scap-security-guide/SOURCES/scap-security-guide-0.1.58-rhel8_stig_08_010290-PR_7151.patch

diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_macs_ordered_stig/rule.yml b/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_macs_ordered_stig/rule.yml
index 194d7dfe2dc..b6c5e7f4b0d 100644
--- a/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_macs_ordered_stig/rule.yml
+++ b/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_macs_ordered_stig/rule.yml
@@ -37,7 +37,7 @@ ocil: |-
     MACs are in use, run the following command:
     <pre>$ sudo grep -i macs /etc/ssh/sshd_config</pre>
     The output should contain only following MACs (or a subset) in the exact order:
-    <pre>hmac-sha2-512,hmac-sha2-256</pre>
+    <pre>MACs {{{ xccdf_value("sshd_approved_macs") }}}</pre>
 
 warnings:
     - general: |-
diff --git a/linux_os/guide/system/software/integrity/crypto/harden_sshd_macs_openssh_conf_crypto_policy/ansible/shared.yml b/linux_os/guide/system/software/integrity/crypto/harden_sshd_macs_openssh_conf_crypto_policy/ansible/shared.yml
new file mode 100644
index 00000000000..1c9dde77ee2
--- /dev/null
+++ b/linux_os/guide/system/software/integrity/crypto/harden_sshd_macs_openssh_conf_crypto_policy/ansible/shared.yml
@@ -0,0 +1,16 @@
+# platform = Red Hat Enterprise Linux 8,multi_platform_fedora
+# reboot = true
+# strategy = restrict
+# complexity = low
+# disruption = low
+{{{ ansible_instantiate_variables("sshd_approved_macs") }}}
+
+{{{ ansible_set_config_file(
+        msg='Configure SSH Daemon to Use FIPS 140-2 Validated MACs: openssh.config',
+        file='/etc/crypto-policies/back-ends/openssh.config',
+        parameter='MACs',
+        value="{{ sshd_approved_macs }}",
+        create='yes',
+        prefix_regex='^.*'
+    )
+}}}
diff --git a/linux_os/guide/system/software/integrity/crypto/harden_sshd_macs_openssh_conf_crypto_policy/bash/shared.sh b/linux_os/guide/system/software/integrity/crypto/harden_sshd_macs_openssh_conf_crypto_policy/bash/shared.sh
new file mode 100644
index 00000000000..b26992ce183
--- /dev/null
+++ b/linux_os/guide/system/software/integrity/crypto/harden_sshd_macs_openssh_conf_crypto_policy/bash/shared.sh
@@ -0,0 +1,13 @@
+# platform = Red Hat Enterprise Linux 8,multi_platform_fedora
+. /usr/share/scap-security-guide/remediation_functions
+{{{ bash_instantiate_variables("sshd_approved_macs") }}}
+
+{{{ set_config_file(
+        path="/etc/crypto-policies/back-ends/openssh.config",
+        parameter="MACs",
+        value="${sshd_approved_macs}",
+        create=true,
+        insensitive=false,
+        prefix_regex="^.*"
+	)
+}}}
diff --git a/linux_os/guide/system/software/integrity/crypto/harden_sshd_macs_openssh_conf_crypto_policy/oval/shared.xml b/linux_os/guide/system/software/integrity/crypto/harden_sshd_macs_openssh_conf_crypto_policy/oval/shared.xml
new file mode 100644
index 00000000000..5239af10612
--- /dev/null
+++ b/linux_os/guide/system/software/integrity/crypto/harden_sshd_macs_openssh_conf_crypto_policy/oval/shared.xml
@@ -0,0 +1,35 @@
+{{%- set PATH = "/etc/crypto-policies/back-ends/openssh.config" -%}}
+<def-group>
+  <definition class="compliance" id="{{{ rule_id }}}" version="1">
+    {{{ oval_metadata("Limit the Message Authentication Codes (MACs) to those which are FIPS-approved.") }}}
+    <criteria operator="AND" comment="Test conditions - presence of the file plus.">
+      <criterion comment="Check that {{{ PATH }}} contains FIPS-approved SSHD MACs" test_ref="test_{{{ rule_id }}}" />
+    </criteria>
+  </definition>
+
+  <ind:textfilecontent54_test check="all"
+  comment="test the value of MACs setting in the {{{ PATH }}} file"
+  id="test_{{{ rule_id }}}" version="1">
+    <ind:object object_ref="obj_{{{ rule_id }}}" />
+    <ind:state state_ref="ste_{{{ rule_id }}}" />
+  </ind:textfilecontent54_test>
+
