diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_macs_ordered_stig/rule.yml b/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_macs_ordered_stig/rule.yml

index 194d7dfe2dc..b6c5e7f4b0d 100644

--- a/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_macs_ordered_stig/rule.yml

+++ b/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_macs_ordered_stig/rule.yml

@@ -37,7 +37,7 @@ ocil: |-

     MACs are in use, run the following command:

     
$ sudo grep -i macs /etc/ssh/sshd_config

     The output should contain only following MACs (or a subset) in the exact order:

-    
hmac-sha2-512,hmac-sha2-256

+    
MACs {{{ xccdf_value("sshd_approved_macs") }}}

 warnings:

     - general: |-

diff --git a/linux_os/guide/system/software/integrity/crypto/harden_sshd_macs_openssh_conf_crypto_policy/ansible/shared.yml b/linux_os/guide/system/software/integrity/crypto/harden_sshd_macs_openssh_conf_crypto_policy/ansible/shared.yml

new file mode 100644

index 00000000000..1c9dde77ee2

--- /dev/null

+++ b/linux_os/guide/system/software/integrity/crypto/harden_sshd_macs_openssh_conf_crypto_policy/ansible/shared.yml

@@ -0,0 +1,16 @@

+# platform = Red Hat Enterprise Linux 8,multi_platform_fedora

+# reboot = true

+# strategy = restrict

+# complexity = low

+# disruption = low

+{{{ ansible_instantiate_variables("sshd_approved_macs") }}}

+

+{{{ ansible_set_config_file(

+        msg='Configure SSH Daemon to Use FIPS 140-2 Validated MACs: openssh.config',

+        file='/etc/crypto-policies/back-ends/openssh.config',

+        parameter='MACs',

+        value="{{ sshd_approved_macs }}",

+        create='yes',

+        prefix_regex='^.*'

+    )

+}}}

diff --git a/linux_os/guide/system/software/integrity/crypto/harden_sshd_macs_openssh_conf_crypto_policy/bash/shared.sh b/linux_os/guide/system/software/integrity/crypto/harden_sshd_macs_openssh_conf_crypto_policy/bash/shared.sh

new file mode 100644

index 00000000000..b26992ce183

--- /dev/null

+++ b/linux_os/guide/system/software/integrity/crypto/harden_sshd_macs_openssh_conf_crypto_policy/bash/shared.sh

@@ -0,0 +1,13 @@

+# platform = Red Hat Enterprise Linux 8,multi_platform_fedora

+. /usr/share/scap-security-guide/remediation_functions

+{{{ bash_instantiate_variables("sshd_approved_macs") }}}

+

+{{{ set_config_file(

+        path="/etc/crypto-policies/back-ends/openssh.config",

+        parameter="MACs",

+        value="${sshd_approved_macs}",

+        create=true,

+        insensitive=false,

+        prefix_regex="^.*"

+	)

+}}}

diff --git a/linux_os/guide/system/software/integrity/crypto/harden_sshd_macs_openssh_conf_crypto_policy/oval/shared.xml b/linux_os/guide/system/software/integrity/crypto/harden_sshd_macs_openssh_conf_crypto_policy/oval/shared.xml

new file mode 100644

index 00000000000..5239af10612

--- /dev/null

+++ b/linux_os/guide/system/software/integrity/crypto/harden_sshd_macs_openssh_conf_crypto_policy/oval/shared.xml

@@ -0,0 +1,35 @@

+{{%- set PATH = "/etc/crypto-policies/back-ends/openssh.config" -%}}

+<def-group>

+  <definition class="compliance" id="{{{ rule_id }}}" version="1">

+    {{{ oval_metadata("Limit the Message Authentication Codes (MACs) to those which are FIPS-approved.") }}}

+    <criteria operator="AND" comment="Test conditions - presence of the file plus.">

+      <criterion comment="Check that {{{ PATH }}} contains FIPS-approved SSHD MACs" test_ref="test_{{{ rule_id }}}" />

+    </criteria>

+  </definition>

+

+  

+  comment="test the value of MACs setting in the {{{ PATH }}} file"

+  id="test_{{{ rule_id }}}" version="1">

+    <ind:object object_ref="obj_{{{ rule_id }}}" />

+    <ind:state state_ref="ste_{{{ rule_id }}}" />

+  </ind:textfilecontent54_test>

+

+  <ind:textfilecontent54_object id="obj_{{{ rule_id }}}" version="1">

+    <ind:filepath>{{{ PATH }}}</ind:filepath>

+    <ind:pattern operation="pattern match">^MACs.*$</ind:pattern>

+    <ind:instance operation="greater than or equal" datatype="int">1</ind:instance>

+  </ind:textfilecontent54_object>

+

+  <ind:textfilecontent54_state id="ste_{{{ rule_id }}}" version="1">

+    <ind:text var_ref="sshd_macs_crypto" operation="equals"></ind:text>

+  </ind:textfilecontent54_state>

+

+  <local_variable id="sshd_macs_crypto" datatype="string" comment="The regex of the directive" version="1">

+    <concat>

+      <literal_component>MACs </literal_component>

+      <variable_component var_ref="sshd_approved_macs"/>

+    </concat>

+  </local_variable>

+

+  <external_variable comment="SSH Approved MACs by FIPS" datatype="string" id="sshd_approved_macs" version="1" />

+</def-group>

diff --git a/linux_os/guide/system/software/integrity/crypto/harden_sshd_macs_openssh_conf_crypto_policy/rule.yml b/linux_os/guide/system/software/integrity/crypto/harden_sshd_macs_openssh_conf_crypto_policy/rule.yml

new file mode 100644

index 00000000000..1aeb987db2d

--- /dev/null

+++ b/linux_os/guide/system/software/integrity/crypto/harden_sshd_macs_openssh_conf_crypto_policy/rule.yml

@@ -0,0 +1,60 @@

+documentation_complete: true

+

+prodtype: fedora,rhel8

+

+title: 'Configure SSH Client to Use FIPS 140-2 Validated MACs: openssh.config'

+

+description: |-

+    Crypto Policies provide a centralized control over crypto algorithms usage of many packages.

+    OpenSSH is supported by system crypto policy, but the OpenSSH configuration may be

+    set up incorrectly.

+

+    To check that Crypto Policies settings are configured correctly, ensure that

+    <tt>/etc/crypto-policies/back-ends/openssh.config</tt> contains the following

+    line and is not commented out:

+    <tt>MACs hmac-sha2-512,hmac-sha2-256</tt>

+

+rationale: |-

+    Overriding the system crypto policy makes the behavior of the OpenSSH

+    client violate expectations, and makes system configuration more

+    fragmented.

+

+severity: medium

+

+identifiers:

+    cce@rhel8: CCE-85870-4

+

+references:

+    disa: CCI-001453

+    nist: AC-17(2)

+    srg: SRG-OS-000250-GPOS-00093

+    stigid@rhel8: RHEL-08-010290

+

+ocil_clause: 'Crypto Policy for OpenSSH client is not configured correctly'

+

+ocil: |-

+    To verify if the OpenSSH client uses defined MACs in the Crypto Policy, run:

+    
$ grep -i macs /etc/crypto-policies/back-ends/openssh.config

+    and verify that the line matches:

+    
MACs hmac-sha2-512,hmac-sha2-256

+

+warnings:

+    - general: |-

+        The system needs to be rebooted for these changes to take effect.

+    - regulatory: |-

+        System Crypto Modules must be provided by a vendor that undergoes

+        FIPS-140 certifications.

+        FIPS-140 is applicable to all Federal agencies that use

+        cryptographic-based security systems to protect sensitive information

+        in computer and telecommunication systems (including voice systems) as

+        defined in Section 5131 of the Information Technology Management Reform

+        Act of 1996, Public Law 104-106. This standard shall be used in

+        designing and implementing cryptographic modules that Federal

+        departments and agencies operate or are operated for them under

+        contract. See {{{ weblink(link="https://nvlpubs.nist.gov/nistpubs/FIPS/NIST.FIPS.140-2.pdf") }}}

+        To meet this, the system has to have cryptographic software provided by

+        a vendor that has undergone this certification. This means providing

+        documentation, test results, design information, and independent third

+        party review by an accredited lab. While open source software is

+        capable of meeting this, it does not meet FIPS-140 unless the vendor

+        submits to this process.

diff --git a/linux_os/guide/system/software/integrity/crypto/harden_sshd_macs_openssh_conf_crypto_policy/tests/stig_correct.pass.sh b/linux_os/guide/system/software/integrity/crypto/harden_sshd_macs_openssh_conf_crypto_policy/tests/stig_correct.pass.sh

new file mode 100644

index 00000000000..5a4b6887cba

--- /dev/null

+++ b/linux_os/guide/system/software/integrity/crypto/harden_sshd_macs_openssh_conf_crypto_policy/tests/stig_correct.pass.sh

@@ -0,0 +1,15 @@

+#!/bin/bash

+# platform = multi_platform_fedora,Red Hat Enterprise Linux 8

+# profiles = xccdf_org.ssgproject.content_profile_stig

+

+sshd_approved_macs=hmac-sha2-512,hmac-sha2-256

+configfile=/etc/crypto-policies/back-ends/openssh.config

+

+# Ensure directory + file is there

+test -d /etc/crypto-policies/back-ends || mkdir -p /etc/crypto-policies/back-ends

+

+if [[ -f $configfile ]]; then

+    sed -i "s/^.*MACs.*$/MACs ${sshd_approved_macs}/" $configfile

+else

+    echo "MACs ${sshd_approved_macs}" > "$configfile"

+fi

diff --git a/linux_os/guide/system/software/integrity/crypto/harden_sshd_macs_openssh_conf_crypto_policy/tests/stig_correct_commented.fail.sh b/linux_os/guide/system/software/integrity/crypto/harden_sshd_macs_openssh_conf_crypto_policy/tests/stig_correct_commented.fail.sh

new file mode 100644

index 00000000000..e713d254f9c

--- /dev/null

+++ b/linux_os/guide/system/software/integrity/crypto/harden_sshd_macs_openssh_conf_crypto_policy/tests/stig_correct_commented.fail.sh

@@ -0,0 +1,15 @@

+#!/bin/bash

+# platform = multi_platform_fedora,Red Hat Enterprise Linux 8

+# profiles = xccdf_org.ssgproject.content_profile_stig

+

+sshd_approved_macs=hmac-sha2-512,hmac-sha2-256

+configfile=/etc/crypto-policies/back-ends/openssh.config

+

+# Ensure directory + file is there

+test -d /etc/crypto-policies/back-ends || mkdir -p /etc/crypto-policies/back-ends

+

+if [[ -f $configfile ]]; then

+    sed -i "s/^.*MACs.*$/#MACs ${sshd_approved_macs}/" $configfile

+else

+    echo "#MACs ${sshd_approved_macs}" > "$configfile"

+fi

diff --git a/linux_os/guide/system/software/integrity/crypto/harden_sshd_macs_openssh_conf_crypto_policy/tests/stig_correct_followed_by_incorrect_commented.pass.sh b/linux_os/guide/system/software/integrity/crypto/harden_sshd_macs_openssh_conf_crypto_policy/tests/stig_correct_followed_by_incorrect_commented.pass.sh

new file mode 100644

index 00000000000..b8a63bec194

--- /dev/null

+++ b/linux_os/guide/system/software/integrity/crypto/harden_sshd_macs_openssh_conf_crypto_policy/tests/stig_correct_followed_by_incorrect_commented.pass.sh

@@ -0,0 +1,18 @@

+#!/bin/bash

+# platform = multi_platform_fedora,Red Hat Enterprise Linux 8

+# profiles = xccdf_org.ssgproject.content_profile_stig

+

+sshd_approved_macs=hmac-sha2-512,hmac-sha2-256

+configfile=/etc/crypto-policies/back-ends/openssh.config

+

+# Ensure directory + file is there

+test -d /etc/crypto-policies/back-ends || mkdir -p /etc/crypto-policies/back-ends

+

+if [[ -f $configfile ]]; then

+    sed -i "s/^.*MACs.*$/MACs ${sshd_approved_macs}/" $configfile

+else

+    echo "MACs ${sshd_approved_macs}" > "$configfile"

+fi

+

+# follow up with incorrect

+echo "#MACs hmac-sha2-256-etm@openssh.com,hmac-sha1-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha2-256,hmac-sha1,umac-128@openssh.com,hmac-sha2-512" >> $configfile

diff --git a/linux_os/guide/system/software/integrity/crypto/harden_sshd_macs_openssh_conf_crypto_policy/tests/stig_empty_file.fail.sh b/linux_os/guide/system/software/integrity/crypto/harden_sshd_macs_openssh_conf_crypto_policy/tests/stig_empty_file.fail.sh

new file mode 100644

index 00000000000..55ef3f58422

--- /dev/null

+++ b/linux_os/guide/system/software/integrity/crypto/harden_sshd_macs_openssh_conf_crypto_policy/tests/stig_empty_file.fail.sh

@@ -0,0 +1,10 @@

+#!/bin/bash

+# platform = multi_platform_fedora,Red Hat Enterprise Linux 8

+# profiles = xccdf_org.ssgproject.content_profile_stig

+

+configfile=/etc/crypto-policies/back-ends/openssh.config

+

+# Ensure directory + file is there

+test -d /etc/crypto-policies/back-ends || mkdir -p /etc/crypto-policies/back-ends

+

+echo "" > $configfile

diff --git a/linux_os/guide/system/software/integrity/crypto/harden_sshd_macs_openssh_conf_crypto_policy/tests/stig_empty_policy.fail.sh b/linux_os/guide/system/software/integrity/crypto/harden_sshd_macs_openssh_conf_crypto_policy/tests/stig_empty_policy.fail.sh

new file mode 100644

index 00000000000..9980a45681c

--- /dev/null

+++ b/linux_os/guide/system/software/integrity/crypto/harden_sshd_macs_openssh_conf_crypto_policy/tests/stig_empty_policy.fail.sh

@@ -0,0 +1,14 @@

+#!/bin/bash

+# platform = multi_platform_fedora,Red Hat Enterprise Linux 8

+# profiles = xccdf_org.ssgproject.content_profile_stig

+

+configfile=/etc/crypto-policies/back-ends/openssh.config

+

+# Ensure directory + file is there

+test -d /etc/crypto-policies/back-ends || mkdir -p /etc/crypto-policies/back-ends

+

+if [[ -f $configfile ]]; then

+    sed -i "s/^.*MACs.*$/MACs /" $configfile

+else

+    echo "MACs " > "$configfile"

+fi

diff --git a/linux_os/guide/system/software/integrity/crypto/harden_sshd_macs_openssh_conf_crypto_policy/tests/stig_incorrect_followed_by_correct_commented.fail.sh b/linux_os/guide/system/software/integrity/crypto/harden_sshd_macs_openssh_conf_crypto_policy/tests/stig_incorrect_followed_by_correct_commented.fail.sh

new file mode 100644

index 00000000000..d1303d60746

--- /dev/null

+++ b/linux_os/guide/system/software/integrity/crypto/harden_sshd_macs_openssh_conf_crypto_policy/tests/stig_incorrect_followed_by_correct_commented.fail.sh

@@ -0,0 +1,19 @@

+#!/bin/bash

+# platform = multi_platform_fedora,Red Hat Enterprise Linux 8

+# profiles = xccdf_org.ssgproject.content_profile_stig

+

+sshd_approved_macs=hmac-sha2-512,hmac-sha2-256

+incorrect_sshd_approved_macs=hmac-sha2-256-etm@openssh.com,hmac-sha1-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha2-256,hmac-sha1,umac-128@openssh.com,hmac-sha2-512

+configfile=/etc/crypto-policies/back-ends/openssh.config

+

+# Ensure directory + file is there

+test -d /etc/crypto-policies/back-ends || mkdir -p /etc/crypto-policies/back-ends

+

+if [[ -f $configfile ]]; then

+    sed -i "s/^.*MACs.*$/MACs ${incorrect_sshd_approved_macs}/" $configfile

+else

+    echo "MACs ${incorrect_sshd_approved_macs}" > "$configfile"

+fi

+

+# follow up with correct value

+echo "MACs ${sshd_approved_macs}" >> $configfile

diff --git a/linux_os/guide/system/software/integrity/crypto/harden_sshd_macs_openssh_conf_crypto_policy/tests/stig_incorrect_policy.fail.sh b/linux_os/guide/system/software/integrity/crypto/harden_sshd_macs_openssh_conf_crypto_policy/tests/stig_incorrect_policy.fail.sh

new file mode 100644

index 00000000000..8b21af46896

--- /dev/null

+++ b/linux_os/guide/system/software/integrity/crypto/harden_sshd_macs_openssh_conf_crypto_policy/tests/stig_incorrect_policy.fail.sh

@@ -0,0 +1,14 @@

+#!/bin/bash

+# platform = multi_platform_fedora,Red Hat Enterprise Linux 8

+# profiles = xccdf_org.ssgproject.content_profile_stig

+

+configfile=/etc/crypto-policies/back-ends/openssh.config

+

+# Ensure directory + file is there

+test -d /etc/crypto-policies/back-ends || mkdir -p /etc/crypto-policies/back-ends

+

+if [[ -f $configfile ]]; then

+    sed -i "s/^.*MACs.*$/MACs hmac-sha2-256-etm@openssh.com,hmac-sha1-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha2-256,hmac-sha1,umac-128@openssh.com,hmac-sha2-512/" $configfile

+else

+    echo "MACs hmac-sha2-256-etm@openssh.com,hmac-sha1-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha2-256,hmac-sha1,umac-128@openssh.com,hmac-sha2-512" > "$configfile"

+fi

diff --git a/linux_os/guide/system/software/integrity/crypto/harden_sshd_macs_openssh_conf_crypto_policy/tests/stig_missing_file.fail.sh b/linux_os/guide/system/software/integrity/crypto/harden_sshd_macs_openssh_conf_crypto_policy/tests/stig_missing_file.fail.sh

new file mode 100644

index 00000000000..2138caad319

--- /dev/null

+++ b/linux_os/guide/system/software/integrity/crypto/harden_sshd_macs_openssh_conf_crypto_policy/tests/stig_missing_file.fail.sh

@@ -0,0 +1,11 @@

+#!/bin/bash

+# platform = multi_platform_fedora,Red Hat Enterprise Linux 8

+# profiles = xccdf_org.ssgproject.content_profile_stig

+

+configfile=/etc/crypto-policies/back-ends/openssh.config

+

+# Ensure directory + file is there

+test -d /etc/crypto-policies/back-ends || mkdir -p /etc/crypto-policies/back-ends

+

+# If file exists, remove it

+test -f $configfile && rm -f $configfile

diff --git a/linux_os/guide/system/software/integrity/crypto/harden_sshd_macs_opensshserver_conf_crypto_policy/ansible/shared.yml b/linux_os/guide/system/software/integrity/crypto/harden_sshd_macs_opensshserver_conf_crypto_policy/ansible/shared.yml

new file mode 100644

index 00000000000..5ed618586ae

--- /dev/null

+++ b/linux_os/guide/system/software/integrity/crypto/harden_sshd_macs_opensshserver_conf_crypto_policy/ansible/shared.yml

@@ -0,0 +1,45 @@

+# platform = Red Hat Enterprise Linux 8,multi_platform_fedora

+# reboot = true

+# strategy = restrict

+# complexity = low

+# disruption = low

+{{{ ansible_instantiate_variables("sshd_approved_macs") }}}

+

+- name: "{{{ rule_title }}}: Set facts"

+  set_fact:

+    path: /etc/crypto-policies/back-ends/opensshserver.config

+    correct_value: "-oMACs={{ sshd_approved_macs }}"

+

+- name: "{{{ rule_title }}}: Stat"

+  stat:

+    path: "{{ path }}"

+    follow: yes

+  register: opensshserver_file

+

+- name: "{{{ rule_title }}}: Create"

+  lineinfile:

+    path: "{{ path }}"

+    line: "CRYPTO_POLICY='{{ correct_value }}'"

+    create: yes

+  when: not opensshserver_file.stat.exists or opensshserver_file.stat.size <= correct_value|length

+

+- name: "{{{ rule_title }}}"

+  block:

+    - name: "Existing value check"

+      lineinfile:

+        path: "{{ path }}"

+        create: false

+        regexp: "{{ correct_value }}"

+        state: absent

+      check_mode: true

+      changed_when: false

+      register: opensshserver

+

+    - name: "Update/Correct value"

+      replace:

+        path: "{{ path }}"

+        regexp: (-oMACs=\S+)

+        replace: "{{ correct_value }}"

+      when: opensshserver.found is defined and opensshserver.found != 1

+

+  when: opensshserver_file.stat.exists and opensshserver_file.stat.size > correct_value|length

diff --git a/linux_os/guide/system/software/integrity/crypto/harden_sshd_macs_opensshserver_conf_crypto_policy/bash/shared.sh b/linux_os/guide/system/software/integrity/crypto/harden_sshd_macs_opensshserver_conf_crypto_policy/bash/shared.sh

new file mode 100644

index 00000000000..790a2951bab

--- /dev/null

+++ b/linux_os/guide/system/software/integrity/crypto/harden_sshd_macs_opensshserver_conf_crypto_policy/bash/shared.sh

@@ -0,0 +1,31 @@

+# platform = Red Hat Enterprise Linux 8,multi_platform_fedora

+. /usr/share/scap-security-guide/remediation_functions

+{{{ bash_instantiate_variables("sshd_approved_macs") }}}

+

+CONF_FILE=/etc/crypto-policies/back-ends/opensshserver.config

+correct_value="-oMACs=${sshd_approved_macs}"

+

+# Test if file exists

+test -f ${CONF_FILE} || touch ${CONF_FILE}

+

+# Ensure CRYPTO_POLICY is not commented out

+sed -i 's/#CRYPTO_POLICY=/CRYPTO_POLICY=/' ${CONF_FILE}

+

+grep -q "'${correct_value}'" ${CONF_FILE}

+

+if [[ $? -ne 0 ]]; then

+    # We need to get the existing value, using PCRE to maintain same regex

+    existing_value=$(grep -Po '(-oMACs=\S+)' ${CONF_FILE})

+

+    if [[ ! -z ${existing_value} ]]; then

+        # replace existing_value with correct_value

+        sed -i "s/${existing_value}/${correct_value}/g" ${CONF_FILE}

+    else

+        # ***NOTE*** #

+        # This probably means this file is not here or it's been modified

+        # unintentionally.

+        # ********** #

+        # echo correct_value to end

+        echo "CRYPTO_POLICY='${correct_value}'" >> ${CONF_FILE}

+    fi

+fi

diff --git a/linux_os/guide/system/software/integrity/crypto/harden_sshd_macs_opensshserver_conf_crypto_policy/oval/shared.xml b/linux_os/guide/system/software/integrity/crypto/harden_sshd_macs_opensshserver_conf_crypto_policy/oval/shared.xml

new file mode 100644

index 00000000000..18028157032

--- /dev/null

+++ b/linux_os/guide/system/software/integrity/crypto/harden_sshd_macs_opensshserver_conf_crypto_policy/oval/shared.xml

@@ -0,0 +1,35 @@

+{{%- set PATH = "/etc/crypto-policies/back-ends/opensshserver.config" -%}}

+<def-group>

+  <definition class="compliance" id="{{{ rule_id }}}" version="1">

+    {{{ oval_metadata("Limit the Message Authentication Codes (MACs) to those which are FIPS-approved.") }}}

+    <criteria operator="AND" comment="Test conditions - presence of the file plus.">

+      <criterion comment="Check that {{{ PATH }}} contains FIPS-approved SSHD MACs" test_ref="test_{{{ rule_id }}}" />

+    </criteria>

+  </definition>

+

+  

+  comment="test the value of MACs setting in the {{{ PATH }}} file"

+  id="test_{{{ rule_id }}}" version="1">

+    <ind:object object_ref="obj_{{{ rule_id }}}" />

+    <ind:state state_ref="ste_{{{ rule_id }}}" />

+  </ind:textfilecontent54_test>

+

+  <ind:textfilecontent54_object id="obj_{{{ rule_id }}}" version="1">

+    <ind:filepath>{{{ PATH }}}</ind:filepath>

+    <ind:pattern operation="pattern match">^(?!#).*(-oMACs=\S+).+$</ind:pattern>

+    <ind:instance operation="equals" datatype="int">1</ind:instance>

+  </ind:textfilecontent54_object>

+

+  <ind:textfilecontent54_state id="ste_{{{ rule_id }}}" version="1">

+    <ind:subexpression var_ref="sshd_macs_crypto_opensshserver" operation="equals" />

+  </ind:textfilecontent54_state>

+

+  <local_variable id="sshd_macs_crypto_opensshserver" datatype="string" comment="The regex of the directive" version="1">

+    <concat>

+      <literal_component>-oMACs=</literal_component>

+      <variable_component var_ref="sshd_approved_macs"/>

+    </concat>

+  </local_variable>

+

+  <external_variable comment="SSH Approved MACs by FIPS" datatype="string" id="sshd_approved_macs" version="1" />

+</def-group>

diff --git a/linux_os/guide/system/software/integrity/crypto/harden_sshd_macs_opensshserver_conf_crypto_policy/rule.yml b/linux_os/guide/system/software/integrity/crypto/harden_sshd_macs_opensshserver_conf_crypto_policy/rule.yml

new file mode 100644

index 00000000000..0fd107a1bbe

--- /dev/null

+++ b/linux_os/guide/system/software/integrity/crypto/harden_sshd_macs_opensshserver_conf_crypto_policy/rule.yml

@@ -0,0 +1,60 @@

+documentation_complete: true

+

+prodtype: rhel8

+

+title: 'Configure SSH Server to Use FIPS 140-2 Validated MACs: opensshserver.config'

+

+description: |-

+    Crypto Policies provide a centralized control over crypto algorithms usage of many packages.

+    OpenSSH is supported by system crypto policy, but the OpenSSH configuration may be

+    set up incorrectly.

+

+    To check that Crypto Policies settings are configured correctly, ensure that

+    <tt>/etc/crypto-policies/back-ends/opensshserver.config</tt> contains the following

+    text and is not commented out:

+    <tt>-oMACS=hmac-sha2-512,hmac-sha2-256</tt>

+

+rationale: |-

+    Overriding the system crypto policy makes the behavior of the OpenSSH

+    server violate expectations, and makes system configuration more

+    fragmented.

+

+severity: medium

+

+identifiers:

+    cce@rhel8: CCE-85899-3

+

+references:

+    disa: CCI-001453

+    nist: AC-17(2)

+    srg: SRG-OS-000250-GPOS-00093

+    stigid@rhel8: RHEL-08-010290

+

+ocil_clause: 'Crypto Policy for OpenSSH Server is not configured correctly'

+

+ocil: |-

+    To verify if the OpenSSH server uses defined MACs in the Crypto Policy, run:

+    
$ grep -Po '(-oMACs=\S+)' /etc/crypto-policies/back-ends/opensshserver.config

+    and verify that the line matches:

+    
-oMACS=hmac-sha2-512,hmac-sha2-256

+

+warnings:

+    - general: |-

+        The system needs to be rebooted for these changes to take effect.

+    - regulatory: |-

+        System Crypto Modules must be provided by a vendor that undergoes

+        FIPS-140 certifications.

+        FIPS-140 is applicable to all Federal agencies that use

+        cryptographic-based security systems to protect sensitive information

+        in computer and telecommunication systems (including voice systems) as

+        defined in Section 5131 of the Information Technology Management Reform

+        Act of 1996, Public Law 104-106. This standard shall be used in

+        designing and implementing cryptographic modules that Federal

+        departments and agencies operate or are operated for them under

+        contract. See {{{ weblink(link="https://nvlpubs.nist.gov/nistpubs/FIPS/NIST.FIPS.140-2.pdf") }}}

+        To meet this, the system has to have cryptographic software provided by

+        a vendor that has undergone this certification. This means providing

+        documentation, test results, design information, and independent third

+        party review by an accredited lab. While open source software is

+        capable of meeting this, it does not meet FIPS-140 unless the vendor

+        submits to this process.

diff --git a/linux_os/guide/system/software/integrity/crypto/harden_sshd_macs_opensshserver_conf_crypto_policy/tests/rhel8_stig_correct.pass.sh b/linux_os/guide/system/software/integrity/crypto/harden_sshd_macs_opensshserver_conf_crypto_policy/tests/rhel8_stig_correct.pass.sh

new file mode 100644

index 00000000000..14da92218dc

--- /dev/null

+++ b/linux_os/guide/system/software/integrity/crypto/harden_sshd_macs_opensshserver_conf_crypto_policy/tests/rhel8_stig_correct.pass.sh

@@ -0,0 +1,17 @@

+#!/bin/bash

+# platform = Red Hat Enterprise Linux 8

+# profiles = xccdf_org.ssgproject.content_profile_stig

+

+sshd_approved_macs=hmac-sha2-512,hmac-sha2-256

+configfile=/etc/crypto-policies/back-ends/opensshserver.config

+correct_value="-oMACs=${sshd_approved_macs}"

+

+# Ensure directory + file is there

+test -d /etc/crypto-policies/back-ends || mkdir -p /etc/crypto-policies/back-ends

+

+# Proceed when file exists

+if [[ -f $configfile ]]; then

+    sed -i -r "s/-oMACs=\S+/${correct_value}/" $configfile

+else

+    echo "${correct_value}" > "$configfile"

+fi

diff --git a/linux_os/guide/system/software/integrity/crypto/harden_sshd_macs_opensshserver_conf_crypto_policy/tests/rhel8_stig_empty_policy.fail.sh b/linux_os/guide/system/software/integrity/crypto/harden_sshd_macs_opensshserver_conf_crypto_policy/tests/rhel8_stig_empty_policy.fail.sh

new file mode 100644

index 00000000000..3dde1479296

--- /dev/null

+++ b/linux_os/guide/system/software/integrity/crypto/harden_sshd_macs_opensshserver_conf_crypto_policy/tests/rhel8_stig_empty_policy.fail.sh

@@ -0,0 +1,7 @@

+#!/bin/bash

+# platform = Red Hat Enterprise Linux 8

+# profiles = xccdf_org.ssgproject.content_profile_stig

+

+configfile=/etc/crypto-policies/back-ends/opensshserver.config

+

+echo "" > "$configfile"

diff --git a/linux_os/guide/system/software/integrity/crypto/harden_sshd_macs_opensshserver_conf_crypto_policy/tests/rhel8_stig_incorrect_policy.fail.sh b/linux_os/guide/system/software/integrity/crypto/harden_sshd_macs_opensshserver_conf_crypto_policy/tests/rhel8_stig_incorrect_policy.fail.sh

new file mode 100644

index 00000000000..a50a0fc02bf

--- /dev/null

+++ b/linux_os/guide/system/software/integrity/crypto/harden_sshd_macs_opensshserver_conf_crypto_policy/tests/rhel8_stig_incorrect_policy.fail.sh

@@ -0,0 +1,14 @@

+#!/bin/bash

+# platform = Red Hat Enterprise Linux 8

+# profiles = xccdf_org.ssgproject.content_profile_stig

+

+configfile=/etc/crypto-policies/back-ends/opensshserver.config

+

+# Ensure directory + file is there

+test -d /etc/crypto-policies/back-ends || mkdir -p /etc/crypto-policies/back-ends

+

+if [[ -f $configfile ]]; then

+    sed -i -r "s/-oMACs=\S+/-oMACs=hmac-sha2-256-etm@openssh.com,hmac-sha1-etm@openssh.com/" $configfile

+else

+    echo "-oMACs=hmac-sha2-256-etm@openssh.com,hmac-sha1-etm@openssh.com" > "$configfile"

+fi

diff --git a/linux_os/guide/system/software/integrity/crypto/harden_sshd_macs_opensshserver_conf_crypto_policy/tests/rhel8_stig_missing_file.fail.sh b/linux_os/guide/system/software/integrity/crypto/harden_sshd_macs_opensshserver_conf_crypto_policy/tests/rhel8_stig_missing_file.fail.sh

new file mode 100644

index 00000000000..11e596ced87

--- /dev/null

+++ b/linux_os/guide/system/software/integrity/crypto/harden_sshd_macs_opensshserver_conf_crypto_policy/tests/rhel8_stig_missing_file.fail.sh

