Blob Blame History Raw
From 7da420a853591a6e994439a9ada2b88d6793e3e7 Mon Sep 17 00:00:00 2001
From: Carlos Matos <cmatos@redhat.com>
Date: Tue, 29 Jun 2021 14:00:14 -0400
Subject: [PATCH 1/5] New rules for RHEL-08-010291

---
 .../services/ssh/sshd_approved_ciphers.var    |  2 +-
 .../ansible/shared.yml                        | 16 +++++
 .../bash/shared.sh                            | 13 ++++
 .../oval/shared.xml                           | 35 +++++++++++
 .../rule.yml                                  | 62 +++++++++++++++++++
 .../tests/stig_correct.pass.sh                | 15 +++++
 .../tests/stig_correct_commented.fail.sh      | 15 +++++
 ...ct_followed_by_incorrect_commented.pass.sh | 18 ++++++
 .../tests/stig_empty_file.fail.sh             | 10 +++
 .../tests/stig_empty_policy.fail.sh           | 14 +++++
 ...rect_followed_by_correct_commented.fail.sh | 19 ++++++
 .../tests/stig_incorrect_policy.fail.sh       | 15 +++++
 .../tests/stig_missing_file.fail.sh           | 11 ++++
 .../ansible/shared.yml                        | 45 ++++++++++++++
 .../bash/shared.sh                            | 25 ++++++++
 .../oval/shared.xml                           | 35 +++++++++++
 .../rule.yml                                  | 62 +++++++++++++++++++
 .../tests/rhel8_stig_correct.pass.sh          | 17 +++++
 .../tests/rhel8_stig_empty_policy.fail.sh     |  7 +++
 .../tests/rhel8_stig_incorrect_policy.fail.sh | 14 +++++
 .../tests/rhel8_stig_missing_file.fail.sh     | 11 ++++
 products/rhel8/profiles/stig.profile          |  6 ++
 .../data/profile_stability/rhel8/stig.profile |  3 +
 .../profile_stability/rhel8/stig_gui.profile  |  3 +
 24 files changed, 472 insertions(+), 1 deletion(-)
 create mode 100644 linux_os/guide/system/software/integrity/crypto/harden_sshd_ciphers_openssh_conf_crypto_policy/ansible/shared.yml
 create mode 100644 linux_os/guide/system/software/integrity/crypto/harden_sshd_ciphers_openssh_conf_crypto_policy/bash/shared.sh
 create mode 100644 linux_os/guide/system/software/integrity/crypto/harden_sshd_ciphers_openssh_conf_crypto_policy/oval/shared.xml
 create mode 100644 linux_os/guide/system/software/integrity/crypto/harden_sshd_ciphers_openssh_conf_crypto_policy/rule.yml
 create mode 100644 linux_os/guide/system/software/integrity/crypto/harden_sshd_ciphers_openssh_conf_crypto_policy/tests/stig_correct.pass.sh
 create mode 100644 linux_os/guide/system/software/integrity/crypto/harden_sshd_ciphers_openssh_conf_crypto_policy/tests/stig_correct_commented.fail.sh
 create mode 100644 linux_os/guide/system/software/integrity/crypto/harden_sshd_ciphers_openssh_conf_crypto_policy/tests/stig_correct_followed_by_incorrect_commented.pass.sh
 create mode 100644 linux_os/guide/system/software/integrity/crypto/harden_sshd_ciphers_openssh_conf_crypto_policy/tests/stig_empty_file.fail.sh
 create mode 100644 linux_os/guide/system/software/integrity/crypto/harden_sshd_ciphers_openssh_conf_crypto_policy/tests/stig_empty_policy.fail.sh
 create mode 100644 linux_os/guide/system/software/integrity/crypto/harden_sshd_ciphers_openssh_conf_crypto_policy/tests/stig_incorrect_followed_by_correct_commented.fail.sh
 create mode 100644 linux_os/guide/system/software/integrity/crypto/harden_sshd_ciphers_openssh_conf_crypto_policy/tests/stig_incorrect_policy.fail.sh
 create mode 100644 linux_os/guide/system/software/integrity/crypto/harden_sshd_ciphers_openssh_conf_crypto_policy/tests/stig_missing_file.fail.sh
 create mode 100644 linux_os/guide/system/software/integrity/crypto/harden_sshd_ciphers_opensshserver_conf_crypto_policy/ansible/shared.yml
 create mode 100644 linux_os/guide/system/software/integrity/crypto/harden_sshd_ciphers_opensshserver_conf_crypto_policy/bash/shared.sh
 create mode 100644 linux_os/guide/system/software/integrity/crypto/harden_sshd_ciphers_opensshserver_conf_crypto_policy/oval/shared.xml
 create mode 100644 linux_os/guide/system/software/integrity/crypto/harden_sshd_ciphers_opensshserver_conf_crypto_policy/rule.yml
 create mode 100644 linux_os/guide/system/software/integrity/crypto/harden_sshd_ciphers_opensshserver_conf_crypto_policy/tests/rhel8_stig_correct.pass.sh
 create mode 100644 linux_os/guide/system/software/integrity/crypto/harden_sshd_ciphers_opensshserver_conf_crypto_policy/tests/rhel8_stig_empty_policy.fail.sh
 create mode 100644 linux_os/guide/system/software/integrity/crypto/harden_sshd_ciphers_opensshserver_conf_crypto_policy/tests/rhel8_stig_incorrect_policy.fail.sh
 create mode 100644 linux_os/guide/system/software/integrity/crypto/harden_sshd_ciphers_opensshserver_conf_crypto_policy/tests/rhel8_stig_missing_file.fail.sh

diff --git a/linux_os/guide/services/ssh/sshd_approved_ciphers.var b/linux_os/guide/services/ssh/sshd_approved_ciphers.var
index 46891daa619..a240bbbfaef 100644
--- a/linux_os/guide/services/ssh/sshd_approved_ciphers.var
+++ b/linux_os/guide/services/ssh/sshd_approved_ciphers.var
@@ -11,6 +11,6 @@ operator: equals
 interactive: false
 
 options:
-    stig: aes128-ctr,aes192-ctr,aes256-ctr
+    stig: aes256-ctr,aes192-ctr,aes128-ctr
     default: aes128-ctr,aes192-ctr,aes256-ctr,aes128-cbc,3des-cbc,aes192-cbc,aes256-cbc,rijndael-cbc@lysator.liu.se
     cis_rhel7: chacha20-poly1305@openssh.com,aes128-ctr,aes192-ctr,aes256-ctr,aes128-gcm@openssh.com,aes256-gcm@openssh.com,aes128-cbc,aes192-cbc,aes256-cbc,blowfish-cbc,cast128-cbc,3des-cbc
diff --git a/linux_os/guide/system/software/integrity/crypto/harden_sshd_ciphers_openssh_conf_crypto_policy/ansible/shared.yml b/linux_os/guide/system/software/integrity/crypto/harden_sshd_ciphers_openssh_conf_crypto_policy/ansible/shared.yml
new file mode 100644
index 00000000000..badb5896cf2
--- /dev/null
+++ b/linux_os/guide/system/software/integrity/crypto/harden_sshd_ciphers_openssh_conf_crypto_policy/ansible/shared.yml
@@ -0,0 +1,16 @@
+# platform = Red Hat Enterprise Linux 8,multi_platform_fedora
+# reboot = true
+# strategy = restrict
+# complexity = low
+# disruption = low
+{{{ ansible_instantiate_variables("sshd_approved_ciphers") }}}
+
+{{{ ansible_set_config_file(
+        msg='Configure SSH Daemon to Use FIPS 140-2 Validated MACs: openssh.config',
+        file='/etc/crypto-policies/back-ends/openssh.config',
+        parameter='Ciphers',
+        value="{{ sshd_approved_ciphers }}",
+        create='yes',
+        prefix_regex='^.*'
+    )
+}}}
diff --git a/linux_os/guide/system/software/integrity/crypto/harden_sshd_ciphers_openssh_conf_crypto_policy/bash/shared.sh b/linux_os/guide/system/software/integrity/crypto/harden_sshd_ciphers_openssh_conf_crypto_policy/bash/shared.sh
new file mode 100644
index 00000000000..cdc66a8aac6
--- /dev/null
+++ b/linux_os/guide/system/software/integrity/crypto/harden_sshd_ciphers_openssh_conf_crypto_policy/bash/shared.sh
@@ -0,0 +1,13 @@
+# platform = Red Hat Enterprise Linux 8,multi_platform_fedora
+. /usr/share/scap-security-guide/remediation_functions
+{{{ bash_instantiate_variables("sshd_approved_ciphers") }}}
+
+{{{ set_config_file(
+        path="/etc/crypto-policies/back-ends/openssh.config",
+        parameter="Ciphers",
+        value="${sshd_approved_ciphers}",
+        create=true,
+        insensitive=false,
+        prefix_regex="^.*"
+	)
+}}}
diff --git a/linux_os/guide/system/software/integrity/crypto/harden_sshd_ciphers_openssh_conf_crypto_policy/oval/shared.xml b/linux_os/guide/system/software/integrity/crypto/harden_sshd_ciphers_openssh_conf_crypto_policy/oval/shared.xml
new file mode 100644
index 00000000000..1879e77398b
--- /dev/null
+++ b/linux_os/guide/system/software/integrity/crypto/harden_sshd_ciphers_openssh_conf_crypto_policy/oval/shared.xml
@@ -0,0 +1,35 @@
+{{%- set PATH = "/etc/crypto-policies/back-ends/openssh.config" -%}}
+<def-group>
+  <definition class="compliance" id="{{{ rule_id }}}" version="1">
+    {{{ oval_metadata("Limit the Message Authentication Codes (MACs) to those which are FIPS-approved.") }}}
+    <criteria operator="AND" comment="Test conditions - presence of the file plus.">
+      <criterion comment="Check that {{{ PATH }}} contains FIPS-approved SSHD Ciphers" test_ref="test_{{{ rule_id }}}" />
+    </criteria>
+  </definition>
+
+  <ind:textfilecontent54_test check="all"
+  comment="test the value of Ciphers setting in the {{{ PATH }}} file"
+  id="test_{{{ rule_id }}}" version="1">
+    <ind:object object_ref="obj_{{{ rule_id }}}" />
+    <ind:state state_ref="ste_{{{ rule_id }}}" />
+  </ind:textfilecontent54_test>
+
+  <ind:textfilecontent54_object id="obj_{{{ rule_id }}}" version="1">
+    <ind:filepath>{{{ PATH }}}</ind:filepath>
+    <ind:pattern operation="pattern match">^Ciphers.*$</ind:pattern>
+    <ind:instance operation="greater than or equal" datatype="int">1</ind:instance>
+  </ind:textfilecontent54_object>
+
+  <ind:textfilecontent54_state id="ste_{{{ rule_id }}}" version="1">
+    <ind:text var_ref="sshd_ciphers_crypto" operation="equals"></ind:text>
+  </ind:textfilecontent54_state>
+
+  <local_variable id="sshd_ciphers_crypto" datatype="string" comment="The regex of the directive" version="1">
+    <concat>
+      <literal_component>Ciphers </literal_component>
+      <variable_component var_ref="sshd_approved_ciphers"/>
+    </concat>
+  </local_variable>
+
+  <external_variable comment="SSH Approved Ciphers by FIPS" datatype="string" id="sshd_approved_ciphers" version="1" />
+</def-group>
diff --git a/linux_os/guide/system/software/integrity/crypto/harden_sshd_ciphers_openssh_conf_crypto_policy/rule.yml b/linux_os/guide/system/software/integrity/crypto/harden_sshd_ciphers_openssh_conf_crypto_policy/rule.yml
new file mode 100644
index 00000000000..cd1553dbdb3
--- /dev/null
+++ b/linux_os/guide/system/software/integrity/crypto/harden_sshd_ciphers_openssh_conf_crypto_policy/rule.yml
@@ -0,0 +1,62 @@
+documentation_complete: true
+
+prodtype: fedora,rhel8
+
+title: 'Configure SSH Daemon to Use FIPS 140-2 Validated Ciphers: openssh.config'
+
+description: |-
+    Crypto Policies provide a centralized control over crypto algorithms usage of many packages.
+    OpenSSH is supported by system crypto policy, but the OpenSSH configuration may be
+    set up incorrectly.
+
+    To check that Crypto Policies settings for ciphers are configured correctly, ensure that
+    <tt>/etc/crypto-policies/back-ends/openssh.config</tt> contains the following
+    line and is not commented out:
+    <pre>Ciphers {{{ xccdf_value("sshd_approved_ciphers") }}}</pre>
+
+rationale: |-
+    Overriding the system crypto policy makes the behavior of the OpenSSH daemon
+    violate expectations, and makes system configuration more fragmented. By
+    specifying a cipher list with the order of ciphers being in a “strongest to
+    weakest” orientation, the system will automatically attempt to use the
+    strongest cipher for securing SSH connections.
+
+severity: medium
+
+identifiers:
+    cce@rhel8: CCE-85870-4
+
+references:
+    nist: AC-17(2)
+    srg: SRG-OS-000250-GPOS-00093
+    disa: CCI-001453
+    stigid@rhel8: RHEL-08-010291
+
+ocil_clause: 'Crypto Policy for OpenSSH Server is not configured correctly'
+
+ocil: |-
+    To verify if the OpenSSH daemon uses defined Cipher suite in the Crypto Policy, run:
+    <pre>$ grep -i ciphers /etc/crypto-policies/back-ends/openssh.config</pre>
+    and verify that the line matches:
+    <pre>Ciphers {{{ xccdf_value("sshd_approved_ciphers") }}}</pre>
+
+warnings:
+    - general: |-
+        The system needs to be rebooted for these changes to take effect.
+    - regulatory: |-
+        System Crypto Modules must be provided by a vendor that undergoes
+        FIPS-140 certifications.
+        FIPS-140 is applicable to all Federal agencies that use
+        cryptographic-based security systems to protect sensitive information
+        in computer and telecommunication systems (including voice systems) as
+        defined in Section 5131 of the Information Technology Management Reform
+        Act of 1996, Public Law 104-106. This standard shall be used in
+        designing and implementing cryptographic modules that Federal
+        departments and agencies operate or are operated for them under
+        contract. See <b>{{{ weblink(link="https://nvlpubs.nist.gov/nistpubs/FIPS/NIST.FIPS.140-2.pdf") }}}</b>
+        To meet this, the system has to have cryptographic software provided by
+        a vendor that has undergone this certification. This means providing
+        documentation, test results, design information, and independent third
+        party review by an accredited lab. While open source software is
+        capable of meeting this, it does not meet FIPS-140 unless the vendor
+        submits to this process.
diff --git a/linux_os/guide/system/software/integrity/crypto/harden_sshd_ciphers_openssh_conf_crypto_policy/tests/stig_correct.pass.sh b/linux_os/guide/system/software/integrity/crypto/harden_sshd_ciphers_openssh_conf_crypto_policy/tests/stig_correct.pass.sh
new file mode 100644
index 00000000000..0a27a7e0984
--- /dev/null
+++ b/linux_os/guide/system/software/integrity/crypto/harden_sshd_ciphers_openssh_conf_crypto_policy/tests/stig_correct.pass.sh
@@ -0,0 +1,15 @@
+#!/bin/bash
+# platform = multi_platform_fedora,Red Hat Enterprise Linux 8
+# profiles = xccdf_org.ssgproject.content_profile_stig
+
+sshd_approved_ciphers=aes256-ctr,aes192-ctr,aes128-ctr
+configfile=/etc/crypto-policies/back-ends/openssh.config
+
+# Ensure directory + file is there
+test -d /etc/crypto-policies/back-ends || mkdir -p /etc/crypto-policies/back-ends
+
+if [[ -f $configfile ]]; then
+    sed -i "s/^.*Ciphers.*$/Ciphers ${sshd_approved_ciphers}/" $configfile
+else
+    echo "Ciphers ${sshd_approved_ciphers}" > "$configfile"
+fi
diff --git a/linux_os/guide/system/software/integrity/crypto/harden_sshd_ciphers_openssh_conf_crypto_policy/tests/stig_correct_commented.fail.sh b/linux_os/guide/system/software/integrity/crypto/harden_sshd_ciphers_openssh_conf_crypto_policy/tests/stig_correct_commented.fail.sh
new file mode 100644
index 00000000000..5cadd95ba38
--- /dev/null
+++ b/linux_os/guide/system/software/integrity/crypto/harden_sshd_ciphers_openssh_conf_crypto_policy/tests/stig_correct_commented.fail.sh
@@ -0,0 +1,15 @@
+#!/bin/bash
+# platform = multi_platform_fedora,Red Hat Enterprise Linux 8
+# profiles = xccdf_org.ssgproject.content_profile_stig
+
+sshd_approved_ciphers=aes256-ctr,aes192-ctr,aes128-ctr
+configfile=/etc/crypto-policies/back-ends/openssh.config
+
+# Ensure directory + file is there
+test -d /etc/crypto-policies/back-ends || mkdir -p /etc/crypto-policies/back-ends
+
+if [[ -f $configfile ]]; then
+    sed -i "s/^.*Ciphers.*$/#Ciphers ${sshd_approved_ciphers}/" $configfile
+else
+    echo "#Ciphers ${sshd_approved_ciphers}" > "$configfile"
+fi
diff --git a/linux_os/guide/system/software/integrity/crypto/harden_sshd_ciphers_openssh_conf_crypto_policy/tests/stig_correct_followed_by_incorrect_commented.pass.sh b/linux_os/guide/system/software/integrity/crypto/harden_sshd_ciphers_openssh_conf_crypto_policy/tests/stig_correct_followed_by_incorrect_commented.pass.sh
new file mode 100644
index 00000000000..26220063757
--- /dev/null
+++ b/linux_os/guide/system/software/integrity/crypto/harden_sshd_ciphers_openssh_conf_crypto_policy/tests/stig_correct_followed_by_incorrect_commented.pass.sh
@@ -0,0 +1,18 @@
+#!/bin/bash
+# platform = multi_platform_fedora,Red Hat Enterprise Linux 8
+# profiles = xccdf_org.ssgproject.content_profile_stig
+
+sshd_approved_ciphers=aes256-ctr,aes192-ctr,aes128-ctr
+configfile=/etc/crypto-policies/back-ends/openssh.config
+
+# Ensure directory + file is there
+test -d /etc/crypto-policies/back-ends || mkdir -p /etc/crypto-policies/back-ends
+
+if [[ -f $configfile ]]; then
+    sed -i "s/^.*Ciphers.*$/Ciphers ${sshd_approved_ciphers}/" $configfile
+else
+    echo "Ciphers ${sshd_approved_ciphers}" > "$configfile"
+fi
+
+# follow up with incorrect
+echo "#Ciphers aes256-gcm@openssh.com,chacha20-poly1305@openssh.com,aes256-ctr" >> $configfile
diff --git a/linux_os/guide/system/software/integrity/crypto/harden_sshd_ciphers_openssh_conf_crypto_policy/tests/stig_empty_file.fail.sh b/linux_os/guide/system/software/integrity/crypto/harden_sshd_ciphers_openssh_conf_crypto_policy/tests/stig_empty_file.fail.sh
new file mode 100644
index 00000000000..55ef3f58422
--- /dev/null
+++ b/linux_os/guide/system/software/integrity/crypto/harden_sshd_ciphers_openssh_conf_crypto_policy/tests/stig_empty_file.fail.sh
@@ -0,0 +1,10 @@
+#!/bin/bash
+# platform = multi_platform_fedora,Red Hat Enterprise Linux 8
+# profiles = xccdf_org.ssgproject.content_profile_stig
+
+configfile=/etc/crypto-policies/back-ends/openssh.config
+
+# Ensure directory + file is there
+test -d /etc/crypto-policies/back-ends || mkdir -p /etc/crypto-policies/back-ends
+
+echo "" > $configfile
diff --git a/linux_os/guide/system/software/integrity/crypto/harden_sshd_ciphers_openssh_conf_crypto_policy/tests/stig_empty_policy.fail.sh b/linux_os/guide/system/software/integrity/crypto/harden_sshd_ciphers_openssh_conf_crypto_policy/tests/stig_empty_policy.fail.sh
new file mode 100644
index 00000000000..7105441ad80
--- /dev/null
+++ b/linux_os/guide/system/software/integrity/crypto/harden_sshd_ciphers_openssh_conf_crypto_policy/tests/stig_empty_policy.fail.sh
@@ -0,0 +1,14 @@
+#!/bin/bash
+# platform = multi_platform_fedora,Red Hat Enterprise Linux 8
+# profiles = xccdf_org.ssgproject.content_profile_stig
+
+configfile=/etc/crypto-policies/back-ends/openssh.config
+
+# Ensure directory + file is there
+test -d /etc/crypto-policies/back-ends || mkdir -p /etc/crypto-policies/back-ends
+
+if [[ -f $configfile ]]; then
+    sed -i "s/^.*Ciphers.*$/Ciphers /" $configfile
+else
+    echo "Ciphers " > "$configfile"
+fi
diff --git a/linux_os/guide/system/software/integrity/crypto/harden_sshd_ciphers_openssh_conf_crypto_policy/tests/stig_incorrect_followed_by_correct_commented.fail.sh b/linux_os/guide/system/software/integrity/crypto/harden_sshd_ciphers_openssh_conf_crypto_policy/tests/stig_incorrect_followed_by_correct_commented.fail.sh
new file mode 100644
index 00000000000..195f5e8d8ed
--- /dev/null
+++ b/linux_os/guide/system/software/integrity/crypto/harden_sshd_ciphers_openssh_conf_crypto_policy/tests/stig_incorrect_followed_by_correct_commented.fail.sh
@@ -0,0 +1,19 @@
+#!/bin/bash
+# platform = multi_platform_fedora,Red Hat Enterprise Linux 8
+# profiles = xccdf_org.ssgproject.content_profile_stig
+
+sshd_approved_ciphers=aes256-ctr,aes192-ctr,aes128-ctr
+incorrect_sshd_approved_ciphers=aes256-gcm@openssh.com,chacha20-poly1305@openssh.com,aes256-ctr
+configfile=/etc/crypto-policies/back-ends/openssh.config
+
+# Ensure directory + file is there
+test -d /etc/crypto-policies/back-ends || mkdir -p /etc/crypto-policies/back-ends
+
+if [[ -f $configfile ]]; then
+    sed -i "s/^.*Ciphers.*$/Ciphers ${incorrect_sshd_approved_ciphers}/" $configfile
+else
+    echo "Ciphers ${incorrect_sshd_approved_ciphers}" > "$configfile"
+fi
+
+# follow up with correct value
+echo "Ciphers ${sshd_approved_ciphers}" >> $configfile
diff --git a/linux_os/guide/system/software/integrity/crypto/harden_sshd_ciphers_openssh_conf_crypto_policy/tests/stig_incorrect_policy.fail.sh b/linux_os/guide/system/software/integrity/crypto/harden_sshd_ciphers_openssh_conf_crypto_policy/tests/stig_incorrect_policy.fail.sh
new file mode 100644
index 00000000000..92bd4ed9c5a
--- /dev/null
+++ b/linux_os/guide/system/software/integrity/crypto/harden_sshd_ciphers_openssh_conf_crypto_policy/tests/stig_incorrect_policy.fail.sh
@@ -0,0 +1,15 @@
+#!/bin/bash
+# platform = multi_platform_fedora,Red Hat Enterprise Linux 8
+# profiles = xccdf_org.ssgproject.content_profile_stig
+
+incorrect_sshd_approved_ciphers=aes256-gcm@openssh.com,chacha20-poly1305@openssh.com,aes256-ctr,aes256-cbc
+configfile=/etc/crypto-policies/back-ends/openssh.config
+
+# Ensure directory + file is there
+test -d /etc/crypto-policies/back-ends || mkdir -p /etc/crypto-policies/back-ends
+
+if [[ -f $configfile ]]; then
+    sed -i "s/^.*Ciphers.*$/Ciphers ${incorrect_sshd_approved_ciphers}/" $configfile
+else
+    echo "Ciphers ${incorrect_sshd_approved_ciphers}" > "$configfile"
+fi
diff --git a/linux_os/guide/system/software/integrity/crypto/harden_sshd_ciphers_openssh_conf_crypto_policy/tests/stig_missing_file.fail.sh b/linux_os/guide/system/software/integrity/crypto/harden_sshd_ciphers_openssh_conf_crypto_policy/tests/stig_missing_file.fail.sh
new file mode 100644
index 00000000000..2138caad319
--- /dev/null
+++ b/linux_os/guide/system/software/integrity/crypto/harden_sshd_ciphers_openssh_conf_crypto_policy/tests/stig_missing_file.fail.sh
@@ -0,0 +1,11 @@
+#!/bin/bash
+# platform = multi_platform_fedora,Red Hat Enterprise Linux 8
+# profiles = xccdf_org.ssgproject.content_profile_stig
+
+configfile=/etc/crypto-policies/back-ends/openssh.config
+
+# Ensure directory + file is there
+test -d /etc/crypto-policies/back-ends || mkdir -p /etc/crypto-policies/back-ends
+
+# If file exists, remove it
+test -f $configfile && rm -f $configfile
diff --git a/linux_os/guide/system/software/integrity/crypto/harden_sshd_ciphers_opensshserver_conf_crypto_policy/ansible/shared.yml b/linux_os/guide/system/software/integrity/crypto/harden_sshd_ciphers_opensshserver_conf_crypto_policy/ansible/shared.yml
new file mode 100644
index 00000000000..7532ba51639
--- /dev/null
+++ b/linux_os/guide/system/software/integrity/crypto/harden_sshd_ciphers_opensshserver_conf_crypto_policy/ansible/shared.yml
@@ -0,0 +1,45 @@
+# platform = Red Hat Enterprise Linux 8,multi_platform_fedora
+# reboot = true
+# strategy = restrict
+# complexity = low
+# disruption = low
+{{{ ansible_instantiate_variables("sshd_approved_ciphers") }}}
+
+- name: "{{{ rule_title }}}: Set facts"
+  set_fact:
+    path: /etc/crypto-policies/back-ends/opensshserver.config
+    correct_value: "-oCiphers={{ sshd_approved_ciphers }}"
+
+- name: "{{{ rule_title }}}: Stat"
+  stat:
+    path: "{{ path }}"
+    follow: yes
+  register: opensshserver_file
+
+- name: "{{{ rule_title }}}: Create"
+  lineinfile:
+    path: "{{ path }}"
+    line: "{{ correct_value }}"
+    create: yes
+  when: not opensshserver_file.stat.exists or opensshserver_file.stat.size <= correct_value|length
+
+- name: "{{{ rule_title }}}"
+  block:
+    - name: "Existing value check"
+      lineinfile:
+        path: "{{ path }}"
+        create: false
+        regexp: "{{ correct_value }}"
+        state: absent
+      check_mode: true
+      changed_when: false
+      register: opensshserver
+
+    - name: "Update/Correct value"
+      replace:
+        path: "{{ path }}"
+        regexp: (-oCiphers=\S+)
+        replace: "{{ correct_value }}"
+      when: opensshserver.found is defined and opensshserver.found != 1
+
+  when: opensshserver_file.stat.exists and opensshserver_file.stat.size > correct_value|length
diff --git a/linux_os/guide/system/software/integrity/crypto/harden_sshd_ciphers_opensshserver_conf_crypto_policy/bash/shared.sh b/linux_os/guide/system/software/integrity/crypto/harden_sshd_ciphers_opensshserver_conf_crypto_policy/bash/shared.sh
new file mode 100644
index 00000000000..1bc022f93b6
--- /dev/null
+++ b/linux_os/guide/system/software/integrity/crypto/harden_sshd_ciphers_opensshserver_conf_crypto_policy/bash/shared.sh
@@ -0,0 +1,25 @@
+# platform = Red Hat Enterprise Linux 8,multi_platform_fedora
+. /usr/share/scap-security-guide/remediation_functions
+{{{ bash_instantiate_variables("sshd_approved_ciphers") }}}
+
+CONF_FILE=/etc/crypto-policies/back-ends/opensshserver.config
+correct_value="-oCiphers=${sshd_approved_ciphers}"
+
+grep -q ${correct_value} ${CONF_FILE}
+
+if [[ $? -ne 0 ]]; then
+    # We need to get the existing value, using PCRE to maintain same regex
+    existing_value=$(grep -Po '(-oCiphers=\S+)' ${CONF_FILE})
+
+    if [[ ! -z ${existing_value} ]]; then
+        # replace existing_value with correct_value
+        sed -i "s/${existing_value}/${correct_value}/g" ${CONF_FILE}
+    else
+        # ***NOTE*** #
+        # This probably means this file is not here or it's been modified
+        # unintentionally.
+        # ********** #
+        # echo correct_value to end
+        echo ${correct_value} >> ${CONF_FILE}
+    fi
+fi
diff --git a/linux_os/guide/system/software/integrity/crypto/harden_sshd_ciphers_opensshserver_conf_crypto_policy/oval/shared.xml b/linux_os/guide/system/software/integrity/crypto/harden_sshd_ciphers_opensshserver_conf_crypto_policy/oval/shared.xml
new file mode 100644
index 00000000000..92ad7ce3d3f
--- /dev/null
+++ b/linux_os/guide/system/software/integrity/crypto/harden_sshd_ciphers_opensshserver_conf_crypto_policy/oval/shared.xml
@@ -0,0 +1,35 @@
+{{%- set PATH = "/etc/crypto-policies/back-ends/opensshserver.config" -%}}
+<def-group>
+  <definition class="compliance" id="{{{ rule_id }}}" version="1">
+    {{{ oval_metadata("Limit the Message Authentication Codes (Ciphers) to those which are FIPS-approved.") }}}
+    <criteria operator="AND" comment="Test conditions - presence of the file plus.">
+      <criterion comment="Check that {{{ PATH }}} contains FIPS-approved SSHD Ciphers" test_ref="test_{{{ rule_id }}}" />
+    </criteria>
+  </definition>
+
+  <ind:textfilecontent54_test check="all"
+  comment="test the value of Ciphers setting in the {{{ PATH }}} file"
+  id="test_{{{ rule_id }}}" version="1">
+    <ind:object object_ref="obj_{{{ rule_id }}}" />
+    <ind:state state_ref="ste_{{{ rule_id }}}" />
+  </ind:textfilecontent54_test>
+
+  <ind:textfilecontent54_object id="obj_{{{ rule_id }}}" version="1">
+    <ind:filepath>{{{ PATH }}}</ind:filepath>
+    <ind:pattern operation="pattern match">^.*(-oCiphers=\S+).*$</ind:pattern>
+    <ind:instance operation="equals" datatype="int">1</ind:instance>
+  </ind:textfilecontent54_object>
+
+  <ind:textfilecontent54_state id="ste_{{{ rule_id }}}" version="1">
+    <ind:subexpression var_ref="sshd_ciphers_crypto_opensshserver" operation="equals" />
+  </ind:textfilecontent54_state>
+
+  <local_variable id="sshd_ciphers_crypto_opensshserver" datatype="string" comment="The regex of the directive" version="1">
+    <concat>
+      <literal_component>-oCiphers=</literal_component>
+      <variable_component var_ref="sshd_approved_ciphers"/>
+    </concat>
+  </local_variable>
+
+  <external_variable comment="SSH Approved Ciphers by FIPS" datatype="string" id="sshd_approved_ciphers" version="1" />
+</def-group>
diff --git a/linux_os/guide/system/software/integrity/crypto/harden_sshd_ciphers_opensshserver_conf_crypto_policy/rule.yml b/linux_os/guide/system/software/integrity/crypto/harden_sshd_ciphers_opensshserver_conf_crypto_policy/rule.yml
new file mode 100644
index 00000000000..877c6f38db0
--- /dev/null
+++ b/linux_os/guide/system/software/integrity/crypto/harden_sshd_ciphers_opensshserver_conf_crypto_policy/rule.yml
@@ -0,0 +1,62 @@
+documentation_complete: true
+
+prodtype: rhel8
+
+title: 'Configure SSH Daemon to Use FIPS 140-2 Validated MACs: opensshserver.config'
+
+description: |-
+    Crypto Policies provide a centralized control over crypto algorithms usage of many packages.
+    OpenSSH is supported by system crypto policy, but the OpenSSH configuration may be
+    set up incorrectly.
+
+    To check that Crypto Policies settings for ciphers are configured correctly, ensure that
+    <tt>/etc/crypto-policies/back-ends/opensshserver.config</tt> contains the following
+    text and is not commented out:
+    <pre>-oCiphers={{{ xccdf_value("sshd_approved_ciphers") }}}</pre>
+
+rationale: |-
+    Overriding the system crypto policy makes the behavior of the OpenSSH daemon
+    violate expectations, and makes system configuration more fragmented. By
+    specifying a cipher list with the order of ciphers being in a “strongest to
+    weakest” orientation, the system will automatically attempt to use the
+    strongest cipher for securing SSH connections.
+
+severity: medium
+
+identifiers:
+    cce@rhel8: CCE-85871-2
+
+references:
+    nist: AC-17(2)
+    srg: SRG-OS-000250-GPOS-00093
+    disa: CCI-001453
+    stigid@rhel8: RHEL-08-010290
+
+ocil_clause: 'Crypto Policy for OpenSSH Server is not configured correctly'
+
+ocil: |-
+    To verify if the OpenSSH daemon uses defined MACs in the Crypto Policy, run:
+    <pre>$ grep -Po '(-oCiphers=\S+)' /etc/crypto-policies/back-ends/opensshserver.config</pre>
+    and verify that the line matches:
+    <pre>-oCiphers={{{ xccdf_value("sshd_approved_ciphers") }}}</pre>
+
+warnings:
+    - general: |-
+        The system needs to be rebooted for these changes to take effect.
+    - regulatory: |-
+        System Crypto Modules must be provided by a vendor that undergoes
+        FIPS-140 certifications.
+        FIPS-140 is applicable to all Federal agencies that use
+        cryptographic-based security systems to protect sensitive information
+        in computer and telecommunication systems (including voice systems) as
+        defined in Section 5131 of the Information Technology Management Reform
+        Act of 1996, Public Law 104-106. This standard shall be used in
+        designing and implementing cryptographic modules that Federal
+        departments and agencies operate or are operated for them under
+        contract. See <b>{{{ weblink(link="https://nvlpubs.nist.gov/nistpubs/FIPS/NIST.FIPS.140-2.pdf") }}}</b>
+        To meet this, the system has to have cryptographic software provided by
+        a vendor that has undergone this certification. This means providing
+        documentation, test results, design information, and independent third
+        party review by an accredited lab. While open source software is
+        capable of meeting this, it does not meet FIPS-140 unless the vendor
+        submits to this process.
diff --git a/linux_os/guide/system/software/integrity/crypto/harden_sshd_ciphers_opensshserver_conf_crypto_policy/tests/rhel8_stig_correct.pass.sh b/linux_os/guide/system/software/integrity/crypto/harden_sshd_ciphers_opensshserver_conf_crypto_policy/tests/rhel8_stig_correct.pass.sh
new file mode 100644
index 00000000000..1a8911d523c
--- /dev/null
+++ b/linux_os/guide/system/software/integrity/crypto/harden_sshd_ciphers_opensshserver_conf_crypto_policy/tests/rhel8_stig_correct.pass.sh
@@ -0,0 +1,17 @@
+#!/bin/bash
+# platform = Red Hat Enterprise Linux 8
+# profiles = xccdf_org.ssgproject.content_profile_stig
+
+sshd_approved_ciphers=aes256-ctr,aes192-ctr,aes128-ctr
+configfile=/etc/crypto-policies/back-ends/opensshserver.config
+correct_value="-oCiphers=${sshd_approved_ciphers}"
+
+# Ensure directory + file is there
+test -d /etc/crypto-policies/back-ends || mkdir -p /etc/crypto-policies/back-ends
+
+# Proceed when file exists
+if [[ -f $configfile ]]; then
+    sed -i -r "s/-oCiphers=\S+/${correct_value}/" $configfile
+else
+    echo "${correct_value}" > "$configfile"
+fi
diff --git a/linux_os/guide/system/software/integrity/crypto/harden_sshd_ciphers_opensshserver_conf_crypto_policy/tests/rhel8_stig_empty_policy.fail.sh b/linux_os/guide/system/software/integrity/crypto/harden_sshd_ciphers_opensshserver_conf_crypto_policy/tests/rhel8_stig_empty_policy.fail.sh
new file mode 100644
index 00000000000..3dde1479296
--- /dev/null
+++ b/linux_os/guide/system/software/integrity/crypto/harden_sshd_ciphers_opensshserver_conf_crypto_policy/tests/rhel8_stig_empty_policy.fail.sh
@@ -0,0 +1,7 @@
+#!/bin/bash
+# platform = Red Hat Enterprise Linux 8
+# profiles = xccdf_org.ssgproject.content_profile_stig
+
+configfile=/etc/crypto-policies/back-ends/opensshserver.config
+
+echo "" > "$configfile"
diff --git a/linux_os/guide/system/software/integrity/crypto/harden_sshd_ciphers_opensshserver_conf_crypto_policy/tests/rhel8_stig_incorrect_policy.fail.sh b/linux_os/guide/system/software/integrity/crypto/harden_sshd_ciphers_opensshserver_conf_crypto_policy/tests/rhel8_stig_incorrect_policy.fail.sh
new file mode 100644
index 00000000000..f97f54db502
--- /dev/null
+++ b/linux_os/guide/system/software/integrity/crypto/harden_sshd_ciphers_opensshserver_conf_crypto_policy/tests/rhel8_stig_incorrect_policy.fail.sh
@@ -0,0 +1,14 @@
+#!/bin/bash
+# platform = Red Hat Enterprise Linux 8
+# profiles = xccdf_org.ssgproject.content_profile_stig
+
+configfile=/etc/crypto-policies/back-ends/opensshserver.config
+
+# Ensure directory + file is there
+test -d /etc/crypto-policies/back-ends || mkdir -p /etc/crypto-policies/back-ends
+
+if [[ -f $configfile ]]; then
+    sed -i -r "s/-oCiphers=\S+/-oCiphers=aes256-gcm@openssh.com,chacha20-poly1305@openssh.com,aes256-ctr,aes256-cbc/" $configfile
+else
+    echo "-oCiphers=aes256-gcm@openssh.com,chacha20-poly1305@openssh.com,aes256-ctr,aes256-cbc" > "$configfile"
+fi
diff --git a/linux_os/guide/system/software/integrity/crypto/harden_sshd_ciphers_opensshserver_conf_crypto_policy/tests/rhel8_stig_missing_file.fail.sh b/linux_os/guide/system/software/integrity/crypto/harden_sshd_ciphers_opensshserver_conf_crypto_policy/tests/rhel8_stig_missing_file.fail.sh
new file mode 100644
index 00000000000..11e596ced87
--- /dev/null
+++ b/linux_os/guide/system/software/integrity/crypto/harden_sshd_ciphers_opensshserver_conf_crypto_policy/tests/rhel8_stig_missing_file.fail.sh
@@ -0,0 +1,11 @@
+#!/bin/bash
+# platform = Red Hat Enterprise Linux 8
+# profiles = xccdf_org.ssgproject.content_profile_stig
+
+configfile=/etc/crypto-policies/back-ends/opensshserver.config
+
+# Ensure directory + file is there
+test -d /etc/crypto-policies/back-ends || mkdir -p /etc/crypto-policies/back-ends
+
+# If file exists, remove it
+test -f $configfile && rm -f $configfile
diff --git a/products/rhel8/profiles/stig.profile b/products/rhel8/profiles/stig.profile
index 28b47cca487..a3783efafd6 100644
--- a/products/rhel8/profiles/stig.profile
+++ b/products/rhel8/profiles/stig.profile
@@ -50,7 +50,11 @@ selections:
     - var_password_pam_retry=3
     - var_password_pam_minlen=15
     - var_sshd_set_keepalive=0
+<<<<<<< HEAD
     - sshd_approved_macs=stig
+=======
+    - sshd_approved_ciphers=stig
+>>>>>>> 4d62df6b2 (New rules for RHEL-08-010291)
     - sshd_idle_timeout_value=10_minutes
     - var_accounts_passwords_pam_faillock_deny=3
     - var_accounts_passwords_pam_faillock_fail_interval=900
@@ -185,6 +189,8 @@ selections:
     - harden_sshd_macs_opensshserver_conf_crypto_policy
 
     # RHEL-08-010291
+    - harden_sshd_ciphers_openssh_conf_crypto_policy
+    - harden_sshd_ciphers_opensshserver_conf_crypto_policy
 
     # RHEL-08-010292
     - sshd_use_strong_rng
diff --git a/tests/data/profile_stability/rhel8/stig.profile b/tests/data/profile_stability/rhel8/stig.profile
index 393051a34ea..05335cc38fb 100644
--- a/tests/data/profile_stability/rhel8/stig.profile
+++ b/tests/data/profile_stability/rhel8/stig.profile
@@ -147,6 +147,8 @@ selections:
 - grub2_vsyscall_argument
 - harden_sshd_macs_openssh_conf_crypto_policy
 - harden_sshd_macs_opensshserver_conf_crypto_policy
+- harden_sshd_ciphers_openssh_conf_crypto_policy
+- harden_sshd_ciphers_opensshserver_conf_crypto_policy
 - install_smartcard_packages
 - installed_OS_is_vendor_supported
 - kerberos_disable_no_keytab
@@ -328,6 +330,7 @@ selections:
 - var_password_pam_retry=3
 - var_sshd_set_keepalive=0
 - sshd_approved_macs=stig
+- sshd_approved_ciphers=stig
 - sshd_idle_timeout_value=10_minutes
 - var_accounts_passwords_pam_faillock_deny=3
 - var_accounts_passwords_pam_faillock_fail_interval=900
diff --git a/tests/data/profile_stability/rhel8/stig_gui.profile b/tests/data/profile_stability/rhel8/stig_gui.profile
index de82fb34518..a0adc835a0d 100644
--- a/tests/data/profile_stability/rhel8/stig_gui.profile
+++ b/tests/data/profile_stability/rhel8/stig_gui.profile
@@ -158,6 +158,8 @@ selections:
 - grub2_vsyscall_argument
 - harden_sshd_macs_openssh_conf_crypto_policy
 - harden_sshd_macs_opensshserver_conf_crypto_policy
+- harden_sshd_ciphers_openssh_conf_crypto_policy
+- harden_sshd_ciphers_opensshserver_conf_crypto_policy
 - install_smartcard_packages
 - installed_OS_is_vendor_supported
 - kerberos_disable_no_keytab
@@ -338,6 +340,7 @@ selections:
 - var_password_pam_retry=3
 - var_sshd_set_keepalive=0
 - sshd_approved_macs=stig
+- sshd_approved_ciphers=stig
 - sshd_idle_timeout_value=10_minutes
 - var_accounts_passwords_pam_faillock_deny=3
 - var_accounts_passwords_pam_faillock_fail_interval=900

From c943e715615de1aa957d62d239e532f86ef0959e Mon Sep 17 00:00:00 2001
From: Carlos Matos <cmatos@redhat.com>
Date: Tue, 29 Jun 2021 14:04:49 -0400
Subject: [PATCH 2/5] replaced MACs with Ciphers

---
 .../ansible/shared.yml                                          | 2 +-
 .../oval/shared.xml                                             | 2 +-
 .../oval/shared.xml                                             | 2 +-
 3 files changed, 3 insertions(+), 3 deletions(-)

diff --git a/linux_os/guide/system/software/integrity/crypto/harden_sshd_ciphers_openssh_conf_crypto_policy/ansible/shared.yml b/linux_os/guide/system/software/integrity/crypto/harden_sshd_ciphers_openssh_conf_crypto_policy/ansible/shared.yml
index badb5896cf2..956a19f3025 100644
--- a/linux_os/guide/system/software/integrity/crypto/harden_sshd_ciphers_openssh_conf_crypto_policy/ansible/shared.yml
+++ b/linux_os/guide/system/software/integrity/crypto/harden_sshd_ciphers_openssh_conf_crypto_policy/ansible/shared.yml
@@ -6,7 +6,7 @@
 {{{ ansible_instantiate_variables("sshd_approved_ciphers") }}}
 
 {{{ ansible_set_config_file(
-        msg='Configure SSH Daemon to Use FIPS 140-2 Validated MACs: openssh.config',
+        msg='Configure SSH Daemon to Use FIPS 140-2 Validated Ciphers: openssh.config',
         file='/etc/crypto-policies/back-ends/openssh.config',
         parameter='Ciphers',
         value="{{ sshd_approved_ciphers }}",
diff --git a/linux_os/guide/system/software/integrity/crypto/harden_sshd_ciphers_openssh_conf_crypto_policy/oval/shared.xml b/linux_os/guide/system/software/integrity/crypto/harden_sshd_ciphers_openssh_conf_crypto_policy/oval/shared.xml
index 1879e77398b..9b3b4f1995d 100644
--- a/linux_os/guide/system/software/integrity/crypto/harden_sshd_ciphers_openssh_conf_crypto_policy/oval/shared.xml
+++ b/linux_os/guide/system/software/integrity/crypto/harden_sshd_ciphers_openssh_conf_crypto_policy/oval/shared.xml
@@ -1,7 +1,7 @@
 {{%- set PATH = "/etc/crypto-policies/back-ends/openssh.config" -%}}
 <def-group>
   <definition class="compliance" id="{{{ rule_id }}}" version="1">
-    {{{ oval_metadata("Limit the Message Authentication Codes (MACs) to those which are FIPS-approved.") }}}
+    {{{ oval_metadata("Limit the Ciphers to those which are FIPS-approved.") }}}
     <criteria operator="AND" comment="Test conditions - presence of the file plus.">
       <criterion comment="Check that {{{ PATH }}} contains FIPS-approved SSHD Ciphers" test_ref="test_{{{ rule_id }}}" />
     </criteria>
diff --git a/linux_os/guide/system/software/integrity/crypto/harden_sshd_ciphers_opensshserver_conf_crypto_policy/oval/shared.xml b/linux_os/guide/system/software/integrity/crypto/harden_sshd_ciphers_opensshserver_conf_crypto_policy/oval/shared.xml
index 92ad7ce3d3f..3afbc1619a4 100644
--- a/linux_os/guide/system/software/integrity/crypto/harden_sshd_ciphers_opensshserver_conf_crypto_policy/oval/shared.xml
+++ b/linux_os/guide/system/software/integrity/crypto/harden_sshd_ciphers_opensshserver_conf_crypto_policy/oval/shared.xml
@@ -1,7 +1,7 @@
 {{%- set PATH = "/etc/crypto-policies/back-ends/opensshserver.config" -%}}
 <def-group>
   <definition class="compliance" id="{{{ rule_id }}}" version="1">
-    {{{ oval_metadata("Limit the Message Authentication Codes (Ciphers) to those which are FIPS-approved.") }}}
+    {{{ oval_metadata("Limit the Ciphers to those which are FIPS-approved.") }}}
     <criteria operator="AND" comment="Test conditions - presence of the file plus.">
       <criterion comment="Check that {{{ PATH }}} contains FIPS-approved SSHD Ciphers" test_ref="test_{{{ rule_id }}}" />
     </criteria>

From 26383895dfffc5e643295301c052ccd3d77cb906 Mon Sep 17 00:00:00 2001
From: Carlos Matos <cmatos@redhat.com>
Date: Mon, 19 Jul 2021 09:33:38 -0400
Subject: [PATCH 3/5] Fixed issue with oval not checking for commented out
 line, and updated remediations

---
 .../rule.yml                                           |  8 ++++----
 .../ansible/shared.yml                                 |  2 +-
 .../bash/shared.sh                                     | 10 ++++++++--
 .../oval/shared.xml                                    |  2 +-
 .../rule.yml                                           |  6 +++---
 5 files changed, 17 insertions(+), 11 deletions(-)

diff --git a/linux_os/guide/system/software/integrity/crypto/harden_sshd_ciphers_openssh_conf_crypto_policy/rule.yml b/linux_os/guide/system/software/integrity/crypto/harden_sshd_ciphers_openssh_conf_crypto_policy/rule.yml
index cd1553dbdb3..d626ec6e260 100644
--- a/linux_os/guide/system/software/integrity/crypto/harden_sshd_ciphers_openssh_conf_crypto_policy/rule.yml
+++ b/linux_os/guide/system/software/integrity/crypto/harden_sshd_ciphers_openssh_conf_crypto_policy/rule.yml
@@ -2,7 +2,7 @@ documentation_complete: true
 
 prodtype: fedora,rhel8
 
-title: 'Configure SSH Daemon to Use FIPS 140-2 Validated Ciphers: openssh.config'
+title: 'Configure SSH Client to Use FIPS 140-2 Validated Ciphers: openssh.config'
 
 description: |-
     Crypto Policies provide a centralized control over crypto algorithms usage of many packages.
@@ -15,7 +15,7 @@ description: |-
     <pre>Ciphers {{{ xccdf_value("sshd_approved_ciphers") }}}</pre>
 
 rationale: |-
-    Overriding the system crypto policy makes the behavior of the OpenSSH daemon
+    Overriding the system crypto policy makes the behavior of the OpenSSH client
     violate expectations, and makes system configuration more fragmented. By
     specifying a cipher list with the order of ciphers being in a “strongest to
     weakest” orientation, the system will automatically attempt to use the
@@ -32,10 +32,10 @@ references:
     disa: CCI-001453
     stigid@rhel8: RHEL-08-010291
 
-ocil_clause: 'Crypto Policy for OpenSSH Server is not configured correctly'
+ocil_clause: 'Crypto Policy for OpenSSH client is not configured correctly'
 
 ocil: |-
-    To verify if the OpenSSH daemon uses defined Cipher suite in the Crypto Policy, run:
+    To verify if the OpenSSH client uses defined Cipher suite in the Crypto Policy, run:
     <pre>$ grep -i ciphers /etc/crypto-policies/back-ends/openssh.config</pre>
     and verify that the line matches:
     <pre>Ciphers {{{ xccdf_value("sshd_approved_ciphers") }}}</pre>
diff --git a/linux_os/guide/system/software/integrity/crypto/harden_sshd_ciphers_opensshserver_conf_crypto_policy/ansible/shared.yml b/linux_os/guide/system/software/integrity/crypto/harden_sshd_ciphers_opensshserver_conf_crypto_policy/ansible/shared.yml
index 7532ba51639..3e637f37e69 100644
--- a/linux_os/guide/system/software/integrity/crypto/harden_sshd_ciphers_opensshserver_conf_crypto_policy/ansible/shared.yml
+++ b/linux_os/guide/system/software/integrity/crypto/harden_sshd_ciphers_opensshserver_conf_crypto_policy/ansible/shared.yml
@@ -19,7 +19,7 @@
 - name: "{{{ rule_title }}}: Create"
   lineinfile:
     path: "{{ path }}"
-    line: "{{ correct_value }}"
+    line: "CRYPTO_POLICY='{{ correct_value }}'"
     create: yes
   when: not opensshserver_file.stat.exists or opensshserver_file.stat.size <= correct_value|length
 
diff --git a/linux_os/guide/system/software/integrity/crypto/harden_sshd_ciphers_opensshserver_conf_crypto_policy/bash/shared.sh b/linux_os/guide/system/software/integrity/crypto/harden_sshd_ciphers_opensshserver_conf_crypto_policy/bash/shared.sh
index 1bc022f93b6..eaa4463caad 100644
--- a/linux_os/guide/system/software/integrity/crypto/harden_sshd_ciphers_opensshserver_conf_crypto_policy/bash/shared.sh
+++ b/linux_os/guide/system/software/integrity/crypto/harden_sshd_ciphers_opensshserver_conf_crypto_policy/bash/shared.sh
@@ -5,7 +5,13 @@
 CONF_FILE=/etc/crypto-policies/back-ends/opensshserver.config
 correct_value="-oCiphers=${sshd_approved_ciphers}"
 
-grep -q ${correct_value} ${CONF_FILE}
+# Test if file exists
+test -f ${CONF_FILE} || touch ${CONF_FILE}
+
+# Ensure CRYPTO_POLICY is not commented out
+sed -i 's/#CRYPTO_POLICY=/CRYPTO_POLICY=/' ${CONF_FILE}
+
+grep -q "'${correct_value}'" ${CONF_FILE}
 
 if [[ $? -ne 0 ]]; then
     # We need to get the existing value, using PCRE to maintain same regex
@@ -20,6 +26,6 @@ if [[ $? -ne 0 ]]; then
         # unintentionally.
         # ********** #
         # echo correct_value to end
-        echo ${correct_value} >> ${CONF_FILE}
+        echo "CRYPTO_POLICY='${correct_value}'" >> ${CONF_FILE}
     fi
 fi
diff --git a/linux_os/guide/system/software/integrity/crypto/harden_sshd_ciphers_opensshserver_conf_crypto_policy/oval/shared.xml b/linux_os/guide/system/software/integrity/crypto/harden_sshd_ciphers_opensshserver_conf_crypto_policy/oval/shared.xml
index 3afbc1619a4..53919eaae7f 100644
--- a/linux_os/guide/system/software/integrity/crypto/harden_sshd_ciphers_opensshserver_conf_crypto_policy/oval/shared.xml
+++ b/linux_os/guide/system/software/integrity/crypto/harden_sshd_ciphers_opensshserver_conf_crypto_policy/oval/shared.xml
@@ -16,7 +16,7 @@
 
   <ind:textfilecontent54_object id="obj_{{{ rule_id }}}" version="1">
     <ind:filepath>{{{ PATH }}}</ind:filepath>
-    <ind:pattern operation="pattern match">^.*(-oCiphers=\S+).*$</ind:pattern>
+    <ind:pattern operation="pattern match">^(?!#).*(-oCiphers=\S+).*$</ind:pattern>
     <ind:instance operation="equals" datatype="int">1</ind:instance>
   </ind:textfilecontent54_object>
 
diff --git a/linux_os/guide/system/software/integrity/crypto/harden_sshd_ciphers_opensshserver_conf_crypto_policy/rule.yml b/linux_os/guide/system/software/integrity/crypto/harden_sshd_ciphers_opensshserver_conf_crypto_policy/rule.yml
index 877c6f38db0..0aac8e2038d 100644
--- a/linux_os/guide/system/software/integrity/crypto/harden_sshd_ciphers_opensshserver_conf_crypto_policy/rule.yml
+++ b/linux_os/guide/system/software/integrity/crypto/harden_sshd_ciphers_opensshserver_conf_crypto_policy/rule.yml
@@ -2,7 +2,7 @@ documentation_complete: true
 
 prodtype: rhel8
 
-title: 'Configure SSH Daemon to Use FIPS 140-2 Validated MACs: opensshserver.config'
+title: 'Configure SSH Server to Use FIPS 140-2 Validated MACs: opensshserver.config'
 
 description: |-
     Crypto Policies provide a centralized control over crypto algorithms usage of many packages.
@@ -15,7 +15,7 @@ description: |-
     <pre>-oCiphers={{{ xccdf_value("sshd_approved_ciphers") }}}</pre>
 
 rationale: |-
-    Overriding the system crypto policy makes the behavior of the OpenSSH daemon
+    Overriding the system crypto policy makes the behavior of the OpenSSH server
     violate expectations, and makes system configuration more fragmented. By
     specifying a cipher list with the order of ciphers being in a “strongest to
     weakest” orientation, the system will automatically attempt to use the
@@ -35,7 +35,7 @@ references:
 ocil_clause: 'Crypto Policy for OpenSSH Server is not configured correctly'
 
 ocil: |-
-    To verify if the OpenSSH daemon uses defined MACs in the Crypto Policy, run:
+    To verify if the OpenSSH server uses defined MACs in the Crypto Policy, run:
     <pre>$ grep -Po '(-oCiphers=\S+)' /etc/crypto-policies/back-ends/opensshserver.config</pre>
     and verify that the line matches:
     <pre>-oCiphers={{{ xccdf_value("sshd_approved_ciphers") }}}</pre>

From 7967125f58de7e6843002d674fab90c4429452f3 Mon Sep 17 00:00:00 2001
From: Carlos Matos <cmatos@redhat.com>
Date: Mon, 19 Jul 2021 09:53:28 -0400
Subject: [PATCH 4/5] Replace MACs verbiage with ciphers

---
 .../rule.yml                                                  | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/linux_os/guide/system/software/integrity/crypto/harden_sshd_ciphers_opensshserver_conf_crypto_policy/rule.yml b/linux_os/guide/system/software/integrity/crypto/harden_sshd_ciphers_opensshserver_conf_crypto_policy/rule.yml
index 0aac8e2038d..81ee763831d 100644
--- a/linux_os/guide/system/software/integrity/crypto/harden_sshd_ciphers_opensshserver_conf_crypto_policy/rule.yml
+++ b/linux_os/guide/system/software/integrity/crypto/harden_sshd_ciphers_opensshserver_conf_crypto_policy/rule.yml
@@ -2,7 +2,7 @@ documentation_complete: true
 
 prodtype: rhel8
 
-title: 'Configure SSH Server to Use FIPS 140-2 Validated MACs: opensshserver.config'
+title: 'Configure SSH Server to Use FIPS 140-2 Validated Ciphers: opensshserver.config'
 
 description: |-
     Crypto Policies provide a centralized control over crypto algorithms usage of many packages.
@@ -35,7 +35,7 @@ references:
 ocil_clause: 'Crypto Policy for OpenSSH Server is not configured correctly'
 
 ocil: |-
-    To verify if the OpenSSH server uses defined MACs in the Crypto Policy, run:
+    To verify if the OpenSSH server uses defined ciphers in the Crypto Policy, run:
     <pre>$ grep -Po '(-oCiphers=\S+)' /etc/crypto-policies/back-ends/opensshserver.config</pre>
     and verify that the line matches:
     <pre>-oCiphers={{{ xccdf_value("sshd_approved_ciphers") }}}</pre>

From ab21f2d59db725f07b70e3e748ebc96c34e23b79 Mon Sep 17 00:00:00 2001
From: Carlos Matos <cmatos@redhat.com>
Date: Tue, 20 Jul 2021 09:01:50 -0400
Subject: [PATCH 5/5] Sorted refs, updated test scenario, fixed duplicate CCE

---
 .../harden_sshd_ciphers_openssh_conf_crypto_policy/rule.yml   | 4 ++--
 .../stig_incorrect_followed_by_correct_commented.fail.sh      | 2 +-
 .../rule.yml                                                  | 4 ++--
 products/rhel8/profiles/stig.profile                          | 3 ---
 shared/references/cce-redhat-avail.txt                        | 2 --
 tests/data/profile_stability/rhel8/stig.profile               | 4 ++--
 tests/data/profile_stability/rhel8/stig_gui.profile           | 4 ++--
 7 files changed, 9 insertions(+), 14 deletions(-)

diff --git a/linux_os/guide/system/software/integrity/crypto/harden_sshd_ciphers_openssh_conf_crypto_policy/rule.yml b/linux_os/guide/system/software/integrity/crypto/harden_sshd_ciphers_openssh_conf_crypto_policy/rule.yml
index d626ec6e260..0aa310d9245 100644
--- a/linux_os/guide/system/software/integrity/crypto/harden_sshd_ciphers_openssh_conf_crypto_policy/rule.yml
+++ b/linux_os/guide/system/software/integrity/crypto/harden_sshd_ciphers_openssh_conf_crypto_policy/rule.yml
@@ -24,12 +24,12 @@ rationale: |-
 severity: medium
 
 identifiers:
-    cce@rhel8: CCE-85870-4
+    cce@rhel8: CCE-85902-5
 
 references:
+    disa: CCI-001453
     nist: AC-17(2)
     srg: SRG-OS-000250-GPOS-00093
-    disa: CCI-001453
     stigid@rhel8: RHEL-08-010291
 
 ocil_clause: 'Crypto Policy for OpenSSH client is not configured correctly'
diff --git a/linux_os/guide/system/software/integrity/crypto/harden_sshd_ciphers_openssh_conf_crypto_policy/tests/stig_incorrect_followed_by_correct_commented.fail.sh b/linux_os/guide/system/software/integrity/crypto/harden_sshd_ciphers_openssh_conf_crypto_policy/tests/stig_incorrect_followed_by_correct_commented.fail.sh
index 195f5e8d8ed..6ad1f4fd0f3 100644
--- a/linux_os/guide/system/software/integrity/crypto/harden_sshd_ciphers_openssh_conf_crypto_policy/tests/stig_incorrect_followed_by_correct_commented.fail.sh
+++ b/linux_os/guide/system/software/integrity/crypto/harden_sshd_ciphers_openssh_conf_crypto_policy/tests/stig_incorrect_followed_by_correct_commented.fail.sh
@@ -16,4 +16,4 @@ else
 fi
 
 # follow up with correct value
-echo "Ciphers ${sshd_approved_ciphers}" >> $configfile
+echo "#Ciphers ${sshd_approved_ciphers}" >> $configfile
diff --git a/linux_os/guide/system/software/integrity/crypto/harden_sshd_ciphers_opensshserver_conf_crypto_policy/rule.yml b/linux_os/guide/system/software/integrity/crypto/harden_sshd_ciphers_opensshserver_conf_crypto_policy/rule.yml
index 81ee763831d..b56f2421f22 100644
--- a/linux_os/guide/system/software/integrity/crypto/harden_sshd_ciphers_opensshserver_conf_crypto_policy/rule.yml
+++ b/linux_os/guide/system/software/integrity/crypto/harden_sshd_ciphers_opensshserver_conf_crypto_policy/rule.yml
@@ -24,12 +24,12 @@ rationale: |-
 severity: medium
 
 identifiers:
-    cce@rhel8: CCE-85871-2
+    cce@rhel8: CCE-85897-7
 
 references:
+    disa: CCI-001453
     nist: AC-17(2)
     srg: SRG-OS-000250-GPOS-00093
-    disa: CCI-001453
     stigid@rhel8: RHEL-08-010290
 
 ocil_clause: 'Crypto Policy for OpenSSH Server is not configured correctly'
diff --git a/products/rhel8/profiles/stig.profile b/products/rhel8/profiles/stig.profile
index a3783efafd6..7270a8f91f2 100644
--- a/products/rhel8/profiles/stig.profile
+++ b/products/rhel8/profiles/stig.profile
@@ -50,11 +50,8 @@ selections:
     - var_password_pam_retry=3
     - var_password_pam_minlen=15
     - var_sshd_set_keepalive=0
-<<<<<<< HEAD
     - sshd_approved_macs=stig
-=======
     - sshd_approved_ciphers=stig
->>>>>>> 4d62df6b2 (New rules for RHEL-08-010291)
     - sshd_idle_timeout_value=10_minutes
     - var_accounts_passwords_pam_faillock_deny=3
     - var_accounts_passwords_pam_faillock_fail_interval=900
diff --git a/shared/references/cce-redhat-avail.txt b/shared/references/cce-redhat-avail.txt
index 036d34cea1d..665f903ead4 100644
--- a/shared/references/cce-redhat-avail.txt
+++ b/shared/references/cce-redhat-avail.txt
@@ -33,11 +33,9 @@ CCE-85892-8
 CCE-85893-6
 CCE-85895-1
 CCE-85896-9
-CCE-85897-7
 CCE-85898-5
 CCE-85900-9
 CCE-85901-7
-CCE-85902-5
 CCE-85903-3
 CCE-85904-1
 CCE-85905-8
diff --git a/tests/data/profile_stability/rhel8/stig.profile b/tests/data/profile_stability/rhel8/stig.profile
index 05335cc38fb..7d59cfff625 100644
--- a/tests/data/profile_stability/rhel8/stig.profile
+++ b/tests/data/profile_stability/rhel8/stig.profile
@@ -145,10 +145,10 @@ selections:
 - grub2_uefi_admin_username
 - grub2_uefi_password
 - grub2_vsyscall_argument
-- harden_sshd_macs_openssh_conf_crypto_policy
-- harden_sshd_macs_opensshserver_conf_crypto_policy
 - harden_sshd_ciphers_openssh_conf_crypto_policy
 - harden_sshd_ciphers_opensshserver_conf_crypto_policy
+- harden_sshd_macs_openssh_conf_crypto_policy
+- harden_sshd_macs_opensshserver_conf_crypto_policy
 - install_smartcard_packages
 - installed_OS_is_vendor_supported
 - kerberos_disable_no_keytab
diff --git a/tests/data/profile_stability/rhel8/stig_gui.profile b/tests/data/profile_stability/rhel8/stig_gui.profile
index a0adc835a0d..2c2daad6f6d 100644
--- a/tests/data/profile_stability/rhel8/stig_gui.profile
+++ b/tests/data/profile_stability/rhel8/stig_gui.profile
@@ -156,10 +156,10 @@ selections:
 - grub2_uefi_admin_username
 - grub2_uefi_password
 - grub2_vsyscall_argument
-- harden_sshd_macs_openssh_conf_crypto_policy
-- harden_sshd_macs_opensshserver_conf_crypto_policy
 - harden_sshd_ciphers_openssh_conf_crypto_policy
 - harden_sshd_ciphers_opensshserver_conf_crypto_policy
+- harden_sshd_macs_openssh_conf_crypto_policy
+- harden_sshd_macs_opensshserver_conf_crypto_policy
 - install_smartcard_packages
 - installed_OS_is_vendor_supported
 - kerberos_disable_no_keytab