+  <ind:textfilecontent54_object id="obj_{{{ rule_id }}}" version="1">
+    <ind:filepath>{{{ PATH }}}</ind:filepath>
+    <ind:pattern operation="pattern match">^MACs.*$</ind:pattern>
+    <ind:instance operation="greater than or equal" datatype="int">1</ind:instance>
+  </ind:textfilecontent54_object>
+
+  <ind:textfilecontent54_state id="ste_{{{ rule_id }}}" version="1">
+    <ind:text var_ref="sshd_macs_crypto" operation="equals"></ind:text>
+  </ind:textfilecontent54_state>
+
+  <local_variable id="sshd_macs_crypto" datatype="string" comment="The regex of the directive" version="1">
+    <concat>
+      <literal_component>MACs </literal_component>
+      <variable_component var_ref="sshd_approved_macs"/>
+    </concat>
+  </local_variable>
+
+  <external_variable comment="SSH Approved MACs by FIPS" datatype="string" id="sshd_approved_macs" version="1" />
+</def-group>
diff --git a/linux_os/guide/system/software/integrity/crypto/harden_sshd_macs_openssh_conf_crypto_policy/rule.yml b/linux_os/guide/system/software/integrity/crypto/harden_sshd_macs_openssh_conf_crypto_policy/rule.yml
new file mode 100644
index 00000000000..1aeb987db2d
--- /dev/null
+++ b/linux_os/guide/system/software/integrity/crypto/harden_sshd_macs_openssh_conf_crypto_policy/rule.yml
@@ -0,0 +1,60 @@
+documentation_complete: true
+
+prodtype: fedora,rhel8
+
+title: 'Configure SSH Client to Use FIPS 140-2 Validated MACs: openssh.config'
+
+description: |-
+    Crypto Policies provide a centralized control over crypto algorithms usage of many packages.
+    OpenSSH is supported by system crypto policy, but the OpenSSH configuration may be
+    set up incorrectly.
+
+    To check that Crypto Policies settings are configured correctly, ensure that
+    <tt>/etc/crypto-policies/back-ends/openssh.config</tt> contains the following
+    line and is not commented out:
+    <tt>MACs hmac-sha2-512,hmac-sha2-256</tt>
+
+rationale: |-
+    Overriding the system crypto policy makes the behavior of the OpenSSH
+    client violate expectations, and makes system configuration more
+    fragmented.
+
+severity: medium
+
+identifiers:
+    cce@rhel8: CCE-85870-4
+
+references:
+    disa: CCI-001453
+    nist: AC-17(2)
+    srg: SRG-OS-000250-GPOS-00093
+    stigid@rhel8: RHEL-08-010290
+
+ocil_clause: 'Crypto Policy for OpenSSH client is not configured correctly'
+
+ocil: |-
+    To verify if the OpenSSH client uses defined MACs in the Crypto Policy, run:
+    <pre>$ grep -i macs /etc/crypto-policies/back-ends/openssh.config</pre>
+    and verify that the line matches:
+    <pre>MACs hmac-sha2-512,hmac-sha2-256</pre>
+
+warnings:
+    - general: |-
+        The system needs to be rebooted for these changes to take effect.
+    - regulatory: |-
+        System Crypto Modules must be provided by a vendor that undergoes
+        FIPS-140 certifications.
+        FIPS-140 is applicable to all Federal agencies that use
+        cryptographic-based security systems to protect sensitive information
+        in computer and telecommunication systems (including voice systems) as
+        defined in Section 5131 of the Information Technology Management Reform
+        Act of 1996, Public Law 104-106. This standard shall be used in
+        designing and implementing cryptographic modules that Federal
+        departments and agencies operate or are operated for them under
+        contract. See <b>{{{ weblink(link="https://nvlpubs.nist.gov/nistpubs/FIPS/NIST.FIPS.140-2.pdf") }}}</b>
+        To meet this, the system has to have cryptographic software provided by
+        a vendor that has undergone this certification. This means providing
+        documentation, test results, design information, and independent third
+        party review by an accredited lab. While open source software is
+        capable of meeting this, it does not meet FIPS-140 unless the vendor
+        submits to this process.
