Blame SOURCES/scap-security-guide-0.1.58-rhel8_stig_08_010290-PR_7151.patch

76240a
diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_macs_ordered_stig/rule.yml b/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_macs_ordered_stig/rule.yml
76240a
index 194d7dfe2dc..b6c5e7f4b0d 100644
76240a
--- a/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_macs_ordered_stig/rule.yml
76240a
+++ b/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_macs_ordered_stig/rule.yml
76240a
@@ -37,7 +37,7 @@ ocil: |-
76240a
     MACs are in use, run the following command:
76240a
     
$ sudo grep -i macs /etc/ssh/sshd_config
76240a
     The output should contain only following MACs (or a subset) in the exact order:
76240a
-    
hmac-sha2-512,hmac-sha2-256
76240a
+    
MACs {{{ xccdf_value("sshd_approved_macs") }}}
76240a
 
76240a
 warnings:
76240a
     - general: |-
76240a
diff --git a/linux_os/guide/system/software/integrity/crypto/harden_sshd_macs_openssh_conf_crypto_policy/ansible/shared.yml b/linux_os/guide/system/software/integrity/crypto/harden_sshd_macs_openssh_conf_crypto_policy/ansible/shared.yml
76240a
new file mode 100644
76240a
index 00000000000..1c9dde77ee2
76240a
--- /dev/null
76240a
+++ b/linux_os/guide/system/software/integrity/crypto/harden_sshd_macs_openssh_conf_crypto_policy/ansible/shared.yml
76240a
@@ -0,0 +1,16 @@
76240a
+# platform = Red Hat Enterprise Linux 8,multi_platform_fedora
76240a
+# reboot = true
76240a
+# strategy = restrict
76240a
+# complexity = low
76240a
+# disruption = low
76240a
+{{{ ansible_instantiate_variables("sshd_approved_macs") }}}
76240a
+
76240a
+{{{ ansible_set_config_file(
76240a
+        msg='Configure SSH Daemon to Use FIPS 140-2 Validated MACs: openssh.config',
76240a
+        file='/etc/crypto-policies/back-ends/openssh.config',
76240a
+        parameter='MACs',
76240a
+        value="{{ sshd_approved_macs }}",
76240a
+        create='yes',
76240a
+        prefix_regex='^.*'
76240a
+    )
76240a
+}}}
76240a
diff --git a/linux_os/guide/system/software/integrity/crypto/harden_sshd_macs_openssh_conf_crypto_policy/bash/shared.sh b/linux_os/guide/system/software/integrity/crypto/harden_sshd_macs_openssh_conf_crypto_policy/bash/shared.sh
76240a
new file mode 100644
76240a
index 00000000000..b26992ce183
76240a
--- /dev/null
76240a
+++ b/linux_os/guide/system/software/integrity/crypto/harden_sshd_macs_openssh_conf_crypto_policy/bash/shared.sh
76240a
@@ -0,0 +1,13 @@
76240a
+# platform = Red Hat Enterprise Linux 8,multi_platform_fedora
76240a
+. /usr/share/scap-security-guide/remediation_functions
76240a
+{{{ bash_instantiate_variables("sshd_approved_macs") }}}
76240a
+
76240a
+{{{ set_config_file(
76240a
+        path="/etc/crypto-policies/back-ends/openssh.config",
76240a
+        parameter="MACs",
76240a
+        value="${sshd_approved_macs}",
76240a
+        create=true,
76240a
+        insensitive=false,
76240a
+        prefix_regex="^.*"
76240a
+	)
76240a
+}}}
76240a
diff --git a/linux_os/guide/system/software/integrity/crypto/harden_sshd_macs_openssh_conf_crypto_policy/oval/shared.xml b/linux_os/guide/system/software/integrity/crypto/harden_sshd_macs_openssh_conf_crypto_policy/oval/shared.xml
76240a
new file mode 100644
76240a
index 00000000000..5239af10612
76240a
--- /dev/null
76240a
+++ b/linux_os/guide/system/software/integrity/crypto/harden_sshd_macs_openssh_conf_crypto_policy/oval/shared.xml
76240a
@@ -0,0 +1,35 @@
76240a
+{{%- set PATH = "/etc/crypto-policies/back-ends/openssh.config" -%}}
76240a
+<def-group>
76240a
+  <definition class="compliance" id="{{{ rule_id }}}" version="1">
76240a
+    {{{ oval_metadata("Limit the Message Authentication Codes (MACs) to those which are FIPS-approved.") }}}
76240a
+    <criteria operator="AND" comment="Test conditions - presence of the file plus.">
76240a
+      <criterion comment="Check that {{{ PATH }}} contains FIPS-approved SSHD MACs" test_ref="test_{{{ rule_id }}}" />
76240a
+    </criteria>
76240a
+  </definition>
76240a
+
76240a
+  
76240a
+  comment="test the value of MACs setting in the {{{ PATH }}} file"
76240a
+  id="test_{{{ rule_id }}}" version="1">
76240a
+    <ind:object object_ref="obj_{{{ rule_id }}}" />
76240a
+    <ind:state state_ref="ste_{{{ rule_id }}}" />
76240a
+  </ind:textfilecontent54_test>
76240a
+
76240a
+  <ind:textfilecontent54_object id="obj_{{{ rule_id }}}" version="1">
76240a
