Remove rule configure_ssh_crypto_policy from RHEL 9 and 10

products/rhel10/profiles/default.profile

@@ -43,3 +43,4 @@ selections:
     - partition_for_dev_shm
     - file_etc_security_opasswd
     - sshd_use_strong_macs
+    - configure_ssh_crypto_policy

products/rhel10/profiles/e8.profile

@@ -38,3 +38,4 @@ selections:
     - '!package_rsh_removed'
     - '!package_rsh-server_removed'
     - '!security_patches_up_to_date'
+    - '!configure_ssh_crypto_policy'

products/rhel10/profiles/hipaa.profile

@@ -67,3 +67,4 @@ selections:
     - '!service_rlogin_disabled'
     - '!service_rsh_disabled'
     - '!service_rexec_disabled'
+    - '!configure_ssh_crypto_policy'

products/rhel10/profiles/ism_o.profile

@@ -61,3 +61,4 @@ selections:
     - '!package_xinetd_removed'
     - '!service_xinetd_disabled'
     - '!ensure_oracle_gpgkey_installed'
+    - '!configure_ssh_crypto_policy'

products/rhel10/profiles/ism_o_secret.profile

@@ -63,3 +63,4 @@ selections:
     - '!package_xinetd_removed'
     - '!service_xinetd_disabled'
     - '!ensure_oracle_gpgkey_installed'
+    - '!configure_ssh_crypto_policy'

products/rhel10/profiles/ism_o_top_secret.profile

@@ -61,3 +61,4 @@ selections:
     - '!package_xinetd_removed'
     - '!service_xinetd_disabled'
     - '!ensure_oracle_gpgkey_installed'
+    - '!configure_ssh_crypto_policy'

products/rhel10/profiles/ospp.profile

@@ -27,3 +27,4 @@ selections:
     - '!package_scap-security-guide_installed'
     # Currently not working RHEL 10, changes are being made to FIPS mode. Investigation is recommended.
     - '!enable_dracut_fips_module'
+    - '!configure_ssh_crypto_policy'

products/rhel10/profiles/pci-dss.profile

@@ -84,3 +84,4 @@ selections:
     - '!sshd_use_approved_ciphers'
     - '!security_patches_up_to_date'
     - '!kernel_module_dccp_disabled'
+    - '!configure_ssh_crypto_policy'

products/rhel9/controls/ccn_rhel9.yml

@@ -321,7 +321,7 @@ controls:
           - advanced
       status: automated
       rules:
-          - configure_ssh_crypto_policy
+          - configure_crypto_policy
 
     - id: A.5.SEC-RHEL7
       title: Network Session Inactivity is Controlled
@@ -650,7 +650,7 @@ controls:
       notes: |-
           It overlaps the rule in A.5.SEC-RHEL6 requirement
       related_rules:
-          - configure_ssh_crypto_policy
+          - configure_crypto_policy
 
     - id: A.11.SEC-RHEL7
       title: GUI Idle Time is Limited

products/rhel9/controls/cis_rhel9.yml

@@ -560,9 +560,11 @@ controls:
       levels:
           - l1_server
           - l1_workstation
-      status: automated
-      rules:
-          - configure_ssh_crypto_policy
+      status: not applicable
+      notes: |-
+          The variable CRYPTO_POLICY required by this CIS requirement is no longer honored by sshd on any RHEL 9 system.
+          This requirement will be removed from CIS Benchmark in future releases,
+          see https://workbench.cisecurity.org/tickets/26215.
 
     - id: 1.6.3
       title: Ensure system wide crypto policy disables sha1 hash and signature support (Automated)

products/rhel9/profiles/default.profile

@@ -588,3 +588,4 @@ selections:
     - audit_rules_etc_cron_d
     - audit_rules_var_spool_cron
     - audit_rules_login_events_tallylog
+    - configure_ssh_crypto_policy

products/rhel9/profiles/e8.profile

@@ -32,3 +32,4 @@ selections:
     # Following rules are not applicable to RHEL
     - '!package_talk_removed'
     - '!package_talk-server_removed'
+    - '!configure_ssh_crypto_policy'

products/rhel9/profiles/hipaa.profile

@@ -92,3 +92,4 @@ selections:
     - "!sshd_use_approved_macs"
     - "!sshd_use_priv_separation"
     - "!package_sequoia-sq_installed"
+    - '!configure_ssh_crypto_policy'