diff --git a/linux_os/guide/system/software/integrity/crypto/harden_sshd_macs_openssh_conf_crypto_policy/tests/stig_correct.pass.sh b/linux_os/guide/system/software/integrity/crypto/harden_sshd_macs_openssh_conf_crypto_policy/tests/stig_correct.pass.sh
new file mode 100644
index 00000000000..5a4b6887cba
--- /dev/null
+++ b/linux_os/guide/system/software/integrity/crypto/harden_sshd_macs_openssh_conf_crypto_policy/tests/stig_correct.pass.sh
@@ -0,0 +1,15 @@
+#!/bin/bash
+# platform = multi_platform_fedora,Red Hat Enterprise Linux 8
+# profiles = xccdf_org.ssgproject.content_profile_stig
+
+sshd_approved_macs=hmac-sha2-512,hmac-sha2-256
+configfile=/etc/crypto-policies/back-ends/openssh.config
+
+# Ensure directory + file is there
+test -d /etc/crypto-policies/back-ends || mkdir -p /etc/crypto-policies/back-ends
+
+if [[ -f $configfile ]]; then
+    sed -i "s/^.*MACs.*$/MACs ${sshd_approved_macs}/" $configfile
+else
+    echo "MACs ${sshd_approved_macs}" > "$configfile"
+fi
diff --git a/linux_os/guide/system/software/integrity/crypto/harden_sshd_macs_openssh_conf_crypto_policy/tests/stig_correct_commented.fail.sh b/linux_os/guide/system/software/integrity/crypto/harden_sshd_macs_openssh_conf_crypto_policy/tests/stig_correct_commented.fail.sh
new file mode 100644
index 00000000000..e713d254f9c
--- /dev/null
+++ b/linux_os/guide/system/software/integrity/crypto/harden_sshd_macs_openssh_conf_crypto_policy/tests/stig_correct_commented.fail.sh
@@ -0,0 +1,15 @@
+#!/bin/bash
+# platform = multi_platform_fedora,Red Hat Enterprise Linux 8
+# profiles = xccdf_org.ssgproject.content_profile_stig
+
+sshd_approved_macs=hmac-sha2-512,hmac-sha2-256
+configfile=/etc/crypto-policies/back-ends/openssh.config
+
+# Ensure directory + file is there
+test -d /etc/crypto-policies/back-ends || mkdir -p /etc/crypto-policies/back-ends
+
+if [[ -f $configfile ]]; then
+    sed -i "s/^.*MACs.*$/#MACs ${sshd_approved_macs}/" $configfile
+else
+    echo "#MACs ${sshd_approved_macs}" > "$configfile"
+fi
diff --git a/linux_os/guide/system/software/integrity/crypto/harden_sshd_macs_openssh_conf_crypto_policy/tests/stig_correct_followed_by_incorrect_commented.pass.sh b/linux_os/guide/system/software/integrity/crypto/harden_sshd_macs_openssh_conf_crypto_policy/tests/stig_correct_followed_by_incorrect_commented.pass.sh
new file mode 100644
index 00000000000..b8a63bec194
--- /dev/null
+++ b/linux_os/guide/system/software/integrity/crypto/harden_sshd_macs_openssh_conf_crypto_policy/tests/stig_correct_followed_by_incorrect_commented.pass.sh
@@ -0,0 +1,18 @@
+#!/bin/bash
+# platform = multi_platform_fedora,Red Hat Enterprise Linux 8
+# profiles = xccdf_org.ssgproject.content_profile_stig
+
+sshd_approved_macs=hmac-sha2-512,hmac-sha2-256
+configfile=/etc/crypto-policies/back-ends/openssh.config
+
+# Ensure directory + file is there
+test -d /etc/crypto-policies/back-ends || mkdir -p /etc/crypto-policies/back-ends
+
+if [[ -f $configfile ]]; then
+    sed -i "s/^.*MACs.*$/MACs ${sshd_approved_macs}/" $configfile
+else
+    echo "MACs ${sshd_approved_macs}" > "$configfile"
+fi
+
+# follow up with incorrect
+echo "#MACs hmac-sha2-256-etm@openssh.com,hmac-sha1-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha2-256,hmac-sha1,umac-128@openssh.com,hmac-sha2-512" >> $configfile
diff --git a/linux_os/guide/system/software/integrity/crypto/harden_sshd_macs_openssh_conf_crypto_policy/tests/stig_empty_file.fail.sh b/linux_os/guide/system/software/integrity/crypto/harden_sshd_macs_openssh_conf_crypto_policy/tests/stig_empty_file.fail.sh
new file mode 100644
index 00000000000..55ef3f58422
--- /dev/null
+++ b/linux_os/guide/system/software/integrity/crypto/harden_sshd_macs_openssh_conf_crypto_policy/tests/stig_empty_file.fail.sh
@@ -0,0 +1,10 @@
+#!/bin/bash
+# platform = multi_platform_fedora,Red Hat Enterprise Linux 8
+# profiles = xccdf_org.ssgproject.content_profile_stig
