ComplianceAsCode · jan-cerny · Oct 20, 2025 · Oct 27, 2025 · Oct 27, 2025 · Oct 27, 2025
diff --git a/components/crypto-policies.yml b/components/crypto-policies.yml
@@ -12,6 +12,10 @@ rules:
 - configure_openssl_crypto_policy
 - configure_openssl_tls_crypto_policy
 - configure_ssh_crypto_policy
+- crypto_sub_policy_sshd_ciphers
+- crypto_sub_policy_sshd_macs
+- crypto_sub_policy_sshd_cbc
+- crypto_sub_policy_weak_macs
 - harden_openssl_crypto_policy
 - harden_ssh_client_crypto_policy
 - harden_sshd_ciphers_openssh_conf_crypto_policy

diff --git a/components/openssh.yml b/components/openssh.yml
@@ -9,6 +9,9 @@ packages:
 - openssh-clients
 - openssh-server
 rules:
+- crypto_sub_policy_sshd_cbc
+- crypto_sub_policy_sshd_ciphers
+- crypto_sub_policy_sshd_macs
 - directory_groupowner_sshd_config_d
 - directory_owner_sshd_config_d
 - directory_permissions_sshd_config_d

@@ -556,24 +556,18 @@ controls:
       levels:
           - l1_server
           - l1_workstation
-      status: pending
-      notes: |-
-          It is necessary a new rule to ensure a module disabling CBC in
-          /etc/crypto-policies/policies/modules/ so it can be used by update-crypto-policies command.
-      related_rules:
-          - configure_crypto_policy
+      status: automated
+      rules:
+          - crypto_sub_policy_sshd_cbc
 
     - id: 1.6.4
       title: Ensure system wide crypto policy disables macs less than 128 bits (Automated)
       levels:
           - l1_server
           - l1_workstation
-      status: pending
-      notes: |-
-          It is necessary a new rule to ensure a module disabling weak MACs in
-          /etc/crypto-policies/policies/modules/ so it can be used by update-crypto-policies command.
-      related_rules:
-          - configure_crypto_policy
+      status: automated
+      rules:
+          - crypto_sub_policy_weak_macs
 
     - id: 1.7.1
       title: Ensure message of the day is configured properly (Automated)
@@ -1504,8 +1498,7 @@ controls:
       notes: |-
           Introduced in CIS RHEL8 v3.0.0
       rules:
-          - sshd_use_approved_ciphers
-          - sshd_approved_ciphers=cis_rhel8
+          - crypto_sub_policy_sshd_ciphers
 
     - id: 4.2.7
       title: Ensure sshd ClientAliveInterval and ClientAliveCountMax are configured (Automated)
@@ -1594,8 +1587,7 @@ controls:
           - l1_workstation
       status: automated
       rules:
-          - sshd_use_strong_macs
-          - sshd_strong_macs=cis_rhel8
+          - crypto_sub_policy_sshd_macs
 
     - id: 4.2.15
       title: Ensure sshd MaxAuthTries is configured (Automated)

diff --git a/docs/templates/template_reference.md b/docs/templates/template_reference.md
@@ -245,6 +245,21 @@
 
 -   Languages: OVAL, Kubernetes
 
+#### crypto_sub_policy
+-   Configures a sub policy for system wide crypto policies. Creates a module
+    file `module_name.pmod` in `/etc/crypto-policies/policies/modules/` that
+    contains `key = value`. Then, it applies this module.
+
+-   Parameters:
+
+    -   **module_name** - crypto sub policy name, eg. `NO-SSHWEAKCIPHERS`
+
+    -   **key** - entry key, eg. `cipher@SSH`
+
+    -   **value** - entry value, eg. `-3DES-CBC -AES-128-CBC -AES-192-CBC -AES-256-CBC -CHACHA20-POLY1305`
+
+-   Languages: Ansible, Bash, OVAL
+
 #### dconf_ini_file
 -   Checks for `dconf` configuration. Additionally checks if the
     configuration is locked so it cannot be overridden by the user.

diff --git a/linux_os/guide/system/software/integrity/crypto/crypto_sub_policy_sshd_cbc/rule.yml b/linux_os/guide/system/software/integrity/crypto/crypto_sub_policy_sshd_cbc/rule.yml
@@ -0,0 +1,33 @@
+documentation_complete: true
+
+title: Implement Custom Crypto Policy to disable CBC mode ciphers
+
+{{% set module_name = "NO-SSHCBC" %}}
+{{% set key = "cipher@SSH" %}}
+{{% set value = "-*-CBC" %}}
+
+description: |-
+    Create a custom crypto policy module for SSHD to disable CBC mode ciphers.
+    {{{ describe_crypto_sub_policy(module_name, key, value) }}}
+
+rationale: |-
+    CBC mode ciphers are vulnerable to certain attacks, such as the BEAST attack.
+    Disabling CBC mode ciphers helps protect against these attacks and ensures that only
+    strong, proven cryptographic algorithms are used to protect SSH communications.
+
+severity: medium
+
+identifiers:
+    cce@rhel8: CCE-86956-0
+
+ocil_clause: 'the custom crypto policy module for SSHD to disable CBC mode ciphers does not exist'
+
+ocil: |-
+    {{{ ocil_crypto_sub_policy(module_name, key, value) }}}
+
+template:
+    name: crypto_sub_policy
+    vars:
+        module_name: {{{ module_name }}}
+        key: {{{ key }}}
+        value: {{{ value }}}
diff --git a/linux_os/guide/system/software/integrity/crypto/crypto_sub_policy_sshd_ciphers/rule.yml b/linux_os/guide/system/software/integrity/crypto/crypto_sub_policy_sshd_ciphers/rule.yml
@@ -0,0 +1,32 @@
+documentation_complete: true
+
+title: Implement Custom Crypto Policy for SSHD Ciphers
+
+{{% set module_name = "NO-SSHWEAKCIPHERS" %}}
+{{% set key = "cipher@SSH" %}}
+{{% set value = "-3DES-CBC -AES-128-CBC -AES-192-CBC -AES-256-CBC -CHACHA20-POLY1305" %}}
+
+description: |-
+    Create a custom crypto policy module for SSHD to enforce the use of strong ciphers.
+    {{{ describe_crypto_sub_policy(module_name, key, value) }}}
+
+rationale: |-
+    Weak ciphers that are used for authentication to the cryptographic module cannot be
+    relied upon to provide confidentiality or integrity, and system data may be compromised.
+
+severity: medium
+
+identifiers:
+    cce@rhel8: CCE-86707-7
+
+ocil_clause: 'the custom crypto policy module for SSH does not exist'
+
+ocil: |-
+    {{{ ocil_crypto_sub_policy(module_name, key, value) }}}
+
+template:
+    name: crypto_sub_policy
+    vars:
+        module_name: {{{ module_name }}}
+        key: {{{ key }}}
+        value: {{{ value }}}
diff --git a/linux_os/guide/system/software/integrity/crypto/crypto_sub_policy_sshd_macs/rule.yml b/linux_os/guide/system/software/integrity/crypto/crypto_sub_policy_sshd_macs/rule.yml
@@ -0,0 +1,36 @@
+documentation_complete: true
+
+title: Implement Custom Crypto Policy for SSHD MACs
+
+{{% set module_name = "NO-SSHWEAKMACS" %}}
+{{% set key = "mac@SSH" %}}
+{{% set value = "-HMAC-MD5* -UMAC-64* -UMAC-128*" %}}
+
+description: |-
+    Create a custom crypto policy module for SSHD to enforce the use of strong MACs.
+    {{{ describe_crypto_sub_policy(module_name, key, value) }}}
+
+rationale: |-
+    Message Authentication Codes (MACs) are cryptographic mechanisms used to verify the
+    integrity and authenticity of data transmitted over SSH connections. Weak MACs that
+    are used for authentication to the cryptographic module cannot be relied upon to
+    provide integrity, and system data may be compromised. Implementing a custom crypto
+    policy that disables weak MAC algorithms helps ensure that only strong, proven
+    cryptographic algorithms are used to protect SSH communications.
+
+severity: medium
+
+identifiers:
+    cce@rhel8: CCE-86952-9
+
+ocil_clause: 'the custom crypto policy module for SSH does not exist'
+
+ocil: |-
+    {{{ ocil_crypto_sub_policy(module_name, key, value) }}}
+
+template:
+    name: crypto_sub_policy
+    vars:
+        module_name: {{{ module_name }}}
+        key: {{{ key }}}
+        value: {{{ value }}}
diff --git a/linux_os/guide/system/software/integrity/crypto/crypto_sub_policy_weak_macs/rule.yml b/linux_os/guide/system/software/integrity/crypto/crypto_sub_policy_weak_macs/rule.yml
@@ -0,0 +1,36 @@
+documentation_complete: true
+
+title: Implement Custom Crypto Policy to Disable Weak MAC Algorithms
+
+{{% set module_name = "NO-WEAKMAC" %}}
+{{% set key = "mac" %}}
+{{% set value = "-*-128*" %}}
+
+description: |-
+    Create a custom crypto policy module to disable weak MACs.
+    {{{ describe_crypto_sub_policy(module_name, key, value) }}}
+
+rationale: |-
+    Message Authentication Codes (MACs) are cryptographic mechanisms used to verify the
+    integrity and authenticity of data transmitted over SSH connections. Weak MACs
+    that are used for authentication to the cryptographic module cannot be relied upon to
+    provide integrity, and system data may be compromised. Implementing a custom crypto
+    policy that disables weak MAC algorithms helps ensure that only strong, proven
+    cryptographic algorithms are used to protect system data.
+
+severity: medium
+
+identifiers:
+    cce@rhel8: CCE-86958-6
+
+ocil_clause: 'the custom crypto policy module to disable weak MACs does not exist'
+
+ocil: |-
+    {{{ ocil_crypto_sub_policy(module_name, key, value) }}}
+
+template:
+    name: crypto_sub_policy
+    vars:
+        module_name: {{{ module_name }}}
+        key: {{{ key }}}
+        value: {{{ value }}}
@@ -726,3 +726,4 @@ selections:
     - service_rlogin_disabled
     - service_zebra_disabled
     - package_rsh-server_removed
+    - sshd_use_strong_macs
diff --git a/shared/macros/01-general.jinja b/shared/macros/01-general.jinja
@@ -1446,3 +1446,20 @@ Create a rule description for rules using the `audit_rules_kernel_module_loading
     If the <tt>auditd</tt> daemon is configured to use the <tt>auditctl</tt> utility,
     add the line to file <tt>/etc/audit/audit.rules</tt>.
 {{% endmacro %}}
+
+{{#
+Create a description text for rules that use the crypto_sub_policy template.
+
+:param module_name: crypto sub policy name, eg. `NO-SSHWEAKCIPHERS`
+:type module_name: str
+:param key: The entry key, eg. cipher@SSH
+:type key: str
+:param value: The entry value, eg. -3DES-CBC -AES-128-CBC -AES-192-CBC -AES-256-CBC -CHACHA20-POLY1305
+:type value: str
+#}}
+{{% macro describe_crypto_sub_policy(module_name, key, value) %}}
+    Add the following line to the file <tt>/etc/crypto-policies/policies/modules/{{{ module_name }}}.pmod</tt>:
+    <pre>
+    {{{ key }}} = {{{ value }}}
+    </pre>
+{{%- endmacro %}}
diff --git a/shared/macros/10-ocil.jinja b/shared/macros/10-ocil.jinja
@@ -1538,3 +1538,20 @@ Create an OCIL text for rules that use the audit_rules_watch platform.
     -w {{{ path }}} -p wa -k {{{ key }}}
 {{% endif %}}
 {{% endmacro %}}
+
+{{#
+Create an OCIL text for rules that use the crypto_sub_policy template.
+
+:param module_name: crypto sub policy name, eg. `NO-SSHWEAKCIPHERS`
+:type module_name: str
+:param key: The entry key, eg. cipher@SSH
+:type key: str
+:param value: The entry value, eg. -3DES-CBC -AES-128-CBC -AES-192-CBC -AES-256-CBC -CHACHA20-POLY1305
+:type value: str
+#}}
+{{% macro ocil_crypto_sub_policy(module_name, key, value) %}}
+    Verify that <tt>/etc/crypto-policies/policies/modules/{{{ module_name }}}.pmod</tt> exists and has the following content:
+    <pre>
+    {{{ key }}} = {{{ value }}}
+    </pre>
+{{% endmacro %}}
diff --git a/shared/references/cce-redhat-avail.txt b/shared/references/cce-redhat-avail.txt
@@ -72,7 +72,6 @@ CCE-86702-8
 CCE-86703-6
 CCE-86704-4
 CCE-86706-9
-CCE-86707-7
 CCE-86708-5
 CCE-86709-3
 CCE-86710-1
@@ -172,10 +171,7 @@ CCE-86934-7
 CCE-86935-4
 CCE-86936-2
 CCE-86937-0
-CCE-86952-9
 CCE-86955-2
-CCE-86956-0
-CCE-86958-6
 CCE-86959-4
 CCE-86963-6
 CCE-86965-1

