diff --git a/products/rhel10/profiles/default.profile b/products/rhel10/profiles/default.profile
index f3d25357504..815f962954c 100644
--- a/products/rhel10/profiles/default.profile
+++ b/products/rhel10/profiles/default.profile
@@ -43,3 +43,4 @@ selections:
 - partition_for_dev_shm
 - file_etc_security_opasswd
 - sshd_use_strong_macs
+ - configure_ssh_crypto_policy
diff --git a/products/rhel10/profiles/e8.profile b/products/rhel10/profiles/e8.profile
index 22d12b91101..05d7fbf6c28 100644
--- a/products/rhel10/profiles/e8.profile
+++ b/products/rhel10/profiles/e8.profile
@@ -38,3 +38,4 @@ selections:
 - '!package_rsh_removed'
 - '!package_rsh-server_removed'
 - '!security_patches_up_to_date'
+ - '!configure_ssh_crypto_policy'
diff --git a/products/rhel10/profiles/hipaa.profile b/products/rhel10/profiles/hipaa.profile
index 265d0b12601..30635f49784 100644
--- a/products/rhel10/profiles/hipaa.profile
+++ b/products/rhel10/profiles/hipaa.profile
@@ -67,3 +67,4 @@ selections:
 - '!service_rlogin_disabled'
 - '!service_rsh_disabled'
 - '!service_rexec_disabled'
+ - '!configure_ssh_crypto_policy'
diff --git a/products/rhel10/profiles/ism_o.profile b/products/rhel10/profiles/ism_o.profile
index c80b939e42e..f4dac5f9b53 100644
--- a/products/rhel10/profiles/ism_o.profile
+++ b/products/rhel10/profiles/ism_o.profile
@@ -61,3 +61,4 @@ selections:
 - '!package_xinetd_removed'
 - '!service_xinetd_disabled'
 - '!ensure_oracle_gpgkey_installed'
+ - '!configure_ssh_crypto_policy'
diff --git a/products/rhel10/profiles/ism_o_secret.profile b/products/rhel10/profiles/ism_o_secret.profile
index c2c51ac1f9b..9ced033943f 100644
--- a/products/rhel10/profiles/ism_o_secret.profile
+++ b/products/rhel10/profiles/ism_o_secret.profile
@@ -63,3 +63,4 @@ selections:
 - '!package_xinetd_removed'
 - '!service_xinetd_disabled'
 - '!ensure_oracle_gpgkey_installed'
+ - '!configure_ssh_crypto_policy'
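Review bot: The `'!configure_ssh_crypto_policy'` deselection appended to products/rhel10/profiles/e8.profile carries no comment saying why the rule is dropped, and the same bare line is added to the rhel10 hipaa, ism_o, ism_o_secret, ism_o_top_secret, ospp and pci-dss profiles and to the rhel9 e8, hipaa, ism_o, ospp and pci-dss profiles. In rhel10/ospp.profile it lands directly under the existing "Currently not working RHEL 10, changes are being made to FIPS mode" comment, and in rhel9/e8.profile under "Following rules are not applicable to RHEL", so a reader will attribute the exclusion to those unrelated reasons. I would put a one-line comment above each new entry, for example `# sshd no longer honors CRYPTO_POLICY; SSH crypto is assessed through the system-wide crypto policy rule`, adjusted if the RHEL 10 rationale differs from the one the cis_rhel9.yml note gives for RHEL 9. The `selections:` lists begin outside these hunks.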
diff --git a/products/rhel10/profiles/ism_o_top_secret.profile b/products/rhel10/profiles/ism_o_top_secret.profile index c6423efdecf..a2c5304b3b6 100644 --- a/products/rhel10/profiles/ism_o_top_secret.profile +++ b/products/rhel10/profiles/ism_o_top_secret.profile @@ -61,3 +61,4 @@ selections: - '!package_xinetd_removed' - '!service_xinetd_disabled' - '!ensure_oracle_gpgkey_installed' + - '!configure_ssh_crypto_policy' diff --git a/products/rhel10/profiles/ospp.profile b/products/rhel10/profiles/ospp.profile index 23e2baf806f..7a27e453470 100644 --- a/products/rhel10/profiles/ospp.profile +++ b/products/rhel10/profiles/ospp.profile @@ -27,3 +27,4 @@ selections: - '!package_scap-security-guide_installed' # Currently not working RHEL 10, changes are being made to FIPS mode. Investigation is recommended. - '!enable_dracut_fips_module' + - '!configure_ssh_crypto_policy' diff --git a/products/rhel10/profiles/pci-dss.profile b/products/rhel10/profiles/pci-dss.profile index ca135303e71..db0c1698725 100644 --- a/products/rhel10/profiles/pci-dss.profile +++ b/products/rhel10/profiles/pci-dss.profile @@ -84,3 +84,4 @@ selections: - '!sshd_use_approved_ciphers' - '!security_patches_up_to_date' - '!kernel_module_dccp_disabled' + - '!configure_ssh_crypto_policy' diff --git a/products/rhel9/controls/ccn_rhel9.yml b/products/rhel9/controls/ccn_rhel9.yml index 3233252f5d0..2c622df1085 100644 --- a/products/rhel9/controls/ccn_rhel9.yml +++ b/products/rhel9/controls/ccn_rhel9.yml @@ -321,7 +321,7 @@ controls: - advanced status: automated rules: - - configure_ssh_crypto_policy + - configure_crypto_policy - id: A.5.SEC-RHEL7 title: Network Session Inactivity is Controlled @@ -650,7 +650,7 @@ controls: notes: |- It overlaps the rule in A.5.SEC-RHEL6 requirement related_rules: - - configure_ssh_crypto_policy + - configure_crypto_policy - id: A.11.SEC-RHEL7 title: GUI Idle Time is Limited 
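Review bot: In products/rhel9/controls/ccn_rhel9.yml the control ahead of A.5.SEC-RHEL7 keeps `status: automated` while its visible rule becomes `configure_crypto_policy`, a rule the ccn_basic, ccn_intermediate and ccn_advanced stability lists already contained before this commit, so the control no longer contributes an SSH-specific check. The control's id and title are outside the hunk; if the requirement is about SSH sessions, I would record the substitution in the control itself, for example `notes: SSH crypto settings are assessed through the system-wide crypto policy; configure_ssh_crypto_policy was dropped because sshd ignores CRYPTO_POLICY`. The same applies to the `related_rules` entry in the second hunk, whose existing note "It overlaps the rule in A.5.SEC-RHEL6 requirement" gives no hint that the rule was swapped.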
diff --git a/products/rhel9/controls/cis_rhel9.yml b/products/rhel9/controls/cis_rhel9.yml index 517085dc303..24478f95f77 100644 --- a/products/rhel9/controls/cis_rhel9.yml +++ b/products/rhel9/controls/cis_rhel9.yml @@ -560,9 +560,11 @@ controls: levels: - l1_server - l1_workstation - status: automated - rules: - - configure_ssh_crypto_policy + status: not applicable + notes: |- + The variable CRYPTO_POLICY required by this CIS requirement is no longer honored by sshd on any RHEL 9 system. + This requirement will be removed from CIS Benchmark in future releases, + see https://workbench.cisecurity.org/tickets/26215. - id: 1.6.3 title: Ensure system wide crypto policy disables sha1 hash and signature support (Automated) diff --git a/products/rhel9/profiles/default.profile b/products/rhel9/profiles/default.profile index 9b7709cd406..3eef0daccff 100644 --- a/products/rhel9/profiles/default.profile +++ b/products/rhel9/profiles/default.profile @@ -588,3 +588,4 @@ selections: - audit_rules_etc_cron_d - audit_rules_var_spool_cron - audit_rules_login_events_tallylog + - configure_ssh_crypto_policy diff --git a/products/rhel9/profiles/e8.profile b/products/rhel9/profiles/e8.profile index c1b5319205d..ca0de6f135e 100644 --- a/products/rhel9/profiles/e8.profile +++ b/products/rhel9/profiles/e8.profile @@ -32,3 +32,4 @@ selections: # Following rules are not applicable to RHEL - '!package_talk_removed' - '!package_talk-server_removed' + - '!configure_ssh_crypto_policy' diff --git a/products/rhel9/profiles/hipaa.profile b/products/rhel9/profiles/hipaa.profile index 0593ad33ab5..14b6bd693f7 100644 --- a/products/rhel9/profiles/hipaa.profile +++ b/products/rhel9/profiles/hipaa.profile @@ -92,3 +92,4 @@ selections: - "!sshd_use_approved_macs" - "!sshd_use_priv_separation" - "!package_sequoia-sq_installed" + - '!configure_ssh_crypto_policy' diff --git a/products/rhel9/profiles/ism_o.profile b/products/rhel9/profiles/ism_o.profile index 871c534c8c2..25abf69ea92 100644 
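Review bot: The new `notes:` on the control above 1.6.3 in cis_rhel9.yml justify `status: not applicable` mainly through a CIS Workbench ticket link, which readers without Workbench access probably cannot open, and they do not say what still covers SSH crypto settings in the CIS profiles. The stability lists for cis, cis_server_l1, cis_workstation_l1 and cis_workstation_l2 keep `configure_custom_crypto_policy_cis`, so if that is the intended replacement I would add a sentence such as `SSH crypto settings remain covered by configure_custom_crypto_policy_cis.` to the note. That gives an auditor who sees this control drop out of scan results a self-contained explanation. The control's id and title lines are outside the hunk.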
--- a/products/rhel9/profiles/ism_o.profile
+++ b/products/rhel9/profiles/ism_o.profile
@@ -80,5 +80,6 @@ selections:
 - '!package_xinetd_removed'
 - '!service_xinetd_disabled'
 - '!ensure_oracle_gpgkey_installed'
+ - '!configure_ssh_crypto_policy'
 # This package is not available in RHEL 9
 - '!package_sequoia-sq_installed'
diff --git a/products/rhel9/profiles/ospp.profile b/products/rhel9/profiles/ospp.profile
index 3afe66d77f9..4c6591a49be 100644
--- a/products/rhel9/profiles/ospp.profile
+++ b/products/rhel9/profiles/ospp.profile
@@ -26,3 +26,4 @@ selections:
 - var_authselect_profile=minimal
 - '!package_dnf-plugin-subscription-manager_installed'
 - '!package_sequoia-sq_installed'
+ - '!configure_ssh_crypto_policy'
diff --git a/products/rhel9/profiles/pci-dss.profile b/products/rhel9/profiles/pci-dss.profile
index 22055285f8d..1b19fbb2d2e 100644
--- a/products/rhel9/profiles/pci-dss.profile
+++ b/products/rhel9/profiles/pci-dss.profile
@@ -74,3 +74,4 @@ selections:
 - '!audit_rules_mac_modification_etc_selinux'
 - '!audit_rules_dac_modification_fchmodat2'
 - '!package_sequoia-sq_installed'
+ - '!configure_ssh_crypto_policy'
diff --git a/tests/data/profile_stability/rhel10/e8.profile b/tests/data/profile_stability/rhel10/e8.profile
index 3403e873a09..5591e0ee071 100644
--- a/tests/data/profile_stability/rhel10/e8.profile
+++ b/tests/data/profile_stability/rhel10/e8.profile
@@ -30,7 +30,6 @@ auditd_log_format
 auditd_name_format
 auditd_write_logs
 configure_crypto_policy
-configure_ssh_crypto_policy
 dir_perms_world_writable_sticky_bits
 dnf-automatic_security_updates_only
 ensure_gpgcheck_globally_activated
diff --git a/tests/data/profile_stability/rhel10/hipaa.profile b/tests/data/profile_stability/rhel10/hipaa.profile
index 8f155a64dd5..7462ce6fe3d 100644
--- a/tests/data/profile_stability/rhel10/hipaa.profile
+++ b/tests/data/profile_stability/rhel10/hipaa.profile
@@ -91,7 +91,6 @@ auditd_data_retention_max_log_file_action
 auditd_data_retention_max_log_file_action_stig
 auditd_data_retention_space_left_action
 configure_crypto_policy
-configure_ssh_crypto_policy
 dconf_db_up_to_date
 disable_ctrlaltdel_burstaction
 disable_ctrlaltdel_reboot
diff --git a/tests/data/profile_stability/rhel10/ism_o.profile b/tests/data/profile_stability/rhel10/ism_o.profile
index 0c9e1510efa..6e2e3b5d57f 100644
--- a/tests/data/profile_stability/rhel10/ism_o.profile
+++ b/tests/data/profile_stability/rhel10/ism_o.profile
@@ -64,7 +64,6 @@ configure_crypto_policy
 configure_firewalld_ports
 configure_kerberos_crypto_policy
 configure_opensc_card_drivers
-configure_ssh_crypto_policy
 dir_perms_world_writable_sticky_bits
 disable_host_auth
 dnf-automatic_apply_updates
diff --git a/tests/data/profile_stability/rhel10/ism_o_secret.profile b/tests/data/profile_stability/rhel10/ism_o_secret.profile
index 75c91e6c50b..20654bfb087 100644
--- a/tests/data/profile_stability/rhel10/ism_o_secret.profile
+++ b/tests/data/profile_stability/rhel10/ism_o_secret.profile
@@ -64,7 +64,6 @@ configure_crypto_policy
 configure_firewalld_ports
 configure_kerberos_crypto_policy
 configure_opensc_card_drivers
-configure_ssh_crypto_policy
 dir_perms_world_writable_sticky_bits
 disable_host_auth
 dnf-automatic_apply_updates
diff --git a/tests/data/profile_stability/rhel10/ism_o_top_secret.profile b/tests/data/profile_stability/rhel10/ism_o_top_secret.profile
index fe0855f1f63..5449f56570a 100644
--- a/tests/data/profile_stability/rhel10/ism_o_top_secret.profile
+++ b/tests/data/profile_stability/rhel10/ism_o_top_secret.profile
@@ -64,7 +64,6 @@ configure_crypto_policy
 configure_firewalld_ports
 configure_kerberos_crypto_policy
 configure_opensc_card_drivers
-configure_ssh_crypto_policy
 dir_perms_world_writable_sticky_bits
 disable_host_auth
 dnf-automatic_apply_updates
diff --git a/tests/data/profile_stability/rhel10/ospp.profile b/tests/data/profile_stability/rhel10/ospp.profile
index 4e8be22afd6..9daf0711559 100644
--- a/tests/data/profile_stability/rhel10/ospp.profile
+++ b/tests/data/profile_stability/rhel10/ospp.profile
@@ -62,7 +62,6 @@ auditd_name_format
 chronyd_client_only
 configure_crypto_policy
 configure_openssl_crypto_policy
-configure_ssh_crypto_policy
 configure_usbguard_auditbackend
 disable_ctrlaltdel_burstaction
 disable_ctrlaltdel_reboot
diff --git a/tests/data/profile_stability/rhel10/pci-dss.profile b/tests/data/profile_stability/rhel10/pci-dss.profile
index b89fbac1f5d..59838d7233f 100644
--- a/tests/data/profile_stability/rhel10/pci-dss.profile
+++ b/tests/data/profile_stability/rhel10/pci-dss.profile
@@ -74,7 +74,6 @@ chronyd_run_as_chrony_user
 chronyd_specify_remote_server
 configure_crypto_policy
 configure_firewalld_ports
-configure_ssh_crypto_policy
 coredump_disable_backtraces
 coredump_disable_storage
 dconf_db_up_to_date
diff --git a/tests/data/profile_stability/rhel9/ccn_advanced.profile b/tests/data/profile_stability/rhel9/ccn_advanced.profile
index 38452e57d9d..48e0df9e5a5 100644
--- a/tests/data/profile_stability/rhel9/ccn_advanced.profile
+++ b/tests/data/profile_stability/rhel9/ccn_advanced.profile
@@ -51,7 +51,6 @@ banner_etc_motd
 chronyd_run_as_chrony_user
 chronyd_specify_remote_server
 configure_crypto_policy
-configure_ssh_crypto_policy
 dconf_db_up_to_date
 dconf_gnome_banner_enabled
 dconf_gnome_disable_automount
diff --git a/tests/data/profile_stability/rhel9/ccn_basic.profile b/tests/data/profile_stability/rhel9/ccn_basic.profile
index 67e6f4851f7..46991f170e4 100644
--- a/tests/data/profile_stability/rhel9/ccn_basic.profile
+++ b/tests/data/profile_stability/rhel9/ccn_basic.profile
@@ -37,7 +37,6 @@ banner_etc_issue
 banner_etc_issue_net
 banner_etc_motd
 configure_crypto_policy
-configure_ssh_crypto_policy
 dconf_db_up_to_date
 dconf_gnome_banner_enabled
 dconf_gnome_login_banner_text
diff --git a/tests/data/profile_stability/rhel9/ccn_intermediate.profile b/tests/data/profile_stability/rhel9/ccn_intermediate.profile
index 318feaa0688..c75ff8b20c2 100644
--- a/tests/data/profile_stability/rhel9/ccn_intermediate.profile
+++ b/tests/data/profile_stability/rhel9/ccn_intermediate.profile
@@ -40,7 +40,6 @@ banner_etc_motd
 chronyd_run_as_chrony_user
 chronyd_specify_remote_server
 configure_crypto_policy
-configure_ssh_crypto_policy
 dconf_db_up_to_date
 dconf_gnome_banner_enabled
 dconf_gnome_disable_automount
diff --git a/tests/data/profile_stability/rhel9/cis.profile b/tests/data/profile_stability/rhel9/cis.profile
index e7ba04ad19a..ba51336e39d 100644
--- a/tests/data/profile_stability/rhel9/cis.profile
+++ b/tests/data/profile_stability/rhel9/cis.profile
@@ -113,7 +113,6 @@ chronyd_run_as_chrony_user
 chronyd_specify_remote_server
 cis_banner_text=cis
 configure_custom_crypto_policy_cis
-configure_ssh_crypto_policy
 coredump_disable_backtraces
 coredump_disable_storage
 dconf_db_up_to_date
diff --git a/tests/data/profile_stability/rhel9/cis_server_l1.profile b/tests/data/profile_stability/rhel9/cis_server_l1.profile
index c8101f3586c..f45794e90a3 100644
--- a/tests/data/profile_stability/rhel9/cis_server_l1.profile
+++ b/tests/data/profile_stability/rhel9/cis_server_l1.profile
@@ -42,7 +42,6 @@ chronyd_run_as_chrony_user
 chronyd_specify_remote_server
 cis_banner_text=cis
 configure_custom_crypto_policy_cis
-configure_ssh_crypto_policy
 coredump_disable_backtraces
 coredump_disable_storage
 dconf_db_up_to_date
diff --git a/tests/data/profile_stability/rhel9/cis_workstation_l1.profile b/tests/data/profile_stability/rhel9/cis_workstation_l1.profile
index 35e41ca4603..f55102cc2a6 100644
--- a/tests/data/profile_stability/rhel9/cis_workstation_l1.profile
+++ b/tests/data/profile_stability/rhel9/cis_workstation_l1.profile
@@ -42,7 +42,6 @@ chronyd_run_as_chrony_user
 chronyd_specify_remote_server
 cis_banner_text=cis
 configure_custom_crypto_policy_cis
-configure_ssh_crypto_policy
 coredump_disable_backtraces
 coredump_disable_storage
 dconf_db_up_to_date
diff --git a/tests/data/profile_stability/rhel9/cis_workstation_l2.profile b/tests/data/profile_stability/rhel9/cis_workstation_l2.profile
index a9b64c307ab..f1e16ae9b24 100644
--- a/tests/data/profile_stability/rhel9/cis_workstation_l2.profile
+++ b/tests/data/profile_stability/rhel9/cis_workstation_l2.profile
@@ -113,7 +113,6 @@ chronyd_run_as_chrony_user
 chronyd_specify_remote_server
 cis_banner_text=cis
 configure_custom_crypto_policy_cis
-configure_ssh_crypto_policy
 coredump_disable_backtraces
 coredump_disable_storage
 dconf_db_up_to_date
diff --git a/tests/data/profile_stability/rhel9/cui.profile b/tests/data/profile_stability/rhel9/cui.profile
index 79ca2a416b3..01636b8f22e 100644
--- a/tests/data/profile_stability/rhel9/cui.profile
+++ b/tests/data/profile_stability/rhel9/cui.profile
@@ -62,7 +62,6 @@ auditd_name_format
 chronyd_client_only
 configure_crypto_policy
 configure_openssl_crypto_policy
-configure_ssh_crypto_policy
 configure_usbguard_auditbackend
 disable_ctrlaltdel_burstaction
 disable_ctrlaltdel_reboot
diff --git a/tests/data/profile_stability/rhel9/e8.profile b/tests/data/profile_stability/rhel9/e8.profile
index 63d0ffa8cd5..adc371f6fa6 100644
--- a/tests/data/profile_stability/rhel9/e8.profile
+++ b/tests/data/profile_stability/rhel9/e8.profile
@@ -30,7 +30,6 @@ auditd_log_format
 auditd_name_format
 auditd_write_logs
 configure_crypto_policy
-configure_ssh_crypto_policy
 dir_perms_world_writable_sticky_bits
 dnf-automatic_security_updates_only
 enable_authselect
diff --git a/tests/data/profile_stability/rhel9/hipaa.profile b/tests/data/profile_stability/rhel9/hipaa.profile
index 1d6813b70e7..054de5d28e2 100644
--- a/tests/data/profile_stability/rhel9/hipaa.profile
+++ b/tests/data/profile_stability/rhel9/hipaa.profile
@@ -69,7 +69,6 @@ audit_rules_usergroup_modification_shadow
 auditd_audispd_syslog_plugin_activated
 auditd_data_retention_flush
 configure_crypto_policy
-configure_ssh_crypto_policy
 dconf_db_up_to_date
 dconf_gnome_remote_access_credential_prompt
 dconf_gnome_remote_access_encryption
diff --git a/tests/data/profile_stability/rhel9/ism_o.profile b/tests/data/profile_stability/rhel9/ism_o.profile
index c6e28795f9f..1d8390886b9 100644
--- a/tests/data/profile_stability/rhel9/ism_o.profile
+++ b/tests/data/profile_stability/rhel9/ism_o.profile
@@ -47,7 +47,6 @@ auditd_write_logs
 chronyd_specify_remote_server
 configure_crypto_policy
 configure_firewalld_ports
-configure_ssh_crypto_policy
 dir_perms_world_writable_sticky_bits
 disable_host_auth
 dnf-automatic_security_updates_only
diff --git a/tests/data/profile_stability/rhel9/ospp.profile b/tests/data/profile_stability/rhel9/ospp.profile
index c5118f70da8..3cc94350d32 100644
--- a/tests/data/profile_stability/rhel9/ospp.profile
+++ b/tests/data/profile_stability/rhel9/ospp.profile
@@ -62,7 +62,6 @@ auditd_name_format
 chronyd_client_only
 configure_crypto_policy
 configure_openssl_crypto_policy
-configure_ssh_crypto_policy
 configure_usbguard_auditbackend
 disable_ctrlaltdel_burstaction
 disable_ctrlaltdel_reboot
diff --git a/tests/data/profile_stability/rhel9/pci-dss.profile b/tests/data/profile_stability/rhel9/pci-dss.profile
index 4dca3c64a41..e5a9965c2d2 100644
--- a/tests/data/profile_stability/rhel9/pci-dss.profile
+++ b/tests/data/profile_stability/rhel9/pci-dss.profile
@@ -72,7 +72,6 @@ chronyd_run_as_chrony_user
 chronyd_specify_remote_server
 configure_crypto_policy
 configure_firewalld_ports
-configure_ssh_crypto_policy
 coredump_disable_backtraces
 coredump_disable_storage
 dconf_db_up_to_date