+
+configfile=/etc/crypto-policies/back-ends/openssh.config
+
+# Ensure directory + file is there
+test -d /etc/crypto-policies/back-ends || mkdir -p /etc/crypto-policies/back-ends
+
+echo "" > $configfile
diff --git a/linux_os/guide/system/software/integrity/crypto/harden_sshd_macs_openssh_conf_crypto_policy/tests/stig_empty_policy.fail.sh b/linux_os/guide/system/software/integrity/crypto/harden_sshd_macs_openssh_conf_crypto_policy/tests/stig_empty_policy.fail.sh
new file mode 100644
index 00000000000..9980a45681c
--- /dev/null
+++ b/linux_os/guide/system/software/integrity/crypto/harden_sshd_macs_openssh_conf_crypto_policy/tests/stig_empty_policy.fail.sh
@@ -0,0 +1,14 @@
+#!/bin/bash
+# platform = multi_platform_fedora,Red Hat Enterprise Linux 8
+# profiles = xccdf_org.ssgproject.content_profile_stig
+
+configfile=/etc/crypto-policies/back-ends/openssh.config
+
+# Ensure directory + file is there
+test -d /etc/crypto-policies/back-ends || mkdir -p /etc/crypto-policies/back-ends
+
+if [[ -f $configfile ]]; then
+    sed -i "s/^.*MACs.*$/MACs /" $configfile
+else
+    echo "MACs " > "$configfile"
+fi
diff --git a/linux_os/guide/system/software/integrity/crypto/harden_sshd_macs_openssh_conf_crypto_policy/tests/stig_incorrect_followed_by_correct_commented.fail.sh b/linux_os/guide/system/software/integrity/crypto/harden_sshd_macs_openssh_conf_crypto_policy/tests/stig_incorrect_followed_by_correct_commented.fail.sh
new file mode 100644
index 00000000000..d1303d60746
--- /dev/null
+++ b/linux_os/guide/system/software/integrity/crypto/harden_sshd_macs_openssh_conf_crypto_policy/tests/stig_incorrect_followed_by_correct_commented.fail.sh
@@ -0,0 +1,19 @@
+#!/bin/bash
+# platform = multi_platform_fedora,Red Hat Enterprise Linux 8
+# profiles = xccdf_org.ssgproject.content_profile_stig
+
+sshd_approved_macs=hmac-sha2-512,hmac-sha2-256
+incorrect_sshd_approved_macs=hmac-sha2-256-etm@openssh.com,hmac-sha1-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha2-256,hmac-sha1,umac-128@openssh.com,hmac-sha2-512
+configfile=/etc/crypto-policies/back-ends/openssh.config
+
+# Ensure directory + file is there
+test -d /etc/crypto-policies/back-ends || mkdir -p /etc/crypto-policies/back-ends
+
+if [[ -f $configfile ]]; then
+    sed -i "s/^.*MACs.*$/MACs ${incorrect_sshd_approved_macs}/" $configfile
+else
+    echo "MACs ${incorrect_sshd_approved_macs}" > "$configfile"
+fi
+
+# follow up with correct value
+echo "MACs ${sshd_approved_macs}" >> $configfile
diff --git a/linux_os/guide/system/software/integrity/crypto/harden_sshd_macs_openssh_conf_crypto_policy/tests/stig_incorrect_policy.fail.sh b/linux_os/guide/system/software/integrity/crypto/harden_sshd_macs_openssh_conf_crypto_policy/tests/stig_incorrect_policy.fail.sh
new file mode 100644
index 00000000000..8b21af46896
--- /dev/null
+++ b/linux_os/guide/system/software/integrity/crypto/harden_sshd_macs_openssh_conf_crypto_policy/tests/stig_incorrect_policy.fail.sh
@@ -0,0 +1,14 @@
+#!/bin/bash
+# platform = multi_platform_fedora,Red Hat Enterprise Linux 8
+# profiles = xccdf_org.ssgproject.content_profile_stig
+
+configfile=/etc/crypto-policies/back-ends/openssh.config
+
+# Ensure directory + file is there
+test -d /etc/crypto-policies/back-ends || mkdir -p /etc/crypto-policies/back-ends
+
+if [[ -f $configfile ]]; then
+    sed -i "s/^.*MACs.*$/MACs hmac-sha2-256-etm@openssh.com,hmac-sha1-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha2-256,hmac-sha1,umac-128@openssh.com,hmac-sha2-512/" $configfile
+else
+    echo "MACs hmac-sha2-256-etm@openssh.com,hmac-sha1-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha2-256,hmac-sha1,umac-128@openssh.com,hmac-sha2-512" > "$configfile"
+fi
diff --git a/linux_os/guide/system/software/integrity/crypto/harden_sshd_macs_openssh_conf_crypto_policy/tests/stig_missing_file.fail.sh b/linux_os/guide/system/software/integrity/crypto/harden_sshd_macs_openssh_conf_crypto_policy/tests/stig_missing_file.fail.sh
