diff --git a/linux_os/guide/services/ssh/ssh_client/group.yml b/linux_os/guide/services/ssh/ssh_client/group.yml
new file mode 100644
index 0000000000..62ead28ee1
--- /dev/null
+++ b/linux_os/guide/services/ssh/ssh_client/group.yml
@@ -0,0 +1,11 @@
+documentation_complete: true
+
+title: 'Configure OpenSSH Client if Necessary'
+
+description: |-
+ The following configuration changes apply to the SSH client. They can
+ improve security parameters relwevant to the client user, e.g. increasing
+ entropy while generating initialization vectors. Note that these changes
+ influence only the default SSH client configuration. Changes in this group
+ can be overridden by the client user by modifying files within the
+
~/.ssh
directory or by supplying parameters on the command line.
diff --git a/linux_os/guide/services/ssh/ssh_client/ssh_client_use_strong_rng_csh/ansible/shared.yml b/linux_os/guide/services/ssh/ssh_client/ssh_client_use_strong_rng_csh/ansible/shared.yml
new file mode 100644
index 0000000000..a9f579ae04
--- /dev/null
+++ b/linux_os/guide/services/ssh/ssh_client/ssh_client_use_strong_rng_csh/ansible/shared.yml
@@ -0,0 +1,19 @@
+# platform = Red Hat Enterprise Linux 8
+# reboot = false
+# strategy = configure
+# complexity = low
+# disruption = low
+
+- name: "Ensure that correct variable is exported in /etc/profile.d/cc-ssh-strong-rng.csh"
+ lineinfile:
+ path: /etc/profile.d/cc-ssh-strong-rng.csh
+ regexp: '^[\s]*setenv[\s]+SSH_USE_STRONG_RNG.*$'
+ line: 'setenv SSH_USE_STRONG_RNG 32'
+ state: present
+ create: yes
+
+- name: "Ensure that the configuration is not overridden in /etc/profile"
+ lineinfile:
+ path: /etc/profile
+ regexp: '^[\s]*setenv[\s]+SSH_USE_STRONG_RNG.*$'
+ state: absent
diff --git a/linux_os/guide/services/ssh/ssh_client/ssh_client_use_strong_rng_csh/bash/shared.sh b/linux_os/guide/services/ssh/ssh_client/ssh_client_use_strong_rng_csh/bash/shared.sh
new file mode 100644
index 0000000000..a3b0b3a9c6
--- /dev/null
+++ b/linux_os/guide/services/ssh/ssh_client/ssh_client_use_strong_rng_csh/bash/shared.sh
@@ -0,0 +1,8 @@
+#!/bin/bash
+# platform = Red Hat Enterprise Linux 8
+
+# put line into the file
+echo "setenv SSH_USE_STRONG_RNG 32" > /etc/profile.d/cc-ssh-strong-rng.csh
+
+# remove eventual override in /etc/profile
+sed -i '/^[[:space:]]*setenv[[:space:]]\+SSH_USE_STRONG_RNG.*$/d' /etc/profile
diff --git a/linux_os/guide/services/ssh/ssh_client/ssh_client_use_strong_rng_csh/oval/shared.xml b/linux_os/guide/services/ssh/ssh_client/ssh_client_use_strong_rng_csh/oval/shared.xml
new file mode 100644
index 0000000000..fe6d3a5f25
--- /dev/null
+++ b/linux_os/guide/services/ssh/ssh_client/ssh_client_use_strong_rng_csh/oval/shared.xml
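Review bot: The second task removes `setenv SSH_USE_STRONG_RNG` lines from /etc/profile, but /etc/profile is a Bourne-shell file that csh-family shells never source (and in which `setenv` is not valid syntax); on RHEL the csh login files are /etc/csh.cshrc and /etc/csh.login, so an override placed there goes undetected. The same /etc/profile path is used by the `sed -i` in the csh bash/shared.sh hunk and by the second file object in the csh oval/shared.xml hunk, so all three should target the csh login files, and line_overridden_in_etc_profile.fail.sh would then need to write its override there too. Separately, the first task relies on `create: yes` without fixing ownership or permissions even though every file under /etc/profile.d is sourced by each login shell; add `owner: root`, `group: root` and `mode: "0644"` to the task (and write the flag as `create: true`), which also applies to the sh variant of this task later in the diff.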
@@ -0,0 +1,36 @@ + + + {{{ oval_metadata("Ensure the SSH_USE_STRONG_RNG environment variable is exported in /etc/profile.d/cc-ssh-strong-rng.csh and is not overridden in /etc/profile") }}} + + + + + + + + + + + + + /etc/profile.d/cc-ssh-strong-rng.csh + ^[\s]*setenv[\s]+SSH_USE_STRONG_RNG[\s]+([\d]+)$ + 1 + + + + + + + + /etc/profile + ^[\s]*setenv[\s]+SSH_USE_STRONG_RNG.*$ + 1 + + + + 32 + + + \ No newline at end of file diff --git a/linux_os/guide/services/ssh/ssh_client/ssh_client_use_strong_rng_csh/rule.yml b/linux_os/guide/services/ssh/ssh_client/ssh_client_use_strong_rng_csh/rule.yml new file mode 100644 index 0000000000..a2b9bfa37d --- /dev/null +++ b/linux_os/guide/services/ssh/ssh_client/ssh_client_use_strong_rng_csh/rule.yml @@ -0,0 +1,36 @@ +documentation_complete: true + +prodtype: rhel8 + +title: 'SSH client uses strong entropy to seed (for CSH like shells)' + +description: |- + To set up SSH client to use entropy from a high-quality source, make sure + that the appropriate shell environment variable is configured. The + SSH_USE_STRONG_RNG environment variable determines how many bytes + of entropy to use. Make sure that the file + /etc/profile.d/cc-ssh-strong-rng.csh contains line +
setenv SSH_USE_STRONG_RNG 32
.
+
+rationale: |-
+ Some SSH implementations use the openssl library for entropy, which by default, doesn't use high-entropy sources.
+ Randomness is needed to generate considerably more secure data-encryption keys. Plaintext padding, initialization vectors
+ in encryption algorithms, and high-quality entropy eliminates the possibility that the output of
+ the random number generator used by SSH would be known to potential attackers.
+
+severity: medium
+
+identifiers:
+ cce@rhel8: CCE-83349-1
+
+references:
+ ospp: FCS_CKM.1.1
+ srg: SRG-OS-000480-GPOS-00227
+
+ocil_clause: 'SSH client is not configured to use 32 bytes of entropy or more'
+
+ocil: |-
+ Run the following command to verify that SSH client is configured to use 32 bytes of entropy:
+
grep SSH_USE_STRONG_RNG /etc/profile.d/cc-ssh-strong-rng.csh
+ It should return the following output:
+
setenv SSH_USE_STRONG_RNG 32
.
diff --git a/linux_os/guide/services/ssh/ssh_client/ssh_client_use_strong_rng_csh/tests/correct.pass.sh b/linux_os/guide/services/ssh/ssh_client/ssh_client_use_strong_rng_csh/tests/correct.pass.sh
new file mode 100644
index 0000000000..4cfafa9f96
--- /dev/null
+++ b/linux_os/guide/services/ssh/ssh_client/ssh_client_use_strong_rng_csh/tests/correct.pass.sh
@@ -0,0 +1,3 @@
+#!/bin/bash
+
+echo "setenv SSH_USE_STRONG_RNG 32" > /etc/profile.d/cc-ssh-strong-rng.csh
diff --git a/linux_os/guide/services/ssh/ssh_client/ssh_client_use_strong_rng_csh/tests/file_missing.fail.sh b/linux_os/guide/services/ssh/ssh_client/ssh_client_use_strong_rng_csh/tests/file_missing.fail.sh
new file mode 100644
index 0000000000..c2fead5697
--- /dev/null
+++ b/linux_os/guide/services/ssh/ssh_client/ssh_client_use_strong_rng_csh/tests/file_missing.fail.sh
@@ -0,0 +1,3 @@
+#!/bin/bash
+
+rm -f /etc/profile.d/cc-ssh-strong-rng.csh
\ No newline at end of file
diff --git a/linux_os/guide/services/ssh/ssh_client/ssh_client_use_strong_rng_csh/tests/line_commented.fail.sh b/linux_os/guide/services/ssh/ssh_client/ssh_client_use_strong_rng_csh/tests/line_commented.fail.sh
new file mode 100644
index 0000000000..4a0d26165b
--- /dev/null
+++ b/linux_os/guide/services/ssh/ssh_client/ssh_client_use_strong_rng_csh/tests/line_commented.fail.sh
@@ -0,0 +1,3 @@
+#!/bin/bash
+
+echo "#setenv SSH_USE_STRONG_RNG 32" > /etc/profile.d/cc-ssh-strong-rng.csh
diff --git a/linux_os/guide/services/ssh/ssh_client/ssh_client_use_strong_rng_csh/tests/line_followed_by_wrong_line.fail.sh b/linux_os/guide/services/ssh/ssh_client/ssh_client_use_strong_rng_csh/tests/line_followed_by_wrong_line.fail.sh
new file mode 100644
index 0000000000..5fbccb5f29
--- /dev/null
+++ b/linux_os/guide/services/ssh/ssh_client/ssh_client_use_strong_rng_csh/tests/line_followed_by_wrong_line.fail.sh
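Review bot: The `ocil` text says `grep SSH_USE_STRONG_RNG /etc/profile.d/cc-ssh-strong-rng.csh` should return exactly `setenv SSH_USE_STRONG_RNG 32`, which contradicts the `ocil_clause` ("32 bytes of entropy or more") and the use_more_entropy.pass.sh scenario that accepts 64, so a manual auditor following the OCIL would fail a compliant system. A bare grep also matches the commented-out `#setenv` line that line_commented.fail.sh says must fail; anchor the pattern, e.g. `grep '^[[:space:]]*setenv[[:space:]]\+SSH_USE_STRONG_RNG' /etc/profile.d/cc-ssh-strong-rng.csh`, and phrase the expected result as a line that sets the variable to 32 or more. The sh rule.yml later in this diff has the same mismatch between its `ocil` and `ocil_clause`.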
@@ -0,0 +1,4 @@
+#!/bin/bash
+
+echo "setenv SSH_USE_STRONG_RNG 32" > /etc/profile.d/cc-ssh-strong-rng.csh
+echo "setenv SSH_USE_STRONG_RNG 8" >> /etc/profile.d/cc-ssh-strong-rng.csh
diff --git a/linux_os/guide/services/ssh/ssh_client/ssh_client_use_strong_rng_csh/tests/line_overridden_in_etc_profile.fail.sh b/linux_os/guide/services/ssh/ssh_client/ssh_client_use_strong_rng_csh/tests/line_overridden_in_etc_profile.fail.sh
new file mode 100644
index 0000000000..d93d1151f8
--- /dev/null
+++ b/linux_os/guide/services/ssh/ssh_client/ssh_client_use_strong_rng_csh/tests/line_overridden_in_etc_profile.fail.sh
@@ -0,0 +1,4 @@
+#!/bin/bash
+
+echo "setenv SSH_USE_STRONG_RNG 32" >> /etc/profile.d/cc-ssh-strong-rng.csh
+echo "setenv SSH_USE_STRONG_RNG 8" >> /etc/profile
diff --git a/linux_os/guide/services/ssh/ssh_client/ssh_client_use_strong_rng_csh/tests/use_more_entropy.pass.sh b/linux_os/guide/services/ssh/ssh_client/ssh_client_use_strong_rng_csh/tests/use_more_entropy.pass.sh
new file mode 100644
index 0000000000..d73f22ce5d
--- /dev/null
+++ b/linux_os/guide/services/ssh/ssh_client/ssh_client_use_strong_rng_csh/tests/use_more_entropy.pass.sh
@@ -0,0 +1,3 @@
+#!/bin/bash
+
+echo "setenv SSH_USE_STRONG_RNG 64" > /etc/profile.d/cc-ssh-strong-rng.csh
diff --git a/linux_os/guide/services/ssh/ssh_client/ssh_client_use_strong_rng_sh/ansible/shared.yml b/linux_os/guide/services/ssh/ssh_client/ssh_client_use_strong_rng_sh/ansible/shared.yml
new file mode 100644
index 0000000000..d19ee819c0
--- /dev/null
+++ b/linux_os/guide/services/ssh/ssh_client/ssh_client_use_strong_rng_sh/ansible/shared.yml
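Review bot: No scenario exercises a single value below the threshold in the profile.d file, although the rule's `ocil_clause` states the requirement as 32 bytes or more; line_followed_by_wrong_line.fail.sh only covers a low value appended after a correct one. A `value_too_low.fail.sh` that writes just `echo "setenv SSH_USE_STRONG_RNG 8" > /etc/profile.d/cc-ssh-strong-rng.csh` would pin the comparison the OVAL performs against 32. In line_overridden_in_etc_profile.fail.sh the first line is appended with `>>` while every other scenario overwrites with `>`, so if the file already exists the scenario's content depends on what was there; use `>` for the first write. The sh test directory mirrors both points.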
@@ -0,0 +1,19 @@ +# platform = Red Hat Enterprise Linux 8 +# reboot = false +# strategy = configure +# complexity = low +# disruption = low + +- name: "Ensure that correct variable is exported in /etc/profile.d/cc-ssh-strong-rng.sh" + lineinfile: + path: /etc/profile.d/cc-ssh-strong-rng.sh + regexp: '^[\s]*export[\s]+SSH_USE_STRONG_RNG=.*$' + line: 'export SSH_USE_STRONG_RNG=32' + state: present + create: yes + +- name: "Ensure that the configuration is not overridden in /etc/profile" + lineinfile: + path: /etc/profile + regexp: '^[\s]*export[\s]+SSH_USE_STRONG_RNG=.*$' + state: absent diff --git a/linux_os/guide/services/ssh/ssh_client/ssh_client_use_strong_rng_sh/bash/shared.sh b/linux_os/guide/services/ssh/ssh_client/ssh_client_use_strong_rng_sh/bash/shared.sh new file mode 100644 index 0000000000..07e45f1dfa --- /dev/null +++ b/linux_os/guide/services/ssh/ssh_client/ssh_client_use_strong_rng_sh/bash/shared.sh @@ -0,0 +1,8 @@ +#!/bin/bash +# platform = Red Hat Enterprise Linux 8 + +# put line into the file +echo "export SSH_USE_STRONG_RNG=32" > /etc/profile.d/cc-ssh-strong-rng.sh + +# remove eventual override in /etc/profile +sed -i '/^[[:space:]]*export[[:space:]]\+SSH_USE_STRONG_RNG=.*$/d' /etc/profile diff --git a/linux_os/guide/services/ssh/ssh_client/ssh_client_use_strong_rng_sh/oval/shared.xml b/linux_os/guide/services/ssh/ssh_client/ssh_client_use_strong_rng_sh/oval/shared.xml new file mode 100644 index 0000000000..23bda9bf83 --- /dev/null +++ b/linux_os/guide/services/ssh/ssh_client/ssh_client_use_strong_rng_sh/oval/shared.xml @@ -0,0 +1,36 @@ + + + {{{ oval_metadata("Ensure the SSH_USE_STRONG_RNG environment variable is exported in /etc/profile.d/cc-ssh-strong-rng.sh and is not overridden in /etc/profile") }}} + + + + + + + + + + + + + /etc/profile.d/cc-ssh-strong-rng.sh + ^[\s]*export[\s]+SSH_USE_STRONG_RNG=([\d]+)$ + 1 + + + + + + + + /etc/profile + ^[\s]*export[\s]+SSH_USE_STRONG_RNG=.*$ + 1 + + + + 32 + + + \ No newline at end of file 
diff --git a/linux_os/guide/services/ssh/ssh_client/ssh_client_use_strong_rng_sh/rule.yml b/linux_os/guide/services/ssh/ssh_client/ssh_client_use_strong_rng_sh/rule.yml
new file mode 100644
index 0000000000..3de4df0a2e
--- /dev/null
+++ b/linux_os/guide/services/ssh/ssh_client/ssh_client_use_strong_rng_sh/rule.yml
@@ -0,0 +1,36 @@
+documentation_complete: true
+
+prodtype: rhel8
+
+title: 'SSH client uses strong entropy to seed (Bash-like shells)'
+
+description: |-
+ To set up SSH client to use entropy from a high-quality source, make sure
+ that the appropriate shell environment variable is configured. The
+ SSH_USE_STRONG_RNG environment variable determines how many bytes
+ of entropy to use. Make sure that the file
+ /etc/profile.d/cc-ssh-strong-rng.sh contains line
+
export SSH_USE_STRONG_RNG=32
.
+
+rationale: |-
+ Some SSH implementations use the openssl library for entropy, which by default, doesn't use high-entropy sources.
+ Randomness is needed to generate considerably more secure data-encryption keys. Plaintext padding, initialization vectors
+ in encryption algorithms, and high-quality entropy eliminates the possibility that the output of
+ the random number generator used by SSH would be known to potential attackers.
+
+severity: medium
+
+identifiers:
+ cce@rhel8: CCE-83346-7
+
+references:
+ ospp: FCS_CKM.1.1
+ srg: SRG-OS-000480-GPOS-00227
+
+ocil_clause: 'SSH client is not configured to use 32 bytes of entropy or more'
+
+ocil: |-
+ Run the following command to verify that SSH client is configured to use 32 bytes of entropy:
+
grep SSH_USE_STRONG_RNG /etc/profile.d/cc-ssh-strong-rng.sh
+ The output should be:
+
export SSH_USE_STRONG_RNG=32
diff --git a/linux_os/guide/services/ssh/ssh_client/ssh_client_use_strong_rng_sh/tests/correct.pass.sh b/linux_os/guide/services/ssh/ssh_client/ssh_client_use_strong_rng_sh/tests/correct.pass.sh
new file mode 100644
index 0000000000..8dc01bb3b5
--- /dev/null
+++ b/linux_os/guide/services/ssh/ssh_client/ssh_client_use_strong_rng_sh/tests/correct.pass.sh
@@ -0,0 +1,3 @@
+#!/bin/bash
+
+echo "export SSH_USE_STRONG_RNG=32" > /etc/profile.d/cc-ssh-strong-rng.sh
diff --git a/linux_os/guide/services/ssh/ssh_client/ssh_client_use_strong_rng_sh/tests/file_missing.fail.sh b/linux_os/guide/services/ssh/ssh_client/ssh_client_use_strong_rng_sh/tests/file_missing.fail.sh
new file mode 100644
index 0000000000..feab751995
--- /dev/null
+++ b/linux_os/guide/services/ssh/ssh_client/ssh_client_use_strong_rng_sh/tests/file_missing.fail.sh
@@ -0,0 +1,3 @@
+#!/bin/bash
+
+rm -f /etc/profile.d/cc-ssh-strong-rng.sh
diff --git a/linux_os/guide/services/ssh/ssh_client/ssh_client_use_strong_rng_sh/tests/line_commented.fail.sh b/linux_os/guide/services/ssh/ssh_client/ssh_client_use_strong_rng_sh/tests/line_commented.fail.sh
new file mode 100644
index 0000000000..f77cfabfe4
--- /dev/null
+++ b/linux_os/guide/services/ssh/ssh_client/ssh_client_use_strong_rng_sh/tests/line_commented.fail.sh
@@ -0,0 +1,3 @@
+#!/bin/bash
+
+echo "#export SSH_USE_STRONG_RNG=32" > /etc/profile.d/cc-ssh-strong-rng.sh
diff --git a/linux_os/guide/services/ssh/ssh_client/ssh_client_use_strong_rng_sh/tests/line_followed_by_wrong_line.fail.sh b/linux_os/guide/services/ssh/ssh_client/ssh_client_use_strong_rng_sh/tests/line_followed_by_wrong_line.fail.sh
new file mode 100644
index 0000000000..acbe72da2c
--- /dev/null
+++ b/linux_os/guide/services/ssh/ssh_client/ssh_client_use_strong_rng_sh/tests/line_followed_by_wrong_line.fail.sh
@@ -0,0 +1,4 @@
+#!/bin/bash
+
+echo "export SSH_USE_STRONG_RNG=32" > /etc/profile.d/cc-ssh-strong-rng.sh
+echo "export SSH_USE_STRONG_RNG=8" >> /etc/profile.d/cc-ssh-strong-rng.sh
diff --git a/linux_os/guide/services/ssh/ssh_client/ssh_client_use_strong_rng_sh/tests/line_overridden_in_etc_profile.fail.sh b/linux_os/guide/services/ssh/ssh_client/ssh_client_use_strong_rng_sh/tests/line_overridden_in_etc_profile.fail.sh new file mode 100644 index 0000000000..38ce27729d --- /dev/null +++ b/linux_os/guide/services/ssh/ssh_client/ssh_client_use_strong_rng_sh/tests/line_overridden_in_etc_profile.fail.sh @@ -0,0 +1,4 @@ +#!/bin/bash + +echo "export SSH_USE_STRONG_RNG=32" > /etc/profile.d/cc-ssh-strong-rng.sh +echo "export SSH_USE_STRONG_RNG=8" >> /etc/profile diff --git a/linux_os/guide/services/ssh/ssh_client/ssh_client_use_strong_rng_sh/tests/use_more_entropy.pass.sh b/linux_os/guide/services/ssh/ssh_client/ssh_client_use_strong_rng_sh/tests/use_more_entropy.pass.sh new file mode 100644 index 0000000000..2b3b0fbeca --- /dev/null +++ b/linux_os/guide/services/ssh/ssh_client/ssh_client_use_strong_rng_sh/tests/use_more_entropy.pass.sh @@ -0,0 +1,3 @@ +#!/bin/bash + +echo "export SSH_USE_STRONG_RNG=64" > /etc/profile.d/cc-ssh-strong-rng.sh diff --git a/rhel8/profiles/ospp.profile b/rhel8/profiles/ospp.profile index 687b948b34..755573a6f9 100644 --- a/rhel8/profiles/ospp.profile +++ b/rhel8/profiles/ospp.profile @@ -427,6 +427,10 @@ selections: - var_ssh_client_rekey_limit_size=1G - var_ssh_client_rekey_limit_time=1hour +# configure ssh client to use strong entropy + - ssh_client_use_strong_rng_sh + - ssh_client_use_strong_rng_csh + # zIPl specific rules - zipl_bls_entries_only - zipl_bootmap_is_up_to_date diff --git a/tests/data/profile_stability/rhel8/ospp.profile b/tests/data/profile_stability/rhel8/ospp.profile index 8bbc01f0d5..4bfb91de9d 100644 --- a/tests/data/profile_stability/rhel8/ospp.profile +++ b/tests/data/profile_stability/rhel8/ospp.profile 
@@ -175,6 +175,8 @@ selections:
 - service_systemd-coredump_disabled
 - service_usbguard_enabled
 - ssh_client_rekey_limit
+- ssh_client_use_strong_rng_csh
+- ssh_client_use_strong_rng_sh
 - sshd_disable_empty_passwords
 - sshd_disable_gssapi_auth
 - sshd_disable_kerb_auth
diff --git a/tests/data/profile_stability/rhel8/stig.profile b/tests/data/profile_stability/rhel8/stig.profile
index e1915d648b..adace8fd54 100644
--- a/tests/data/profile_stability/rhel8/stig.profile
+++ b/tests/data/profile_stability/rhel8/stig.profile
@@ -199,6 +199,8 @@ selections:
 - service_usbguard_enabled
 - smartcard_configure_cert_checking
 - ssh_client_rekey_limit
+- ssh_client_use_strong_rng_csh
+- ssh_client_use_strong_rng_sh
 - sshd_disable_empty_passwords
 - sshd_disable_gssapi_auth
 - sshd_disable_kerb_auth
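Review bot: The stability snapshot for stig gains both rules, but the only profile source changed in this diff is rhel8/profiles/ospp.profile; this is consistent only if the rhel8 STIG profile extends OSPP and inherits its selections, which cannot be confirmed from the hunk. If it does not, this expected-output change will make the stability test fail for stig, and rhel8/profiles/stig.profile would need `- ssh_client_use_strong_rng_sh` and `- ssh_client_use_strong_rng_csh` added explicitly.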