products/rhel9/profiles/ism_o.profile

@@ -80,5 +80,6 @@ selections:
     - '!package_xinetd_removed'
     - '!service_xinetd_disabled'
     - '!ensure_oracle_gpgkey_installed'
+    - '!configure_ssh_crypto_policy'
     # This package is not  available in RHEL 9
     - '!package_sequoia-sq_installed'

products/rhel9/profiles/ospp.profile

@@ -26,3 +26,4 @@ selections:
     - var_authselect_profile=minimal
     - '!package_dnf-plugin-subscription-manager_installed'
     - '!package_sequoia-sq_installed'
+    - '!configure_ssh_crypto_policy'

products/rhel9/profiles/pci-dss.profile

@@ -74,3 +74,4 @@ selections:
     - '!audit_rules_mac_modification_etc_selinux'
     - '!audit_rules_dac_modification_fchmodat2'
     - '!package_sequoia-sq_installed'
+    - '!configure_ssh_crypto_policy'

tests/data/profile_stability/rhel10/e8.profile

@@ -30,7 +30,6 @@ auditd_log_format
 auditd_name_format
 auditd_write_logs
 configure_crypto_policy
-configure_ssh_crypto_policy
 dir_perms_world_writable_sticky_bits
 dnf-automatic_security_updates_only
 ensure_gpgcheck_globally_activated

tests/data/profile_stability/rhel10/hipaa.profile

@@ -91,7 +91,6 @@ auditd_data_retention_max_log_file_action
 auditd_data_retention_max_log_file_action_stig
 auditd_data_retention_space_left_action
 configure_crypto_policy
-configure_ssh_crypto_policy
 dconf_db_up_to_date
 disable_ctrlaltdel_burstaction
 disable_ctrlaltdel_reboot

tests/data/profile_stability/rhel10/ism_o.profile

@@ -64,7 +64,6 @@ configure_crypto_policy
 configure_firewalld_ports
 configure_kerberos_crypto_policy
 configure_opensc_card_drivers
-configure_ssh_crypto_policy
 dir_perms_world_writable_sticky_bits
 disable_host_auth
 dnf-automatic_apply_updates

tests/data/profile_stability/rhel10/ism_o_secret.profile

@@ -64,7 +64,6 @@ configure_crypto_policy
 configure_firewalld_ports
 configure_kerberos_crypto_policy
 configure_opensc_card_drivers
-configure_ssh_crypto_policy
 dir_perms_world_writable_sticky_bits
 disable_host_auth
 dnf-automatic_apply_updates

tests/data/profile_stability/rhel10/ism_o_top_secret.profile

@@ -64,7 +64,6 @@ configure_crypto_policy
 configure_firewalld_ports
 configure_kerberos_crypto_policy
 configure_opensc_card_drivers
-configure_ssh_crypto_policy
 dir_perms_world_writable_sticky_bits
 disable_host_auth
 dnf-automatic_apply_updates

tests/data/profile_stability/rhel10/ospp.profile

@@ -62,7 +62,6 @@ auditd_name_format
 chronyd_client_only
 configure_crypto_policy
 configure_openssl_crypto_policy
-configure_ssh_crypto_policy
 configure_usbguard_auditbackend
 disable_ctrlaltdel_burstaction
 disable_ctrlaltdel_reboot

tests/data/profile_stability/rhel10/pci-dss.profile

@@ -74,7 +74,6 @@ chronyd_run_as_chrony_user
 chronyd_specify_remote_server
 configure_crypto_policy
 configure_firewalld_ports
-configure_ssh_crypto_policy
 coredump_disable_backtraces
 coredump_disable_storage
 dconf_db_up_to_date

tests/data/profile_stability/rhel9/ccn_advanced.profile

@@ -51,7 +51,6 @@ banner_etc_motd
 chronyd_run_as_chrony_user
 chronyd_specify_remote_server
 configure_crypto_policy
-configure_ssh_crypto_policy
 dconf_db_up_to_date
 dconf_gnome_banner_enabled
 dconf_gnome_disable_automount

tests/data/profile_stability/rhel9/ccn_basic.profile

@@ -37,7 +37,6 @@ banner_etc_issue
 banner_etc_issue_net
 banner_etc_motd
 configure_crypto_policy
-configure_ssh_crypto_policy
 dconf_db_up_to_date
 dconf_gnome_banner_enabled
 dconf_gnome_login_banner_text