@@ -0,0 +1,11 @@

+#!/bin/bash

+# platform = Red Hat Enterprise Linux 8

+# profiles = xccdf_org.ssgproject.content_profile_stig

+

+configfile=/etc/crypto-policies/back-ends/opensshserver.config

+

+# Ensure directory + file is there

+test -d /etc/crypto-policies/back-ends || mkdir -p /etc/crypto-policies/back-ends

+

+# If file exists, remove it

+test -f $configfile && rm -f $configfile

diff --git a/products/rhel8/profiles/stig.profile b/products/rhel8/profiles/stig.profile

index 6372d13cfc9..28b47cca487 100644

--- a/products/rhel8/profiles/stig.profile

+++ b/products/rhel8/profiles/stig.profile

@@ -50,6 +50,7 @@ selections:

     - var_password_pam_retry=3

     - var_password_pam_minlen=15

     - var_sshd_set_keepalive=0

+    - sshd_approved_macs=stig

     - sshd_idle_timeout_value=10_minutes

     - var_accounts_passwords_pam_faillock_deny=3

     - var_accounts_passwords_pam_faillock_fail_interval=900

@@ -174,11 +175,17 @@ selections:

     # RHEL-08-010260

     - file_groupowner_var_log

+    # *** SHARED *** #

     # RHEL-08-010290 && RHEL-08-010291

-    ### NOTE: This will get split out in future STIG releases, as well as we will break

-    ### these rules up to be more flexible in meeting the requirements.

+    # *** SHARED *** #

     - configure_ssh_crypto_policy

+    # RHEL-08-010290

+    - harden_sshd_macs_openssh_conf_crypto_policy

+    - harden_sshd_macs_opensshserver_conf_crypto_policy

+

+    # RHEL-08-010291

+

     # RHEL-08-010292

     - sshd_use_strong_rng

diff --git a/shared/references/cce-redhat-avail.txt b/shared/references/cce-redhat-avail.txt

index 24e81491683..036d34cea1d 100644

--- a/shared/references/cce-redhat-avail.txt

+++ b/shared/references/cce-redhat-avail.txt

@@ -10,7 +10,6 @@ CCE-85866-2

 CCE-85867-0

 CCE-85868-8

 CCE-85869-6

-CCE-85870-4

 CCE-85872-0

 CCE-85873-8

 CCE-85874-6

@@ -36,7 +35,6 @@ CCE-85895-1

 CCE-85896-9

 CCE-85897-7

 CCE-85898-5

-CCE-85899-3

 CCE-85900-9

 CCE-85901-7

 CCE-85902-5

diff --git a/tests/data/profile_stability/rhel8/stig.profile b/tests/data/profile_stability/rhel8/stig.profile

index 32f1a24a7a4..393051a34ea 100644

--- a/tests/data/profile_stability/rhel8/stig.profile

+++ b/tests/data/profile_stability/rhel8/stig.profile

@@ -145,6 +145,8 @@ selections:

 - grub2_uefi_admin_username

 - grub2_uefi_password

 - grub2_vsyscall_argument

+- harden_sshd_macs_openssh_conf_crypto_policy

+- harden_sshd_macs_opensshserver_conf_crypto_policy

 - install_smartcard_packages

 - installed_OS_is_vendor_supported

 - kerberos_disable_no_keytab

@@ -325,6 +327,7 @@ selections:

 - var_password_pam_lcredit=1

 - var_password_pam_retry=3

 - var_sshd_set_keepalive=0

+- sshd_approved_macs=stig

 - sshd_idle_timeout_value=10_minutes

 - var_accounts_passwords_pam_faillock_deny=3

 - var_accounts_passwords_pam_faillock_fail_interval=900

diff --git a/tests/data/profile_stability/rhel8/stig_gui.profile b/tests/data/profile_stability/rhel8/stig_gui.profile

index d6a27c67dc0..de82fb34518 100644

--- a/tests/data/profile_stability/rhel8/stig_gui.profile

+++ b/tests/data/profile_stability/rhel8/stig_gui.profile

@@ -156,6 +156,8 @@ selections:

 - grub2_uefi_admin_username

 - grub2_uefi_password

 - grub2_vsyscall_argument

+- harden_sshd_macs_openssh_conf_crypto_policy

+- harden_sshd_macs_opensshserver_conf_crypto_policy

 - install_smartcard_packages

 - installed_OS_is_vendor_supported

 - kerberos_disable_no_keytab

@@ -335,6 +337,7 @@ selections:

 - var_password_pam_lcredit=1

 - var_password_pam_retry=3

 - var_sshd_set_keepalive=0

+- sshd_approved_macs=stig

 - sshd_idle_timeout_value=10_minutes

 - var_accounts_passwords_pam_faillock_deny=3

 - var_accounts_passwords_pam_faillock_fail_interval=900