feat(rules): alma8 crypto_policy divergence + alma9 SSG-drift sweep (#127 PR B)#132
Merged
SupremeCommanderHedgehog merged 1 commit intoJun 20, 2026
Conversation
…127 PR B) Final PR of the cross-distro audit-story (#127). Two coordinated changes: ## alma9 SSG-drift sweep Three of the alma9 rules' emit_tailoring methods referenced SSG rule IDs that no longer exist in current ssg-almalinux9-ds.xml (0.1.80). Drift surfaced by cross-referencing the hardcoded IDs against docs/audit-story/alma9-rule-ids.txt from phase 1. Cleanup is non-functional (oscap warns-and-continues on unknown IDs at install time) but makes exceptions.md an accurate audit trail. - src/ks_gen/rules/alma9/crypto_policy.py: dropped sshd_use_approved_kex, sshd_use_approved_macs, and sshd_use_approved_mac_ordered — none of those exist in current alma9 SSG. _TAILORED_WHEN_NOT_STIG shrinks from 5 → 2 entries. Also: extracted emit_post into a module-level _emit_post helper so the alma8 divergent impl can reuse it. - src/ks_gen/rules/alma9/faillock_safety.py: renamed _RULE_EVEN_DENY_ROOT → _RULE_DENY_ROOT (the upstream SSG dropped the "even_" prefix). cfg.overrides.faillock.even_deny_root field name unchanged — that's the operator-facing knob. - src/ks_gen/rules/alma9/dod_root_ca.py: dropped the install_DoD_intermediate_certificates rule reference entirely (no longer in SSG). emit_tailoring returns []; exception_entry still returns a populated record with empty stig_rules_disabled (mirror ubuntu2404's shape from #127 PR A — audit trail still captures the operator's opt-out even when there's no SSG rule to actually disable). ## alma8 crypto_policy divergence First real exercise of the "re-export → divergent impl" pattern from #121 phase 2's spec. alma8 SSG (0.1.74) has two sshd cipher checks that alma9 SSG (0.1.80) dropped: - sshd_use_approved_kex_ordered_stig - sshd_use_approved_macs With the alma8 re-export from #121 phase 2, alma8 was only disabling what alma9 disables — missing those two. Replaced src/ks_gen/rules/alma8/crypto_policy.py from a 5-line re-export to a real implementation that disables 4 IDs (alma9's 2 + alma8-only 2) when policy != STIG. Reuses alma9's _emit_post helper (the bash is identical on AL8 and AL9 — `update-crypto-policies` shipped in RHEL 8.0). tests/test_registry.py:test_registry_alma8_re_exports_same_rule_instances_as_alma9 gains a _DIVERGENT set carving out crypto_policy. When more rules diverge in the future, add to that set + document why. ## Tests - 7 new alma8 crypto_policy tests in tests/rules/test_alma8_crypto_policy.py: divergence from alma9 RULE singleton; 4-ID emit_tailoring; STIG-policy no-op; exception_entry shape; emit_post identity with alma9. - Updated existing alma9 tests for the changed implementations: test_crypto_policy.py (assert 2-ID set), test_faillock_safety.py (renamed assertion), test_dod_root_ca.py (assert empty emit_tailoring + populated exception with empty disabled list). - 9 golden snapshots regenerated: 8 alma9 fixtures + test_alma8_minimal (which shows both the inherited alma9 cleanup AND the alma8 divergent crypto additions). ubuntu_minimal NOT affected (PR A's IDs are Ubuntu-specific and independent of this sweep). Per-fixture snapshot delta (alma9): Tailored XCCDF rules: 13 → 9 (lost 3 stale crypto + 1 dod; faillock renames in place; ubuntu/alma8 differ). crypto_policy exception 'Disabled XCCDF rules:' list: 5 → 2 entries. dod_root_ca exception loses its 'Disabled XCCDF rules:' subsection. faillock_safety exception rule entry renamed. Per-fixture snapshot delta (alma8_minimal): Tailored XCCDF rules: 13 → 11 (inherits alma9 cleanup but adds 2 alma8-specific cipher disables). crypto_policy exception 'Disabled XCCDF rules:' list: 5 → 4 entries with alma8-specific IDs. dod + faillock changes match alma9 (re-exports). Spec: docs/superpowers/specs/2026-06-20-audit-story-pr-b-alma8-divergence-alma9-sweep-design.md Refs #127. After this PR, #127 is complete end-to-end.
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
Final PR of the cross-distro audit-story (#127). Two coordinated changes:
1. alma9 SSG-drift sweep
Three of the alma9 rules'
emit_tailoringmethods referenced SSG rule IDs that no longer exist in currentssg-almalinux9-ds.xml(0.1.80). Drift surfaced by cross-referencing the hardcoded IDs againstdocs/audit-story/alma9-rule-ids.txtfrom phase 1.crypto_policysshd_use_approved_kex,sshd_use_approved_macs,sshd_use_approved_mac_orderedfaillock_safetyaccounts_passwords_pam_faillock_even_deny_root_deny_root(SSG dropped theeven_prefix)dod_root_cainstall_DoD_intermediate_certificatesCleanup is non-functional (oscap warns-and-continues on unknown IDs at install time) but makes
exceptions.mdan accurate audit trail.2. alma8 crypto_policy divergence
First real exercise of the "re-export → divergent impl" pattern from #121 phase 2's spec.
ssg-almalinux8-ds.xml(0.1.74) has two sshd cipher checks thatssg-almalinux9-ds.xml(0.1.80) dropped:sshd_use_approved_kex_ordered_stigsshd_use_approved_macsWith the alma8 re-export from #121 phase 2, alma8 was only disabling what alma9 disables — missing those two. Replaced
src/ks_gen/rules/alma8/crypto_policy.pyfrom a 5-line re-export to a real implementation that disables 4 IDs (alma9's 2 + alma8-only 2) whencfg.crypto.policy != STIG. Reuses alma9's_emit_posthelper (the bash is identical on AL8 and AL9 —update-crypto-policiesshipped in RHEL 8.0).tests/test_registry.py::test_registry_alma8_re_exports_same_rule_instances_as_alma9gains a_DIVERGENTset carving outcrypto_policy. When more rules diverge in the future, add to that set + document why.Snapshot deltas
alma9 fixtures (8 affected):
Tailored XCCDF rules: 13 → 9(lost 3 stale crypto + 1 dod; faillock renames in place).crypto_policyexception "Disabled XCCDF rules:" list shrinks from 5 → 2.dod_root_caexception loses its "Disabled XCCDF rules:" subsection.faillock_safetyexception rule entry renamed.alma8_minimal:
Tailored XCCDF rules: 13 → 11(inherits alma9 cleanup BUT adds 2 alma8-specific cipher disables — net effect: +2 - 4 = -2). crypto_policy exception lists 4 IDs (alma8-specific set) vs alma9's 2.ubuntu_minimal: NOT affected — PR A's Ubuntu IDs are independent of this sweep.
Spec:
docs/superpowers/specs/2026-06-20-audit-story-pr-b-alma8-divergence-alma9-sweep-design.mdTest plan
tests/rules/test_alma8_crypto_policy.pycover: divergence from alma9 RULE singleton; 4-IDemit_tailoring; STIG-policy no-op; exception_entry shape;emit_postidentity with alma9 (helper reuse)._DIVERGENTset carve-out.ruff check && ruff format --check && mypy && pytest -q— all four green (956 passed = 948 from end of v0.28.0 + 8 net).BE707B220C995478.After this PR
#127 is complete end-to-end. Subsequent work would be SSG-version-bump maintenance (re-run phase 1 extractor, sweep again) or new ks-gen rules added under the same audit-story scaffolding.
The audit-story journey in summary:
scripts/audit_story/extract_ssg_rule_ids.py+ committed rule-ID lists per distro + cross-distro diff.emit_tailoring+exception_entryfor all 14 ubuntu2404 rules.crypto_policydivergence.Related: #127 (parent), #128 (phase 1 — data), #130 (PR A — ubuntu2404), #121 (alma8 ports), #81 (ubuntu2404 ports).