tests/data/profile_stability/rhel9/ccn_intermediate.profile

@@ -40,7 +40,6 @@ banner_etc_motd
 chronyd_run_as_chrony_user
 chronyd_specify_remote_server
 configure_crypto_policy
-configure_ssh_crypto_policy
 dconf_db_up_to_date
 dconf_gnome_banner_enabled
 dconf_gnome_disable_automount

tests/data/profile_stability/rhel9/cis.profile

@@ -113,7 +113,6 @@ chronyd_run_as_chrony_user
 chronyd_specify_remote_server
 cis_banner_text=cis
 configure_custom_crypto_policy_cis
-configure_ssh_crypto_policy
 coredump_disable_backtraces
 coredump_disable_storage
 dconf_db_up_to_date

tests/data/profile_stability/rhel9/cis_server_l1.profile

@@ -42,7 +42,6 @@ chronyd_run_as_chrony_user
 chronyd_specify_remote_server
 cis_banner_text=cis
 configure_custom_crypto_policy_cis
-configure_ssh_crypto_policy
 coredump_disable_backtraces
 coredump_disable_storage
 dconf_db_up_to_date

tests/data/profile_stability/rhel9/cis_workstation_l1.profile

@@ -42,7 +42,6 @@ chronyd_run_as_chrony_user
 chronyd_specify_remote_server
 cis_banner_text=cis
 configure_custom_crypto_policy_cis
-configure_ssh_crypto_policy
 coredump_disable_backtraces
 coredump_disable_storage
 dconf_db_up_to_date

tests/data/profile_stability/rhel9/cis_workstation_l2.profile

@@ -113,7 +113,6 @@ chronyd_run_as_chrony_user
 chronyd_specify_remote_server
 cis_banner_text=cis
 configure_custom_crypto_policy_cis
-configure_ssh_crypto_policy
 coredump_disable_backtraces
 coredump_disable_storage
 dconf_db_up_to_date

tests/data/profile_stability/rhel9/cui.profile

@@ -62,7 +62,6 @@ auditd_name_format
 chronyd_client_only
 configure_crypto_policy
 configure_openssl_crypto_policy
-configure_ssh_crypto_policy
 configure_usbguard_auditbackend
 disable_ctrlaltdel_burstaction
 disable_ctrlaltdel_reboot

tests/data/profile_stability/rhel9/e8.profile

@@ -30,7 +30,6 @@ auditd_log_format
 auditd_name_format
 auditd_write_logs
 configure_crypto_policy
-configure_ssh_crypto_policy
 dir_perms_world_writable_sticky_bits
 dnf-automatic_security_updates_only
 enable_authselect

tests/data/profile_stability/rhel9/hipaa.profile

@@ -69,7 +69,6 @@ audit_rules_usergroup_modification_shadow
 auditd_audispd_syslog_plugin_activated
 auditd_data_retention_flush
 configure_crypto_policy
-configure_ssh_crypto_policy
 dconf_db_up_to_date
 dconf_gnome_remote_access_credential_prompt
 dconf_gnome_remote_access_encryption

tests/data/profile_stability/rhel9/ism_o.profile

@@ -47,7 +47,6 @@ auditd_write_logs
 chronyd_specify_remote_server
 configure_crypto_policy
 configure_firewalld_ports
-configure_ssh_crypto_policy
 dir_perms_world_writable_sticky_bits
 disable_host_auth
 dnf-automatic_security_updates_only

tests/data/profile_stability/rhel9/ospp.profile

@@ -62,7 +62,6 @@ auditd_name_format
 chronyd_client_only
 configure_crypto_policy
 configure_openssl_crypto_policy
-configure_ssh_crypto_policy
 configure_usbguard_auditbackend
 disable_ctrlaltdel_burstaction
 disable_ctrlaltdel_reboot

tests/data/profile_stability/rhel9/pci-dss.profile

@@ -72,7 +72,6 @@ chronyd_run_as_chrony_user
 chronyd_specify_remote_server
 configure_crypto_policy
 configure_firewalld_ports
-configure_ssh_crypto_policy
 coredump_disable_backtraces
 coredump_disable_storage
 dconf_db_up_to_date