+    <ind:filepath>{{{ PATH }}}</ind:filepath>
76240a
+    <ind:pattern operation="pattern match">^MACs.*$</ind:pattern>
76240a
+    <ind:instance operation="greater than or equal" datatype="int">1</ind:instance>
76240a
+  </ind:textfilecontent54_object>
76240a
+
76240a
+  <ind:textfilecontent54_state id="ste_{{{ rule_id }}}" version="1">
76240a
+    <ind:text var_ref="sshd_macs_crypto" operation="equals"></ind:text>
76240a
+  </ind:textfilecontent54_state>
76240a
+
76240a
+  <local_variable id="sshd_macs_crypto" datatype="string" comment="The regex of the directive" version="1">
76240a
+    <concat>
76240a
+      <literal_component>MACs </literal_component>
76240a
+      <variable_component var_ref="sshd_approved_macs"/>
76240a
+    </concat>
76240a
+  </local_variable>
76240a
+
76240a
+  <external_variable comment="SSH Approved MACs by FIPS" datatype="string" id="sshd_approved_macs" version="1" />
76240a
+</def-group>
76240a
diff --git a/linux_os/guide/system/software/integrity/crypto/harden_sshd_macs_openssh_conf_crypto_policy/rule.yml b/linux_os/guide/system/software/integrity/crypto/harden_sshd_macs_openssh_conf_crypto_policy/rule.yml
76240a
new file mode 100644
76240a
index 00000000000..1aeb987db2d
76240a
--- /dev/null
76240a
+++ b/linux_os/guide/system/software/integrity/crypto/harden_sshd_macs_openssh_conf_crypto_policy/rule.yml
76240a
@@ -0,0 +1,60 @@
76240a
+documentation_complete: true
76240a
+
76240a
+prodtype: fedora,rhel8
76240a
+
76240a
+title: 'Configure SSH Client to Use FIPS 140-2 Validated MACs: openssh.config'
76240a
+
76240a
+description: |-
76240a
+    Crypto Policies provide a centralized control over crypto algorithms usage of many packages.
76240a
+    OpenSSH is supported by system crypto policy, but the OpenSSH configuration may be
76240a
+    set up incorrectly.
76240a
+
76240a
+    To check that Crypto Policies settings are configured correctly, ensure that
76240a
+    <tt>/etc/crypto-policies/back-ends/openssh.config</tt> contains the following
76240a
+    line and is not commented out:
76240a
+    <tt>MACs hmac-sha2-512,hmac-sha2-256</tt>
76240a
+
76240a
+rationale: |-
76240a
+    Overriding the system crypto policy makes the behavior of the OpenSSH
76240a
+    client violate expectations, and makes system configuration more
76240a
+    fragmented.
76240a
+
76240a
+severity: medium
76240a
+
76240a
+identifiers:
76240a
+    cce@rhel8: CCE-85870-4
76240a
+
76240a
+references:
76240a
+    disa: CCI-001453
76240a
+    nist: AC-17(2)
76240a
+    srg: SRG-OS-000250-GPOS-00093
76240a
+    stigid@rhel8: RHEL-08-010290
76240a
+
76240a
+ocil_clause: 'Crypto Policy for OpenSSH client is not configured correctly'
76240a
+
76240a
+ocil: |-
76240a
+    To verify if the OpenSSH client uses defined MACs in the Crypto Policy, run:
76240a
+    
$ grep -i macs /etc/crypto-policies/back-ends/openssh.config
76240a
+    and verify that the line matches:
76240a
+    
MACs hmac-sha2-512,hmac-sha2-256
76240a
+
76240a
+warnings:
76240a
+    - general: |-
76240a
+        The system needs to be rebooted for these changes to take effect.
76240a
+    - regulatory: |-
76240a
+        System Crypto Modules must be provided by a vendor that undergoes
76240a
+        FIPS-140 certifications.
76240a
+        FIPS-140 is applicable to all Federal agencies that use
76240a
+        cryptographic-based security systems to protect sensitive information
76240a
+        in computer and telecommunication systems (including voice systems) as
76240a
+        defined in Section 5131 of the Information Technology Management Reform
76240a
+        Act of 1996, Public Law 104-106. This standard shall be used in
76240a
+        designing and implementing cryptographic modules that Federal
76240a
+        departments and agencies operate or are operated for them under
76240a
+        contract. See {{{ weblink(link="https://nvlpubs.nist.gov/nistpubs/FIPS/NIST.FIPS.140-2.pdf") }}}
76240a
+        To meet this, the system has to have cryptographic software provided by
76240a
+        a vendor that has undergone this certification. This means providing
76240a
+        documentation, test results, design information, and independent third
76240a
+        party review by an accredited lab. While open source software is
76240a
+        capable of meeting this, it does not meet FIPS-140 unless the vendor
76240a
+        submits to this process.