new file mode 100644
index 00000000000..2138caad319
--- /dev/null
+++ b/linux_os/guide/system/software/integrity/crypto/harden_sshd_macs_openssh_conf_crypto_policy/tests/stig_missing_file.fail.sh
@@ -0,0 +1,11 @@
+#!/bin/bash
+# platform = multi_platform_fedora,Red Hat Enterprise Linux 8
+# profiles = xccdf_org.ssgproject.content_profile_stig
+
+configfile=/etc/crypto-policies/back-ends/openssh.config
+
+# Ensure directory + file is there
+test -d /etc/crypto-policies/back-ends || mkdir -p /etc/crypto-policies/back-ends
+
+# If file exists, remove it
+test -f $configfile && rm -f $configfile
diff --git a/linux_os/guide/system/software/integrity/crypto/harden_sshd_macs_opensshserver_conf_crypto_policy/ansible/shared.yml b/linux_os/guide/system/software/integrity/crypto/harden_sshd_macs_opensshserver_conf_crypto_policy/ansible/shared.yml
new file mode 100644
index 00000000000..5ed618586ae
--- /dev/null
+++ b/linux_os/guide/system/software/integrity/crypto/harden_sshd_macs_opensshserver_conf_crypto_policy/ansible/shared.yml
@@ -0,0 +1,45 @@
+# platform = Red Hat Enterprise Linux 8,multi_platform_fedora
+# reboot = true
+# strategy = restrict
+# complexity = low
+# disruption = low
+{{{ ansible_instantiate_variables("sshd_approved_macs") }}}
+
+- name: "{{{ rule_title }}}: Set facts"
+  set_fact:
+    path: /etc/crypto-policies/back-ends/opensshserver.config
+    correct_value: "-oMACs={{ sshd_approved_macs }}"
+
+- name: "{{{ rule_title }}}: Stat"
+  stat:
+    path: "{{ path }}"
+    follow: yes
+  register: opensshserver_file
+
+- name: "{{{ rule_title }}}: Create"
+  lineinfile:
+    path: "{{ path }}"
+    line: "CRYPTO_POLICY='{{ correct_value }}'"
+    create: yes
+  when: not opensshserver_file.stat.exists or opensshserver_file.stat.size <= correct_value|length
+
+- name: "{{{ rule_title }}}"
+  block:
+    - name: "Existing value check"
+      lineinfile:
+        path: "{{ path }}"
+        create: false
+        regexp: "{{ correct_value }}"
+        state: absent
+      check_mode: true
+      changed_when: false
+      register: opensshserver
+
+    - name: "Update/Correct value"
+      replace:
+        path: "{{ path }}"
+        regexp: (-oMACs=\S+)
+        replace: "{{ correct_value }}"
+      when: opensshserver.found is defined and opensshserver.found != 1
+
+  when: opensshserver_file.stat.exists and opensshserver_file.stat.size > correct_value|length
diff --git a/linux_os/guide/system/software/integrity/crypto/harden_sshd_macs_opensshserver_conf_crypto_policy/bash/shared.sh b/linux_os/guide/system/software/integrity/crypto/harden_sshd_macs_opensshserver_conf_crypto_policy/bash/shared.sh
new file mode 100644
index 00000000000..790a2951bab
--- /dev/null
+++ b/linux_os/guide/system/software/integrity/crypto/harden_sshd_macs_opensshserver_conf_crypto_policy/bash/shared.sh
@@ -0,0 +1,31 @@
+# platform = Red Hat Enterprise Linux 8,multi_platform_fedora
+. /usr/share/scap-security-guide/remediation_functions
+{{{ bash_instantiate_variables("sshd_approved_macs") }}}
+
+CONF_FILE=/etc/crypto-policies/back-ends/opensshserver.config
+correct_value="-oMACs=${sshd_approved_macs}"
+
+# Test if file exists
+test -f ${CONF_FILE} || touch ${CONF_FILE}
+
+# Ensure CRYPTO_POLICY is not commented out
+sed -i 's/#CRYPTO_POLICY=/CRYPTO_POLICY=/' ${CONF_FILE}
+
+grep -q "'${correct_value}'" ${CONF_FILE}
+
+if [[ $? -ne 0 ]]; then
+    # We need to get the existing value, using PCRE to maintain same regex
+    existing_value=$(grep -Po '(-oMACs=\S+)' ${CONF_FILE})
+
+    if [[ ! -z ${existing_value} ]]; then
+        # replace existing_value with correct_value
+        sed -i "s/${existing_value}/${correct_value}/g" ${CONF_FILE}
+    else
+        # ***NOTE*** #
+        # This probably means this file is not here or it's been modified
+        # unintentionally.
