Jun 2026 18:37:35 +0200 Subject: [PATCH 3/3] tests: clarify variables directive in README.md --- tests/README.md | 17 +++++++++++------ 1 file changed, 11 insertions(+), 6 deletions(-) diff --git a/tests/README.md b/tests/README.md index 8b439b7e0fb3..4f27354cf435 100644 --- a/tests/README.md +++ b/tests/README.md @@ -179,7 +179,7 @@ The header consists of comments (starting by `#`). Possible keys are: restricted. Use this only if the scenario makes sense only in a specific profile. Typically, a rule doesn't depend on a profile and behaves the same way regardless the profile it's a part of. If the rule is parametrized by - variables (XCCDF Values), use the `variables` key instead. This key is + variables (XCCDF `` elements), use the `variables` key instead. This key is intended to be used in regression testing of bugs in profiles, it isn't intended for casual use. - `check` is a string specifying one of the available check engine types 
@@ -193,11 +193,16 @@ The header consists of comments (starting by `#`). Possible keys are: scenario would break test runs, because OpenSCAP generates reports into the /tmp directory). - `templates` has no effect at the moment. -- `variables` is a comma-separated list of XCCDF values that sets a different - default value for XCCDF variables in a form `=`. - Typically, you use only one of `profile` or `variables` in scenario metadata - - default values are effective only if the variable is not defined using a - selector, which is exactly what profiles do. +- `variables` overrides the default value of XCCDF `` elements + in the data stream: + - Comma-separated, in the form `=` + - The variable must already exist as a `` element in the + data stream + - Use the actual value (e.g. `no|delayed`), not the option name + from the `.var` file (e.g. `stig`) + - Do not combine with `profile` in the same scenario -- the profile + selects variable values on its own, overriding the `variables` + directive Examples of test scenario: