ComplianceAsCode · jan-cerny · Oct 20, 2025 · Oct 31, 2025 · Oct 31, 2025 · Nov 5, 2025
diff --git a/components/crypto-policies.yml b/components/crypto-policies.yml
@@ -12,6 +12,11 @@ rules:
 - configure_openssl_crypto_policy
 - configure_openssl_tls_crypto_policy
 - configure_ssh_crypto_policy
+- configure_custom_crypto_policy_cis
+- configure_custom_crypto_policy_cis_mac
+- configure_custom_crypto_policy_cis_ssh_cbc
+- configure_custom_crypto_policy_cis_ssh_ciphers
+- configure_custom_crypto_policy_cis_ssh_macs
 - harden_openssl_crypto_policy
 - harden_ssh_client_crypto_policy
 - harden_sshd_ciphers_openssh_conf_crypto_policy

diff --git a/components/openssh.yml b/components/openssh.yml
@@ -9,6 +9,7 @@ packages:
 - openssh-clients
 - openssh-server
 rules:
+- configure_custom_crypto_policy_cis
 - directory_groupowner_sshd_config_d
 - directory_owner_sshd_config_d
 - directory_permissions_sshd_config_d

@@ -606,44 +606,34 @@ controls:
           - l1_workstation
       status: automated
       rules:
-          - configure_crypto_policy
-          - var_system_crypto_policy=default_policy
+          - configure_custom_crypto_policy_cis
 
     - id: 1.6.2
       title: Ensure system wide crypto policy disables sha1 hash and signature support (Automated)
       levels:
           - l1_server
           - l1_workstation
-      status: manual
-      notes: |-
-          It is necessary a new rule to ensure a module disabling sha1 in
-          /etc/crypto-policies/policies/modules/ so it can be used by update-crypto-policies command.
-      related_rules:
-          - configure_crypto_policy
+      status: automated
+      rules:
+          - configure_custom_crypto_policy_cis
 
     - id: 1.6.3
       title: Ensure system wide crypto policy macs are configured (Automated)
       levels:
           - l1_server
           - l1_workstation
-      status: manual
-      notes: |-
-          It is necessary a new rule to ensure a module disabling weak MACs in
-          /etc/crypto-policies/policies/modules/ so it can be used by update-crypto-policies command.
-      related_rules:
-          - configure_crypto_policy
+      status: automated
+      rules:
+          - configure_custom_crypto_policy_cis_mac
 
     - id: 1.6.4
       title: Ensure system wide crypto policy disables cbc for ssh (Automated)
       levels:
           - l1_server
           - l1_workstation
-      status: manual
-      notes: |-
-          It is necessary a new rule to ensure a module disabling CBC in
-          /etc/crypto-policies/policies/modules/ so it can be used by update-crypto-policies command.
-      related_rules:
-          - configure_crypto_policy
+      status: automated
+      rules:
+          - configure_custom_crypto_policy_cis_ssh_cbc
 
     - id: 1.7.1
       title: Ensure /etc/motd is configured (Automated)
@@ -1637,12 +1627,8 @@ controls:
           - l1_server
           - l1_workstation
       status: automated
-      notes: |-
-          The status was automated but we need to double check the approach used in this rule.
-          Therefore I moved it to pending until deeper investigation.
-      related_rules:
-          - sshd_use_approved_ciphers
-          - sshd_approved_ciphers=cis_rhel10
+      rules:
+          - configure_custom_crypto_policy_cis_ssh_ciphers
 
     - id: 5.1.7
       title: Ensure sshd ClientAliveInterval and ClientAliveCountMax are configured (Automated)
@@ -1741,13 +1727,9 @@ controls:
       levels:
           - l1_server
           - l1_workstation
-      status: pending
-      notes: |-
-          The status was automated but we need to double check the approach used in this rule.
-          Therefore I moved it to pending until deeper investigation.
+      status: automated
       rules:
-          - sshd_use_strong_macs
-          - sshd_strong_macs=cis_rhel10
+          - configure_custom_crypto_policy_cis_ssh_macs
 
     - id: 5.1.16
       title: Ensure sshd MaxAuthTries is configured (Automated)

@@ -537,8 +537,7 @@ controls:
           - l1_workstation
       status: automated
       rules:
-          - configure_crypto_policy
-          - var_system_crypto_policy=default_nosha1
+          - configure_custom_crypto_policy_cis
 
     - id: 1.6.2
       title: Ensure system wide crypto policy disables sha1 hash and signature support (Automated)
@@ -549,31 +548,25 @@ controls:
       notes: |-
           This requirement is already satisfied by 1.6.1.
       related_rules:
-          - configure_crypto_policy
+          - configure_custom_crypto_policy_cis
 
     - id: 1.6.3
       title: Ensure system wide crypto policy disables cbc for ssh (Automated)
       levels:
           - l1_server
           - l1_workstation
-      status: pending
-      notes: |-
-          It is necessary a new rule to ensure a module disabling CBC in
-          /etc/crypto-policies/policies/modules/ so it can be used by update-crypto-policies command.
-      related_rules:
-          - configure_crypto_policy
+      status: automated
+      rules:
+          - configure_custom_crypto_policy_cis_ssh_cbc
 
     - id: 1.6.4
       title: Ensure system wide crypto policy disables macs less than 128 bits (Automated)
       levels:
           - l1_server
           - l1_workstation
-      status: pending
-      notes: |-
-          It is necessary a new rule to ensure a module disabling weak MACs in
-          /etc/crypto-policies/policies/modules/ so it can be used by update-crypto-policies command.
-      related_rules:
-          - configure_crypto_policy
+      status: automated
+      rules:
+          - configure_custom_crypto_policy_cis_mac
 
     - id: 1.7.1
       title: Ensure message of the day is configured properly (Automated)
@@ -1504,8 +1497,7 @@ controls:
       notes: |-
           Introduced in CIS RHEL8 v3.0.0
       rules:
-          - sshd_use_approved_ciphers
-          - sshd_approved_ciphers=cis_rhel8
+          - configure_custom_crypto_policy_cis_ssh_ciphers
 
     - id: 4.2.7
       title: Ensure sshd ClientAliveInterval and ClientAliveCountMax are configured (Automated)
@@ -1594,8 +1586,7 @@ controls:
           - l1_workstation
       status: automated
       rules:
-          - sshd_use_strong_macs
-          - sshd_strong_macs=cis_rhel8
+          - configure_custom_crypto_policy_cis_ssh_macs
 
     - id: 4.2.15
       title: Ensure sshd MaxAuthTries is configured (Automated)

diff --git a/docs/templates/template_reference.md b/docs/templates/template_reference.md
@@ -253,6 +253,27 @@
 
 -   Languages: OVAL, Kubernetes
 
+#### crypto_sub_policies
+-   Configures a sub policy for system wide crypto policies. Creates a module
+    file `module_name.pmod` in `/etc/crypto-policies/policies/modules/` that
+    contains `key = value`. Then, it applies this module. The template allows
+    to specify multiple crypto policy sub modules at once, which is convenient
+    for use in benchmarks that require multiple custom crypto settings.
+
+-   Parameters:
+
+    -   **base_policy** - The base system wide crypto policy, eg. `DEFAULT`
+
+    -   **sub_policies** - A dictionary of dictionaries. Keys are crypto sub policy name, eg. `NO-SSHWEAKCIPHERS`. Each child dictionary represents one custom crypto sub policy module. The dictionary has the following members:
+
+        -   **key** - entry key, eg. `cipher@SSH`
+
+        -   **value** - entry value, eg. `-3DES-CBC -AES-128-CBC -AES-192-CBC -AES-256-CBC -CHACHA20-POLY1305`
+
+    -   **specific_module** - This parameter affects only OVAL. It specifies a specific crypto sub policy name from the sub_policies dictionary,  eg. `NO-SSHWEAKCIPHERS`.
+
+-   Languages: Ansible, Bash, OVAL
+
 #### dconf_ini_file
 -   Checks for `dconf` configuration. Additionally checks if the
     configuration is locked so it cannot be overridden by the user.

diff --git a/linux_os/guide/system/software/integrity/crypto/configure_custom_crypto_policy_cis/rule.yml b/linux_os/guide/system/software/integrity/crypto/configure_custom_crypto_policy_cis/rule.yml
@@ -0,0 +1,46 @@
+documentation_complete: true
+
+title: Implement Custom Crypto Policy Modules for CIS Benchmark
+
+description: |-
+    Create a custom crypto policy module to enforce the use of strong ciphers and MACs in SSHD, disable CBC mode ciphers in SSHD and disable the use of weak MACs globally.
+    {{% for module_name, sub_policy in sub_policies.items() %}}
+    {{{ describe_crypto_sub_policy(module_name, sub_policy.key, sub_policy.value) }}}
+    {{% endfor %}}
+    Then, set the system wide crypto policy to use the custom policy.
+    <pre>
+    $ sudo update-crypto-policies --set {{{ base_policy }}}:{{{ sub_policies.keys() | join(":") }}}
+    </pre>
+
+rationale: |-
+    CBC mode ciphers are vulnerable to certain attacks, such as the BEAST attack.
+    Disabling CBC mode ciphers helps protect against these attacks and ensures that only
+    strong, proven cryptographic algorithms are used to protect SSH communications.
+    Weak ciphers that are used for authentication to the cryptographic module cannot be
+    relied upon to provide confidentiality or integrity, and system data may be compromised.
+    Message Authentication Codes (MACs) are cryptographic mechanisms used to verify the
+    integrity and authenticity of data transmitted over SSH connections. Weak MACs that
+    are used for authentication to the cryptographic module cannot be relied upon to
+    provide integrity, and system data may be compromised. Implementing a custom crypto
+    policy that disables weak MAC algorithms helps ensure that only strong, proven
+    cryptographic algorithms are used to protect SSH communications.
+
+severity: medium
+
+identifiers:
+    cce@rhel8: CCE-86707-7
+    cce@rhel9: CCE-88900-6
+    cce@rhel10: CCE-88902-2
+
+ocil_clause: 'the custom crypto policy modules do not exist'
+
+ocil: |-
+    {{% for module_name, sub_policy in sub_policies.items() %}}
+    {{{ ocil_crypto_sub_policy(module_name, sub_policy.key, sub_policy.value) }}}
+    {{% endfor %}}
+
+template:
+    name: crypto_sub_policies
+    vars:
+        base_policy: {{{ base_policy }}}
+        sub_policies: {{{ sub_policies }}}
diff --git a/...os/guide/system/software/integrity/crypto/configure_custom_crypto_policy_cis_mac/rule.yml b/...os/guide/system/software/integrity/crypto/configure_custom_crypto_policy_cis_mac/rule.yml
@@ -0,0 +1,34 @@
+documentation_complete: true
+
+title: Use Only Strong MACs Globally for CIS Benchmark
+
+description: |-
+    Create a custom crypto policy module to enforce the use of strong MACs globally.
+    {{{ describe_crypto_sub_policy("NO-WEAKMAC", sub_policies["NO-WEAKMAC"].key, sub_policies["NO-WEAKMAC"].value) }}}
+    Then, set the system wide crypto policy to use the custom policy.
+    <pre>
+    $ sudo update-crypto-policies --set {{{ base_policy }}}:{{{ sub_policies.keys() | join(":") }}}
+    </pre>
+
+rationale: |-
+    Implementing a custom crypto policy that disables weak MAC algorithms helps ensure that only strong, proven
+    cryptographic algorithms are used globally.
+
+severity: medium
+
+identifiers:
+    cce@rhel8: CCE-86661-6
+    cce@rhel9: CCE-86662-4
+    cce@rhel10: CCE-86663-2
+
+ocil_clause: 'the custom crypto policy modules do not exist'
+
+ocil: |-
+    {{{ ocil_crypto_sub_policy("NO-WEAKMAC", sub_policies["NO-WEAKMAC"].key, sub_policies["NO-WEAKMAC"].value) }}}
+
+template:
+    name: crypto_sub_policies
+    vars:
+        base_policy: {{{ base_policy }}}
+        sub_policies: {{{ sub_policies }}}
+        specific_module: "NO-WEAKMAC"
diff --git a/...uide/system/software/integrity/crypto/configure_custom_crypto_policy_cis_ssh_cbc/rule.yml b/...uide/system/software/integrity/crypto/configure_custom_crypto_policy_cis_ssh_cbc/rule.yml
@@ -0,0 +1,35 @@
+documentation_complete: true
+
+title: Disable CBC Mode Ciphers in SSHD for CIS Benchmark
+
+description: |-
+    Create a custom crypto policy module to enforce the disabling of CBC mode ciphers in SSHD.
+    {{{ describe_crypto_sub_policy("NO-SSHCBC", sub_policies["NO-SSHCBC"].key, sub_policies["NO-SSHCBC"].value) }}}
+    Then, set the system wide crypto policy to use the custom policy.
+    <pre>
+    $ sudo update-crypto-policies --set {{{ base_policy }}}:{{{ sub_policies.keys() | join(":") }}}
+    </pre>
+
+rationale: |-
+    CBC mode ciphers are vulnerable to certain attacks, such as the BEAST attack.
+    Disabling CBC mode ciphers helps protect against these attacks and ensures that only
+    strong, proven cryptographic algorithms are used to protect SSH communications.
+
+severity: medium
+
+identifiers:
+    cce@rhel8: CCE-90149-6
+    cce@rhel9: CCE-86648-3
+    cce@rhel10: CCE-86650-9
+
+ocil_clause: 'the custom crypto policy modules do not exist'
+
+ocil: |-
+    {{{ ocil_crypto_sub_policy("NO-SSHCBC", sub_policies["NO-SSHCBC"].key, sub_policies["NO-SSHCBC"].value) }}}
+
+template:
+    name: crypto_sub_policies
+    vars:
+        base_policy: {{{ base_policy }}}
+        sub_policies: {{{ sub_policies }}}
+        specific_module: "NO-SSHCBC"
diff --git a/.../system/software/integrity/crypto/configure_custom_crypto_policy_cis_ssh_ciphers/rule.yml b/.../system/software/integrity/crypto/configure_custom_crypto_policy_cis_ssh_ciphers/rule.yml
@@ -0,0 +1,34 @@
+documentation_complete: true
+
+title: Use Only Strong Ciphers in SSHD for CIS Benchmark
+
+description: |-
+    Create a custom crypto policy module to enforce the use of strong ciphers in SSHD.
+    {{{ describe_crypto_sub_policy("NO-SSHWEAKCIPHERS", sub_policies["NO-SSHWEAKCIPHERS"].key, sub_policies["NO-SSHWEAKCIPHERS"].value) }}}
+    Then, set the system wide crypto policy to use the custom policy.
+    <pre>
+    $ sudo update-crypto-policies --set {{{ base_policy }}}:{{{ sub_policies.keys() | join(":") }}}
+    </pre>
+
+rationale: |-
+    Weak ciphers that are used for authentication to the cryptographic module cannot be
+    relied upon to provide confidentiality or integrity, and system data may be compromised.
+
+severity: medium
+
+identifiers:
+    cce@rhel8: CCE-86701-0
+    cce@rhel9: CCE-86702-8
+    cce@rhel10: CCE-86703-6
+
+ocil_clause: 'the custom crypto policy modules do not exist'
+
+ocil: |-
+    {{{ ocil_crypto_sub_policy("NO-SSHWEAKCIPHERS", sub_policies["NO-SSHWEAKCIPHERS"].key, sub_policies["NO-SSHWEAKCIPHERS"].value) }}}
+
+template:
+    name: crypto_sub_policies
+    vars:
+        base_policy: {{{ base_policy }}}
+        sub_policies: {{{ sub_policies }}}
+        specific_module: "NO-SSHWEAKCIPHERS"
diff --git a/...ide/system/software/integrity/crypto/configure_custom_crypto_policy_cis_ssh_macs/rule.yml b/...ide/system/software/integrity/crypto/configure_custom_crypto_policy_cis_ssh_macs/rule.yml
@@ -0,0 +1,38 @@
+documentation_complete: true
+
+title: Use Only Strong MACs in SSHD for CIS Benchmark
+
+description: |-
+    Create a custom crypto policy module to enforce the use of strong MACs in SSHD.
+    {{{ describe_crypto_sub_policy("NO-SSHWEAKMACS", sub_policies["NO-SSHWEAKMACS"].key, sub_policies["NO-SSHWEAKMACS"].value) }}}
+    Then, set the system wide crypto policy to use the custom policy.
+    <pre>
+    $ sudo update-crypto-policies --set {{{ base_policy }}}:{{{ sub_policies.keys() | join(":") }}}
+    </pre>
+
+rationale: |-
+    Message Authentication Codes (MACs) are cryptographic mechanisms used to verify the
+    integrity and authenticity of data transmitted over SSH connections. Weak MACs that
+    are used for authentication to the cryptographic module cannot be relied upon to
+    provide integrity, and system data may be compromised. Implementing a custom crypto
+    policy that disables weak MAC algorithms helps ensure that only strong, proven
+    cryptographic algorithms are used to protect SSH communications.
+
+severity: medium
+
+identifiers:
+    cce@rhel8: CCE-86726-7
+    cce@rhel9: CCE-86728-3
+    cce@rhel10: CCE-86730-9
+
+ocil_clause: 'the custom crypto policy modules do not exist'
+
+ocil: |-
+    {{{ ocil_crypto_sub_policy("NO-SSHWEAKMACS", sub_policies["NO-SSHWEAKMACS"].key, sub_policies["NO-SSHWEAKMACS"].value) }}}
+
+template:
+    name: crypto_sub_policies
+    vars:
+        base_policy: {{{ base_policy }}}
+        sub_policies: {{{ sub_policies }}}
+        specific_module: "NO-SSHWEAKMACS"