diff --git a/SOURCES/scap-security-guide-0.1.51-parametrize-ssh-PR5772.patch b/SOURCES/scap-security-guide-0.1.51-parametrize-ssh-PR5772.patch
new file mode 100644
index 0000000..77a9e01
--- /dev/null
+++ b/SOURCES/scap-security-guide-0.1.51-parametrize-ssh-PR5772.patch
@@ -0,0 +1,383 @@
+From 91c7ff65572b51b52eaf14f3b147b118dc85cc9f Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Mat=C4=9Bj=20T=C3=BD=C4=8D?= <matyc@redhat.com>
+Date: Tue, 19 May 2020 15:49:34 +0200
+Subject: [PATCH 1/5] Made the rule sshd_rekey_limit parametrized.
+
+Introduce the rekey_limit_size and rekey_limit_time XCCDF values
+to make the rule more flexible.
+---
+ .../sshd_rekey_limit/bash/shared.sh           |  9 ++++
+ .../sshd_rekey_limit/oval/shared.xml          | 43 +++++++++++++++++++
+ .../ssh/ssh_server/sshd_rekey_limit/rule.yml  | 12 +-----
+ .../sshd_rekey_limit/tests/bad_size.fail.sh   |  4 ++
+ .../sshd_rekey_limit/tests/bad_time.fail.sh   |  4 ++
+ .../sshd_rekey_limit/tests/no_line.fail.sh    |  3 ++
+ .../sshd_rekey_limit/tests/ok.pass.sh         |  4 ++
+ .../ssh/ssh_server/var_rekey_limit_size.var   | 14 ++++++
+ .../ssh/ssh_server/var_rekey_limit_time.var   | 14 ++++++
+ rhel8/profiles/ospp.profile                   |  2 +
+ 10 files changed, 99 insertions(+), 10 deletions(-)
+ create mode 100644 linux_os/guide/services/ssh/ssh_server/sshd_rekey_limit/bash/shared.sh
+ create mode 100644 linux_os/guide/services/ssh/ssh_server/sshd_rekey_limit/oval/shared.xml
+ create mode 100644 linux_os/guide/services/ssh/ssh_server/sshd_rekey_limit/tests/bad_size.fail.sh
+ create mode 100644 linux_os/guide/services/ssh/ssh_server/sshd_rekey_limit/tests/bad_time.fail.sh
+ create mode 100644 linux_os/guide/services/ssh/ssh_server/sshd_rekey_limit/tests/no_line.fail.sh
+ create mode 100644 linux_os/guide/services/ssh/ssh_server/sshd_rekey_limit/tests/ok.pass.sh
+ create mode 100644 linux_os/guide/services/ssh/ssh_server/var_rekey_limit_size.var
+ create mode 100644 linux_os/guide/services/ssh/ssh_server/var_rekey_limit_time.var
+
+diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_rekey_limit/bash/shared.sh b/linux_os/guide/services/ssh/ssh_server/sshd_rekey_limit/bash/shared.sh
+new file mode 100644
+index 0000000000..2620c2d49e
+--- /dev/null
++++ b/linux_os/guide/services/ssh/ssh_server/sshd_rekey_limit/bash/shared.sh
+@@ -0,0 +1,9 @@
++# platform = multi_platform_all
++
++# Include source function library.
++. /usr/share/scap-security-guide/remediation_functions
++
++populate var_rekey_limit_size
++populate var_rekey_limit_time
++
++{{{ bash_sshd_config_set(parameter='RekeyLimit', value="$var_rekey_limit_size $var_rekey_limit_time") }}}
+diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_rekey_limit/oval/shared.xml b/linux_os/guide/services/ssh/ssh_server/sshd_rekey_limit/oval/shared.xml
+new file mode 100644
+index 0000000000..57aa090948
+--- /dev/null
++++ b/linux_os/guide/services/ssh/ssh_server/sshd_rekey_limit/oval/shared.xml
+@@ -0,0 +1,43 @@
++{{% set filepath = "/etc/ssh/sshd_config" %}}
++{{% set parameter = "RekeyLimit" %}}
++
++
++<def-group>
++  <definition class="compliance" id="{{{ rule_id }}}" version="1">
++    <metadata>
++      <title>{{{ rule_title }}}</title>
++      {{{- oval_affected(products) }}}
++      <description>Ensure '{{{ RekeyLimit }}}' is configured with the correct value in '{{{ filepath }}}'</description>
++    </metadata>
++    <criteria comment="sshd is configured correctly or is not installed" operator="OR">
++        {{{- application_not_required_or_requirement_unset() }}}
++        {{{- application_required_or_requirement_unset() }}}
++        {{{- oval_line_in_file_criterion(filepath, "RekeyLimit") }}}
++    </criteria>
++    </criteria>
++  </definition>
++
++  <ind:textfilecontent54_test check="all" check_existence="all_exist" comment="tests the value of RekeyLimit setting in the  file" id="test_sshd_rekey_limit" version="1">
++     <ind:object object_ref="obj_sshd_rekey_limit"/>
++  </ind:textfilecontent54_test>
++
++  <ind:textfilecontent54_object id="obj_sshd_rekey_limit" version="1">
++     <ind:filepath>{{{ filepath }}}</ind:filepath>
++     <ind:pattern var_ref="sshd_line_regex" operation="pattern match"></ind:pattern>
++     <ind:instance datatype="int" operation="greater than or equal">1</ind:instance>
++  </ind:textfilecontent54_object>
++
++  <local_variable id="sshd_line_regex" datatype="string" comment="The regex of the directive" version="1">
++    <concat>
++      <literal_component>^[\s]*RekeyLimit[\s]+</literal_component>
++      <variable_component var_ref="var_rekey_limit_size"/>
++      <literal_component>[\s]+</literal_component>
++      <variable_component var_ref="var_rekey_limit_time"/>
++      <literal_component>[\s]*$</literal_component>
++    </concat>
++  </local_variable>
++
++  <external_variable comment="Size component of the rekey limit" datatype="string" id="var_rekey_limit_size" version="1" />
++  <external_variable comment="Time component of the rekey limit" datatype="string" id="var_rekey_limit_time" version="1" />
++</def-group>
++
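Review bot: `obj_sshd_rekey_limit` only requires that at least one line match the full `sshd_line_regex`, so the definition passes as soon as any line carries the expected size and time. sshd keeps the first value it reads for a keyword, so an earlier `RekeyLimit` line with a weaker value would probably stay in effect while the scan reports compliance. The literal `RekeyLimit` is also matched case-sensitively, although sshd_config keywords are case-insensitive. Capturing the value of every `RekeyLimit` line and comparing it in a state under `check="all"` closes both gaps, as sketched below. The same pattern appears in `ssh_client_rekey_limit/oval/shared.xml` later in this series.

```xml
<!-- … unchanged: definition, metadata, criteria … -->
  <ind:textfilecontent54_test check="all" check_existence="all_exist" comment="tests the value of RekeyLimit setting in the  file" id="test_sshd_rekey_limit" version="1">
     <ind:object object_ref="obj_sshd_rekey_limit"/>
     <ind:state state_ref="state_sshd_rekey_limit"/>
  </ind:textfilecontent54_test>

  <ind:textfilecontent54_object id="obj_sshd_rekey_limit" version="1">
     <ind:filepath>{{{ filepath }}}</ind:filepath>
     <ind:pattern operation="pattern match">^[\s]*(?i)RekeyLimit(?-i)[\s]+(.*?)[\s]*$</ind:pattern>
     <ind:instance datatype="int" operation="greater than or equal">1</ind:instance>
  </ind:textfilecontent54_object>

  <ind:textfilecontent54_state id="state_sshd_rekey_limit" version="1">
     <ind:subexpression operation="pattern match" var_ref="sshd_line_regex"/>
  </ind:textfilecontent54_state>

  <local_variable id="sshd_line_regex" datatype="string" comment="The regex of the expected value" version="1">
    <concat>
      <literal_component>^</literal_component>
      <variable_component var_ref="var_rekey_limit_size"/>
      <literal_component>[\s]+</literal_component>
      <variable_component var_ref="var_rekey_limit_time"/>
      <literal_component>$</literal_component>
    </concat>
  </local_variable>
<!-- … unchanged: external_variable declarations … -->
```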
+diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_rekey_limit/rule.yml b/linux_os/guide/services/ssh/ssh_server/sshd_rekey_limit/rule.yml
+index e11678faa0..4936a381f5 100644
+--- a/linux_os/guide/services/ssh/ssh_server/sshd_rekey_limit/rule.yml
++++ b/linux_os/guide/services/ssh/ssh_server/sshd_rekey_limit/rule.yml
+@@ -7,7 +7,7 @@ description: |-
+     the session key of the is renegotiated, both in terms of
+     amount of data that may be transmitted and the time
+     elapsed. To decrease the default limits, put line
+-    <tt>RekeyLimit 512M 1h</tt> to file <tt>/etc/ssh/sshd_config</tt>.
++    <tt>RekeyLimit {{{ sub_var_value("var_rekey_limit_size") }}} {{{ sub_var_value("var_rekey_limit_time") }}}</tt> to file <tt>/etc/ssh/sshd_config</tt>.
+ 
+ rationale: |-
+     By decreasing the limit based on the amount of data and enabling
+@@ -30,12 +30,4 @@ ocil: |-
+     following command:
+     <pre>$ sudo grep RekeyLimit /etc/ssh/sshd_config</pre>
+     If configured properly, output should be
+-    <pre>RekeyLimit 512M 1h</pre>
+-
+-template:
+-    name: sshd_lineinfile
+-    vars:
+-        missing_parameter_pass: 'false'
+-        parameter: RekeyLimit
+-        rule_id: sshd_rekey_limit
+-        value: 512M 1h
++    <pre>RekeyLimit {{{ sub_var_value("var_rekey_limit_size") }}} {{{ sub_var_value("var_rekey_limit_time") }}}</pre>
+diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_rekey_limit/tests/bad_size.fail.sh b/linux_os/guide/services/ssh/ssh_server/sshd_rekey_limit/tests/bad_size.fail.sh
+new file mode 100644
+index 0000000000..2ac0bbf350
+--- /dev/null
++++ b/linux_os/guide/services/ssh/ssh_server/sshd_rekey_limit/tests/bad_size.fail.sh
+@@ -0,0 +1,4 @@
++# platform = multi_platform_all
++
++sed -e '/RekeyLimit/d' /etc/ssh/sshd_config
++echo "RekeyLimit 812M 1h" >> /etc/ssh/sshd_config
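Review bot: The `sed -e '/RekeyLimit/d' /etc/ssh/sshd_config` line has no `-i`, so it prints the filtered file to stdout and leaves any existing `RekeyLimit` line in place. The scenario then depends on whatever the image already contains, and since sshd honours the first occurrence, the appended line may not be the effective one. Use `sed -i -e '/RekeyLimit/d' /etc/ssh/sshd_config`. The same line appears in `bad_time.fail.sh`, `no_line.fail.sh` and `ok.pass.sh` of this commit; in `no_line.fail.sh` it is the only command, so that scenario changes nothing at all.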
+diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_rekey_limit/tests/bad_time.fail.sh b/linux_os/guide/services/ssh/ssh_server/sshd_rekey_limit/tests/bad_time.fail.sh
+new file mode 100644
+index 0000000000..fec859fe05
+--- /dev/null
++++ b/linux_os/guide/services/ssh/ssh_server/sshd_rekey_limit/tests/bad_time.fail.sh
+@@ -0,0 +1,4 @@
++# platform = multi_platform_all
++
++sed -e '/RekeyLimit/d' /etc/ssh/sshd_config
++echo "RekeyLimit 512M 2h" >> /etc/ssh/sshd_config
+diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_rekey_limit/tests/no_line.fail.sh b/linux_os/guide/services/ssh/ssh_server/sshd_rekey_limit/tests/no_line.fail.sh
+new file mode 100644
+index 0000000000..a6cd10163f
+--- /dev/null
++++ b/linux_os/guide/services/ssh/ssh_server/sshd_rekey_limit/tests/no_line.fail.sh
+@@ -0,0 +1,3 @@
++# platform = multi_platform_all
++
++sed -e '/RekeyLimit/d' /etc/ssh/sshd_config
+diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_rekey_limit/tests/ok.pass.sh b/linux_os/guide/services/ssh/ssh_server/sshd_rekey_limit/tests/ok.pass.sh
+new file mode 100644
+index 0000000000..a6a2ba7adf
+--- /dev/null
++++ b/linux_os/guide/services/ssh/ssh_server/sshd_rekey_limit/tests/ok.pass.sh
+@@ -0,0 +1,4 @@
++# platform = multi_platform_all
++
++sed -e '/RekeyLimit/d' /etc/ssh/sshd_config
++echo "RekeyLimit 512M 1h" >> /etc/ssh/sshd_config
+diff --git a/linux_os/guide/services/ssh/ssh_server/var_rekey_limit_size.var b/linux_os/guide/services/ssh/ssh_server/var_rekey_limit_size.var
+new file mode 100644
+index 0000000000..16dc376508
+--- /dev/null
++++ b/linux_os/guide/services/ssh/ssh_server/var_rekey_limit_size.var
+@@ -0,0 +1,14 @@
++documentation_complete: true
++
++title: 'SSH RekeyLimit - size'
++
++description: 'Specify the size component of the rekey limit.'
++
++type: string
++
++operator: equals
++
++options:
++    sshd_default: "default"
++    default: "512M"
++    "512M": "512M"
+diff --git a/linux_os/guide/services/ssh/ssh_server/var_rekey_limit_time.var b/linux_os/guide/services/ssh/ssh_server/var_rekey_limit_time.var
+new file mode 100644
+index 0000000000..8801fbbf6f
+--- /dev/null
++++ b/linux_os/guide/services/ssh/ssh_server/var_rekey_limit_time.var
+@@ -0,0 +1,14 @@
++documentation_complete: true
++
++title: 'SSH RekeyLimit - size'
++
++description: 'Specify the size component of the rekey limit.'
++
++type: string
++
++operator: equals
++
++options:
++    sshd_default: "none"
++    default: "1h"
++    "1hour": "1h"
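Review bot: `title` and `description` in this file still describe the size component, apparently copied from `var_rekey_limit_size.var`, so tailoring tools and generated guides will show two values with the same label. They should read `title: 'SSH RekeyLimit - time'` and `description: 'Specify the time component of the rekey limit.'`. The same copy appears in `var_ssh_client_rekey_limit_time.var` later in this series. The option key `"1hour"` also differs from its value `"1h"`, unlike `"512M": "512M"` in the size variable, and a short comment explaining that choice would help profile authors.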
+diff --git a/rhel8/profiles/ospp.profile b/rhel8/profiles/ospp.profile
+index c672066050..a5223a187f 100644
+--- a/rhel8/profiles/ospp.profile
++++ b/rhel8/profiles/ospp.profile
+@@ -58,6 +58,8 @@ selections:
+     - sshd_set_keepalive
+     - sshd_enable_warning_banner
+     - sshd_rekey_limit
++    - var_rekey_limit_size=512M
++    - var_rekey_limit_time=1hour
+     - sshd_use_strong_rng
+     - openssl_use_strong_entropy
+ 
+
+From 85efae481db88792de138916c242fbbf0a7adeb1 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Mat=C4=9Bj=20T=C3=BD=C4=8D?= <matyc@redhat.com>
+Date: Tue, 19 May 2020 17:57:12 +0200
+Subject: [PATCH 2/5] Updated stable profile definitions.
+
+---
+ tests/data/profile_stability/rhel8/ospp.profile | 2 ++
+ tests/data/profile_stability/rhel8/stig.profile | 3 ++-
+ 2 files changed, 4 insertions(+), 1 deletion(-)
+
+diff --git a/tests/data/profile_stability/rhel8/ospp.profile b/tests/data/profile_stability/rhel8/ospp.profile
+index 23039c82b4..bdda39a903 100644
+--- a/tests/data/profile_stability/rhel8/ospp.profile
++++ b/tests/data/profile_stability/rhel8/ospp.profile
+@@ -214,6 +214,8 @@ selections:
+ - timer_dnf-automatic_enabled
+ - usbguard_allow_hid_and_hub
+ - var_sshd_set_keepalive=0
++- var_rekey_limit_size=512M
++- var_rekey_limit_time=1hour
+ - var_accounts_user_umask=027
+ - var_password_pam_difok=4
+ - var_password_pam_maxrepeat=3
+diff --git a/tests/data/profile_stability/rhel8/stig.profile b/tests/data/profile_stability/rhel8/stig.profile
+index cd31b73700..ebef541921 100644
+--- a/tests/data/profile_stability/rhel8/stig.profile
++++ b/tests/data/profile_stability/rhel8/stig.profile
+@@ -21,7 +21,6 @@ description: 'This profile contains configuration checks that align to the
+ 
+     - Red Hat Containers with a Red Hat Enterprise Linux 8 image'
+ documentation_complete: true
+-extends: ospp
+ selections:
+ - account_disable_post_pw_expiration
+ - account_temp_expire_date
+@@ -243,6 +242,8 @@ selections:
+ - timer_dnf-automatic_enabled
+ - usbguard_allow_hid_and_hub
+ - var_sshd_set_keepalive=0
++- var_rekey_limit_size=512M
++- var_rekey_limit_time=1hour
+ - var_accounts_user_umask=027
+ - var_password_pam_difok=4
+ - var_password_pam_maxrepeat=3
+
+From d75161c4f7232380a1b46aa8d99fa5d562503c80 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Mat=C4=9Bj=20T=C3=BD=C4=8D?= <matyc@redhat.com>
+Date: Fri, 22 May 2020 11:43:36 +0200
+Subject: [PATCH 3/5] Improved how variables are handled in remediations.
+
+---
+ shared/macros-ansible.jinja | 14 ++++++++++++++
+ shared/macros-bash.jinja    | 15 +++++++++++++++
+ 2 files changed, 29 insertions(+)
+
+diff --git a/shared/macros-ansible.jinja b/shared/macros-ansible.jinja
+index 56a3f5f3ec..6798a25d1f 100644
+--- a/shared/macros-ansible.jinja
++++ b/shared/macros-ansible.jinja
+@@ -1,3 +1,17 @@
++{{#
++Pass strings that correspond to XCCDF value names as arguments to this macro:
++ansible_instantiate_variables("varname1", "varname2")
++
++Then, assume that the task that follows can work with the variable by referencing it, e.g.
++value: "Setting={{ varname1 }}"
++
++#}}
++{{%- macro ansible_instantiate_variables() -%}}
++{{%- for name in varargs -%}}
++- (xccdf-var {{{ name }}})
++{{% endfor -%}}
++{{%- endmacro -%}}
++
+ {{#
+   A wrapper over the Ansible lineinfile module. This handles the most common
+   options for us. regex is optional and when blank, it won't be included in
+diff --git a/shared/macros-bash.jinja b/shared/macros-bash.jinja
+index 01b9e62e7b..3a94fe5dd8 100644
+--- a/shared/macros-bash.jinja
++++ b/shared/macros-bash.jinja
+@@ -1,5 +1,20 @@
+ {{# ##### High level macros ##### #}}
+ 
++{{#
++Pass strings that correspond to XCCDF value names as arguments to this macro:
++bash_instantiate_variables("varname1", "varname2")
++
++Then, assume that variables of that names are defined and contain the correct value, e.g.
++echo "Setting=$varname1" >> config_file
++
++#}}
++{{%- macro bash_instantiate_variables() -%}}
++{{%- for name in varargs -%}}
++populate {{{ name }}}
++{{# this line is intentionally left blank #}}
++{{% endfor -%}}
++{{%- endmacro -%}}
++
+ {{%- macro bash_shell_file_set(path, parameter, value, no_quotes=false) -%}}
+ {{% if no_quotes -%}}
+   {{% if "$" in value %}}
+
+From 912ce0a4ade9aa335c044314a6cc018f1ead1abe Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Mat=C4=9Bj=20T=C3=BD=C4=8D?= <matyc@redhat.com>
+Date: Fri, 22 May 2020 11:44:08 +0200
+Subject: [PATCH 4/5] Fixed Bash and Ansible remediations.
+
+---
+ .../ssh/ssh_server/sshd_rekey_limit/ansible/shared.yml    | 8 ++++++++
+ .../ssh/ssh_server/sshd_rekey_limit/bash/shared.sh        | 3 +--
+ 2 files changed, 9 insertions(+), 2 deletions(-)
+ create mode 100644 linux_os/guide/services/ssh/ssh_server/sshd_rekey_limit/ansible/shared.yml
+
+diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_rekey_limit/ansible/shared.yml b/linux_os/guide/services/ssh/ssh_server/sshd_rekey_limit/ansible/shared.yml
+new file mode 100644
+index 0000000000..43a2d4521f
+--- /dev/null
++++ b/linux_os/guide/services/ssh/ssh_server/sshd_rekey_limit/ansible/shared.yml
+@@ -0,0 +1,8 @@
++# platform = multi_platform_all                                                                                                                                                                                                                                                                                        [0/453]
++# reboot = false
++# strategy = configure
++# complexity = low
++# disruption = low
++{{{ ansible_instantiate_variables("var_rekey_limit_size", "var_rekey_limit_time") }}}
++
++{{{ ansible_sshd_set(parameter="RekeyLimit", value="{{ var_rekey_limit_size}} {{var_rekey_limit_time}}") }}}
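Review bot: The first header line, `# platform = multi_platform_all`, is followed by a long run of spaces and a stray `[0/453]`, which looks like terminal output pasted in with the text. If the build reads the `# platform =` header as a list of platform names, the extra token may be treated as part of the value and the remediation may not be matched as intended; this is inferred, as the parser is not visible here. The line should be just `# platform = multi_platform_all`. The same artifact is on the first line of `ssh_client_rekey_limit/ansible/shared.yml` later in this series.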
+diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_rekey_limit/bash/shared.sh b/linux_os/guide/services/ssh/ssh_server/sshd_rekey_limit/bash/shared.sh
+index 2620c2d49e..0277f31392 100644
+--- a/linux_os/guide/services/ssh/ssh_server/sshd_rekey_limit/bash/shared.sh
++++ b/linux_os/guide/services/ssh/ssh_server/sshd_rekey_limit/bash/shared.sh
+@@ -3,7 +3,6 @@
+ # Include source function library.
+ . /usr/share/scap-security-guide/remediation_functions
+ 
+-populate var_rekey_limit_size
+-populate var_rekey_limit_time
++{{{ bash_instantiate_variables("var_rekey_limit_size", "var_rekey_limit_time") }}}
+ 
+ {{{ bash_sshd_config_set(parameter='RekeyLimit', value="$var_rekey_limit_size $var_rekey_limit_time") }}}
+
+From d0ac47945e14017e522d523267d3a4bfb5ecdf71 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Mat=C4=9Bj=20T=C3=BD=C4=8D?= <matyc@redhat.com>
+Date: Fri, 22 May 2020 11:49:04 +0200
+Subject: [PATCH 5/5] Improved the OVAL according to the review feedback.
+
+---
+ .../services/ssh/ssh_server/sshd_rekey_limit/oval/shared.xml | 5 ++---
+ 1 file changed, 2 insertions(+), 3 deletions(-)
+
+diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_rekey_limit/oval/shared.xml b/linux_os/guide/services/ssh/ssh_server/sshd_rekey_limit/oval/shared.xml
+index 57aa090948..47796e5332 100644
+--- a/linux_os/guide/services/ssh/ssh_server/sshd_rekey_limit/oval/shared.xml
++++ b/linux_os/guide/services/ssh/ssh_server/sshd_rekey_limit/oval/shared.xml
+@@ -1,5 +1,4 @@
+-{{% set filepath = "/etc/ssh/sshd_config" %}}
+-{{% set parameter = "RekeyLimit" %}}
++{{% set filepath = "/etc/ssh/sshd_config" -%}}
+ 
+ 
+ <def-group>
+@@ -7,7 +6,7 @@
+     <metadata>
+       <title>{{{ rule_title }}}</title>
+       {{{- oval_affected(products) }}}
+-      <description>Ensure '{{{ RekeyLimit }}}' is configured with the correct value in '{{{ filepath }}}'</description>
++      <description>Ensure 'RekeyLimit' is configured with the correct value in '{{{ filepath }}}'</description>
+     </metadata>
+     <criteria comment="sshd is configured correctly or is not installed" operator="OR">
+         {{{- application_not_required_or_requirement_unset() }}}
diff --git a/SOURCES/scap-security-guide-0.1.51-parametrize-ssh-PR5782.patch b/SOURCES/scap-security-guide-0.1.51-parametrize-ssh-PR5782.patch
new file mode 100644
index 0000000..2b758fb
--- /dev/null
+++ b/SOURCES/scap-security-guide-0.1.51-parametrize-ssh-PR5782.patch
@@ -0,0 +1,102 @@
+From 279b1d8b585d3521d4910ec8aa69583f9b7031ac Mon Sep 17 00:00:00 2001
+From: Vojtech Polasek <vpolasek@redhat.com>
+Date: Mon, 25 May 2020 10:51:24 +0200
+Subject: [PATCH 1/3] change rekey limit to 1G 1h in rhel8 ospp
+
+---
+ .../guide/services/ssh/ssh_server/var_rekey_limit_size.var     | 1 +
+ rhel8/profiles/ospp.profile                                    | 2 +-
+ rhel8/profiles/stig.profile                                    | 3 +++
+ 3 files changed, 5 insertions(+), 1 deletion(-)
+
+diff --git a/linux_os/guide/services/ssh/ssh_server/var_rekey_limit_size.var b/linux_os/guide/services/ssh/ssh_server/var_rekey_limit_size.var
+index 16dc376508..395a087a68 100644
+--- a/linux_os/guide/services/ssh/ssh_server/var_rekey_limit_size.var
++++ b/linux_os/guide/services/ssh/ssh_server/var_rekey_limit_size.var
+@@ -12,3 +12,4 @@ options:
+     sshd_default: "default"
+     default: "512M"
+     "512M": "512M"
++    "1G": "1G"
+diff --git a/rhel8/profiles/ospp.profile b/rhel8/profiles/ospp.profile
+index a5223a187f..0dca8350f9 100644
+--- a/rhel8/profiles/ospp.profile
++++ b/rhel8/profiles/ospp.profile
+@@ -58,7 +58,7 @@ selections:
+     - sshd_set_keepalive
+     - sshd_enable_warning_banner
+     - sshd_rekey_limit
+-    - var_rekey_limit_size=512M
++    - var_rekey_limit_size=1G
+     - var_rekey_limit_time=1hour
+     - sshd_use_strong_rng
+     - openssl_use_strong_entropy
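Review bot: The selection `var_rekey_limit_size=1G` doubles the amount of data sent under one session key in the OSPP profile, and neither the hunk nor the commit message records which requirement asks for the larger value. A one-line comment above the selection would make the relaxation auditable, for example `# RekeyLimit size raised from 512M to 1G, see <requirement reference>`, where the reference is a placeholder because it is not on this page.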
+diff --git a/rhel8/profiles/stig.profile b/rhel8/profiles/stig.profile
+index 2bb81cf9dc..a156857647 100644
+--- a/rhel8/profiles/stig.profile
++++ b/rhel8/profiles/stig.profile
+@@ -44,3 +44,6 @@ selections:
+     - package_rsyslog-gnutls_installed
+     - rsyslog_remote_tls
+     - rsyslog_remote_tls_cacert
++    - sshd_rekey_limit
++    - var_rekey_limit_size=512M
++    - var_rekey_limit_time=1hour
+
+From d8ce7bb5f47665e40b6ec2c47e565bb7c46164a9 Mon Sep 17 00:00:00 2001
+From: Vojtech Polasek <vpolasek@redhat.com>
+Date: Mon, 25 May 2020 10:51:54 +0200
+Subject: [PATCH 2/3] update stable ospp profile
+
+---
+ tests/data/profile_stability/rhel8/ospp.profile | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/tests/data/profile_stability/rhel8/ospp.profile b/tests/data/profile_stability/rhel8/ospp.profile
+index bdda39a903..25f7922bf3 100644
+--- a/tests/data/profile_stability/rhel8/ospp.profile
++++ b/tests/data/profile_stability/rhel8/ospp.profile
+@@ -214,7 +214,7 @@ selections:
+ - timer_dnf-automatic_enabled
+ - usbguard_allow_hid_and_hub
+ - var_sshd_set_keepalive=0
+-- var_rekey_limit_size=512M
++- var_rekey_limit_size=1G
+ - var_rekey_limit_time=1hour
+ - var_accounts_user_umask=027
+ - var_password_pam_difok=4
+
+From 6623ece14b6534164a3b953fd43111cae4a3eeea Mon Sep 17 00:00:00 2001
+From: Vojtech Polasek <vpolasek@redhat.com>
+Date: Thu, 28 May 2020 09:30:58 +0200
+Subject: [PATCH 3/3] propagate change also into stig profile
+
+---
+ rhel8/profiles/stig.profile                     | 3 ---
+ tests/data/profile_stability/rhel8/stig.profile | 2 +-
+ 2 files changed, 1 insertion(+), 4 deletions(-)
+
+diff --git a/rhel8/profiles/stig.profile b/rhel8/profiles/stig.profile
+index a156857647..2bb81cf9dc 100644
+--- a/rhel8/profiles/stig.profile
++++ b/rhel8/profiles/stig.profile
+@@ -44,6 +44,3 @@ selections:
+     - package_rsyslog-gnutls_installed
+     - rsyslog_remote_tls
+     - rsyslog_remote_tls_cacert
+-    - sshd_rekey_limit
+-    - var_rekey_limit_size=512M
+-    - var_rekey_limit_time=1hour
+diff --git a/tests/data/profile_stability/rhel8/stig.profile b/tests/data/profile_stability/rhel8/stig.profile
+index ebef541921..6c4270925f 100644
+--- a/tests/data/profile_stability/rhel8/stig.profile
++++ b/tests/data/profile_stability/rhel8/stig.profile
+@@ -242,7 +242,7 @@ selections:
+ - timer_dnf-automatic_enabled
+ - usbguard_allow_hid_and_hub
+ - var_sshd_set_keepalive=0
+-- var_rekey_limit_size=512M
++- var_rekey_limit_size=1G
+ - var_rekey_limit_time=1hour
+ - var_accounts_user_umask=027
+ - var_password_pam_difok=4
diff --git a/SOURCES/scap-security-guide-0.1.51-parametrize-ssh-PR5788.patch b/SOURCES/scap-security-guide-0.1.51-parametrize-ssh-PR5788.patch
new file mode 100644
index 0000000..8ebfb97
--- /dev/null
+++ b/SOURCES/scap-security-guide-0.1.51-parametrize-ssh-PR5788.patch
@@ -0,0 +1,798 @@
+From 604f70aa2d0cce64aed5d699178394523969ba37 Mon Sep 17 00:00:00 2001
+From: Vojtech Polasek <vpolasek@redhat.com>
+Date: Wed, 27 May 2020 14:34:50 +0200
+Subject: [PATCH 01/11] add rule, variables, check, remediations
+
+---
+ .../ssh_client_rekey_limit/ansible/shared.yml |  8 ++++
+ .../ssh_client_rekey_limit/bash/shared.sh     |  8 ++++
+ .../ssh_client_rekey_limit/oval/shared.xml    | 39 +++++++++++++++++++
+ .../crypto/ssh_client_rekey_limit/rule.yml    | 34 ++++++++++++++++
+ .../var_ssh_client_rekey_limit_size.var       | 15 +++++++
+ .../var_ssh_client_rekey_limit_time.var       | 14 +++++++
+ shared/references/cce-redhat-avail.txt        |  1 -
+ 7 files changed, 118 insertions(+), 1 deletion(-)
+ create mode 100644 linux_os/guide/system/software/integrity/crypto/ssh_client_rekey_limit/ansible/shared.yml
+ create mode 100644 linux_os/guide/system/software/integrity/crypto/ssh_client_rekey_limit/bash/shared.sh
+ create mode 100644 linux_os/guide/system/software/integrity/crypto/ssh_client_rekey_limit/oval/shared.xml
+ create mode 100644 linux_os/guide/system/software/integrity/crypto/ssh_client_rekey_limit/rule.yml
+ create mode 100644 linux_os/guide/system/software/integrity/crypto/var_ssh_client_rekey_limit_size.var
+ create mode 100644 linux_os/guide/system/software/integrity/crypto/var_ssh_client_rekey_limit_time.var
+
+diff --git a/linux_os/guide/system/software/integrity/crypto/ssh_client_rekey_limit/ansible/shared.yml b/linux_os/guide/system/software/integrity/crypto/ssh_client_rekey_limit/ansible/shared.yml
+new file mode 100644
+index 0000000000..6d2bcbbd44
+--- /dev/null
++++ b/linux_os/guide/system/software/integrity/crypto/ssh_client_rekey_limit/ansible/shared.yml
+@@ -0,0 +1,8 @@
++# platform = multi_platform_all                                                                                                                                                                                                                                                                                        [0/453]
++# reboot = false
++# strategy = configure
++# complexity = low
++# disruption = low
++{{{ ansible_instantiate_variables("var_ssh_client_rekey_limit_size", "var_ssh_client_rekey_limit_time") }}}
++
++{{{ ansible_lineinfile(msg='Ensure that rekey limit is set to {{ var_ssh_client_rekey_limit_size }} {{ var_ssh_client_rekey_limit_time }} in /etc/ssh/ssh_config.d/02-rekey-limit.conf', path='/etc/ssh/ssh_config.d/02-rekey-limit.conf', regex='^\s*RekeyLimit.*$', new_line='RekeyLimit {{ var_ssh_client_rekey_limit_size }} {{ var_ssh_client_rekey_limit_time }}', create='yes', state='present') }}}
+diff --git a/linux_os/guide/system/software/integrity/crypto/ssh_client_rekey_limit/bash/shared.sh b/linux_os/guide/system/software/integrity/crypto/ssh_client_rekey_limit/bash/shared.sh
+new file mode 100644
+index 0000000000..43d0971ffc
+--- /dev/null
++++ b/linux_os/guide/system/software/integrity/crypto/ssh_client_rekey_limit/bash/shared.sh
+@@ -0,0 +1,8 @@
++# platform = multi_platform_all
++
++# Include source function library.
++. /usr/share/scap-security-guide/remediation_functions
++
++{{{ bash_instantiate_variables("var_ssh_client_rekey_limit_size", "var_ssh_client_rekey_limit_time") }}}
++
++{{{ set_config_file(path="/etc/ssh/ssh_config.d/02-rekey-limit.conf", parameter="RekeyLimit", value='$var_ssh_client_rekey_limit_size $var_ssh_client_rekey_limit_time', create=true, insert_before="", insert_after="", insensitive=false, separator=" ", separator_regex="\s\+", prefix_regex="^\s*") }}}
+diff --git a/linux_os/guide/system/software/integrity/crypto/ssh_client_rekey_limit/oval/shared.xml b/linux_os/guide/system/software/integrity/crypto/ssh_client_rekey_limit/oval/shared.xml
+new file mode 100644
+index 0000000000..2412763e3f
+--- /dev/null
++++ b/linux_os/guide/system/software/integrity/crypto/ssh_client_rekey_limit/oval/shared.xml
+@@ -0,0 +1,39 @@
++{{% set filepath = "/etc/ssh/ssh_config.d/02-rekey-limit.conf" -%}}
++
++
++<def-group>
++  <definition class="compliance" id="{{{ rule_id }}}" version="1">
++    <metadata>
++      <title>{{{ rule_title }}}</title>
++      {{{- oval_affected(products) }}}
++      <description>Ensure 'RekeyLimit' is configured with the correct value in '{{{ filepath }}}'</description>
++    </metadata>
++    <criteria comment="RekeyLimit is correctly configured for ssh client">
++      {{{- oval_line_in_file_criterion(filepath, "RekeyLimit") }}}
++    </criteria>
++  </definition>
++
++  <ind:textfilecontent54_test check="all" check_existence="all_exist" comment="tests the value of RekeyLimit setting in the  file" id="test_ssh_client_rekey_limit" version="1">
++     <ind:object object_ref="obj_ssh_client_rekey_limit"/>
++  </ind:textfilecontent54_test>
++
++  <ind:textfilecontent54_object id="obj_ssh_client_rekey_limit" version="1">
++     <ind:filepath>{{{ filepath }}}</ind:filepath>
++     <ind:pattern var_ref="ssh_client_line_regex" operation="pattern match"></ind:pattern>
++     <ind:instance datatype="int" operation="greater than or equal">1</ind:instance>
++  </ind:textfilecontent54_object>
++
++  <local_variable id="ssh_client_line_regex" datatype="string" comment="The regex of the directive" version="1">
++    <concat>
++      <literal_component>^[\s]*RekeyLimit[\s]+</literal_component>
++      <variable_component var_ref="var_ssh_client_rekey_limit_size"/>
++      <literal_component>[\s]+</literal_component>
++      <variable_component var_ref="var_ssh_client_rekey_limit_time"/>
++      <literal_component>[\s]*$</literal_component>
++    </concat>
++  </local_variable>
++
++  <external_variable comment="Size component of the rekey limit" datatype="string" id="var_ssh_client_rekey_limit_size" version="1" />
++  <external_variable comment="Time component of the rekey limit" datatype="string" id="var_ssh_client_rekey_limit_time" version="1" />
++</def-group>
++
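Review bot: The definition reads only `/etc/ssh/ssh_config.d/02-rekey-limit.conf`, so a pass shows that the file contains the line, not that the client uses it. ssh keeps the first value it obtains for an option, so a `RekeyLimit` in a configuration file that is read earlier would take precedence and go unnoticed. At minimum, state the limitation next to the `filepath` assignment, for example `{{# Only this drop-in is inspected; a RekeyLimit read earlier from another ssh_config file takes precedence and is not detected. #}}`. Widening the object to the other client configuration files would be the stronger fix.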
+diff --git a/linux_os/guide/system/software/integrity/crypto/ssh_client_rekey_limit/rule.yml b/linux_os/guide/system/software/integrity/crypto/ssh_client_rekey_limit/rule.yml
+new file mode 100644
+index 0000000000..a1b85b0ee5
+--- /dev/null
++++ b/linux_os/guide/system/software/integrity/crypto/ssh_client_rekey_limit/rule.yml
+@@ -0,0 +1,34 @@
++documentation_complete: true
++
++prodtype: rhel8
++
++title: 'Configure session renegotiation for SSH client'
++
++description: |-
++    The <tt>RekeyLimit</tt> parameter specifies how often
++    the session key is renegotiated, both in terms of
++    amount of data that may be transmitted and the time
++    elapsed. To decrease the default limits, put line
++    <tt>RekeyLimit {{{ sub_var_value("var_ssh_client_rekey_limit_size") }}} {{{ sub_var_value("var_ssh_client_rekey_limit_time") }}}</tt> to file <tt>/etc/ssh/ssh_config.d/02-rekey-limit.conf</tt>.
++
++rationale: |-
++    By decreasing the limit based on the amount of data and enabling
++    time-based limit, effects of potential attacks against
++    encryption keys are limited.
++
++severity: medium
++
++identifiers:
++    cce@rhel8: 82880-6
++
++references:
++    ospp: FCS_SSHS_EXT.1
++
++ocil_clause: 'it is commented out or is not set'
++
++ocil: |-
++    To check if RekeyLimit is set correctly, run the
++    following command:
++    <pre>$ sudo grep RekeyLimit /etc/ssh/ssh_config.d/02-rekey-limit.conf</pre>
++    If configured properly, output should be
++    <pre>RekeyLimit {{{ sub_var_value("var_ssh_client_rekey_limit_size") }}} {{{ sub_var_value("var_ssh_client_rekey_limit_time") }}}</pre>
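Review bot: `ospp: FCS_SSHS_EXT.1` under `references` names the SSH server requirement, while this rule configures the client, so it looks like it may have been carried over from the server rule. Please confirm whether the client counterpart is intended, i.e. `ospp: FCS_SSHC_EXT.1`. A wrong reference would map the rule to the wrong requirement in compliance reports.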
+diff --git a/linux_os/guide/system/software/integrity/crypto/var_ssh_client_rekey_limit_size.var b/linux_os/guide/system/software/integrity/crypto/var_ssh_client_rekey_limit_size.var
+new file mode 100644
+index 0000000000..bcf051fd97
+--- /dev/null
++++ b/linux_os/guide/system/software/integrity/crypto/var_ssh_client_rekey_limit_size.var
+@@ -0,0 +1,15 @@
++documentation_complete: true
++
++title: 'SSH client RekeyLimit - size'
++
++description: 'Specify the size component of the rekey limit.'
++
++type: string
++
++operator: equals
++
++options:
++    ssh_client_default: "default"
++    default: "512M"
++    "512M": "512M"
++    "1G": "1G"
+diff --git a/linux_os/guide/system/software/integrity/crypto/var_ssh_client_rekey_limit_time.var b/linux_os/guide/system/software/integrity/crypto/var_ssh_client_rekey_limit_time.var
+new file mode 100644
+index 0000000000..31c76f9ab5
+--- /dev/null
++++ b/linux_os/guide/system/software/integrity/crypto/var_ssh_client_rekey_limit_time.var
+@@ -0,0 +1,14 @@
++documentation_complete: true
++
++title: 'SSH client RekeyLimit - size'
++
++description: 'Specify the size component of the rekey limit.'
++
++type: string
++
++operator: equals
++
++options:
++    ssh_client_default: "none"
++    default: "1h"
++    "1hour": "1h"
+diff --git a/shared/references/cce-redhat-avail.txt b/shared/references/cce-redhat-avail.txt
+index 45d03a2c1d..e060d2fb1c 100644
+--- a/shared/references/cce-redhat-avail.txt
++++ b/shared/references/cce-redhat-avail.txt
+@@ -1,4 +1,3 @@
+-CCE-82880-6
+ CCE-82882-2
+ CCE-82883-0
+ CCE-82888-9
+
+From a0d54462b9a1e65de3598d7fc262f61a8e3a06ea Mon Sep 17 00:00:00 2001
+From: Vojtech Polasek <vpolasek@redhat.com>
+Date: Wed, 27 May 2020 14:35:24 +0200
+Subject: [PATCH 02/11] add tests
+
+---
+ .../crypto/ssh_client_rekey_limit/tests/bad_size.fail.sh      | 4 ++++
+ .../crypto/ssh_client_rekey_limit/tests/bad_time.fail.sh      | 4 ++++
+ .../crypto/ssh_client_rekey_limit/tests/no_line.fail.sh       | 3 +++
+ .../integrity/crypto/ssh_client_rekey_limit/tests/ok.pass.sh  | 4 ++++
+ 4 files changed, 15 insertions(+)
+ create mode 100644 linux_os/guide/system/software/integrity/crypto/ssh_client_rekey_limit/tests/bad_size.fail.sh
+ create mode 100644 linux_os/guide/system/software/integrity/crypto/ssh_client_rekey_limit/tests/bad_time.fail.sh
+ create mode 100644 linux_os/guide/system/software/integrity/crypto/ssh_client_rekey_limit/tests/no_line.fail.sh
+ create mode 100644 linux_os/guide/system/software/integrity/crypto/ssh_client_rekey_limit/tests/ok.pass.sh
+
+diff --git a/linux_os/guide/system/software/integrity/crypto/ssh_client_rekey_limit/tests/bad_size.fail.sh b/linux_os/guide/system/software/integrity/crypto/ssh_client_rekey_limit/tests/bad_size.fail.sh
+new file mode 100644
+index 0000000000..2ac0bbf350
+--- /dev/null
++++ b/linux_os/guide/system/software/integrity/crypto/ssh_client_rekey_limit/tests/bad_size.fail.sh
+@@ -0,0 +1,4 @@
++# platform = multi_platform_all
++
++sed -e '/RekeyLimit/d' /etc/ssh/sshd_config
++echo "RekeyLimit 812M 1h" >> /etc/ssh/sshd_config
+diff --git a/linux_os/guide/system/software/integrity/crypto/ssh_client_rekey_limit/tests/bad_time.fail.sh b/linux_os/guide/system/software/integrity/crypto/ssh_client_rekey_limit/tests/bad_time.fail.sh
+new file mode 100644
+index 0000000000..fec859fe05
+--- /dev/null
++++ b/linux_os/guide/system/software/integrity/crypto/ssh_client_rekey_limit/tests/bad_time.fail.sh
+@@ -0,0 +1,4 @@
++# platform = multi_platform_all
++
++sed -e '/RekeyLimit/d' /etc/ssh/sshd_config
++echo "RekeyLimit 512M 2h" >> /etc/ssh/sshd_config
+diff --git a/linux_os/guide/system/software/integrity/crypto/ssh_client_rekey_limit/tests/no_line.fail.sh b/linux_os/guide/system/software/integrity/crypto/ssh_client_rekey_limit/tests/no_line.fail.sh
+new file mode 100644
+index 0000000000..a6cd10163f
+--- /dev/null
++++ b/linux_os/guide/system/software/integrity/crypto/ssh_client_rekey_limit/tests/no_line.fail.sh
+@@ -0,0 +1,3 @@
++# platform = multi_platform_all
++
++sed -e '/RekeyLimit/d' /etc/ssh/sshd_config
+diff --git a/linux_os/guide/system/software/integrity/crypto/ssh_client_rekey_limit/tests/ok.pass.sh b/linux_os/guide/system/software/integrity/crypto/ssh_client_rekey_limit/tests/ok.pass.sh
+new file mode 100644
+index 0000000000..a6a2ba7adf
+--- /dev/null
++++ b/linux_os/guide/system/software/integrity/crypto/ssh_client_rekey_limit/tests/ok.pass.sh
+@@ -0,0 +1,4 @@
++# platform = multi_platform_all
++
++sed -e '/RekeyLimit/d' /etc/ssh/sshd_config
++echo "RekeyLimit 512M 1h" >> /etc/ssh/sshd_config
+
+From 6ce9e9d55eab07f1c2a3a8d0b28f104d0b5992da Mon Sep 17 00:00:00 2001
+From: Vojtech Polasek <vpolasek@redhat.com>
+Date: Wed, 27 May 2020 14:35:43 +0200
+Subject: [PATCH 03/11] add rule to rhel8 ospp, update stable profiles
+
+---
+ rhel8/profiles/ospp.profile                     | 5 +++++
+ tests/data/profile_stability/rhel8/ospp.profile | 3 +++
+ tests/data/profile_stability/rhel8/stig.profile | 3 +++
+ 3 files changed, 11 insertions(+)
+
+diff --git a/rhel8/profiles/ospp.profile b/rhel8/profiles/ospp.profile
+index 0dca8350f9..07d32b814d 100644
+--- a/rhel8/profiles/ospp.profile
++++ b/rhel8/profiles/ospp.profile
+@@ -410,3 +410,8 @@ selections:
+ 
+     # Prevent Kerberos use by system daemons
+     - kerberos_disable_no_keytab
++
++    # set ssh client rekey limit
++    - ssh_client_rekey_limit
++    - var_ssh_client_rekey_limit_size=1G
++    - var_ssh_client_rekey_limit_time=1hour
+diff --git a/tests/data/profile_stability/rhel8/ospp.profile b/tests/data/profile_stability/rhel8/ospp.profile
+index 25f7922bf3..b0d7672c36 100644
+--- a/tests/data/profile_stability/rhel8/ospp.profile
++++ b/tests/data/profile_stability/rhel8/ospp.profile
+@@ -240,4 +240,7 @@ selections:
+ - grub2_vsyscall_argument.severity=info
+ - sysctl_user_max_user_namespaces.role=unscored
+ - sysctl_user_max_user_namespaces.severity=info
++- ssh_client_rekey_limit
++- var_ssh_client_rekey_limit_size=1G
++- var_ssh_client_rekey_limit_time=1hour
+ title: Protection Profile for General Purpose Operating Systems
+diff --git a/tests/data/profile_stability/rhel8/stig.profile b/tests/data/profile_stability/rhel8/stig.profile
+index 6c4270925f..330ecc7e1e 100644
+--- a/tests/data/profile_stability/rhel8/stig.profile
++++ b/tests/data/profile_stability/rhel8/stig.profile
+@@ -269,4 +269,7 @@ selections:
+ - grub2_vsyscall_argument.severity=info
+ - sysctl_user_max_user_namespaces.role=unscored
+ - sysctl_user_max_user_namespaces.severity=info
++- ssh_client_rekey_limit
++- var_ssh_client_rekey_limit_size=1G
++- var_ssh_client_rekey_limit_time=1hour
+ title: '[DRAFT] DISA STIG for Red Hat Enterprise Linux 8'
+
+From 763a79e337eecb24c640d1ac189edf02d20e53ad Mon Sep 17 00:00:00 2001
+From: Vojtech Polasek <vpolasek@redhat.com>
+Date: Thu, 28 May 2020 14:25:41 +0200
+Subject: [PATCH 04/11] improve description of variables
+
+---
+ .../crypto/var_ssh_client_rekey_limit_size.var       | 10 ++++++++--
+ .../crypto/var_ssh_client_rekey_limit_time.var       | 12 +++++++++---
+ 2 files changed, 17 insertions(+), 5 deletions(-)
+
+diff --git a/linux_os/guide/system/software/integrity/crypto/var_ssh_client_rekey_limit_size.var b/linux_os/guide/system/software/integrity/crypto/var_ssh_client_rekey_limit_size.var
+index bcf051fd97..4e20104cba 100644
+--- a/linux_os/guide/system/software/integrity/crypto/var_ssh_client_rekey_limit_size.var
++++ b/linux_os/guide/system/software/integrity/crypto/var_ssh_client_rekey_limit_size.var
+@@ -2,14 +2,20 @@ documentation_complete: true
+ 
+ title: 'SSH client RekeyLimit - size'
+ 
+-description: 'Specify the size component of the rekey limit.'
++description: |-
++    Specify the size component of the rekey limit. This limit signifies amount
++    of data. After this amount of data is transferred through the connection,
++    the session key is renegotiated. The number is followed by K, M or G for
++    kilobytes, megabytes or gigabytes. Note that the RekeyLimit can be also
++    configured according to ellabsed time.
++
++interactive: true
+ 
+ type: string
+ 
+ operator: equals
+ 
+ options:
+-    ssh_client_default: "default"
+     default: "512M"
+     "512M": "512M"
+     "1G": "1G"
+diff --git a/linux_os/guide/system/software/integrity/crypto/var_ssh_client_rekey_limit_time.var b/linux_os/guide/system/software/integrity/crypto/var_ssh_client_rekey_limit_time.var
+index 31c76f9ab5..6143a5448c 100644
+--- a/linux_os/guide/system/software/integrity/crypto/var_ssh_client_rekey_limit_time.var
++++ b/linux_os/guide/system/software/integrity/crypto/var_ssh_client_rekey_limit_time.var
+@@ -1,14 +1,20 @@
+ documentation_complete: true
+ 
+-title: 'SSH client RekeyLimit - size'
++title: 'SSH client RekeyLimit - time'
+ 
+-description: 'Specify the size component of the rekey limit.'
++description: |-
++    Specify the time component of the rekey limit. This limit signifies amount
++    of data. The session key is renegotiated after the defined amount of time
++    passes. The number is followed by units such as H or M for hours or minutes.
++    Note that the RekeyLimit can be also configured according to amount of
++    transfered data.
++
++interactive: true
+ 
+ type: string
+ 
+ operator: equals
+ 
+ options:
+-    ssh_client_default: "none"
+     default: "1h"
+     "1hour": "1h"
+
+From 0800fcaff037a1b012b75e59d6771f5e7763e1de Mon Sep 17 00:00:00 2001
+From: Vojtech Polasek <vpolasek@redhat.com>
+Date: Thu, 28 May 2020 14:26:12 +0200
+Subject: [PATCH 05/11] fix tests and ansible
+
+---
+ .../crypto/ssh_client_rekey_limit/ansible/shared.yml         | 2 +-
+ .../crypto/ssh_client_rekey_limit/tests/bad_size.fail.sh     | 4 ++--
+ .../crypto/ssh_client_rekey_limit/tests/bad_time.fail.sh     | 4 ++--
+ .../crypto/ssh_client_rekey_limit/tests/no_line.fail.sh      | 2 +-
+ .../integrity/crypto/ssh_client_rekey_limit/tests/ok.pass.sh | 5 +++--
+ 5 files changed, 9 insertions(+), 8 deletions(-)
+
+diff --git a/linux_os/guide/system/software/integrity/crypto/ssh_client_rekey_limit/ansible/shared.yml b/linux_os/guide/system/software/integrity/crypto/ssh_client_rekey_limit/ansible/shared.yml
+index 6d2bcbbd44..bb6544a0a0 100644
+--- a/linux_os/guide/system/software/integrity/crypto/ssh_client_rekey_limit/ansible/shared.yml
++++ b/linux_os/guide/system/software/integrity/crypto/ssh_client_rekey_limit/ansible/shared.yml
+@@ -1,4 +1,4 @@
+-# platform = multi_platform_all                                                                                                                                                                                                                                                                                        [0/453]
++# platform = multi_platform_all
+ # reboot = false
+ # strategy = configure
+ # complexity = low
+diff --git a/linux_os/guide/system/software/integrity/crypto/ssh_client_rekey_limit/tests/bad_size.fail.sh b/linux_os/guide/system/software/integrity/crypto/ssh_client_rekey_limit/tests/bad_size.fail.sh
+index 2ac0bbf350..22c465b08f 100644
+--- a/linux_os/guide/system/software/integrity/crypto/ssh_client_rekey_limit/tests/bad_size.fail.sh
++++ b/linux_os/guide/system/software/integrity/crypto/ssh_client_rekey_limit/tests/bad_size.fail.sh
+@@ -1,4 +1,4 @@
+ # platform = multi_platform_all
+ 
+-sed -e '/RekeyLimit/d' /etc/ssh/sshd_config
+-echo "RekeyLimit 812M 1h" >> /etc/ssh/sshd_config
++
++echo "RekeyLimit 812M 1h" >> /etc/ssh/ssh_config.d/02-rekey-limit.conf
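Review bot: The non-compliant line is appended with `>>` to `02-rekey-limit.conf` without clearing the file first, so a compliant `RekeyLimit` line left behind by an earlier scenario or by a remediation run stays in place. The check as it stands at this point in the series only needs one line matching the expected value, so this fail scenario can then evaluate as pass depending on execution order. Write the file instead of appending, `echo "RekeyLimit 812M 1h" > /etc/ssh/ssh_config.d/02-rekey-limit.conf`, or start with `rm -f` as `ok.pass.sh` does. The same applies to the `bad_time.fail.sh` hunk that follows.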
+diff --git a/linux_os/guide/system/software/integrity/crypto/ssh_client_rekey_limit/tests/bad_time.fail.sh b/linux_os/guide/system/software/integrity/crypto/ssh_client_rekey_limit/tests/bad_time.fail.sh
+index fec859fe05..0dc621b1da 100644
+--- a/linux_os/guide/system/software/integrity/crypto/ssh_client_rekey_limit/tests/bad_time.fail.sh
++++ b/linux_os/guide/system/software/integrity/crypto/ssh_client_rekey_limit/tests/bad_time.fail.sh
+@@ -1,4 +1,4 @@
+ # platform = multi_platform_all
+ 
+-sed -e '/RekeyLimit/d' /etc/ssh/sshd_config
+-echo "RekeyLimit 512M 2h" >> /etc/ssh/sshd_config
++
++echo "RekeyLimit 512M 2h" >> /etc/ssh/ssh_config.d/02-rekey-limit.conf
+diff --git a/linux_os/guide/system/software/integrity/crypto/ssh_client_rekey_limit/tests/no_line.fail.sh b/linux_os/guide/system/software/integrity/crypto/ssh_client_rekey_limit/tests/no_line.fail.sh
+index a6cd10163f..f6abf711da 100644
+--- a/linux_os/guide/system/software/integrity/crypto/ssh_client_rekey_limit/tests/no_line.fail.sh
++++ b/linux_os/guide/system/software/integrity/crypto/ssh_client_rekey_limit/tests/no_line.fail.sh
+@@ -1,3 +1,3 @@
+ # platform = multi_platform_all
+ 
+-sed -e '/RekeyLimit/d' /etc/ssh/sshd_config
++echo "some line" > /etc/ssh/ssh_config.d/02-rekey-limit.conf
+diff --git a/linux_os/guide/system/software/integrity/crypto/ssh_client_rekey_limit/tests/ok.pass.sh b/linux_os/guide/system/software/integrity/crypto/ssh_client_rekey_limit/tests/ok.pass.sh
+index a6a2ba7adf..e64e4191bc 100644
+--- a/linux_os/guide/system/software/integrity/crypto/ssh_client_rekey_limit/tests/ok.pass.sh
++++ b/linux_os/guide/system/software/integrity/crypto/ssh_client_rekey_limit/tests/ok.pass.sh
+@@ -1,4 +1,5 @@
+ # platform = multi_platform_all
+ 
+-sed -e '/RekeyLimit/d' /etc/ssh/sshd_config
+-echo "RekeyLimit 512M 1h" >> /etc/ssh/sshd_config
++
++rm -f /etc/ssh/ssh_config.d/02-rekey-limit.conf
++echo "RekeyLimit 1G 1h" >> /etc/ssh/ssh_config.d/02-rekey-limit.conf
+
+From 9451e6d91c9975a3e9ecd4c627cbb0f9afce4c92 Mon Sep 17 00:00:00 2001
+From: Vojtech Polasek <vpolasek@redhat.com>
+Date: Mon, 1 Jun 2020 14:29:47 +0200
+Subject: [PATCH 06/11] fix test to use default value, remove rule from stig
+
+---
+ .../integrity/crypto/ssh_client_rekey_limit/tests/ok.pass.sh    | 2 +-
+ rhel8/profiles/stig.profile                                     | 1 +
+ tests/data/profile_stability/rhel8/stig.profile                 | 1 -
+ 3 files changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/linux_os/guide/system/software/integrity/crypto/ssh_client_rekey_limit/tests/ok.pass.sh b/linux_os/guide/system/software/integrity/crypto/ssh_client_rekey_limit/tests/ok.pass.sh
+index e64e4191bc..89d7069687 100644
+--- a/linux_os/guide/system/software/integrity/crypto/ssh_client_rekey_limit/tests/ok.pass.sh
++++ b/linux_os/guide/system/software/integrity/crypto/ssh_client_rekey_limit/tests/ok.pass.sh
+@@ -2,4 +2,4 @@
+ 
+ 
+ rm -f /etc/ssh/ssh_config.d/02-rekey-limit.conf
+-echo "RekeyLimit 1G 1h" >> /etc/ssh/ssh_config.d/02-rekey-limit.conf
++echo "RekeyLimit 512M 1h" >> /etc/ssh/ssh_config.d/02-rekey-limit.conf
+diff --git a/rhel8/profiles/stig.profile b/rhel8/profiles/stig.profile
+index 2bb81cf9dc..8f12852e26 100644
+--- a/rhel8/profiles/stig.profile
++++ b/rhel8/profiles/stig.profile
+@@ -44,3 +44,4 @@ selections:
+     - package_rsyslog-gnutls_installed
+     - rsyslog_remote_tls
+     - rsyslog_remote_tls_cacert
++    - "!ssh_client_rekey_limit"
+diff --git a/tests/data/profile_stability/rhel8/stig.profile b/tests/data/profile_stability/rhel8/stig.profile
+index 330ecc7e1e..9b164eb5c2 100644
+--- a/tests/data/profile_stability/rhel8/stig.profile
++++ b/tests/data/profile_stability/rhel8/stig.profile
+@@ -269,7 +269,6 @@ selections:
+ - grub2_vsyscall_argument.severity=info
+ - sysctl_user_max_user_namespaces.role=unscored
+ - sysctl_user_max_user_namespaces.severity=info
+-- ssh_client_rekey_limit
+ - var_ssh_client_rekey_limit_size=1G
+ - var_ssh_client_rekey_limit_time=1hour
+ title: '[DRAFT] DISA STIG for Red Hat Enterprise Linux 8'
+
+From bd47b1145f17c97de719c887db6146d5e7b59616 Mon Sep 17 00:00:00 2001
+From: Vojtech Polasek <vpolasek@redhat.com>
+Date: Wed, 3 Jun 2020 12:38:19 +0200
+Subject: [PATCH 07/11] rewrite oval to check for multiple locations
+
+---
+ .../ssh_client_rekey_limit/oval/shared.xml    | 42 ++++++++++++-------
+ 1 file changed, 26 insertions(+), 16 deletions(-)
+
+diff --git a/linux_os/guide/system/software/integrity/crypto/ssh_client_rekey_limit/oval/shared.xml b/linux_os/guide/system/software/integrity/crypto/ssh_client_rekey_limit/oval/shared.xml
+index 2412763e3f..41fa0497ae 100644
+--- a/linux_os/guide/system/software/integrity/crypto/ssh_client_rekey_limit/oval/shared.xml
++++ b/linux_os/guide/system/software/integrity/crypto/ssh_client_rekey_limit/oval/shared.xml
+@@ -1,28 +1,17 @@
+-{{% set filepath = "/etc/ssh/ssh_config.d/02-rekey-limit.conf" -%}}
+-
+ 
+ <def-group>
+   <definition class="compliance" id="{{{ rule_id }}}" version="1">
+     <metadata>
+       <title>{{{ rule_title }}}</title>
+       {{{- oval_affected(products) }}}
+-      <description>Ensure 'RekeyLimit' is configured with the correct value in '{{{ filepath }}}'</description>
++      <description>Ensure 'RekeyLimit' is configured with the correct value in /etc/ssh/ssh_config and /etc/ssh/ssh_config.d/*.conf</description>
+     </metadata>
+-    <criteria comment="RekeyLimit is correctly configured for ssh client">
+-      {{{- oval_line_in_file_criterion(filepath, "RekeyLimit") }}}
++    <criteria comment="RekeyLimit is correctly configured for ssh client" operator="AND">
++      <criterion comment="check that RekeyLimit is not configured in /etc/ssh/ssh_config" test_ref="test_ssh_client_rekey_limit_main_config" negate="true" />
++      <criterion comment="check correct RekeyLimit configuration in /etc/ssh/ssh_config.d/*.conf" test_ref="test_ssh_client_rekey_limit_include_configs" />
+     </criteria>
+   </definition>
+ 
+-  <ind:textfilecontent54_test check="all" check_existence="all_exist" comment="tests the value of RekeyLimit setting in the  file" id="test_ssh_client_rekey_limit" version="1">
+-     <ind:object object_ref="obj_ssh_client_rekey_limit"/>
+-  </ind:textfilecontent54_test>
+-
+-  <ind:textfilecontent54_object id="obj_ssh_client_rekey_limit" version="1">
+-     <ind:filepath>{{{ filepath }}}</ind:filepath>
+-     <ind:pattern var_ref="ssh_client_line_regex" operation="pattern match"></ind:pattern>
+-     <ind:instance datatype="int" operation="greater than or equal">1</ind:instance>
+-  </ind:textfilecontent54_object>
+-
+   <local_variable id="ssh_client_line_regex" datatype="string" comment="The regex of the directive" version="1">
+     <concat>
+       <literal_component>^[\s]*RekeyLimit[\s]+</literal_component>
+@@ -35,5 +24,26 @@
+ 
+   <external_variable comment="Size component of the rekey limit" datatype="string" id="var_ssh_client_rekey_limit_size" version="1" />
+   <external_variable comment="Time component of the rekey limit" datatype="string" id="var_ssh_client_rekey_limit_time" version="1" />
+-</def-group>
+ 
++
++  <ind:textfilecontent54_test check="all" check_existence="all_exist" comment="tests the value of RekeyLimit setting in /etc/ssh/ssh_config file" id="test_ssh_client_rekey_limit_main_config" version="1">
++     <ind:object object_ref="obj_ssh_client_rekey_limit_main_config"/>
++  </ind:textfilecontent54_test>
++
++  <ind:textfilecontent54_object id="obj_ssh_client_rekey_limit_main_config" version="1">
++     <ind:filepath>/etc/ssh/ssh_config</ind:filepath>
++     <ind:pattern operation="pattern match">^[\s]*RekeyLimit.*$</ind:pattern>
++     <ind:instance datatype="int" operation="greater than or equal">1</ind:instance>
++  </ind:textfilecontent54_object>
++
++  <ind:textfilecontent54_test check="all" check_existence="all_exist" comment="tests the value of RekeyLimit setting in /etc/ssh/ssh_config.d/*.conf" id="test_ssh_client_rekey_limit_include_configs" version="1">
++     <ind:object object_ref="obj_ssh_client_rekey_limit_include_configs"/>
++  </ind:textfilecontent54_test>
++
++  <ind:textfilecontent54_object id="obj_ssh_client_rekey_limit_include_configs" version="1">
++     <ind:filepath operation="pattern match">^/etc/ssh/ssh_config\.d/.*\.conf$</ind:filepath>
++     <ind:pattern var_ref="ssh_client_line_regex" operation="pattern match"></ind:pattern>
++     <ind:instance datatype="int" operation="greater than or equal">1</ind:instance>
++  </ind:textfilecontent54_object>
++
++</def-group>
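Review bot: `obj_ssh_client_rekey_limit_include_configs` collects only the lines that already match `ssh_client_line_regex`, so a `RekeyLimit` with a different value in another `/etc/ssh/ssh_config.d/*.conf` file is never seen by the test. The rule description in this series says files are processed in lexicographical order and that no file processed before `02-rekey-limit.conf` may define `RekeyLimit`, yet the check passes with a conflicting line in an earlier file as long as one compliant line exists somewhere. I would collect every `RekeyLimit` line under the directory and require each of them to match the expected value through a state, as sketched below. The `ssh_client_line_regex` definition is only partly visible in the first hunk, so whether it is anchored at the end should be confirmed.

```xml
<!-- … unchanged: test_ssh_client_rekey_limit_main_config and its object … -->

<ind:textfilecontent54_test check="all" check_existence="all_exist" comment="every RekeyLimit line in /etc/ssh/ssh_config.d/*.conf carries the expected value" id="test_ssh_client_rekey_limit_include_configs" version="1">
   <ind:object object_ref="obj_ssh_client_rekey_limit_include_configs"/>
   <ind:state state_ref="ste_ssh_client_rekey_limit_include_configs"/>
</ind:textfilecontent54_test>

<ind:textfilecontent54_object id="obj_ssh_client_rekey_limit_include_configs" version="1">
   <ind:filepath operation="pattern match">^/etc/ssh/ssh_config\.d/.*\.conf$</ind:filepath>
   <ind:pattern operation="pattern match">^[\s]*RekeyLimit.*$</ind:pattern>
   <ind:instance datatype="int" operation="greater than or equal">1</ind:instance>
</ind:textfilecontent54_object>

<ind:textfilecontent54_state id="ste_ssh_client_rekey_limit_include_configs" version="1">
   <ind:text operation="pattern match" var_ref="ssh_client_line_regex"/>
</ind:textfilecontent54_state>
```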
+
+From c090301ab1cf43a83994b654ccb2ab0b967d05b4 Mon Sep 17 00:00:00 2001
+From: Vojtech Polasek <vpolasek@redhat.com>
+Date: Thu, 4 Jun 2020 08:24:54 +0200
+Subject: [PATCH 08/11] reqrite remediations
+
+---
+ .../ssh_client_rekey_limit/ansible/shared.yml    | 16 ++++++++++++++++
+ .../crypto/ssh_client_rekey_limit/bash/shared.sh | 13 +++++++++++++
+ 2 files changed, 29 insertions(+)
+
+diff --git a/linux_os/guide/system/software/integrity/crypto/ssh_client_rekey_limit/ansible/shared.yml b/linux_os/guide/system/software/integrity/crypto/ssh_client_rekey_limit/ansible/shared.yml
+index bb6544a0a0..36de503806 100644
+--- a/linux_os/guide/system/software/integrity/crypto/ssh_client_rekey_limit/ansible/shared.yml
++++ b/linux_os/guide/system/software/integrity/crypto/ssh_client_rekey_limit/ansible/shared.yml
+@@ -5,4 +5,20 @@
+ # disruption = low
+ {{{ ansible_instantiate_variables("var_ssh_client_rekey_limit_size", "var_ssh_client_rekey_limit_time") }}}
+ 
++{{{ ansible_lineinfile(msg='Ensure RekeyLimit is not configured in /etc/ssh/ssh_config', path='/etc/ssh/ssh_config', regex='^\s*RekeyLimit.*$', create='no', state='absent') }}}
++
++- name: Collect all include config files for ssh client which configure RekeyLimit
++  find:
++    paths: "/etc/ssh/ssh_config.d/"
++    contains: '^[\s]*RekeyLimit.*$'
++    patterns: "*.config"
++  register: ssh_config_include_files
++
++- name: Remove all occurences of RekeyLimit configuration from include config files of ssh client
++  lineinfile:
++    path: "{{ item }}"
++    regexp: '^[\s]*RekeyLimit.*$'
++    state: "absent"
++  loop: "{{ ssh_config_include_files.files }}"
++
+ {{{ ansible_lineinfile(msg='Ensure that rekey limit is set to {{ var_ssh_client_rekey_limit_size }} {{ var_ssh_client_rekey_limit_time }} in /etc/ssh/ssh_config.d/02-rekey-limit.conf', path='/etc/ssh/ssh_config.d/02-rekey-limit.conf', regex='^\s*RekeyLimit.*$', new_line='RekeyLimit {{ var_ssh_client_rekey_limit_size }} {{ var_ssh_client_rekey_limit_time }}', create='yes', state='present') }}}
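Review bot: The `find` task's `patterns: "*.config"` cannot match the drop-in files this rule is about, which end in `.conf` (the OVAL check and the bash remediation in this series both use `*.conf`). As a result `ssh_config_include_files.files` stays empty and conflicting `RekeyLimit` lines in other include files are never removed. The following `lineinfile` task also passes the whole result entry as `path: "{{ item }}"`, while `find` returns one dictionary per file. I would change the two lines to `patterns: "*.conf"` and `path: "{{ item.path }}"`. The hunk starts at line 5 of the file, so the header above it is not visible here.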
+diff --git a/linux_os/guide/system/software/integrity/crypto/ssh_client_rekey_limit/bash/shared.sh b/linux_os/guide/system/software/integrity/crypto/ssh_client_rekey_limit/bash/shared.sh
+index 43d0971ffc..99f6f63c92 100644
+--- a/linux_os/guide/system/software/integrity/crypto/ssh_client_rekey_limit/bash/shared.sh
++++ b/linux_os/guide/system/software/integrity/crypto/ssh_client_rekey_limit/bash/shared.sh
+@@ -5,4 +5,17 @@
+ 
+ {{{ bash_instantiate_variables("var_ssh_client_rekey_limit_size", "var_ssh_client_rekey_limit_time") }}}
+ 
++main_config="/etc/ssh/ssh_config"
++include_directory="/etc/ssh/ssh_config.d"
++
++if grep -q '^[\s]*RekeyLimit.*$' "$main_config"; then
++  sed -i '/^[\s]*RekeyLimit.*/d' "$main_config"
++fi
++
++for file in "$include_directory"/*.conf; do
++  if grep -q '^[\s]*RekeyLimit.*$' "$file"; then
++    sed -i '/^[\s]*RekeyLimit.*/d' "$file"
++  fi
++done
++
+ {{{ set_config_file(path="/etc/ssh/ssh_config.d/02-rekey-limit.conf", parameter="RekeyLimit", value='$var_ssh_client_rekey_limit_size $var_ssh_client_rekey_limit_time', create=true, insert_before="", insert_after="", insensitive=false, separator=" ", separator_regex="\s\+", prefix_regex="^\s*") }}}
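Review bot: In the added `grep` and `sed` calls, `[\s]` is a bracket expression that matches a backslash or the letter `s`, not whitespace. An indented `RekeyLimit` line in `$main_config` or in a drop-in file is therefore neither detected nor deleted, and can keep taking precedence over the value written to `02-rekey-limit.conf`. The OVAL check uses the same text as a Perl-style pattern, where `[\s]` does mean whitespace, so a scan would presumably keep failing after remediation. Use the POSIX class in all four places, e.g. `grep -q '^[[:space:]]*RekeyLimit' "$file"` and `sed -i '/^[[:space:]]*RekeyLimit/d' "$file"`. The loop should also skip the literal `*.conf` left behind when the directory has no match, `[ -e "$file" ] || continue`.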
+
+From 22b8cb067cfc9d6d48065233973d1dba223ef5a4 Mon Sep 17 00:00:00 2001
+From: Vojtech Polasek <vpolasek@redhat.com>
+Date: Thu, 4 Jun 2020 08:25:14 +0200
+Subject: [PATCH 09/11] add more tests
+
+---
+ .../tests/bad_main_config_good_include_config.fail.sh         | 4 ++++
+ .../ssh_client_rekey_limit/tests/line_in_main_config.fail.sh  | 4 ++++
+ .../tests/ok_different_config_file.pass.sh                    | 3 +++
+ 3 files changed, 11 insertions(+)
+ create mode 100644 linux_os/guide/system/software/integrity/crypto/ssh_client_rekey_limit/tests/bad_main_config_good_include_config.fail.sh
+ create mode 100644 linux_os/guide/system/software/integrity/crypto/ssh_client_rekey_limit/tests/line_in_main_config.fail.sh
+ create mode 100644 linux_os/guide/system/software/integrity/crypto/ssh_client_rekey_limit/tests/ok_different_config_file.pass.sh
+
+diff --git a/linux_os/guide/system/software/integrity/crypto/ssh_client_rekey_limit/tests/bad_main_config_good_include_config.fail.sh b/linux_os/guide/system/software/integrity/crypto/ssh_client_rekey_limit/tests/bad_main_config_good_include_config.fail.sh
+new file mode 100644
+index 0000000000..90314712af
+--- /dev/null
++++ b/linux_os/guide/system/software/integrity/crypto/ssh_client_rekey_limit/tests/bad_main_config_good_include_config.fail.sh
+@@ -0,0 +1,4 @@
++#!/bin/basdh
++
++echo "RekeyLimit 2G 1h" >> /etc/ssh/ssh_config
++echo "RekeyLimit 512M 1h" >> /etc/ssh/ssh_config.d/02-rekey-limit.conf
+diff --git a/linux_os/guide/system/software/integrity/crypto/ssh_client_rekey_limit/tests/line_in_main_config.fail.sh b/linux_os/guide/system/software/integrity/crypto/ssh_client_rekey_limit/tests/line_in_main_config.fail.sh
+new file mode 100644
+index 0000000000..9ba20b0290
+--- /dev/null
++++ b/linux_os/guide/system/software/integrity/crypto/ssh_client_rekey_limit/tests/line_in_main_config.fail.sh
+@@ -0,0 +1,4 @@
++#!/bin/bash
++
++rm -rf /etc/ssh/ssh_config.d/*
++echo "RekeyLimit 512M 1h" >> /etc/ssh/ssh_config
+diff --git a/linux_os/guide/system/software/integrity/crypto/ssh_client_rekey_limit/tests/ok_different_config_file.pass.sh b/linux_os/guide/system/software/integrity/crypto/ssh_client_rekey_limit/tests/ok_different_config_file.pass.sh
+new file mode 100644
+index 0000000000..f725f6936f
+--- /dev/null
++++ b/linux_os/guide/system/software/integrity/crypto/ssh_client_rekey_limit/tests/ok_different_config_file.pass.sh
+@@ -0,0 +1,3 @@
++#!/bin/bash
++
++echo "RekeyLimit 512M 1h" >> /etc/ssh/ssh_config.d/05-some-file.conf
+
+From 78904a0cc4461cc26786289095fd76e8ce15843e Mon Sep 17 00:00:00 2001
+From: Vojtech Polasek <vpolasek@redhat.com>
+Date: Thu, 4 Jun 2020 08:25:29 +0200
+Subject: [PATCH 10/11] extend description and ocil
+
+---
+ .../crypto/ssh_client_rekey_limit/rule.yml    | 19 ++++++++++++++-----
+ 1 file changed, 14 insertions(+), 5 deletions(-)
+
+diff --git a/linux_os/guide/system/software/integrity/crypto/ssh_client_rekey_limit/rule.yml b/linux_os/guide/system/software/integrity/crypto/ssh_client_rekey_limit/rule.yml
+index a1b85b0ee5..76f5f84090 100644
+--- a/linux_os/guide/system/software/integrity/crypto/ssh_client_rekey_limit/rule.yml
++++ b/linux_os/guide/system/software/integrity/crypto/ssh_client_rekey_limit/rule.yml
+@@ -10,6 +10,12 @@ description: |-
+     amount of data that may be transmitted and the time
+     elapsed. To decrease the default limits, put line
+     <tt>RekeyLimit {{{ sub_var_value("var_ssh_client_rekey_limit_size") }}} {{{ sub_var_value("var_ssh_client_rekey_limit_time") }}}</tt> to file <tt>/etc/ssh/ssh_config.d/02-rekey-limit.conf</tt>.
++    Make sure that there is no other <tt>RekeyLimit</tt> configuration preceding
++    the <tt>include</tt> directive in the main config file
++    <tt>/etc/ssh/ssh_config</tt>. Check also other files in
++    <tt>/etc/ssh/ssh_config.d</tt> directory. Files are processed according to
++    their names. Make sure that there is no file processed before
++    <tt>02-rekey-limit.conf</tt> containing definition of <tt>RekeyLimit</tt>.
+ 
+ rationale: |-
+     By decreasing the limit based on the amount of data and enabling
+@@ -27,8 +33,11 @@ references:
+ ocil_clause: 'it is commented out or is not set'
+ 
+ ocil: |-
+-    To check if RekeyLimit is set correctly, run the
+-    following command:
+-    <pre>$ sudo grep RekeyLimit /etc/ssh/ssh_config.d/02-rekey-limit.conf</pre>
+-    If configured properly, output should be
+-    <pre>RekeyLimit {{{ sub_var_value("var_ssh_client_rekey_limit_size") }}} {{{ sub_var_value("var_ssh_client_rekey_limit_time") }}}</pre>
++    To check if RekeyLimit is set correctly, run the following command: <pre>$
++    sudo grep RekeyLimit /etc/ssh/ssh_config.d/*.conf</pre> If configured
++    properly, output should be <pre>/etc/ssh/ssh_config.d/02-rekey-limit.conf:
++    RekeyLimit {{{ sub_var_value("var_ssh_client_rekey_limit_size") }}} {{{
++    sub_var_value("var_ssh_client_rekey_limit_time") }}}</pre> Check also the
++    main configuration file with the following command: <pre>sudo grep
++    RekeyLimit /etc/ssh/ssh_config</pre> The command should not return any
++    output.
+
+From 854d5c9d1e1a44e97fe59aeaace687adcff620d5 Mon Sep 17 00:00:00 2001
+From: Vojtech Polasek <vpolasek@redhat.com>
+Date: Mon, 8 Jun 2020 11:44:44 +0200
+Subject: [PATCH 11/11] fix typos and wording
+
+---
+ .../integrity/crypto/ssh_client_rekey_limit/rule.yml     | 5 +++--
+ .../tests/bad_main_config_good_include_config.fail.sh    | 2 +-
+ .../crypto/ssh_client_rekey_limit/tests/bad_size.fail.sh | 1 +
+ .../crypto/ssh_client_rekey_limit/tests/bad_time.fail.sh | 1 +
+ .../crypto/ssh_client_rekey_limit/tests/no_line.fail.sh  | 1 +
+ .../crypto/ssh_client_rekey_limit/tests/ok.pass.sh       | 1 +
+ .../integrity/crypto/var_ssh_client_rekey_limit_size.var | 2 +-
+ .../integrity/crypto/var_ssh_client_rekey_limit_time.var | 9 ++++-----
+ 8 files changed, 13 insertions(+), 9 deletions(-)
+
+diff --git a/linux_os/guide/system/software/integrity/crypto/ssh_client_rekey_limit/rule.yml b/linux_os/guide/system/software/integrity/crypto/ssh_client_rekey_limit/rule.yml
+index 76f5f84090..b054d9d221 100644
+--- a/linux_os/guide/system/software/integrity/crypto/ssh_client_rekey_limit/rule.yml
++++ b/linux_os/guide/system/software/integrity/crypto/ssh_client_rekey_limit/rule.yml
+@@ -14,8 +14,9 @@ description: |-
+     the <tt>include</tt> directive in the main config file
+     <tt>/etc/ssh/ssh_config</tt>. Check also other files in
+     <tt>/etc/ssh/ssh_config.d</tt> directory. Files are processed according to
+-    their names. Make sure that there is no file processed before
+-    <tt>02-rekey-limit.conf</tt> containing definition of <tt>RekeyLimit</tt>.
++    lexicographical order of file names. Make sure that there is no file
++    processed before <tt>02-rekey-limit.conf</tt> containing definition of
++    <tt>RekeyLimit</tt>.
+ 
+ rationale: |-
+     By decreasing the limit based on the amount of data and enabling
+diff --git a/linux_os/guide/system/software/integrity/crypto/ssh_client_rekey_limit/tests/bad_main_config_good_include_config.fail.sh b/linux_os/guide/system/software/integrity/crypto/ssh_client_rekey_limit/tests/bad_main_config_good_include_config.fail.sh
+index 90314712af..58befb0107 100644
+--- a/linux_os/guide/system/software/integrity/crypto/ssh_client_rekey_limit/tests/bad_main_config_good_include_config.fail.sh
++++ b/linux_os/guide/system/software/integrity/crypto/ssh_client_rekey_limit/tests/bad_main_config_good_include_config.fail.sh
+@@ -1,4 +1,4 @@
+-#!/bin/basdh
++#!/bin/bash
+ 
+ echo "RekeyLimit 2G 1h" >> /etc/ssh/ssh_config
+ echo "RekeyLimit 512M 1h" >> /etc/ssh/ssh_config.d/02-rekey-limit.conf
+diff --git a/linux_os/guide/system/software/integrity/crypto/ssh_client_rekey_limit/tests/bad_size.fail.sh b/linux_os/guide/system/software/integrity/crypto/ssh_client_rekey_limit/tests/bad_size.fail.sh
+index 22c465b08f..1803c26629 100644
+--- a/linux_os/guide/system/software/integrity/crypto/ssh_client_rekey_limit/tests/bad_size.fail.sh
++++ b/linux_os/guide/system/software/integrity/crypto/ssh_client_rekey_limit/tests/bad_size.fail.sh
+@@ -1,3 +1,4 @@
++#!/bin/bash
+ # platform = multi_platform_all
+ 
+ 
+diff --git a/linux_os/guide/system/software/integrity/crypto/ssh_client_rekey_limit/tests/bad_time.fail.sh b/linux_os/guide/system/software/integrity/crypto/ssh_client_rekey_limit/tests/bad_time.fail.sh
+index 0dc621b1da..2c9e839255 100644
+--- a/linux_os/guide/system/software/integrity/crypto/ssh_client_rekey_limit/tests/bad_time.fail.sh
++++ b/linux_os/guide/system/software/integrity/crypto/ssh_client_rekey_limit/tests/bad_time.fail.sh
+@@ -1,3 +1,4 @@
++#!/bin/bash
+ # platform = multi_platform_all
+ 
+ 
+diff --git a/linux_os/guide/system/software/integrity/crypto/ssh_client_rekey_limit/tests/no_line.fail.sh b/linux_os/guide/system/software/integrity/crypto/ssh_client_rekey_limit/tests/no_line.fail.sh
+index f6abf711da..7de108eafd 100644
+--- a/linux_os/guide/system/software/integrity/crypto/ssh_client_rekey_limit/tests/no_line.fail.sh
++++ b/linux_os/guide/system/software/integrity/crypto/ssh_client_rekey_limit/tests/no_line.fail.sh
+@@ -1,3 +1,4 @@
++#!/bin/bash
+ # platform = multi_platform_all
+ 
+ echo "some line" > /etc/ssh/ssh_config.d/02-rekey-limit.conf
+diff --git a/linux_os/guide/system/software/integrity/crypto/ssh_client_rekey_limit/tests/ok.pass.sh b/linux_os/guide/system/software/integrity/crypto/ssh_client_rekey_limit/tests/ok.pass.sh
+index 89d7069687..4c047ed179 100644
+--- a/linux_os/guide/system/software/integrity/crypto/ssh_client_rekey_limit/tests/ok.pass.sh
++++ b/linux_os/guide/system/software/integrity/crypto/ssh_client_rekey_limit/tests/ok.pass.sh
+@@ -1,3 +1,4 @@
++#!/bin/bash
+ # platform = multi_platform_all
+ 
+ 
+diff --git a/linux_os/guide/system/software/integrity/crypto/var_ssh_client_rekey_limit_size.var b/linux_os/guide/system/software/integrity/crypto/var_ssh_client_rekey_limit_size.var
+index 4e20104cba..c8dd8ef10e 100644
+--- a/linux_os/guide/system/software/integrity/crypto/var_ssh_client_rekey_limit_size.var
++++ b/linux_os/guide/system/software/integrity/crypto/var_ssh_client_rekey_limit_size.var
+@@ -7,7 +7,7 @@ description: |-
+     of data. After this amount of data is transferred through the connection,
+     the session key is renegotiated. The number is followed by K, M or G for
+     kilobytes, megabytes or gigabytes. Note that the RekeyLimit can be also
+-    configured according to ellabsed time.
++    configured according to elapsed time.
+ 
+ interactive: true
+ 
+diff --git a/linux_os/guide/system/software/integrity/crypto/var_ssh_client_rekey_limit_time.var b/linux_os/guide/system/software/integrity/crypto/var_ssh_client_rekey_limit_time.var
+index 6143a5448c..6223e8e38f 100644
+--- a/linux_os/guide/system/software/integrity/crypto/var_ssh_client_rekey_limit_time.var
++++ b/linux_os/guide/system/software/integrity/crypto/var_ssh_client_rekey_limit_time.var
+@@ -3,11 +3,10 @@ documentation_complete: true
+ title: 'SSH client RekeyLimit - time'
+ 
+ description: |-
+-    Specify the time component of the rekey limit. This limit signifies amount
+-    of data. The session key is renegotiated after the defined amount of time
+-    passes. The number is followed by units such as H or M for hours or minutes.
+-    Note that the RekeyLimit can be also configured according to amount of
+-    transfered data.
++    Specify the time component of the rekey limit. The session key is
++    renegotiated after the defined amount of time passes. The number is followed
++    by units such as H or M for hours or minutes. Note that the RekeyLimit can
++    be also configured according to amount of transfered data.
+ 
+ interactive: true
+ 
diff --git a/SOURCES/scap-security-guide-0.1.52-fix_hipaa_description.patch b/SOURCES/scap-security-guide-0.1.52-fix_hipaa_description.patch
new file mode 100644
index 0000000..801edff
--- /dev/null
+++ b/SOURCES/scap-security-guide-0.1.52-fix_hipaa_description.patch
@@ -0,0 +1,43 @@
+From 5a5b3bdead44bd24fb138bd7b9785d4e0809ff4b Mon Sep 17 00:00:00 2001
+From: Vojtech Polasek <vpolasek@redhat.com>
+Date: Tue, 28 Jul 2020 13:22:58 +0200
+Subject: [PATCH 1/2] update wording for rhel7 profile
+
+---
+ rhel7/profiles/hipaa.profile | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/rhel7/profiles/hipaa.profile b/rhel7/profiles/hipaa.profile
+index 4310561323..000441de52 100644
+--- a/rhel7/profiles/hipaa.profile
++++ b/rhel7/profiles/hipaa.profile
+@@ -12,6 +12,7 @@ description: |-
+ 
+     This profile configures Red Hat Enterprise Linux 7 to the HIPAA Security
+     Rule identified for securing of electronic protected health information.
++    Use of this profile in no way guarantees or makes claims against legal compliance against the HIPAA Security Rule(s).
+ 
+ selections:
+     - grub2_password
+
+From 0c5cc87c4f8aaed8eb199b77440ae0dc64658e4a Mon Sep 17 00:00:00 2001
+From: Vojtech Polasek <vpolasek@redhat.com>
+Date: Tue, 28 Jul 2020 13:23:18 +0200
+Subject: [PATCH 2/2] update wording for rhel8 profile
+
+---
+ rhel8/profiles/hipaa.profile | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/rhel8/profiles/hipaa.profile b/rhel8/profiles/hipaa.profile
+index 8d20f9019c..0cb7fbed1f 100644
+--- a/rhel8/profiles/hipaa.profile
++++ b/rhel8/profiles/hipaa.profile
+@@ -12,6 +12,7 @@ description: |-
+ 
+     This profile configures Red Hat Enterprise Linux 8 to the HIPAA Security
+     Rule identified for securing of electronic protected health information.
++    Use of this profile in no way guarantees or makes claims against legal compliance against the HIPAA Security Rule(s).   
+ 
+ selections:
+     - grub2_password
diff --git a/SOURCES/scap-security-guide-0.1.52-fix_scapval_call_PR_6005.patch b/SOURCES/scap-security-guide-0.1.52-fix_scapval_call_PR_6005.patch
new file mode 100644
index 0000000..36b46ee
--- /dev/null
+++ b/SOURCES/scap-security-guide-0.1.52-fix_scapval_call_PR_6005.patch
@@ -0,0 +1,52 @@
+From 4c54b1cfb05961bde8248e03d27cabeca967e211 Mon Sep 17 00:00:00 2001
+From: Watson Sato <wsato@redhat.com>
+Date: Mon, 17 Aug 2020 10:59:15 +0200
+Subject: [PATCH] Remove SCAP-1.3 SCAPVAL workarounds
+
+These changes to the DS cause SRC-330 to fail in SCAPVAL-1.3.5.
+In SCAPVAL-1.3.5 was fixed and these false positive workarounds are not
+necessary anymore.
+---
+ tests/run_scapval.py | 26 --------------------------
+ 1 file changed, 26 deletions(-)
+
+diff --git a/tests/run_scapval.py b/tests/run_scapval.py
+index e1dd806ca1..bc2655b9fd 100755
+--- a/tests/run_scapval.py
++++ b/tests/run_scapval.py
+@@ -46,35 +46,9 @@ def process_results(result_path):
+     return ret_val
+ 
+ 
+-def workaround_datastream(datastream_path):
+-    tree = ET.parse(datastream_path)
+-    root = tree.getroot()
+-    # group_id and user_id cannot be zero
+-    # tracked at https://github.com/OVAL-Community/OVAL/issues/23
+-    for group_id_element in root.findall(".//{%s}group_id" % oval_unix_ns):
+-        if group_id_element.text is not None:
+-            group_id_element.text = "-1"
+-    for user_id_element in root.findall(".//{%s}user_id" % oval_unix_ns):
+-        if user_id_element.text is not None:
+-            user_id_element.text = "-1"
+-    # OCIL checks for security_patches_up_to_date is causing fail
+-    # of SRC-377, when requirement is about OVAL checks.
+-    rule_id = "xccdf_org.ssgproject.content_rule_security_patches_up_to_date"
+-    for rule in root.findall(".//{%s}Rule[@id=\"%s\"]" % (xccdf_ns, rule_id)):
+-        for check in rule.findall("{%s}check" % xccdf_ns):
+-            system = check.get("system")
+-            if system == "http://scap.nist.gov/schema/ocil/2":
+-                rule.remove(check)
+-    output_path = datastream_path + ".workaround.xml"
+-    tree.write(output_path)
+-    return output_path
+-
+-
+ def test_datastream(datastream_path,  scapval_path, scap_version):
+     result_path = datastream_path + ".result.xml"
+     report_path = datastream_path + ".report.html"
+-    if scap_version == "1.3":
+-        datastream_path = workaround_datastream(datastream_path)
+     scapval_command = [
+             "java",
+             "-Xmx1024m",
diff --git a/SOURCES/scap-security-guide-0.1.52-ospp_missing_ssh_PR_6007.patch b/SOURCES/scap-security-guide-0.1.52-ospp_missing_ssh_PR_6007.patch
new file mode 100644
index 0000000..88f8237
--- /dev/null
+++ b/SOURCES/scap-security-guide-0.1.52-ospp_missing_ssh_PR_6007.patch
@@ -0,0 +1,48 @@
+From eb3a18cea5776038d0aeef0299083fcd282a0177 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Mat=C4=9Bj=20T=C3=BD=C4=8D?= <matyc@redhat.com>
+Date: Mon, 17 Aug 2020 15:56:40 +0200
+Subject: [PATCH] Add a missing Crypto Policy rule to OSPP.
+
+The rule fell out by mistake, this addition complements #4682
+---
+ rhel8/profiles/ospp.profile                     | 1 +
+ tests/data/profile_stability/rhel8/ospp.profile | 1 +
+ tests/data/profile_stability/rhel8/stig.profile | 5 +++--
+ 3 files changed, 5 insertions(+), 2 deletions(-)
+
+diff --git a/rhel8/profiles/ospp.profile b/rhel8/profiles/ospp.profile
+index 5b5b5b711a..a651885eef 100644
+--- a/rhel8/profiles/ospp.profile
++++ b/rhel8/profiles/ospp.profile
+@@ -235,6 +235,7 @@ selections:
+     - enable_fips_mode
+     - var_system_crypto_policy=fips_ospp
+     - configure_crypto_policy
++    - configure_ssh_crypto_policy
+     - configure_bind_crypto_policy
+     - configure_openssl_crypto_policy
+     - configure_libreswan_crypto_policy
+diff --git a/tests/data/profile_stability/rhel8/ospp.profile b/tests/data/profile_stability/rhel8/ospp.profile
+index 5aa3592496..13c4e6b08d 100644
+--- a/tests/data/profile_stability/rhel8/ospp.profile
++++ b/tests/data/profile_stability/rhel8/ospp.profile
+@@ -62,6 +62,7 @@ selections:
+ - configure_kerberos_crypto_policy
+ - configure_libreswan_crypto_policy
+ - configure_openssl_crypto_policy
++- configure_ssh_crypto_policy
+ - configure_tmux_lock_after_time
+ - configure_tmux_lock_command
+ - configure_usbguard_auditbackend
+diff --git a/tests/data/profile_stability/rhel8/stig.profile b/tests/data/profile_stability/rhel8/stig.profile
+index 9b164eb5c2..c7fe02169a 100644
+--- a/tests/data/profile_stability/rhel8/stig.profile
++++ b/tests/data/profile_stability/rhel8/stig.profile
+@@ -77,6 +77,7 @@ selections:
+ - configure_kerberos_crypto_policy
+ - configure_libreswan_crypto_policy
+ - configure_openssl_crypto_policy
++- configure_ssh_crypto_policy
+ - configure_tmux_lock_after_time
+ - configure_tmux_lock_command
+ - configure_usbguard_auditbackend
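Review bot: The diffstat in this patch's header does not match its body. It announces `tests/data/profile_stability/rhel8/stig.profile | 5 +++--` and `3 files changed, 5 insertions(+), 2 deletions(-)`, but the only stig.profile hunk (`@@ -77,6 +77,7 @@`) adds a single line, so the carried file holds three insertions and no deletions. It looks as if part of the upstream commit was dropped when the backport was prepared, although the header still carries the upstream commit's hash and statistics. Because this data pins which rules the OSPP and STIG profiles are expected to select, the trimming should be recorded where an auditor will see it, for example as a comment above the `Patch17:` line: `# PR 6007, trimmed: part of the stig.profile stability change omitted (<reason>)`.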
diff --git a/SOURCES/scap-security-guide-0.1.52-ospp_missing_ssh_srg-PR_6008.patch b/SOURCES/scap-security-guide-0.1.52-ospp_missing_ssh_srg-PR_6008.patch
new file mode 100644
index 0000000..c469fe6
--- /dev/null
+++ b/SOURCES/scap-security-guide-0.1.52-ospp_missing_ssh_srg-PR_6008.patch
@@ -0,0 +1,22 @@
+From 87e62e90df9995de6aca436e9242c0ac4d72e136 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Mat=C4=9Bj=20T=C3=BD=C4=8D?= <matyc@redhat.com>
+Date: Tue, 18 Aug 2020 13:55:12 +0200
+Subject: [PATCH] Added SRG to configure_ssh_crypto_policy
+
+https://www.stigviewer.com/stig/general_purpose_operating_system_srg/2016-04-25/finding/V-56935
+---
+ .../integrity/crypto/configure_ssh_crypto_policy/rule.yml        | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/linux_os/guide/system/software/integrity/crypto/configure_ssh_crypto_policy/rule.yml b/linux_os/guide/system/software/integrity/crypto/configure_ssh_crypto_policy/rule.yml
+index e2dd99dbb5..51788a3226 100644
+--- a/linux_os/guide/system/software/integrity/crypto/configure_ssh_crypto_policy/rule.yml
++++ b/linux_os/guide/system/software/integrity/crypto/configure_ssh_crypto_policy/rule.yml
+@@ -24,6 +24,7 @@ identifiers:
+ references:
+     nist: AC-17(a),AC-17(2),CM-6(a),MA-4(6),SC-13
+     cis@rhel8: 5.2.20
++    srg: SRG-OS-000250-GPOS-00093
+ 
+ ocil_clause: 'the CRYPTO_POLICY variable is not set or is commented in the /etc/sysconfig/sshd'
+ 
diff --git a/SPECS/scap-security-guide.spec b/SPECS/scap-security-guide.spec
index d073a0c..7cd18e6 100644
--- a/SPECS/scap-security-guide.spec
+++ b/SPECS/scap-security-guide.spec
@@ -1,6 +1,6 @@
 Name:		scap-security-guide
 Version:	0.1.50
-Release:	8%{?dist}
+Release:	10%{?dist}
 Summary:	Security guidance and baselines in SCAP formats
 Group:		Applications/System
 License:	BSD
@@ -23,6 +23,14 @@ Patch11:		scap-security-guide-0.1.51-create_macro_selinux_remediation_PR_5785.pa
 Patch12:		scap-security-guide-0.1.51-fix_rsyslog_rules_PR_5763.patch
 Patch13:		scap-security-guide-0.1.51-openssl_crypto_PR_5885.patch
 Patch14:		scap-security-guide-0.1.52-harden-openssl-crypto-policy_PR_5925.patch
+Patch15:		scap-security-guide-0.1.52-fix_hipaa_description.patch
+Patch16:		scap-security-guide-0.1.52-fix_scapval_call_PR_6005.patch
+Patch17:		scap-security-guide-0.1.52-ospp_missing_ssh_PR_6007.patch
+Patch18:		scap-security-guide-0.1.52-ospp_missing_ssh_srg-PR_6008.patch
+Patch19:		scap-security-guide-0.1.51-parametrize-ssh-PR5772.patch
+Patch20:		scap-security-guide-0.1.51-parametrize-ssh-PR5782.patch
+Patch21:		scap-security-guide-0.1.51-parametrize-ssh-PR5788.patch
+
 BuildArch:	noarch
 
 # To get python3 inside the buildroot require its path explicitly in BuildRequires
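Review bot: The three `0.1.51-parametrize-ssh` patches are declared as Patch19 to Patch21, after the 0.1.52 backports, and the `%prep` hunk below applies them in that same order (`%patch19 -p1` to `%patch21 -p1`). Patch17 (PR 6007) and Patch19 (PR 5772) both modify `rhel8/profiles/ospp.profile`. PR 6007 is dated August 2020 and PR 5772 May 2020, so the `@@ -235,6 +235,7 @@` hunk in Patch17 was presumably generated on a tree that already contained PR 5772. Applying them in the reverse order therefore relies on patch's offset tolerance rather than on matching line numbers. Either number the parametrize-ssh patches ahead of the 0.1.52 ones, or record the intent next to the declarations with a comment such as `# Patch19-21: 0.1.51 rekey-limit changes, deliberately applied after the 0.1.52 backports`.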
@@ -71,6 +79,13 @@ present in %{name} package.
 %patch12 -p1
 %patch13 -p1
 %patch14 -p1
+%patch15 -p1
+%patch16 -p1
+%patch17 -p1
+%patch18 -p1
+%patch19 -p1
+%patch20 -p1
+%patch21 -p1
 mkdir build
 
 %build
@@ -105,6 +120,15 @@ cd build
 %doc %{_docdir}/%{name}/tables/*.html
 
 %changelog
+* Mon Aug 17 2020 Matěj Týč <matyc@redhat.com> - 0.1.50-10
+- Update the scapval invocation (RHBZ#1815007)
+- Re-added the SSH Crypto Policy rule to OSPP, and added an SRG to the rule (RHBZ#1815007)
+- Change the spec file macro invocation from patch to Patch
+- Fix the rekey limit in ssh/sshd rules (RHBZ#1813066)
+
+* Wed Aug 05 2020 Vojtech Polasek <vpolasek@redhat.com> - 0.1.50-9
+- fix description of HIPAA profile (RHBZ#1867559)
+
 * Fri Jul 17 2020 Watson Sato <wsato@redhat.com> - 0.1.50-8
 - Add rule to harden OpenSSL crypto-policy (RHBZ#1852928)
   - Remove CCM from TLS Ciphersuites