+        # ********** #
+        # echo correct_value to end
+        echo "CRYPTO_POLICY='${correct_value}'" >> ${CONF_FILE}
+    fi
+fi
diff --git a/linux_os/guide/system/software/integrity/crypto/harden_sshd_macs_opensshserver_conf_crypto_policy/oval/shared.xml b/linux_os/guide/system/software/integrity/crypto/harden_sshd_macs_opensshserver_conf_crypto_policy/oval/shared.xml
new file mode 100644
index 00000000000..18028157032
--- /dev/null
+++ b/linux_os/guide/system/software/integrity/crypto/harden_sshd_macs_opensshserver_conf_crypto_policy/oval/shared.xml
@@ -0,0 +1,35 @@
+{{%- set PATH = "/etc/crypto-policies/back-ends/opensshserver.config" -%}}
+<def-group>
+  <definition class="compliance" id="{{{ rule_id }}}" version="1">
+    {{{ oval_metadata("Limit the Message Authentication Codes (MACs) to those which are FIPS-approved.") }}}
+    <criteria operator="AND" comment="Test conditions - presence of the file plus.">
+      <criterion comment="Check that {{{ PATH }}} contains FIPS-approved SSHD MACs" test_ref="test_{{{ rule_id }}}" />
+    </criteria>
+  </definition>
+
+  <ind:textfilecontent54_test check="all"
+  comment="test the value of MACs setting in the {{{ PATH }}} file"
+  id="test_{{{ rule_id }}}" version="1">
+    <ind:object object_ref="obj_{{{ rule_id }}}" />
+    <ind:state state_ref="ste_{{{ rule_id }}}" />
+  </ind:textfilecontent54_test>
+
+  <ind:textfilecontent54_object id="obj_{{{ rule_id }}}" version="1">
+    <ind:filepath>{{{ PATH }}}</ind:filepath>
+    <ind:pattern operation="pattern match">^(?!#).*(-oMACs=\S+).+$</ind:pattern>
+    <ind:instance operation="equals" datatype="int">1</ind:instance>
+  </ind:textfilecontent54_object>
+
+  <ind:textfilecontent54_state id="ste_{{{ rule_id }}}" version="1">
+    <ind:subexpression var_ref="sshd_macs_crypto_opensshserver" operation="equals" />
+  </ind:textfilecontent54_state>
+
+  <local_variable id="sshd_macs_crypto_opensshserver" datatype="string" comment="The regex of the directive" version="1">
+    <concat>
+      <literal_component>-oMACs=</literal_component>
+      <variable_component var_ref="sshd_approved_macs"/>
+    </concat>
+  </local_variable>
+
+  <external_variable comment="SSH Approved MACs by FIPS" datatype="string" id="sshd_approved_macs" version="1" />
+</def-group>
diff --git a/linux_os/guide/system/software/integrity/crypto/harden_sshd_macs_opensshserver_conf_crypto_policy/rule.yml b/linux_os/guide/system/software/integrity/crypto/harden_sshd_macs_opensshserver_conf_crypto_policy/rule.yml
new file mode 100644
index 00000000000..0fd107a1bbe
--- /dev/null
+++ b/linux_os/guide/system/software/integrity/crypto/harden_sshd_macs_opensshserver_conf_crypto_policy/rule.yml
@@ -0,0 +1,60 @@
+documentation_complete: true
+
+prodtype: rhel8
+
+title: 'Configure SSH Server to Use FIPS 140-2 Validated MACs: opensshserver.config'
+
+description: |-
+    Crypto Policies provide a centralized control over crypto algorithms usage of many packages.
+    OpenSSH is supported by system crypto policy, but the OpenSSH configuration may be
+    set up incorrectly.
+
+    To check that Crypto Policies settings are configured correctly, ensure that
+    <tt>/etc/crypto-policies/back-ends/opensshserver.config</tt> contains the following
+    text and is not commented out:
+    <tt>-oMACS=hmac-sha2-512,hmac-sha2-256</tt>
+
+rationale: |-
+    Overriding the system crypto policy makes the behavior of the OpenSSH
+    server violate expectations, and makes system configuration more
+    fragmented.
+
+severity: medium
+
+identifiers:
+    cce@rhel8: CCE-85899-3
+
+references:
+    disa: CCI-001453
+    nist: AC-17(2)
+    srg: SRG-OS-000250-GPOS-00093
+    stigid@rhel8: RHEL-08-010290
+
+ocil_clause: 'Crypto Policy for OpenSSH Server is not configured correctly'
+
+ocil: |-
+    To verify if the OpenSSH server uses defined MACs in the Crypto Policy, run:
+    <pre>$ grep -Po '(-oMACs=\S+)' /etc/crypto-policies/back-ends/opensshserver.config</pre>
+    and verify that the line matches:
+    <pre>-oMACS=hmac-sha2-512,hmac-sha2-256</pre>
+
+warnings:
+    - general: |-
+        The system needs to be rebooted for these changes to take effect.
+    - regulatory: |-
+        System Crypto Modules must be provided by a vendor that undergoes
+        FIPS-140 certifications.