diff --git a/shared/templates/crypto_sub_policy/ansible.template b/shared/templates/crypto_sub_policy/ansible.template
@@ -0,0 +1,26 @@
+# platform = multi_platform_all
+# reboot = true
+# strategy = configure
+# complexity = low
+# disruption = low
+
+-   name: "{{{ rule_title }}} - Create custom crypto policy - {{{ KEY }}}"
+    ansible.builtin.lineinfile:
+        path: /etc/crypto-policies/policies/modules/{{{ MODULE_NAME }}}.pmod
+        owner: root
+        group: root
+        mode: '0644'
+        line: {{{ KEY }}} = {{{ VALUE }}}
+        create: true
+        regexp: "{{{ KEY }}}"
+
+-   name: "{{{ rule_title }}} - Check current crypto policy"
+    ansible.builtin.command: update-crypto-policies --show
+    register: current_crypto_policy
+    changed_when: false
+    failed_when: false
+    check_mode: false
+
+-   name: "{{{ rule_title }}} - Update crypto-policies"
+    ansible.builtin.command: update-crypto-policies --set DEFAULT:{{{ MODULE_NAME }}}
+    when: current_crypto_policy.stdout.strip() != "DEFAULT:{{{ MODULE_NAME }}}"
diff --git a/shared/templates/crypto_sub_policy/bash.template b/shared/templates/crypto_sub_policy/bash.template
@@ -0,0 +1,9 @@
+# platform = multi_platform_all
+# reboot = true
+# strategy = configure
+# complexity = low
+# disruption = low
+
+{{{ bash_file_contents("/etc/crypto-policies/policies/modules/" ~ MODULE_NAME ~ ".pmod", KEY ~ " = " ~ VALUE) }}}
+
+sudo update-crypto-policies --set DEFAULT:{{{ MODULE_NAME }}}
diff --git a/shared/templates/crypto_sub_policy/oval.template b/shared/templates/crypto_sub_policy/oval.template
@@ -0,0 +1,21 @@
+<def-group>
+    <definition class="compliance" id="{{{ rule_id }}}" version="1">
+        {{{ oval_metadata("Ensure that the custom crypto policy module " ~ MODULE_NAME ~ " is configured", rule_title=rule_title) }}}
+        <criteria operator="AND" comment="Ensure that all of the correct lines are in the file.">
+            <criterion comment="Check that {{{ KEY }}} is configured"
+                       test_ref="test_{{{ rule_id }}}"/>
+        </criteria>
+    </definition>
+        <ind:textfilecontent54_test check="all"
+                                    comment="Tests that {{{ KEY }}} is configured correctly."
+                                    id="test_{{{ rule_id }}}" version="1">
+
+            <ind:object object_ref="obj_{{{ rule_id }}}"/>
+        </ind:textfilecontent54_test>
+        <ind:textfilecontent54_object id="obj_{{{ rule_id }}}" version="1">
+            <ind:path>/etc/crypto-policies/policies/modules/</ind:path>
+            <ind:filename>{{{ MODULE_NAME }}}.pmod</ind:filename>
+            <ind:pattern operation="pattern match">^{{{ KEY }}} = {{{ VALUE | escape_regex }}}$</ind:pattern>
+            <ind:instance datatype="int">1</ind:instance>
+        </ind:textfilecontent54_object>
+</def-group>
diff --git a/shared/templates/crypto_sub_policy/template.yml b/shared/templates/crypto_sub_policy/template.yml
@@ -0,0 +1,4 @@
+supported_languages:
+  - ansible
+  - bash
+  - oval
@@ -0,0 +1,4 @@
+#!/bin/bash
+cat > /etc/crypto-policies/policies/modules/{{{ MODULE_NAME }}}.pmod << EOF
+{{{ KEY }}} = {{{ VALUE }}}
+EOF
@@ -0,0 +1,2 @@
+#!/bin/bash
+touch /etc/crypto-policies/policies/modules/{{{ MODULE_NAME }}}.pmod
@@ -0,0 +1,6 @@
+#!/bin/bash
+
+if [[ -f /etc/crypto-policies/policies/modules/{{{ MODULE_NAME }}}.pmod ]]
+then
+  rm /etc/crypto-policies/policies/modules/{{{ MODULE_NAME }}}.pmod
+fi
@@ -0,0 +1,4 @@
+#!/bin/bash
+cat > /etc/crypto-policies/policies/modules/{{{ MODULE_NAME }}}.pmod << EOF
+{{{ KEY }}} = ABCDEFGHIJKLMNOPQRSTUVWXYZ
+EOF
Original file line number	Diff line number	Diff line change
		@@ -0,0 +1,2 @@
		#!/bin/bash
		touch /etc/crypto-policies/policies/modules/{{{ MODULE_NAME }}}.pmod