76240a
diff --git a/linux_os/guide/system/software/integrity/crypto/harden_sshd_macs_openssh_conf_crypto_policy/tests/stig_correct.pass.sh b/linux_os/guide/system/software/integrity/crypto/harden_sshd_macs_openssh_conf_crypto_policy/tests/stig_correct.pass.sh
76240a
new file mode 100644
76240a
index 00000000000..5a4b6887cba
76240a
--- /dev/null
76240a
+++ b/linux_os/guide/system/software/integrity/crypto/harden_sshd_macs_openssh_conf_crypto_policy/tests/stig_correct.pass.sh
76240a
@@ -0,0 +1,15 @@
76240a
+#!/bin/bash
76240a
+# platform = multi_platform_fedora,Red Hat Enterprise Linux 8
76240a
+# profiles = xccdf_org.ssgproject.content_profile_stig
76240a
+
76240a
+sshd_approved_macs=hmac-sha2-512,hmac-sha2-256
76240a
+configfile=/etc/crypto-policies/back-ends/openssh.config
76240a
+
76240a
+# Ensure directory + file is there
76240a
+test -d /etc/crypto-policies/back-ends || mkdir -p /etc/crypto-policies/back-ends
76240a
+
76240a
+if [[ -f $configfile ]]; then
76240a
+    sed -i "s/^.*MACs.*$/MACs ${sshd_approved_macs}/" $configfile
76240a
+else
76240a
+    echo "MACs ${sshd_approved_macs}" > "$configfile"
76240a
+fi
76240a
diff --git a/linux_os/guide/system/software/integrity/crypto/harden_sshd_macs_openssh_conf_crypto_policy/tests/stig_correct_commented.fail.sh b/linux_os/guide/system/software/integrity/crypto/harden_sshd_macs_openssh_conf_crypto_policy/tests/stig_correct_commented.fail.sh
76240a
new file mode 100644
76240a
index 00000000000..e713d254f9c
76240a
--- /dev/null
76240a
+++ b/linux_os/guide/system/software/integrity/crypto/harden_sshd_macs_openssh_conf_crypto_policy/tests/stig_correct_commented.fail.sh
76240a
@@ -0,0 +1,15 @@
76240a
+#!/bin/bash
76240a
+# platform = multi_platform_fedora,Red Hat Enterprise Linux 8
76240a
+# profiles = xccdf_org.ssgproject.content_profile_stig
76240a
+
76240a
+sshd_approved_macs=hmac-sha2-512,hmac-sha2-256
76240a
+configfile=/etc/crypto-policies/back-ends/openssh.config
76240a
+
76240a
+# Ensure directory + file is there
76240a
+test -d /etc/crypto-policies/back-ends || mkdir -p /etc/crypto-policies/back-ends
76240a
+
76240a
+if [[ -f $configfile ]]; then
76240a
+    sed -i "s/^.*MACs.*$/#MACs ${sshd_approved_macs}/" $configfile
76240a
+else
76240a
+    echo "#MACs ${sshd_approved_macs}" > "$configfile"
76240a
+fi
76240a
diff --git a/linux_os/guide/system/software/integrity/crypto/harden_sshd_macs_openssh_conf_crypto_policy/tests/stig_correct_followed_by_incorrect_commented.pass.sh b/linux_os/guide/system/software/integrity/crypto/harden_sshd_macs_openssh_conf_crypto_policy/tests/stig_correct_followed_by_incorrect_commented.pass.sh
76240a
new file mode 100644
76240a
index 00000000000..b8a63bec194
76240a
--- /dev/null
76240a
+++ b/linux_os/guide/system/software/integrity/crypto/harden_sshd_macs_openssh_conf_crypto_policy/tests/stig_correct_followed_by_incorrect_commented.pass.sh
76240a
@@ -0,0 +1,18 @@
76240a
+#!/bin/bash
76240a
+# platform = multi_platform_fedora,Red Hat Enterprise Linux 8
76240a
+# profiles = xccdf_org.ssgproject.content_profile_stig
76240a
+
76240a
+sshd_approved_macs=hmac-sha2-512,hmac-sha2-256
76240a
+configfile=/etc/crypto-policies/back-ends/openssh.config
76240a
+
76240a
+# Ensure directory + file is there
76240a
+test -d /etc/crypto-policies/back-ends || mkdir -p /etc/crypto-policies/back-ends
76240a
+
76240a
+if [[ -f $configfile ]]; then
76240a
+    sed -i "s/^.*MACs.*$/MACs ${sshd_approved_macs}/" $configfile
76240a
+else
76240a
+    echo "MACs ${sshd_approved_macs}" > "$configfile"
76240a
+fi
76240a
+
76240a
+# follow up with incorrect
76240a
+echo "#MACs hmac-sha2-256-etm@openssh.com,hmac-sha1-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha2-256,hmac-sha1,umac-128@openssh.com,hmac-sha2-512" >> $configfile
76240a
diff --git a/linux_os/guide/system/software/integrity/crypto/harden_sshd_macs_openssh_conf_crypto_policy/tests/stig_empty_file.fail.sh b/linux_os/guide/system/software/integrity/crypto/harden_sshd_macs_openssh_conf_crypto_policy/tests/stig_empty_file.fail.sh
76240a
new file mode 100644
76240a
index 00000000000..55ef3f58422
76240a
--- /dev/null
76240a
+++ b/linux_os/guide/system/software/integrity/crypto/harden_sshd_macs_openssh_conf_crypto_policy/tests/stig_empty_file.fail.sh
76240a
@@ -0,0 +1,10 @@
76240a
+#!/bin/bash
76240a
+# platform = multi_platform_fedora,Red Hat Enterprise Linux 8
76240a
+# profiles = xccdf_org.ssgproject.content_profile_stig
76240a
+
76240a
+configfile=/etc/crypto-policies/back-ends/openssh.config
76240a
+
76240a
+# Ensure directory + file is there
76240a
+test -d /etc/crypto-policies/back-ends || mkdir -p /etc/crypto-policies/back-ends
76240a
+
76240a
+echo "" > $configfile
76240a
diff --git a/linux_os/guide/system/software/integrity/crypto/harden_sshd_macs_openssh_conf_crypto_policy/tests/stig_empty_policy.fail.sh b/linux_os/guide/system/software/integrity/crypto/harden_sshd_macs_openssh_conf_crypto_policy/tests/stig_empty_policy.fail.sh
76240a
new file mode 100644
76240a
index 00000000000..9980a45681c
76240a
--- /dev/null
76240a
+++ b/linux_os/guide/system/software/integrity/crypto/harden_sshd_macs_openssh_conf_crypto_policy/tests/stig_empty_policy.fail.sh
76240a
@@ -0,0 +1,14 @@
76240a
+#!/bin/bash
76240a
+# platform = multi_platform_fedora,Red Hat Enterprise Linux 8
76240a
+# profiles = xccdf_org.ssgproject.content_profile_stig
76240a
+
76240a
+configfile=/etc/crypto-policies/back-ends/openssh.config
76240a
+
76240a
+# Ensure directory + file is there
76240a
+test -d /etc/crypto-policies/back-ends || mkdir -p /etc/crypto-policies/back-ends
76240a
+
76240a
+if [[ -f $configfile ]]; then
76240a
+    sed -i "s/^.*MACs.*$/MACs /" $configfile
76240a
+else
76240a
+    echo "MACs " > "$configfile"
76240a
+fi
76240a
diff --git a/linux_os/guide/system/software/integrity/crypto/harden_sshd_macs_openssh_conf_crypto_policy/tests/stig_incorrect_followed_by_correct_commented.fail.sh b/linux_os/guide/system/software/integrity/crypto/harden_sshd_macs_openssh_conf_crypto_policy/tests/stig_incorrect_followed_by_correct_commented.fail.sh
76240a
new file mode 100644
76240a
index 00000000000..d1303d60746
76240a
--- /dev/null
76240a
+++ b/linux_os/guide/system/software/integrity/crypto/harden_sshd_macs_openssh_conf_crypto_policy/tests/stig_incorrect_followed_by_correct_commented.fail.sh
76240a
@@ -0,0 +1,19 @@
76240a
+#!/bin/bash
76240a
+# platform = multi_platform_fedora,Red Hat Enterprise Linux 8
76240a
+# profiles = xccdf_org.ssgproject.content_profile_stig
76240a
+
76240a
+sshd_approved_macs=hmac-sha2-512,hmac-sha2-256
76240a
+incorrect_sshd_approved_macs=hmac-sha2-256-etm@openssh.com,hmac-sha1-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha2-256,hmac-sha1,umac-128@openssh.com,hmac-sha2-512
76240a
+configfile=/etc/crypto-policies/back-ends/openssh.config
76240a
+
76240a
+# Ensure directory + file is there
76240a
+test -d /etc/crypto-policies/back-ends || mkdir -p /etc/crypto-policies/back-ends
76240a
+
76240a
+if [[ -f $configfile ]]; then
76240a
+    sed -i "s/^.*MACs.*$/MACs ${incorrect_sshd_approved_macs}/" $configfile
76240a
+else
76240a
+    echo "MACs ${incorrect_sshd_approved_macs}" > "$configfile"
76240a
+fi
76240a
+
76240a
+# follow up with correct value
76240a
+echo "MACs ${sshd_approved_macs}" >> $configfile
76240a
diff --git a/linux_os/guide/system/software/integrity/crypto/harden_sshd_macs_openssh_conf_crypto_policy/tests/stig_incorrect_policy.fail.sh b/linux_os/guide/system/software/integrity/crypto/harden_sshd_macs_openssh_conf_crypto_policy/tests/stig_incorrect_policy.fail.sh
76240a
new file mode 100644
76240a
index 00000000000..8b21af46896
76240a
--- /dev/null
76240a
+++ b/linux_os/guide/system/software/integrity/crypto/harden_sshd_macs_openssh_conf_crypto_policy/tests/stig_incorrect_policy.fail.sh
76240a
@@ -0,0 +1,14 @@
76240a
+#!/bin/bash
76240a
+# platform = multi_platform_fedora,Red Hat Enterprise Linux 8
76240a
+# profiles = xccdf_org.ssgproject.content_profile_stig
76240a
+
76240a
+configfile=/etc/crypto-policies/back-ends/openssh.config
76240a
+
76240a
+# Ensure directory + file is there
76240a
+test -d /etc/crypto-policies/back-ends || mkdir -p /etc/crypto-policies/back-ends
76240a
+
76240a
+if [[ -f $configfile ]]; then
76240a
+    sed -i "s/^.*MACs.*$/MACs hmac-sha2-256-etm@openssh.com,hmac-sha1-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha2-256,hmac-sha1,umac-128@openssh.com,hmac-sha2-512/" $configfile
76240a
+else
76240a
+    echo "MACs hmac-sha2-256-etm@openssh.com,hmac-sha1-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha2-256,hmac-sha1,umac-128@openssh.com,hmac-sha2-512" > "$configfile"
76240a
+fi
76240a
diff --git a/linux_os/guide/system/software/integrity/crypto/harden_sshd_macs_openssh_conf_crypto_policy/tests/stig_missing_file.fail.sh b/linux_os/guide/system/software/integrity/crypto/harden_sshd_macs_openssh_conf_crypto_policy/tests/stig_missing_file.fail.sh
76240a
new file mode 100644
76240a
index 00000000000..2138caad319
76240a
--- /dev/null
76240a
+++ b/linux_os/guide/system/software/integrity/crypto/harden_sshd_macs_openssh_conf_crypto_policy/tests/stig_missing_file.fail.sh
76240a
@@ -0,0 +1,11 @@
76240a
+#!/bin/bash
76240a
+# platform = multi_platform_fedora,Red Hat Enterprise Linux 8
76240a
+# profiles = xccdf_org.ssgproject.content_profile_stig
76240a
+
76240a
+configfile=/etc/crypto-policies/back-ends/openssh.config
76240a
+
76240a
+# Ensure directory + file is there
76240a
+test -d /etc/crypto-policies/back-ends || mkdir -p /etc/crypto-policies/back-ends
76240a
+
76240a
+# If file exists, remove it
76240a
+test -f $configfile && rm -f $configfile
76240a
diff --git a/linux_os/guide/system/software/integrity/crypto/harden_sshd_macs_opensshserver_conf_crypto_policy/ansible/shared.yml b/linux_os/guide/system/software/integrity/crypto/harden_sshd_macs_opensshserver_conf_crypto_policy/ansible/shared.yml
76240a
new file mode 100644
76240a
index 00000000000..5ed618586ae
76240a
--- /dev/null
76240a
+++ b/linux_os/guide/system/software/integrity/crypto/harden_sshd_macs_opensshserver_conf_crypto_policy/ansible/shared.yml
76240a
@@ -0,0 +1,45 @@
76240a
+# platform = Red Hat Enterprise Linux 8,multi_platform_fedora
76240a
+# reboot = true
76240a
+# strategy = restrict
76240a
+# complexity = low
76240a
+# disruption = low
76240a
+{{{ ansible_instantiate_variables("sshd_approved_macs") }}}
76240a
+
76240a
+- name: "{{{ rule_title }}}: Set facts"
76240a
+  set_fact:
76240a
+    path: /etc/crypto-policies/back-ends/opensshserver.config
76240a
+    correct_value: "-oMACs={{ sshd_approved_macs }}"
76240a
+
76240a
+- name: "{{{ rule_title }}}: Stat"
76240a
+  stat:
76240a
+    path: "{{ path }}"
76240a
+    follow: yes
76240a
+  register: opensshserver_file
76240a
+
76240a
+- name: "{{{ rule_title }}}: Create"
76240a
+  lineinfile:
76240a
+    path: "{{ path }}"
76240a
+    line: "CRYPTO_POLICY='{{ correct_value }}'"
76240a
+    create: yes
76240a
+  when: not opensshserver_file.stat.exists or opensshserver_file.stat.size <= correct_value|length
76240a
+
76240a
+- name: "{{{ rule_title }}}"
76240a
+  block:
76240a
+    - name: "Existing value check"
76240a
+      lineinfile:
76240a
+        path: "{{ path }}"
76240a
+        create: false
76240a
+        regexp: "{{ correct_value }}"
76240a
+        state: absent
76240a
+      check_mode: true
76240a
+      changed_when: false
76240a
+      register: opensshserver
76240a
+
76240a
+    - name: "Update/Correct value"
76240a
+      replace:
76240a
+        path: "{{ path }}"
76240a
+        regexp: (-oMACs=\S+)
76240a
+        replace: "{{ correct_value }}"
76240a
+      when: opensshserver.found is defined and opensshserver.found != 1
76240a
+
76240a
+  when: opensshserver_file.stat.exists and opensshserver_file.stat.size > correct_value|length
76240a
diff --git a/linux_os/guide/system/software/integrity/crypto/harden_sshd_macs_opensshserver_conf_crypto_policy/bash/shared.sh b/linux_os/guide/system/software/integrity/crypto/harden_sshd_macs_opensshserver_conf_crypto_policy/bash/shared.sh
76240a
new file mode 100644
76240a
index 00000000000..790a2951bab
76240a
--- /dev/null
76240a
+++ b/linux_os/guide/system/software/integrity/crypto/harden_sshd_macs_opensshserver_conf_crypto_policy/bash/shared.sh
76240a
@@ -0,0 +1,31 @@
76240a
+# platform = Red Hat Enterprise Linux 8,multi_platform_fedora
76240a
+. /usr/share/scap-security-guide/remediation_functions
76240a
+{{{ bash_instantiate_variables("sshd_approved_macs") }}}
76240a
+
76240a
+CONF_FILE=/etc/crypto-policies/back-ends/opensshserver.config
76240a
+correct_value="-oMACs=${sshd_approved_macs}"
76240a
+
76240a
+# Test if file exists
76240a
+test -f ${CONF_FILE} || touch ${CONF_FILE}
76240a
+
76240a
+# Ensure CRYPTO_POLICY is not commented out
76240a
+sed -i 's/#CRYPTO_POLICY=/CRYPTO_POLICY=/' ${CONF_FILE}
76240a
+
76240a
+grep -q "'${correct_value}'" ${CONF_FILE}
76240a
+
76240a
+if [[ $? -ne 0 ]]; then
76240a
+    # We need to get the existing value, using PCRE to maintain same regex
76240a
+    existing_value=$(grep -Po '(-oMACs=\S+)' ${CONF_FILE})
76240a
+
76240a
+    if [[ ! -z ${existing_value} ]]; then
76240a
+        # replace existing_value with correct_value
76240a
+        sed -i "s/${existing_value}/${correct_value}/g" ${CONF_FILE}
76240a
+    else
76240a
+        # ***NOTE*** #
76240a
+        # This probably means this file is not here or it's been modified
76240a
+        # unintentionally.
76240a
+        # ********** #
76240a
+        # echo correct_value to end
76240a
+        echo "CRYPTO_POLICY='${correct_value}'" >> ${CONF_FILE}
76240a
+    fi
76240a
+fi
76240a
diff --git a/linux_os/guide/system/software/integrity/crypto/harden_sshd_macs_opensshserver_conf_crypto_policy/oval/shared.xml b/linux_os/guide/system/software/integrity/crypto/harden_sshd_macs_opensshserver_conf_crypto_policy/oval/shared.xml
76240a
new file mode 100644
76240a
index 00000000000..18028157032
76240a
--- /dev/null
76240a
+++ b/linux_os/guide/system/software/integrity/crypto/harden_sshd_macs_opensshserver_conf_crypto_policy/oval/shared.xml
76240a
@@ -0,0 +1,35 @@
76240a
+{{%- set PATH = "/etc/crypto-policies/back-ends/opensshserver.config" -%}}
76240a
+<def-group>
76240a
+  <definition class="compliance" id="{{{ rule_id }}}" version="1">
76240a
+    {{{ oval_metadata("Limit the Message Authentication Codes (MACs) to those which are FIPS-approved.") }}}
76240a
+    <criteria operator="AND" comment="Test conditions - presence of the file plus.">
76240a
+      <criterion comment="Check that {{{ PATH }}} contains FIPS-approved SSHD MACs" test_ref="test_{{{ rule_id }}}" />
76240a
+    </criteria>
76240a
+  </definition>
76240a
+
76240a
+  
76240a
+  comment="test the value of MACs setting in the {{{ PATH }}} file"
76240a
+  id="test_{{{ rule_id }}}" version="1">
76240a
+    <ind:object object_ref="obj_{{{ rule_id }}}" />
76240a
+    <ind:state state_ref="ste_{{{ rule_id }}}" />
76240a
+  </ind:textfilecontent54_test>
76240a
+
76240a
+  <ind:textfilecontent54_object id="obj_{{{ rule_id }}}" version="1">
76240a
+    <ind:filepath>{{{ PATH }}}</ind:filepath>
76240a
+    <ind:pattern operation="pattern match">^(?!#).*(-oMACs=\S+).+$</ind:pattern>
76240a
+    <ind:instance operation="equals" datatype="int">1</ind:instance>
76240a
+  </ind:textfilecontent54_object>
76240a
+
76240a
+  <ind:textfilecontent54_state id="ste_{{{ rule_id }}}" version="1">
76240a
+    <ind:subexpression var_ref="sshd_macs_crypto_opensshserver" operation="equals" />
76240a
+  </ind:textfilecontent54_state>
76240a
+
76240a
+  <local_variable id="sshd_macs_crypto_opensshserver" datatype="string" comment="The regex of the directive" version="1">
76240a
+    <concat>
76240a
+      <literal_component>-oMACs=</literal_component>
76240a
+      <variable_component var_ref="sshd_approved_macs"/>
76240a
+    </concat>
76240a
+  </local_variable>
76240a
+
76240a
+  <external_variable comment="SSH Approved MACs by FIPS" datatype="string" id="sshd_approved_macs" version="1" />
76240a
+</def-group>
76240a
diff --git a/linux_os/guide/system/software/integrity/crypto/harden_sshd_macs_opensshserver_conf_crypto_policy/rule.yml b/linux_os/guide/system/software/integrity/crypto/harden_sshd_macs_opensshserver_conf_crypto_policy/rule.yml
76240a
new file mode 100644
76240a
index 00000000000..0fd107a1bbe
76240a
--- /dev/null
76240a
+++ b/linux_os/guide/system/software/integrity/crypto/harden_sshd_macs_opensshserver_conf_crypto_policy/rule.yml
76240a
@@ -0,0 +1,60 @@
76240a
+documentation_complete: true
76240a
+
76240a
+prodtype: rhel8
76240a
+
76240a
+title: 'Configure SSH Server to Use FIPS 140-2 Validated MACs: opensshserver.config'
76240a
+
76240a
+description: |-
76240a
+    Crypto Policies provide a centralized control over crypto algorithms usage of many packages.
76240a
+    OpenSSH is supported by system crypto policy, but the OpenSSH configuration may be
76240a
+    set up incorrectly.
76240a
+
76240a
+    To check that Crypto Policies settings are configured correctly, ensure that
76240a
+    <tt>/etc/crypto-policies/back-ends/opensshserver.config</tt> contains the following
76240a
+    text and is not commented out:
76240a
+    <tt>-oMACS=hmac-sha2-512,hmac-sha2-256</tt>
76240a
+
76240a
+rationale: |-
76240a
+    Overriding the system crypto policy makes the behavior of the OpenSSH
76240a
+    server violate expectations, and makes system configuration more
76240a
+    fragmented.
76240a
+
76240a
+severity: medium
76240a
+
76240a
+identifiers:
76240a
+    cce@rhel8: CCE-85899-3
76240a
+
76240a
+references:
76240a
+    disa: CCI-001453
76240a
+    nist: AC-17(2)
76240a
+    srg: SRG-OS-000250-GPOS-00093
76240a
+    stigid@rhel8: RHEL-08-010290
76240a
+
76240a
+ocil_clause: 'Crypto Policy for OpenSSH Server is not configured correctly'
76240a
+
76240a
+ocil: |-
76240a
+    To verify if the OpenSSH server uses defined MACs in the Crypto Policy, run:
76240a
+    
$ grep -Po '(-oMACs=\S+)' /etc/crypto-policies/back-ends/opensshserver.config
76240a
+    and verify that the line matches:
76240a
+    
-oMACS=hmac-sha2-512,hmac-sha2-256
76240a
+
76240a
+warnings:
76240a
+    - general: |-
76240a
+        The system needs to be rebooted for these changes to take effect.
76240a
+    - regulatory: |-
76240a
+        System Crypto Modules must be provided by a vendor that undergoes
76240a
+        FIPS-140 certifications.
76240a
+        FIPS-140 is applicable to all Federal agencies that use
76240a
+        cryptographic-based security systems to protect sensitive information
76240a
+        in computer and telecommunication systems (including voice systems) as
76240a
+        defined in Section 5131 of the Information Technology Management Reform
76240a
+        Act of 1996, Public Law 104-106. This standard shall be used in
76240a
+        designing and implementing cryptographic modules that Federal
76240a
+        departments and agencies operate or are operated for them under
76240a
+        contract. See {{{ weblink(link="https://nvlpubs.nist.gov/nistpubs/FIPS/NIST.FIPS.140-2.pdf") }}}
76240a
+        To meet this, the system has to have cryptographic software provided by
76240a
+        a vendor that has undergone this certification. This means providing
76240a
+        documentation, test results, design information, and independent third
76240a
+        party review by an accredited lab. While open source software is
76240a
+        capable of meeting this, it does not meet FIPS-140 unless the vendor
76240a
+        submits to this process.
76240a
diff --git a/linux_os/guide/system/software/integrity/crypto/harden_sshd_macs_opensshserver_conf_crypto_policy/tests/rhel8_stig_correct.pass.sh b/linux_os/guide/system/software/integrity/crypto/harden_sshd_macs_opensshserver_conf_crypto_policy/tests/rhel8_stig_correct.pass.sh
76240a
new file mode 100644
76240a
index 00000000000..14da92218dc
76240a
--- /dev/null
76240a
+++ b/linux_os/guide/system/software/integrity/crypto/harden_sshd_macs_opensshserver_conf_crypto_policy/tests/rhel8_stig_correct.pass.sh
76240a
@@ -0,0 +1,17 @@
76240a
+#!/bin/bash
76240a
+# platform = Red Hat Enterprise Linux 8
76240a
+# profiles = xccdf_org.ssgproject.content_profile_stig
76240a
+
76240a
+sshd_approved_macs=hmac-sha2-512,hmac-sha2-256
76240a
+configfile=/etc/crypto-policies/back-ends/opensshserver.config
76240a
+correct_value="-oMACs=${sshd_approved_macs}"
76240a
+
76240a
+# Ensure directory + file is there
76240a
+test -d /etc/crypto-policies/back-ends || mkdir -p /etc/crypto-policies/back-ends
76240a
+
76240a
+# Proceed when file exists
76240a
+if [[ -f $configfile ]]; then
76240a
+    sed -i -r "s/-oMACs=\S+/${correct_value}/" $configfile
76240a
+else
76240a
+    echo "${correct_value}" > "$configfile"
76240a
+fi
76240a
diff --git a/linux_os/guide/system/software/integrity/crypto/harden_sshd_macs_opensshserver_conf_crypto_policy/tests/rhel8_stig_empty_policy.fail.sh b/linux_os/guide/system/software/integrity/crypto/harden_sshd_macs_opensshserver_conf_crypto_policy/tests/rhel8_stig_empty_policy.fail.sh
76240a
new file mode 100644
76240a
index 00000000000..3dde1479296
76240a
--- /dev/null
76240a
+++ b/linux_os/guide/system/software/integrity/crypto/harden_sshd_macs_opensshserver_conf_crypto_policy/tests/rhel8_stig_empty_policy.fail.sh
76240a
@@ -0,0 +1,7 @@
76240a
+#!/bin/bash
76240a
+# platform = Red Hat Enterprise Linux 8
76240a
+# profiles = xccdf_org.ssgproject.content_profile_stig
76240a
+
76240a
+configfile=/etc/crypto-policies/back-ends/opensshserver.config
76240a
+
76240a
+echo "" > "$configfile"
76240a
diff --git a/linux_os/guide/system/software/integrity/crypto/harden_sshd_macs_opensshserver_conf_crypto_policy/tests/rhel8_stig_incorrect_policy.fail.sh b/linux_os/guide/system/software/integrity/crypto/harden_sshd_macs_opensshserver_conf_crypto_policy/tests/rhel8_stig_incorrect_policy.fail.sh
76240a
new file mode 100644
76240a
index 00000000000..a50a0fc02bf
76240a
--- /dev/null
76240a
+++ b/linux_os/guide/system/software/integrity/crypto/harden_sshd_macs_opensshserver_conf_crypto_policy/tests/rhel8_stig_incorrect_policy.fail.sh
76240a
@@ -0,0 +1,14 @@
76240a
+#!/bin/bash
76240a
+# platform = Red Hat Enterprise Linux 8
76240a
+# profiles = xccdf_org.ssgproject.content_profile_stig
76240a
+
76240a
+configfile=/etc/crypto-policies/back-ends/opensshserver.config
76240a
+
76240a
+# Ensure directory + file is there
76240a
+test -d /etc/crypto-policies/back-ends || mkdir -p /etc/crypto-policies/back-ends
76240a
+
76240a
+if [[ -f $configfile ]]; then
76240a
+    sed -i -r "s/-oMACs=\S+/-oMACs=hmac-sha2-256-etm@openssh.com,hmac-sha1-etm@openssh.com/" $configfile
76240a
+else
76240a
+    echo "-oMACs=hmac-sha2-256-etm@openssh.com,hmac-sha1-etm@openssh.com" > "$configfile"
76240a
+fi
76240a
diff --git a/linux_os/guide/system/software/integrity/crypto/harden_sshd_macs_opensshserver_conf_crypto_policy/tests/rhel8_stig_missing_file.fail.sh b/linux_os/guide/system/software/integrity/crypto/harden_sshd_macs_opensshserver_conf_crypto_policy/tests/rhel8_stig_missing_file.fail.sh
76240a
new file mode 100644
76240a
index 00000000000..11e596ced87
76240a
--- /dev/null
76240a
+++ b/linux_os/guide/system/software/integrity/crypto/harden_sshd_macs_opensshserver_conf_crypto_policy/tests/rhel8_stig_missing_file.fail.sh
76240a
@@ -0,0 +1,11 @@
76240a
+#!/bin/bash
76240a
+# platform = Red Hat Enterprise Linux 8
76240a
+# profiles = xccdf_org.ssgproject.content_profile_stig
76240a
+
76240a
+configfile=/etc/crypto-policies/back-ends/opensshserver.config
76240a
+
76240a
+# Ensure directory + file is there
76240a
+test -d /etc/crypto-policies/back-ends || mkdir -p /etc/crypto-policies/back-ends
76240a
+
76240a
+# If file exists, remove it
76240a
+test -f $configfile && rm -f $configfile
76240a
diff --git a/products/rhel8/profiles/stig.profile b/products/rhel8/profiles/stig.profile
76240a
index 6372d13cfc9..28b47cca487 100644
76240a
--- a/products/rhel8/profiles/stig.profile
76240a
+++ b/products/rhel8/profiles/stig.profile
76240a
@@ -50,6 +50,7 @@ selections:
76240a
     - var_password_pam_retry=3
76240a
     - var_password_pam_minlen=15
76240a
     - var_sshd_set_keepalive=0
76240a
+    - sshd_approved_macs=stig
76240a
     - sshd_idle_timeout_value=10_minutes
76240a
     - var_accounts_passwords_pam_faillock_deny=3
76240a
     - var_accounts_passwords_pam_faillock_fail_interval=900
76240a
@@ -174,11 +175,17 @@ selections:
76240a
     # RHEL-08-010260
76240a
     - file_groupowner_var_log
76240a
 
76240a
+    # *** SHARED *** #
76240a
     # RHEL-08-010290 && RHEL-08-010291
76240a
-    ### NOTE: This will get split out in future STIG releases, as well as we will break
76240a
-    ### these rules up to be more flexible in meeting the requirements.
76240a
+    # *** SHARED *** #
76240a
     - configure_ssh_crypto_policy
76240a
 
76240a
+    # RHEL-08-010290
76240a
+    - harden_sshd_macs_openssh_conf_crypto_policy
76240a
+    - harden_sshd_macs_opensshserver_conf_crypto_policy
76240a
+
76240a
+    # RHEL-08-010291
76240a
+
76240a
     # RHEL-08-010292
76240a
     - sshd_use_strong_rng
76240a
 
76240a
diff --git a/shared/references/cce-redhat-avail.txt b/shared/references/cce-redhat-avail.txt
76240a
index 24e81491683..036d34cea1d 100644
76240a
--- a/shared/references/cce-redhat-avail.txt
76240a
+++ b/shared/references/cce-redhat-avail.txt
76240a
@@ -10,7 +10,6 @@ CCE-85866-2
76240a
 CCE-85867-0
76240a
 CCE-85868-8
76240a
 CCE-85869-6
76240a
-CCE-85870-4
76240a
 CCE-85872-0
76240a
 CCE-85873-8
76240a
 CCE-85874-6
76240a
@@ -36,7 +35,6 @@ CCE-85895-1
76240a
 CCE-85896-9
76240a
 CCE-85897-7
76240a
 CCE-85898-5
76240a
-CCE-85899-3
76240a
 CCE-85900-9
76240a
 CCE-85901-7
76240a
 CCE-85902-5
76240a
diff --git a/tests/data/profile_stability/rhel8/stig.profile b/tests/data/profile_stability/rhel8/stig.profile
76240a
index 32f1a24a7a4..393051a34ea 100644
76240a
--- a/tests/data/profile_stability/rhel8/stig.profile
76240a
+++ b/tests/data/profile_stability/rhel8/stig.profile
76240a
@@ -145,6 +145,8 @@ selections:
76240a
 - grub2_uefi_admin_username
76240a
 - grub2_uefi_password
76240a
 - grub2_vsyscall_argument
76240a
+- harden_sshd_macs_openssh_conf_crypto_policy
76240a
+- harden_sshd_macs_opensshserver_conf_crypto_policy
76240a
 - install_smartcard_packages
76240a
 - installed_OS_is_vendor_supported
76240a
 - kerberos_disable_no_keytab
76240a
@@ -325,6 +327,7 @@ selections:
76240a
 - var_password_pam_lcredit=1
76240a
 - var_password_pam_retry=3
76240a
 - var_sshd_set_keepalive=0
76240a
+- sshd_approved_macs=stig
76240a
 - sshd_idle_timeout_value=10_minutes
76240a
 - var_accounts_passwords_pam_faillock_deny=3
76240a
 - var_accounts_passwords_pam_faillock_fail_interval=900
76240a
diff --git a/tests/data/profile_stability/rhel8/stig_gui.profile b/tests/data/profile_stability/rhel8/stig_gui.profile
76240a
index d6a27c67dc0..de82fb34518 100644
76240a
--- a/tests/data/profile_stability/rhel8/stig_gui.profile
76240a
+++ b/tests/data/profile_stability/rhel8/stig_gui.profile
76240a
@@ -156,6 +156,8 @@ selections:
76240a
 - grub2_uefi_admin_username
76240a
 - grub2_uefi_password
76240a
 - grub2_vsyscall_argument
76240a
+- harden_sshd_macs_openssh_conf_crypto_policy
76240a
+- harden_sshd_macs_opensshserver_conf_crypto_policy
76240a
 - install_smartcard_packages
76240a
 - installed_OS_is_vendor_supported
76240a
 - kerberos_disable_no_keytab
76240a
@@ -335,6 +337,7 @@ selections:
76240a
 - var_password_pam_lcredit=1
76240a
 - var_password_pam_retry=3
76240a
 - var_sshd_set_keepalive=0
76240a
+- sshd_approved_macs=stig
76240a
 - sshd_idle_timeout_value=10_minutes
76240a
 - var_accounts_passwords_pam_faillock_deny=3
76240a
 - var_accounts_passwords_pam_faillock_fail_interval=900