Skip to content

feat(rules): alma8 crypto_policy divergence + alma9 SSG-drift sweep (#127 PR B)#132

Merged
SupremeCommanderHedgehog merged 1 commit into
mainfrom
audit-story-pr-b-alma8-divergence-alma9-sweep
Jun 20, 2026
Merged

feat(rules): alma8 crypto_policy divergence + alma9 SSG-drift sweep (#127 PR B)#132
SupremeCommanderHedgehog merged 1 commit into
mainfrom
audit-story-pr-b-alma8-divergence-alma9-sweep

Conversation

@SupremeCommanderHedgehog

Copy link
Copy Markdown
Owner

Summary

Final PR of the cross-distro audit-story (#127). Two coordinated changes:

1. alma9 SSG-drift sweep

Three of the alma9 rules' emit_tailoring methods referenced SSG rule IDs that no longer exist in current ssg-almalinux9-ds.xml (0.1.80). Drift surfaced by cross-referencing the hardcoded IDs against docs/audit-story/alma9-rule-ids.txt from phase 1.

Rule Stale ID Action
crypto_policy sshd_use_approved_kex, sshd_use_approved_macs, sshd_use_approved_mac_ordered drop (3 of 5)
faillock_safety accounts_passwords_pam_faillock_even_deny_root rename → _deny_root (SSG dropped the even_ prefix)
dod_root_ca install_DoD_intermediate_certificates drop entirely (no equivalent rule on current SSG)

Cleanup is non-functional (oscap warns-and-continues on unknown IDs at install time) but makes exceptions.md an accurate audit trail.

2. alma8 crypto_policy divergence

First real exercise of the "re-export → divergent impl" pattern from #121 phase 2's spec. ssg-almalinux8-ds.xml (0.1.74) has two sshd cipher checks that ssg-almalinux9-ds.xml (0.1.80) dropped:

  • sshd_use_approved_kex_ordered_stig
  • sshd_use_approved_macs

With the alma8 re-export from #121 phase 2, alma8 was only disabling what alma9 disables — missing those two. Replaced src/ks_gen/rules/alma8/crypto_policy.py from a 5-line re-export to a real implementation that disables 4 IDs (alma9's 2 + alma8-only 2) when cfg.crypto.policy != STIG. Reuses alma9's _emit_post helper (the bash is identical on AL8 and AL9 — update-crypto-policies shipped in RHEL 8.0).

tests/test_registry.py::test_registry_alma8_re_exports_same_rule_instances_as_alma9 gains a _DIVERGENT set carving out crypto_policy. When more rules diverge in the future, add to that set + document why.

Snapshot deltas

alma9 fixtures (8 affected): Tailored XCCDF rules: 13 → 9 (lost 3 stale crypto + 1 dod; faillock renames in place). crypto_policy exception "Disabled XCCDF rules:" list shrinks from 5 → 2. dod_root_ca exception loses its "Disabled XCCDF rules:" subsection. faillock_safety exception rule entry renamed.

alma8_minimal: Tailored XCCDF rules: 13 → 11 (inherits alma9 cleanup BUT adds 2 alma8-specific cipher disables — net effect: +2 - 4 = -2). crypto_policy exception lists 4 IDs (alma8-specific set) vs alma9's 2.

ubuntu_minimal: NOT affected — PR A's Ubuntu IDs are independent of this sweep.

Spec: docs/superpowers/specs/2026-06-20-audit-story-pr-b-alma8-divergence-alma9-sweep-design.md

Test plan

  • 7 new alma8 crypto_policy tests in tests/rules/test_alma8_crypto_policy.py cover: divergence from alma9 RULE singleton; 4-ID emit_tailoring; STIG-policy no-op; exception_entry shape; emit_post identity with alma9 (helper reuse).
  • Updated 3 alma9 rule tests for the changed implementations (test_crypto_policy.py, test_faillock_safety.py, test_dod_root_ca.py).
  • Updated registry test to carry the _DIVERGENT set carve-out.
  • 9 golden snapshots regenerated — diffs match the spec's predictions exactly.
  • Full CI chain run locally: ruff check && ruff format --check && mypy && pytest -q — all four green (956 passed = 948 from end of v0.28.0 + 8 net).
  • Each commit on this branch is GPG-signed with BE707B220C995478.

After this PR

#127 is complete end-to-end. Subsequent work would be SSG-version-bump maintenance (re-run phase 1 extractor, sweep again) or new ks-gen rules added under the same audit-story scaffolding.

The audit-story journey in summary:

Related: #127 (parent), #128 (phase 1 — data), #130 (PR A — ubuntu2404), #121 (alma8 ports), #81 (ubuntu2404 ports).

