From 52bcc51bd539a4d181e585999925967938c65891 Mon Sep 17 00:00:00 2001
From: Armando Acosta
Date: Tue, 3 Mar 2026 12:58:23 -0600
Subject: [PATCH 1/2] Remove configure_ssh_crypto_policy from OL9 profiles
The variable CRYPTO_POLICY is no longer honored by sshd on OL 9
Signed-off-by: Armando Acosta
---
 controls/ccn_ol9.yml | 4 ++--
 products/ol9/profiles/e8.profile | 1 +
 products/ol9/profiles/hipaa.profile | 1 +
 products/ol9/profiles/ospp.profile | 1 -
 products/ol9/profiles/pci-dss.profile | 1 +
 5 files changed, 5 insertions(+), 3 deletions(-)
diff --git a/controls/ccn_ol9.yml b/controls/ccn_ol9.yml
index c065f65c5eb2..ec263c9b4823 100644
--- a/controls/ccn_ol9.yml
+++ b/controls/ccn_ol9.yml
@@ -321,7 +321,7 @@ controls:
 - advanced
 status: automated
 rules:
- - configure_ssh_crypto_policy
+ - configure_crypto_policy
 - id: A.5.SEC-OL7
 title: Network Session Inactivity is Controlled
@@ -655,7 +655,7 @@ controls:
 notes: |-
 It overlaps the rule in A.5.SEC-OL6 requirement
 related_rules:
- - configure_ssh_crypto_policy
+ - configure_crypto_policy
 - id: A.11.SEC-OL7
 title: GUI Idle Time is Limited
diff --git a/products/ol9/profiles/e8.profile b/products/ol9/profiles/e8.profile
index 3d47fe491c0f..18fbc4757f7d 100644
--- a/products/ol9/profiles/e8.profile
+++ b/products/ol9/profiles/e8.profile
@@ -27,3 +27,4 @@ selections:
 - '!package_talk_removed'
 - '!package_talk-server_removed'
 - '!ensure_redhat_gpgkey_installed'
+ - '!configure_ssh_crypto_policy'
diff --git a/products/ol9/profiles/hipaa.profile b/products/ol9/profiles/hipaa.profile
index 23e64e8c5d0b..3e3456216c10 100644
--- a/products/ol9/profiles/hipaa.profile
+++ b/products/ol9/profiles/hipaa.profile
@@ -89,3 +89,4 @@ selections:
 - "!sshd_use_approved_ciphers"
 - "!sshd_use_approved_macs"
 - "!sshd_use_priv_separation"
+ - "!configure_ssh_crypto_policy"
diff --git a/products/ol9/profiles/ospp.profile b/products/ol9/profiles/ospp.profile
index 0acf6672a569..84370f9a3622 100644
--- a/products/ol9/profiles/ospp.profile
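Review bot: In controls/ccn_ol9.yml the `rules:` entry of the control that precedes A.5.SEC-OL7 now lists only `configure_crypto_policy`, which covers the system-wide policy; the hunk shows no remaining rule that checks whether sshd actually follows that policy. If this control is meant to keep asserting SSH cipher strength, it is worth confirming that another selected rule verifies sshd's configuration is not overriding the system policy locally. The same substitution is made under `related_rules:` in the hunk at line 655, so the two entries stay consistent with the existing note about A.5.SEC-OL6. A short comment such as `# sshd on OL9 ignores CRYPTO_POLICY, so the system-wide policy rule is used here` would record why the SSH-specific rule was dropped. Both control entries start above their hunks, so their full rule lists are not visible here.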
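Review bot: The new `'!configure_ssh_crypto_policy'` exclusion at the end of products/ol9/profiles/e8.profile carries no comment, so a later reader cannot tell a deliberate not-applicable decision from an accidental opt-out of a crypto hardening rule. Other exclusions in these profiles are grouped under a stated reason (for example `# Not applicable to OL9, packages not available in OL9` in pci-dss.profile), and the commit message already has the reason for this one. I would add `# sshd on OL9 no longer honors CRYPTO_POLICY, rule not applicable` above the line. The same applies to the additions in the OL9 hipaa and pci-dss profiles and to all seven OL10 profiles in the second patch, with OL10 in the comment.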
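Review bot: In products/ol9/profiles/hipaa.profile the context lines show `sshd_use_approved_ciphers` and `sshd_use_approved_macs` already excluded, so with `configure_ssh_crypto_policy` excluded as well no SSH cipher or MAC rule remains visible in this part of the selections. That is fine only if the profile still selects `configure_crypto_policy`, directly or through whatever it extends, which the hunk does not show. It is worth confirming before merge, since otherwise the HIPAA profile would carry no crypto-policy check covering SSH at all. The selections list begins above the hunk.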
+++ b/products/ol9/profiles/ospp.profile
@@ -135,7 +135,6 @@ selections:
 - enable_fips_mode
 - var_system_crypto_policy=fips_ospp
 - configure_crypto_policy
- - configure_ssh_crypto_policy
 - configure_openssl_crypto_policy
 - enable_dracut_fips_module
diff --git a/products/ol9/profiles/pci-dss.profile b/products/ol9/profiles/pci-dss.profile
index 835e32687f46..935d6700cc4b 100644
--- a/products/ol9/profiles/pci-dss.profile
+++ b/products/ol9/profiles/pci-dss.profile
@@ -62,6 +62,7 @@ selections:
 - '!service_timesyncd_enabled'
 - '!audit_rules_file_deletion_events_renameat2'
 - '!audit_rules_dac_modification_fchmodat2'
+ - '!configure_ssh_crypto_policy'
 # Not applicable to OL9, packages not available in OL9
 - '!package_cryptsetup-luks_installed'
 - '!service_rpcbind_disabled'
From 75f3d19f0e288b25aadd7cd6e395fa4e624c9cc5 Mon Sep 17 00:00:00 2001
From: Armando Acosta
Date: Tue, 10 Mar 2026 10:52:44 -0600
Subject: [PATCH 2/2] Remove configure_ssh_crypto_policy from OL10 profiles
The variable CRYPTO_POLICY is no longer honored by sshd on OL10
Signed-off-by: Armando Acosta
---
 products/ol10/profiles/e8.profile | 1 +
 products/ol10/profiles/hipaa.profile | 1 +
 products/ol10/profiles/ism_o.profile | 1 +
 products/ol10/profiles/ism_o_secret.profile | 1 +
 products/ol10/profiles/ism_o_top_secret.profile | 1 +
 products/ol10/profiles/ospp.profile | 1 +
 products/ol10/profiles/pci-dss.profile | 1 +
 7 files changed, 7 insertions(+)
diff --git a/products/ol10/profiles/e8.profile b/products/ol10/profiles/e8.profile
index 92ef5b8b0541..cb6b3cb6ecdf 100644
--- a/products/ol10/profiles/e8.profile
+++ b/products/ol10/profiles/e8.profile
@@ -33,3 +33,4 @@ selections:
 # authselect is enabled by default
 - '!enable_authselect'
 - var_authselect_profile=local
+ - '!configure_ssh_crypto_policy'
diff --git a/products/ol10/profiles/hipaa.profile b/products/ol10/profiles/hipaa.profile
index 900b942a72a8..6c9bea239ae0 100644
--- a/products/ol10/profiles/hipaa.profile
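Review bot: Every OL10 profile in this patch receives the same `'!configure_ssh_crypto_policy'` line, starting with products/ol10/profiles/e8.profile, which suggests the rule is not applicable to the product as a whole rather than to individual profiles. Per-profile exclusions drift: a profile added later, or a control file that selects the rule, will bring it back, as the edit to controls/ccn_ol9.yml in the first patch illustrates. If the rule definition can restrict applicability by product, doing it there would cover current and future OL10 profiles in one place; the rule file is not part of this patch, so this is something to check rather than a confirmed option. In e8, ospp and pci-dss the new line also lands directly after `var_authselect_profile=local`, so it reads as part of the authselect group; a blank line and its own comment, e.g. `# sshd on OL10 no longer honors CRYPTO_POLICY`, would separate it.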
+++ b/products/ol10/profiles/hipaa.profile
@@ -61,6 +61,7 @@ selections:
 - '!sshd_disable_kerb_auth'
 - '!sshd_disable_gssapi_auth'
 - '!service_rlogin_disabled'
+ - '!configure_ssh_crypto_policy'
 # authselect is enabled by default
 - '!enable_authselect'
diff --git a/products/ol10/profiles/ism_o.profile b/products/ol10/profiles/ism_o.profile
index 346e4cc4a62e..db42368179c0 100644
--- a/products/ol10/profiles/ism_o.profile
+++ b/products/ol10/profiles/ism_o.profile
@@ -75,6 +75,7 @@ selections:
 - '!accounts_password_all_shadowed'
 - '!usbguard_allow_hid_and_hub'
 - '!sshd_allow_only_protocol2'
+ - '!configure_ssh_crypto_policy'
 # Older rules, no longer needed
 - '!security_patches_up_to_date'
diff --git a/products/ol10/profiles/ism_o_secret.profile b/products/ol10/profiles/ism_o_secret.profile
index d4784c6a6dc4..a16c1f8e1ce4 100644
--- a/products/ol10/profiles/ism_o_secret.profile
+++ b/products/ol10/profiles/ism_o_secret.profile
@@ -76,6 +76,7 @@ selections:
 - "!usbguard_allow_hid_and_hub"
 - "!sshd_allow_only_protocol2"
 - var_authselect_profile=local
+ - "!configure_ssh_crypto_policy"
 # Needed for references in other products
 - '!security_patches_up_to_date'
diff --git a/products/ol10/profiles/ism_o_top_secret.profile b/products/ol10/profiles/ism_o_top_secret.profile
index b298e2dc194a..86488417d6c0 100644
--- a/products/ol10/profiles/ism_o_top_secret.profile
+++ b/products/ol10/profiles/ism_o_top_secret.profile
@@ -76,6 +76,7 @@ selections:
 - "!usbguard_allow_hid_and_hub"
 - "!sshd_allow_only_protocol2"
 - var_authselect_profile=local
+ - "!configure_ssh_crypto_policy"
 # Needed for references in other products
 - '!security_patches_up_to_date'
diff --git a/products/ol10/profiles/ospp.profile b/products/ol10/profiles/ospp.profile
index 6344b2d9d587..56d272d9f25d 100644
--- a/products/ol10/profiles/ospp.profile
+++ b/products/ol10/profiles/ospp.profile
@@ -65,3 +65,4 @@ selections:
 - '!zipl_page_alloc_shuffle_argument'
 - '!zipl_systemd_debug-shell_argument_absent'
 - var_authselect_profile=local
+ - '!configure_ssh_crypto_policy'
diff --git a/products/ol10/profiles/pci-dss.profile b/products/ol10/profiles/pci-dss.profile
index 55bb210d97d1..6fd45dbccbd5 100644
--- a/products/ol10/profiles/pci-dss.profile
+++ b/products/ol10/profiles/pci-dss.profile
@@ -77,3 +77,4 @@ selections:
 # Irrelevant for ol10
 - '!enable_dconf_user_profile'
 - var_authselect_profile=local
+ - '!configure_ssh_crypto_policy'