From 89159fa0e66a43fb9956216c6540083bc0e33d74 Mon Sep 17 00:00:00 2001 
From: =?UTF-8?q?Jan=20=C4=8Cern=C3=BD?=
Date: Sun, 28 Dec 2025 16:39:23 +0100
Subject: [PATCH] Remove rule configure_ssh_crypto_policy from RHEL 9 and 19

The variable CRYPTO_POLICY is no longer honored by sshd on any RHEL 9 and 10 system. This variable has been removed in RHEL 9 and replaced by using the Include directive in sshd_config. Therefore, we will remove the rule configure_ssh_crypto_policy that configures this variable from all RHEL 9 profiles.

Resolves: https://issues.redhat.com/browse/RHEL-65737
---
 products/rhel10/profiles/default.profile | 1 +
 products/rhel10/profiles/e8.profile | 1 +
 products/rhel10/profiles/hipaa.profile | 1 +
 products/rhel10/profiles/ism_o.profile | 1 +
 products/rhel10/profiles/ism_o_secret.profile | 1 +
 products/rhel10/profiles/ism_o_top_secret.profile | 1 +
 products/rhel10/profiles/ospp.profile | 1 +
 products/rhel10/profiles/pci-dss.profile | 1 +
 products/rhel9/controls/ccn_rhel9.yml | 4 ++--
 products/rhel9/controls/cis_rhel9.yml | 8 +++++---
 products/rhel9/profiles/default.profile | 1 +
 products/rhel9/profiles/e8.profile | 1 +
 products/rhel9/profiles/hipaa.profile | 1 +
 products/rhel9/profiles/ism_o.profile | 1 +
 products/rhel9/profiles/ospp.profile | 1 +
 products/rhel9/profiles/pci-dss.profile | 1 +
 tests/data/profile_stability/rhel10/e8.profile | 1 -
 tests/data/profile_stability/rhel10/hipaa.profile | 1 -
 tests/data/profile_stability/rhel10/ism_o.profile | 1 -
 tests/data/profile_stability/rhel10/ism_o_secret.profile | 1 -
 .../profile_stability/rhel10/ism_o_top_secret.profile | 1 -
 tests/data/profile_stability/rhel10/ospp.profile | 1 -
 tests/data/profile_stability/rhel10/pci-dss.profile | 1 -
 tests/data/profile_stability/rhel9/ccn_advanced.profile | 1 -
 tests/data/profile_stability/rhel9/ccn_basic.profile | 1 -
 .../data/profile_stability/rhel9/ccn_intermediate.profile | 1 -
 tests/data/profile_stability/rhel9/cis.profile | 1 -
 tests/data/profile_stability/rhel9/cis_server_l1.profile | 1 -
 .../profile_stability/rhel9/cis_workstation_l1.profile | 1 -
 .../profile_stability/rhel9/cis_workstation_l2.profile | 1 -
 tests/data/profile_stability/rhel9/cui.profile | 1 -
 tests/data/profile_stability/rhel9/e8.profile | 1 -
 tests/data/profile_stability/rhel9/hipaa.profile | 1 -
 tests/data/profile_stability/rhel9/ism_o.profile | 1 -
 tests/data/profile_stability/rhel9/ospp.profile | 1 -
 tests/data/profile_stability/rhel9/pci-dss.profile | 1 -
 36 files changed, 21 insertions(+), 25 deletions(-)

diff --git a/products/rhel10/profiles/default.profile b/products/rhel10/profiles/default.profile
index f3d25357504f..815f962954ca 100644
--- a/products/rhel10/profiles/default.profile
+++ b/products/rhel10/profiles/default.profile
@@ -43,3 +43,4 @@ selections:
     - partition_for_dev_shm
     - file_etc_security_opasswd
     - sshd_use_strong_macs
+    - configure_ssh_crypto_policy
diff --git a/products/rhel10/profiles/e8.profile b/products/rhel10/profiles/e8.profile
index 22d12b911019..05d7fbf6c281 100644
--- a/products/rhel10/profiles/e8.profile
+++ b/products/rhel10/profiles/e8.profile
@@ -38,3 +38,4 @@ selections:
     - '!package_rsh_removed'
     - '!package_rsh-server_removed'
     - '!security_patches_up_to_date'
+    - '!configure_ssh_crypto_policy'
diff --git a/products/rhel10/profiles/hipaa.profile b/products/rhel10/profiles/hipaa.profile
index 265d0b126017..30635f497846 100644
--- a/products/rhel10/profiles/hipaa.profile
+++ b/products/rhel10/profiles/hipaa.profile
@@ -67,3 +67,4 @@ selections:
     - '!service_rlogin_disabled'
     - '!service_rsh_disabled'
     - '!service_rexec_disabled'
+    - '!configure_ssh_crypto_policy'
diff --git a/products/rhel10/profiles/ism_o.profile b/products/rhel10/profiles/ism_o.profile
index c80b939e42e3..f4dac5f9b53d 100644
--- a/products/rhel10/profiles/ism_o.profile
+++ b/products/rhel10/profiles/ism_o.profile
@@ -61,3 +61,4 @@ selections:
     - '!package_xinetd_removed'
     - '!service_xinetd_disabled'
     - '!ensure_oracle_gpgkey_installed'
+    - '!configure_ssh_crypto_policy'
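Review bot: Selecting `configure_ssh_crypto_policy` positively in products/rhel10/profiles/default.profile (and likewise in products/rhel9/profiles/default.profile later in this patch) reads as a re-enablement of the very rule the commit message says is being removed because CRYPTO_POLICY is no longer honored, while every other profile touched here unselects it with `!`. If the purpose is to keep the rule built and exercised through the default profile without shipping it in any hardening profile, that rationale belongs in the commit description, or as a comment next to the new line such as `# kept in the default profile only so the rule still builds; not honored by sshd on this product`. The subject line's "RHEL 9 and 19" also looks like a typo for 10, given the body text.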
diff --git a/products/rhel10/profiles/ism_o_secret.profile b/products/rhel10/profiles/ism_o_secret.profile
index c2c51ac1f9bf..9ced033943f7 100644
--- a/products/rhel10/profiles/ism_o_secret.profile
+++ b/products/rhel10/profiles/ism_o_secret.profile
@@ -63,3 +63,4 @@ selections:
     - '!package_xinetd_removed'
     - '!service_xinetd_disabled'
     - '!ensure_oracle_gpgkey_installed'
+    - '!configure_ssh_crypto_policy'
diff --git a/products/rhel10/profiles/ism_o_top_secret.profile b/products/rhel10/profiles/ism_o_top_secret.profile
index c6423efdecff..a2c5304b3b60 100644
--- a/products/rhel10/profiles/ism_o_top_secret.profile
+++ b/products/rhel10/profiles/ism_o_top_secret.profile
@@ -61,3 +61,4 @@ selections:
     - '!package_xinetd_removed'
     - '!service_xinetd_disabled'
     - '!ensure_oracle_gpgkey_installed'
+    - '!configure_ssh_crypto_policy'
diff --git a/products/rhel10/profiles/ospp.profile b/products/rhel10/profiles/ospp.profile
index 23e2baf806f0..7a27e4534707 100644
--- a/products/rhel10/profiles/ospp.profile
+++ b/products/rhel10/profiles/ospp.profile
@@ -27,3 +27,4 @@ selections:
     - '!package_scap-security-guide_installed'
     # Currently not working RHEL 10, changes are being made to FIPS mode. Investigation is recommended.
     - '!enable_dracut_fips_module'
+    - '!configure_ssh_crypto_policy'
diff --git a/products/rhel10/profiles/pci-dss.profile b/products/rhel10/profiles/pci-dss.profile
index ca135303e71b..db0c16987250 100644
--- a/products/rhel10/profiles/pci-dss.profile
+++ b/products/rhel10/profiles/pci-dss.profile
@@ -84,3 +84,4 @@ selections:
     - '!sshd_use_approved_ciphers'
     - '!security_patches_up_to_date'
     - '!kernel_module_dccp_disabled'
+    - '!configure_ssh_crypto_policy'
diff --git a/products/rhel9/controls/ccn_rhel9.yml b/products/rhel9/controls/ccn_rhel9.yml
index 3233252f5d00..2c622df10852 100644
--- a/products/rhel9/controls/ccn_rhel9.yml
+++ b/products/rhel9/controls/ccn_rhel9.yml
@@ -321,7 +321,7 @@ controls:
         - advanced
       status: automated
       rules:
-        - configure_ssh_crypto_policy
+        - configure_crypto_policy
 
     - id: A.5.SEC-RHEL7
       title: Network Session Inactivity is Controlled
@@ -650,7 +650,7 @@ controls:
       notes: |-
         It overlaps the rule in A.5.SEC-RHEL6 requirement
       related_rules:
-        - configure_ssh_crypto_policy
+        - configure_crypto_policy
 
     - id: A.11.SEC-RHEL7
       title: GUI Idle Time is Limited
diff --git a/products/rhel9/controls/cis_rhel9.yml b/products/rhel9/controls/cis_rhel9.yml
index 517085dc3030..24478f95f775 100644
--- a/products/rhel9/controls/cis_rhel9.yml
+++ b/products/rhel9/controls/cis_rhel9.yml
@@ -560,9 +560,11 @@ controls:
       levels:
         - l1_server
         - l1_workstation
-      status: automated
-      rules:
-        - configure_ssh_crypto_policy
+      status: not applicable
+      notes: |-
+        The variable CRYPTO_POLICY required by this CIS requirement is no longer honored by sshd on any RHEL 9 system.
+        This requirement will be removed from CIS Benchmark in future releases,
+        see https://workbench.cisecurity.org/tickets/26215.
 
     - id: 1.6.3
       title: Ensure system wide crypto policy disables sha1 hash and signature support (Automated)
diff --git a/products/rhel9/profiles/default.profile b/products/rhel9/profiles/default.profile
index 9b7709cd4068..3eef0daccff0 100644
--- a/products/rhel9/profiles/default.profile
+++ b/products/rhel9/profiles/default.profile
@@ -588,3 +588,4 @@ selections:
     - audit_rules_etc_cron_d
     - audit_rules_var_spool_cron
     - audit_rules_login_events_tallylog
+    - configure_ssh_crypto_policy
diff --git a/products/rhel9/profiles/e8.profile b/products/rhel9/profiles/e8.profile
index c1b5319205d4..ca0de6f135eb 100644
--- a/products/rhel9/profiles/e8.profile
+++ b/products/rhel9/profiles/e8.profile
@@ -32,3 +32,4 @@ selections:
     # Following rules are not applicable to RHEL
     - '!package_talk_removed'
     - '!package_talk-server_removed'
+    - '!configure_ssh_crypto_policy'
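Review bot: Substituting `configure_crypto_policy` for `configure_ssh_crypto_policy` in this control's rules (and in related_rules in the second hunk at @@ -650) narrows what the control verifies to the system-wide policy setting, whereas the removed rule checked the sshd-side wiring; the control's id is above the hunk, though the second hunk's notes suggest it is A.5.SEC-RHEL6. The two are only equivalent if sshd actually follows the system-wide policy through the sshd_config Include the commit message describes; a configuration that sets Ciphers or MACs explicitly in sshd_config would presumably still pass configure_crypto_policy while running a weaker suite. Consider adding an sshd-side rule such as `sshd_use_approved_ciphers` or `sshd_use_approved_macs` beside it, or recording in the control's notes that sshd-specific verification is intentionally out of scope for this requirement.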
diff --git a/products/rhel9/profiles/hipaa.profile b/products/rhel9/profiles/hipaa.profile
index 0593ad33ab58..14b6bd693f79 100644
--- a/products/rhel9/profiles/hipaa.profile
+++ b/products/rhel9/profiles/hipaa.profile
@@ -92,3 +92,4 @@ selections:
     - "!sshd_use_approved_macs"
     - "!sshd_use_priv_separation"
     - "!package_sequoia-sq_installed"
+    - '!configure_ssh_crypto_policy'
diff --git a/products/rhel9/profiles/ism_o.profile b/products/rhel9/profiles/ism_o.profile
index 871c534c8c20..25abf69ea923 100644
--- a/products/rhel9/profiles/ism_o.profile
+++ b/products/rhel9/profiles/ism_o.profile
@@ -80,5 +80,6 @@ selections:
     - '!package_xinetd_removed'
     - '!service_xinetd_disabled'
     - '!ensure_oracle_gpgkey_installed'
+    - '!configure_ssh_crypto_policy'
     # This package is not available in RHEL 9
     - '!package_sequoia-sq_installed'
diff --git a/products/rhel9/profiles/ospp.profile b/products/rhel9/profiles/ospp.profile
index 3afe66d77f9a..4c6591a49be8 100644
--- a/products/rhel9/profiles/ospp.profile
+++ b/products/rhel9/profiles/ospp.profile
@@ -26,3 +26,4 @@ selections:
     - var_authselect_profile=minimal
     - '!package_dnf-plugin-subscription-manager_installed'
     - '!package_sequoia-sq_installed'
+    - '!configure_ssh_crypto_policy'
diff --git a/products/rhel9/profiles/pci-dss.profile b/products/rhel9/profiles/pci-dss.profile
index 22055285f8d2..1b19fbb2d2ef 100644
--- a/products/rhel9/profiles/pci-dss.profile
+++ b/products/rhel9/profiles/pci-dss.profile
@@ -74,3 +74,4 @@ selections:
     - '!audit_rules_mac_modification_etc_selinux'
     - '!audit_rules_dac_modification_fchmodat2'
     - '!package_sequoia-sq_installed'
+    - '!configure_ssh_crypto_policy'
diff --git a/tests/data/profile_stability/rhel10/e8.profile b/tests/data/profile_stability/rhel10/e8.profile
index 3403e873a09c..5591e0ee0714 100644
--- a/tests/data/profile_stability/rhel10/e8.profile
+++ b/tests/data/profile_stability/rhel10/e8.profile
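Review bot: The added `'!configure_ssh_crypto_policy'` line in products/rhel9/profiles/hipaa.profile uses single quotes while the three context lines above it (`"!sshd_use_approved_macs"` and the following two) use double quotes, so this selections block now mixes quoting styles for the same kind of entry. `    - "!configure_ssh_crypto_policy"` would match its neighbours. The rest of the selections list is outside the hunk, so whichever style dominates there should decide.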
@@ -30,7 +30,6 @@ auditd_log_format
 auditd_name_format
 auditd_write_logs
 configure_crypto_policy
-configure_ssh_crypto_policy
 dir_perms_world_writable_sticky_bits
 dnf-automatic_security_updates_only
 ensure_gpgcheck_globally_activated
diff --git a/tests/data/profile_stability/rhel10/hipaa.profile b/tests/data/profile_stability/rhel10/hipaa.profile
index 8f155a64dd5d..7462ce6fe3db 100644
--- a/tests/data/profile_stability/rhel10/hipaa.profile
+++ b/tests/data/profile_stability/rhel10/hipaa.profile
@@ -91,7 +91,6 @@ auditd_data_retention_max_log_file_action
 auditd_data_retention_max_log_file_action_stig
 auditd_data_retention_space_left_action
 configure_crypto_policy
-configure_ssh_crypto_policy
 dconf_db_up_to_date
 disable_ctrlaltdel_burstaction
 disable_ctrlaltdel_reboot
diff --git a/tests/data/profile_stability/rhel10/ism_o.profile b/tests/data/profile_stability/rhel10/ism_o.profile
index 0c9e1510efad..6e2e3b5d57fc 100644
--- a/tests/data/profile_stability/rhel10/ism_o.profile
+++ b/tests/data/profile_stability/rhel10/ism_o.profile
@@ -64,7 +64,6 @@ configure_crypto_policy
 configure_firewalld_ports
 configure_kerberos_crypto_policy
 configure_opensc_card_drivers
-configure_ssh_crypto_policy
 dir_perms_world_writable_sticky_bits
 disable_host_auth
 dnf-automatic_apply_updates
diff --git a/tests/data/profile_stability/rhel10/ism_o_secret.profile b/tests/data/profile_stability/rhel10/ism_o_secret.profile
index 75c91e6c50b2..20654bfb087a 100644
--- a/tests/data/profile_stability/rhel10/ism_o_secret.profile
+++ b/tests/data/profile_stability/rhel10/ism_o_secret.profile
@@ -64,7 +64,6 @@ configure_crypto_policy
 configure_firewalld_ports
 configure_kerberos_crypto_policy
 configure_opensc_card_drivers
-configure_ssh_crypto_policy
 dir_perms_world_writable_sticky_bits
 disable_host_auth
 dnf-automatic_apply_updates
diff --git a/tests/data/profile_stability/rhel10/ism_o_top_secret.profile b/tests/data/profile_stability/rhel10/ism_o_top_secret.profile
index fe0855f1f63a..5449f56570af 100644
--- a/tests/data/profile_stability/rhel10/ism_o_top_secret.profile
+++ b/tests/data/profile_stability/rhel10/ism_o_top_secret.profile
@@ -64,7 +64,6 @@ configure_crypto_policy
 configure_firewalld_ports
 configure_kerberos_crypto_policy
 configure_opensc_card_drivers
-configure_ssh_crypto_policy
 dir_perms_world_writable_sticky_bits
 disable_host_auth
 dnf-automatic_apply_updates
diff --git a/tests/data/profile_stability/rhel10/ospp.profile b/tests/data/profile_stability/rhel10/ospp.profile
index 4e8be22afd63..9daf07115598 100644
--- a/tests/data/profile_stability/rhel10/ospp.profile
+++ b/tests/data/profile_stability/rhel10/ospp.profile
@@ -62,7 +62,6 @@ auditd_name_format
 chronyd_client_only
 configure_crypto_policy
 configure_openssl_crypto_policy
-configure_ssh_crypto_policy
 configure_usbguard_auditbackend
 disable_ctrlaltdel_burstaction
 disable_ctrlaltdel_reboot
diff --git a/tests/data/profile_stability/rhel10/pci-dss.profile b/tests/data/profile_stability/rhel10/pci-dss.profile
index b89fbac1f5da..59838d7233f3 100644
--- a/tests/data/profile_stability/rhel10/pci-dss.profile
+++ b/tests/data/profile_stability/rhel10/pci-dss.profile
@@ -74,7 +74,6 @@ chronyd_run_as_chrony_user
 chronyd_specify_remote_server
 configure_crypto_policy
 configure_firewalld_ports
-configure_ssh_crypto_policy
 coredump_disable_backtraces
 coredump_disable_storage
 dconf_db_up_to_date
diff --git a/tests/data/profile_stability/rhel9/ccn_advanced.profile b/tests/data/profile_stability/rhel9/ccn_advanced.profile
index 38452e57d9de..48e0df9e5a50 100644
--- a/tests/data/profile_stability/rhel9/ccn_advanced.profile
+++ b/tests/data/profile_stability/rhel9/ccn_advanced.profile
@@ -51,7 +51,6 @@ banner_etc_motd
 chronyd_run_as_chrony_user
 chronyd_specify_remote_server
 configure_crypto_policy
-configure_ssh_crypto_policy
 dconf_db_up_to_date
 dconf_gnome_banner_enabled
 dconf_gnome_disable_automount
diff --git a/tests/data/profile_stability/rhel9/ccn_basic.profile b/tests/data/profile_stability/rhel9/ccn_basic.profile
index 67e6f4851f73..46991f170e43 100644
--- a/tests/data/profile_stability/rhel9/ccn_basic.profile
+++ b/tests/data/profile_stability/rhel9/ccn_basic.profile
@@ -37,7 +37,6 @@ banner_etc_issue
 banner_etc_issue_net
 banner_etc_motd
 configure_crypto_policy
-configure_ssh_crypto_policy
 dconf_db_up_to_date
 dconf_gnome_banner_enabled
 dconf_gnome_login_banner_text
diff --git a/tests/data/profile_stability/rhel9/ccn_intermediate.profile b/tests/data/profile_stability/rhel9/ccn_intermediate.profile
index 318feaa06885..c75ff8b20c27 100644
--- a/tests/data/profile_stability/rhel9/ccn_intermediate.profile
+++ b/tests/data/profile_stability/rhel9/ccn_intermediate.profile
@@ -40,7 +40,6 @@ banner_etc_motd
 chronyd_run_as_chrony_user
 chronyd_specify_remote_server
 configure_crypto_policy
-configure_ssh_crypto_policy
 dconf_db_up_to_date
 dconf_gnome_banner_enabled
 dconf_gnome_disable_automount
diff --git a/tests/data/profile_stability/rhel9/cis.profile b/tests/data/profile_stability/rhel9/cis.profile
index e7ba04ad19af..ba51336e39dd 100644
--- a/tests/data/profile_stability/rhel9/cis.profile
+++ b/tests/data/profile_stability/rhel9/cis.profile
@@ -113,7 +113,6 @@ chronyd_run_as_chrony_user
 chronyd_specify_remote_server
 cis_banner_text=cis
 configure_custom_crypto_policy_cis
-configure_ssh_crypto_policy
 coredump_disable_backtraces
 coredump_disable_storage
 dconf_db_up_to_date
diff --git a/tests/data/profile_stability/rhel9/cis_server_l1.profile b/tests/data/profile_stability/rhel9/cis_server_l1.profile
index c8101f3586c9..f45794e90a3e 100644
--- a/tests/data/profile_stability/rhel9/cis_server_l1.profile
+++ b/tests/data/profile_stability/rhel9/cis_server_l1.profile
@@ -42,7 +42,6 @@ chronyd_run_as_chrony_user
 chronyd_specify_remote_server
 cis_banner_text=cis
 configure_custom_crypto_policy_cis
-configure_ssh_crypto_policy
 coredump_disable_backtraces
 coredump_disable_storage
 dconf_db_up_to_date
diff --git a/tests/data/profile_stability/rhel9/cis_workstation_l1.profile b/tests/data/profile_stability/rhel9/cis_workstation_l1.profile
index 35e41ca4603d..f55102cc2a61 100644
--- a/tests/data/profile_stability/rhel9/cis_workstation_l1.profile
+++ b/tests/data/profile_stability/rhel9/cis_workstation_l1.profile
@@ -42,7 +42,6 @@ chronyd_run_as_chrony_user
 chronyd_specify_remote_server
 cis_banner_text=cis
 configure_custom_crypto_policy_cis
-configure_ssh_crypto_policy
 coredump_disable_backtraces
 coredump_disable_storage
 dconf_db_up_to_date
diff --git a/tests/data/profile_stability/rhel9/cis_workstation_l2.profile b/tests/data/profile_stability/rhel9/cis_workstation_l2.profile
index a9b64c307ab8..f1e16ae9b242 100644
--- a/tests/data/profile_stability/rhel9/cis_workstation_l2.profile
+++ b/tests/data/profile_stability/rhel9/cis_workstation_l2.profile
@@ -113,7 +113,6 @@ chronyd_run_as_chrony_user
 chronyd_specify_remote_server
 cis_banner_text=cis
 configure_custom_crypto_policy_cis
-configure_ssh_crypto_policy
 coredump_disable_backtraces
 coredump_disable_storage
 dconf_db_up_to_date
diff --git a/tests/data/profile_stability/rhel9/cui.profile b/tests/data/profile_stability/rhel9/cui.profile
index 79ca2a416b3c..01636b8f22ed 100644
--- a/tests/data/profile_stability/rhel9/cui.profile
+++ b/tests/data/profile_stability/rhel9/cui.profile
@@ -62,7 +62,6 @@ auditd_name_format
 chronyd_client_only
 configure_crypto_policy
 configure_openssl_crypto_policy
-configure_ssh_crypto_policy
 configure_usbguard_auditbackend
 disable_ctrlaltdel_burstaction
 disable_ctrlaltdel_reboot
diff --git a/tests/data/profile_stability/rhel9/e8.profile b/tests/data/profile_stability/rhel9/e8.profile
index 63d0ffa8cd5e..adc371f6fa65 100644
--- a/tests/data/profile_stability/rhel9/e8.profile
+++ b/tests/data/profile_stability/rhel9/e8.profile
@@ -30,7 +30,6 @@ auditd_log_format
 auditd_name_format
 auditd_write_logs
 configure_crypto_policy
-configure_ssh_crypto_policy
 dir_perms_world_writable_sticky_bits
 dnf-automatic_security_updates_only
 enable_authselect
diff --git a/tests/data/profile_stability/rhel9/hipaa.profile b/tests/data/profile_stability/rhel9/hipaa.profile
index 1d6813b70e72..054de5d28e24 100644
--- a/tests/data/profile_stability/rhel9/hipaa.profile
+++ b/tests/data/profile_stability/rhel9/hipaa.profile
@@ -69,7 +69,6 @@ audit_rules_usergroup_modification_shadow
 auditd_audispd_syslog_plugin_activated
 auditd_data_retention_flush
 configure_crypto_policy
-configure_ssh_crypto_policy
 dconf_db_up_to_date
 dconf_gnome_remote_access_credential_prompt
 dconf_gnome_remote_access_encryption
diff --git a/tests/data/profile_stability/rhel9/ism_o.profile b/tests/data/profile_stability/rhel9/ism_o.profile
index c6e28795f9f9..1d8390886b9d 100644
--- a/tests/data/profile_stability/rhel9/ism_o.profile
+++ b/tests/data/profile_stability/rhel9/ism_o.profile
@@ -47,7 +47,6 @@ auditd_write_logs
 chronyd_specify_remote_server
 configure_crypto_policy
 configure_firewalld_ports
-configure_ssh_crypto_policy
 dir_perms_world_writable_sticky_bits
 disable_host_auth
 dnf-automatic_security_updates_only
diff --git a/tests/data/profile_stability/rhel9/ospp.profile b/tests/data/profile_stability/rhel9/ospp.profile
index c5118f70da86..3cc94350d32b 100644
--- a/tests/data/profile_stability/rhel9/ospp.profile
+++ b/tests/data/profile_stability/rhel9/ospp.profile
@@ -62,7 +62,6 @@ auditd_name_format
 chronyd_client_only
 configure_crypto_policy
 configure_openssl_crypto_policy
-configure_ssh_crypto_policy
 configure_usbguard_auditbackend
 disable_ctrlaltdel_burstaction
 disable_ctrlaltdel_reboot
diff --git a/tests/data/profile_stability/rhel9/pci-dss.profile b/tests/data/profile_stability/rhel9/pci-dss.profile
index 4dca3c64a41c..e5a9965c2d24 100644
--- a/tests/data/profile_stability/rhel9/pci-dss.profile
+++ b/tests/data/profile_stability/rhel9/pci-dss.profile
@@ -72,7 +72,6 @@ chronyd_run_as_chrony_user
 chronyd_specify_remote_server
 configure_crypto_policy
 configure_firewalld_ports
-configure_ssh_crypto_policy
 coredump_disable_backtraces
 coredump_disable_storage
 dconf_db_up_to_date