+        FIPS-140 is applicable to all Federal agencies that use
+        cryptographic-based security systems to protect sensitive information
+        in computer and telecommunication systems (including voice systems) as
+        defined in Section 5131 of the Information Technology Management Reform
+        Act of 1996, Public Law 104-106. This standard shall be used in
+        designing and implementing cryptographic modules that Federal
+        departments and agencies operate or are operated for them under
+        contract. See <b>{{{ weblink(link="https://nvlpubs.nist.gov/nistpubs/FIPS/NIST.FIPS.140-2.pdf") }}}</b>
+        To meet this, the system has to have cryptographic software provided by
+        a vendor that has undergone this certification. This means providing
+        documentation, test results, design information, and independent third
+        party review by an accredited lab. While open source software is
+        capable of meeting this, it does not meet FIPS-140 unless the vendor
+        submits to this process.
diff --git a/linux_os/guide/system/software/integrity/crypto/harden_sshd_macs_opensshserver_conf_crypto_policy/tests/rhel8_stig_correct.pass.sh b/linux_os/guide/system/software/integrity/crypto/harden_sshd_macs_opensshserver_conf_crypto_policy/tests/rhel8_stig_correct.pass.sh
new file mode 100644
index 00000000000..14da92218dc
--- /dev/null
+++ b/linux_os/guide/system/software/integrity/crypto/harden_sshd_macs_opensshserver_conf_crypto_policy/tests/rhel8_stig_correct.pass.sh
@@ -0,0 +1,17 @@
+#!/bin/bash
+# platform = Red Hat Enterprise Linux 8
+# profiles = xccdf_org.ssgproject.content_profile_stig
+
+sshd_approved_macs=hmac-sha2-512,hmac-sha2-256
+configfile=/etc/crypto-policies/back-ends/opensshserver.config
+correct_value="-oMACs=${sshd_approved_macs}"
+
+# Ensure directory + file is there
+test -d /etc/crypto-policies/back-ends || mkdir -p /etc/crypto-policies/back-ends
+
+# Proceed when file exists
+if [[ -f $configfile ]]; then
+    sed -i -r "s/-oMACs=\S+/${correct_value}/" $configfile
+else
+    echo "${correct_value}" > "$configfile"
+fi
diff --git a/linux_os/guide/system/software/integrity/crypto/harden_sshd_macs_opensshserver_conf_crypto_policy/tests/rhel8_stig_empty_policy.fail.sh b/linux_os/guide/system/software/integrity/crypto/harden_sshd_macs_opensshserver_conf_crypto_policy/tests/rhel8_stig_empty_policy.fail.sh
new file mode 100644
index 00000000000..3dde1479296
--- /dev/null
+++ b/linux_os/guide/system/software/integrity/crypto/harden_sshd_macs_opensshserver_conf_crypto_policy/tests/rhel8_stig_empty_policy.fail.sh
@@ -0,0 +1,7 @@
+#!/bin/bash
+# platform = Red Hat Enterprise Linux 8
+# profiles = xccdf_org.ssgproject.content_profile_stig
+
+configfile=/etc/crypto-policies/back-ends/opensshserver.config
+
+echo "" > "$configfile"
diff --git a/linux_os/guide/system/software/integrity/crypto/harden_sshd_macs_opensshserver_conf_crypto_policy/tests/rhel8_stig_incorrect_policy.fail.sh b/linux_os/guide/system/software/integrity/crypto/harden_sshd_macs_opensshserver_conf_crypto_policy/tests/rhel8_stig_incorrect_policy.fail.sh
new file mode 100644
index 00000000000..a50a0fc02bf
--- /dev/null
+++ b/linux_os/guide/system/software/integrity/crypto/harden_sshd_macs_opensshserver_conf_crypto_policy/tests/rhel8_stig_incorrect_policy.fail.sh
@@ -0,0 +1,14 @@
+#!/bin/bash
+# platform = Red Hat Enterprise Linux 8
+# profiles = xccdf_org.ssgproject.content_profile_stig
+
+configfile=/etc/crypto-policies/back-ends/opensshserver.config
+
+# Ensure directory + file is there
+test -d /etc/crypto-policies/back-ends || mkdir -p /etc/crypto-policies/back-ends
+
+if [[ -f $configfile ]]; then
+    sed -i -r "s/-oMACs=\S+/-oMACs=hmac-sha2-256-etm@openssh.com,hmac-sha1-etm@openssh.com/" $configfile
+else
+    echo "-oMACs=hmac-sha2-256-etm@openssh.com,hmac-sha1-etm@openssh.com" > "$configfile"
+fi
diff --git a/linux_os/guide/system/software/integrity/crypto/harden_sshd_macs_opensshserver_conf_crypto_policy/tests/rhel8_stig_missing_file.fail.sh b/linux_os/guide/system/software/integrity/crypto/harden_sshd_macs_opensshserver_conf_crypto_policy/tests/rhel8_stig_missing_file.fail.sh
new file mode 100644
index 00000000000..11e596ced87
--- /dev/null
+++ b/linux_os/guide/system/software/integrity/crypto/harden_sshd_macs_opensshserver_conf_crypto_policy/tests/rhel8_stig_missing_file.fail.sh
@@ -0,0 +1,11 @@
+#!/bin/bash
+# platform = Red Hat Enterprise Linux 8
+# profiles = xccdf_org.ssgproject.content_profile_stig
+
+configfile=/etc/crypto-policies/back-ends/opensshserver.config
+
+# Ensure directory + file is there
+test -d /etc/crypto-policies/back-ends || mkdir -p /etc/crypto-policies/back-ends
+
+# If file exists, remove it
+test -f $configfile && rm -f $configfile
diff --git a/products/rhel8/profiles/stig.profile b/products/rhel8/profiles/stig.profile
index 6372d13cfc9..28b47cca487 100644
--- a/products/rhel8/profiles/stig.profile
+++ b/products/rhel8/profiles/stig.profile
@@ -50,6 +50,7 @@ selections:
     - var_password_pam_retry=3
     - var_password_pam_minlen=15
     - var_sshd_set_keepalive=0
+    - sshd_approved_macs=stig
     - sshd_idle_timeout_value=10_minutes
     - var_accounts_passwords_pam_faillock_deny=3
     - var_accounts_passwords_pam_faillock_fail_interval=900
@@ -174,11 +175,17 @@ selections:
     # RHEL-08-010260
     - file_groupowner_var_log
 
+    # *** SHARED *** #
     # RHEL-08-010290 && RHEL-08-010291
-    ### NOTE: This will get split out in future STIG releases, as well as we will break
-    ### these rules up to be more flexible in meeting the requirements.
+    # *** SHARED *** #
     - configure_ssh_crypto_policy
 
+    # RHEL-08-010290
+    - harden_sshd_macs_openssh_conf_crypto_policy
+    - harden_sshd_macs_opensshserver_conf_crypto_policy
+
+    # RHEL-08-010291
+
     # RHEL-08-010292
     - sshd_use_strong_rng
 
diff --git a/shared/references/cce-redhat-avail.txt b/shared/references/cce-redhat-avail.txt
index 24e81491683..036d34cea1d 100644
--- a/shared/references/cce-redhat-avail.txt
+++ b/shared/references/cce-redhat-avail.txt
@@ -10,7 +10,6 @@ CCE-85866-2
 CCE-85867-0
 CCE-85868-8
 CCE-85869-6
-CCE-85870-4
 CCE-85872-0
 CCE-85873-8
 CCE-85874-6
@@ -36,7 +35,6 @@ CCE-85895-1
 CCE-85896-9
 CCE-85897-7
 CCE-85898-5
-CCE-85899-3
 CCE-85900-9
 CCE-85901-7
 CCE-85902-5
diff --git a/tests/data/profile_stability/rhel8/stig.profile b/tests/data/profile_stability/rhel8/stig.profile
index 32f1a24a7a4..393051a34ea 100644
--- a/tests/data/profile_stability/rhel8/stig.profile
+++ b/tests/data/profile_stability/rhel8/stig.profile
@@ -145,6 +145,8 @@ selections:
 - grub2_uefi_admin_username
 - grub2_uefi_password
 - grub2_vsyscall_argument
+- harden_sshd_macs_openssh_conf_crypto_policy
+- harden_sshd_macs_opensshserver_conf_crypto_policy
 - install_smartcard_packages
 - installed_OS_is_vendor_supported
 - kerberos_disable_no_keytab
@@ -325,6 +327,7 @@ selections:
 - var_password_pam_lcredit=1
 - var_password_pam_retry=3
 - var_sshd_set_keepalive=0
+- sshd_approved_macs=stig
 - sshd_idle_timeout_value=10_minutes
 - var_accounts_passwords_pam_faillock_deny=3
 - var_accounts_passwords_pam_faillock_fail_interval=900
diff --git a/tests/data/profile_stability/rhel8/stig_gui.profile b/tests/data/profile_stability/rhel8/stig_gui.profile
index d6a27c67dc0..de82fb34518 100644
--- a/tests/data/profile_stability/rhel8/stig_gui.profile
+++ b/tests/data/profile_stability/rhel8/stig_gui.profile
@@ -156,6 +156,8 @@ selections:
 - grub2_uefi_admin_username
 - grub2_uefi_password
 - grub2_vsyscall_argument
+- harden_sshd_macs_openssh_conf_crypto_policy
+- harden_sshd_macs_opensshserver_conf_crypto_policy
 - install_smartcard_packages
 - installed_OS_is_vendor_supported
 - kerberos_disable_no_keytab
@@ -335,6 +337,7 @@ selections:
 - var_password_pam_lcredit=1
 - var_password_pam_retry=3
 - var_sshd_set_keepalive=0
+- sshd_approved_macs=stig
 - sshd_idle_timeout_value=10_minutes
 - var_accounts_passwords_pam_faillock_deny=3
 - var_accounts_passwords_pam_faillock_fail_interval=900