…127 PR B)

Final PR of the cross-distro audit-story (#127). Two coordinated changes:

## alma9 SSG-drift sweep

Three of the alma9 rules' emit_tailoring methods referenced SSG rule IDs
that no longer exist in current ssg-almalinux9-ds.xml (0.1.80). Drift
surfaced by cross-referencing the hardcoded IDs against
docs/audit-story/alma9-rule-ids.txt from phase 1. Cleanup is non-functional
(oscap warns-and-continues on unknown IDs at install time) but makes
exceptions.md an accurate audit trail.

- src/ks_gen/rules/alma9/crypto_policy.py: dropped sshd_use_approved_kex,
  sshd_use_approved_macs, and sshd_use_approved_mac_ordered — none of
  those exist in current alma9 SSG. _TAILORED_WHEN_NOT_STIG shrinks
  from 5 → 2 entries. Also: extracted emit_post into a module-level
  _emit_post helper so the alma8 divergent impl can reuse it.

- src/ks_gen/rules/alma9/faillock_safety.py: renamed _RULE_EVEN_DENY_ROOT
  → _RULE_DENY_ROOT (the upstream SSG dropped the "even_" prefix).
  cfg.overrides.faillock.even_deny_root field name unchanged — that's
  the operator-facing knob.

- src/ks_gen/rules/alma9/dod_root_ca.py: dropped the
  install_DoD_intermediate_certificates rule reference entirely (no
  longer in SSG). emit_tailoring returns []; exception_entry still
  returns a populated record with empty stig_rules_disabled (mirror
  ubuntu2404's shape from #127 PR A — audit trail still captures the
  operator's opt-out even when there's no SSG rule to actually disable).

## alma8 crypto_policy divergence

First real exercise of the "re-export → divergent impl" pattern from
#121 phase 2's spec. alma8 SSG (0.1.74) has two sshd cipher checks that
alma9 SSG (0.1.80) dropped:
  - sshd_use_approved_kex_ordered_stig
  - sshd_use_approved_macs

With the alma8 re-export from #121 phase 2, alma8 was only disabling
what alma9 disables — missing those two. Replaced
src/ks_gen/rules/alma8/crypto_policy.py from a 5-line re-export to a
real implementation that disables 4 IDs (alma9's 2 + alma8-only 2)
when policy != STIG. Reuses alma9's _emit_post helper (the bash is
identical on AL8 and AL9 — `update-crypto-policies` shipped in
RHEL 8.0).

tests/test_registry.py:test_registry_alma8_re_exports_same_rule_instances_as_alma9
gains a _DIVERGENT set carving out crypto_policy. When more rules
diverge in the future, add to that set + document why.

## Tests

- 7 new alma8 crypto_policy tests in tests/rules/test_alma8_crypto_policy.py:
  divergence from alma9 RULE singleton; 4-ID emit_tailoring; STIG-policy
  no-op; exception_entry shape; emit_post identity with alma9.
- Updated existing alma9 tests for the changed implementations:
  test_crypto_policy.py (assert 2-ID set), test_faillock_safety.py
  (renamed assertion), test_dod_root_ca.py (assert empty emit_tailoring +
  populated exception with empty disabled list).
- 9 golden snapshots regenerated: 8 alma9 fixtures + test_alma8_minimal
  (which shows both the inherited alma9 cleanup AND the alma8 divergent
  crypto additions). ubuntu_minimal NOT affected (PR A's IDs are
  Ubuntu-specific and independent of this sweep).

Per-fixture snapshot delta (alma9):
  Tailored XCCDF rules: 13 → 9 (lost 3 stale crypto + 1 dod; faillock
  renames in place; ubuntu/alma8 differ).
  crypto_policy exception 'Disabled XCCDF rules:' list: 5 → 2 entries.
  dod_root_ca exception loses its 'Disabled XCCDF rules:' subsection.
  faillock_safety exception rule entry renamed.

Per-fixture snapshot delta (alma8_minimal):
  Tailored XCCDF rules: 13 → 11 (inherits alma9 cleanup but adds 2
  alma8-specific cipher disables).
  crypto_policy exception 'Disabled XCCDF rules:' list: 5 → 4 entries
  with alma8-specific IDs.
  dod + faillock changes match alma9 (re-exports).

Spec: docs/superpowers/specs/2026-06-20-audit-story-pr-b-alma8-divergence-alma9-sweep-design.md

Refs #127. After this PR, #127 is complete end-to-end.
@SupremeCommanderHedgehog SupremeCommanderHedgehog merged commit ce88b84 into main Jun 20, 2026
6 checks passed
@SupremeCommanderHedgehog SupremeCommanderHedgehog deleted the audit-story-pr-b-alma8-divergence-alma9-sweep branch June 20, 2026 21:42
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant