Harden sshd crypto policy rules vs other sshd rules

[jdloft]

Hi,

With the addition of the sshd_use_approved_kex_ordered_stig rule in #10103 (and my subsequent failure to comply on my machines), I decided to start looking at the differences between the crypto policy rules (harden_sshd_ciphers_opensshserver_conf_crypto_policy, harden_sshd_macs_opensshserver_conf_crypto_policy, etc.) and the other sshd hardening rules (sshd_use_approved_ciphers, sshd_use_approved_macs, etc.). This was mostly due to the visual difference between the two types:

Now, from what I can glean from the OVAL files, some differences are:

• The crypto policy rules are only applied to RHEL 8/9, while the other rules are applied to RHEL 7 and others (SLE, Ubuntu)
• The non-crypto policy rules extend installed_OS_is_FIPS_certified
• Some pattern matching differences (regex)

Firstly, are there differences I'm missing here? There doesn't seem to be an obvious technical reason why there is a divide between the RHEL 7 and RHEL 8 rules. Second, is there a reason there is no new RHEL 8 crypto policy equivalent of sshd_use_approved_kex_ordered_stig and instead sshd_use_approved_kex_ordered_stig is applied to both RHEL 7 and RHEL 8+ systems, unlike the other adjacent rules (sshd_use_approved_ciphers and sshd_use_approved_macs)? Thanks!

[jdloft]

The reason I bring this up is because the FIPS-certified rule can be deselected on a non-FIPS-certified distro (i.e. Stream), but the rules that extend installed_OS_is_FIPS_certified can't be deselected without losing other functionality (ensuring the correct key-exchange algos are in the policy).