Parameterize OpenSSH crypto-policy backend file paths via product properties

linux_os/guide/services/ssh/ssh_server/sshd_include_crypto_policy/rule.yml

@@ -6,7 +6,7 @@ description: |-
     SSHD should follow the system cryptographic policy.
     In order to accomplish this the SSHD configuration should include the configuration file provided by the system crypto policy.
     The following line should be present in <tt>/etc/ssh/sshd_config</tt> or in a file included by this file (a file within the <tt>/etc/ssh/sshd_config.d</tt> directory):
-    <pre>Include /etc/crypto-policies/back-ends/opensshserver.config</pre>
+    <pre>Include {{{ openssh_server_crypto_policy_config_file }}}</pre>
 
 
 rationale: |-
@@ -28,8 +28,8 @@ checktext: |-
     <pre>sudo grep -R "Include /etc/ssh/sshd_config"  /etc/ssh/sshd_config.d/
 
     /etc/ssh/sshd_config:Include /etc/ssh/sshd_config.d/*.conf
-    /etc/ssh/sshd_config.d/50-redhat.conf:Include /etc/crypto-policies/back-ends/opensshserver.config</pre>
-    If "Include /etc/ssh/sshd_config.d/*.conf" or "Include /etc/crypto-policies/back-ends/opensshserver.config" are not included in the system sshd config or if the file "/etc/ssh/sshd_config.d/50-redhat.conf" is missing, this is a finding.
+    /etc/ssh/sshd_config.d/50-redhat.conf:Include {{{ openssh_server_crypto_policy_config_file }}}</pre>
+    If "Include /etc/ssh/sshd_config.d/*.conf" or "Include {{{ openssh_server_crypto_policy_config_file }}}" are not included in the system sshd config or if the file "/etc/ssh/sshd_config.d/50-redhat.conf" is missing, this is a finding.
 
 fixtext: |-
     Configure the {{{ full_name }}} SSH daemon to use systemwide crypto policies.

linux_os/guide/services/ssh/ssh_server/sshd_use_approved_kex_ordered_stig/oval/shared.xml

@@ -1,5 +1,5 @@
 {{% if product in ['ol8', 'rhel8'] %}}
-{{% set path='/etc/crypto-policies/back-ends/opensshserver.config' %}}
+{{% set path=openssh_server_crypto_policy_config_file %}}
 {{% set prefix_conf="^\s*CRYPTO_POLICY\s*=.*-oKexAlgorithms=" %}}
 {{% set kex_algos=["ecdh-sha2-nistp256","ecdh-sha2-nistp384",
              "ecdh-sha2-nistp521","diffie-hellman-group-exchange-sha256",

linux_os/guide/services/ssh/ssh_server/sshd_use_approved_kex_ordered_stig/rule.yml

@@ -1,5 +1,5 @@
 {{% if product in ['ol8', 'rhel8'] %}}
-{{% set path='/etc/crypto-policies/back-ends/opensshserver.config' %}}
+{{% set path=openssh_server_crypto_policy_config_file %}}
 {{% set conf="CRYPTO_POLICY='-oKexAlgorithms=ecdh-sha2-nistp256,ecdh-sha2-nistp384" ~
              ",ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256" ~
              ",diffie-hellman-group14-sha256,diffie-hellman-group16-sha512" ~

linux_os/guide/system/software/integrity/crypto/harden_sshd_ciphers_openssh_conf_crypto_policy/ansible/shared.yml

@@ -4,10 +4,11 @@
 # complexity = low
 # disruption = low
 {{{ ansible_instantiate_variables("sshd_approved_ciphers") }}}
+{{%- set openssh_client_policy_file = openssh_client_crypto_policy_config_file -%}}
 
 {{{ ansible_set_config_file(
         msg='Configure SSH Daemon to Use FIPS 140-2 Validated Ciphers: openssh.config',
-        file='/etc/crypto-policies/back-ends/openssh.config',
+        file=openssh_client_policy_file,
         parameter='Ciphers',
         value="{{ sshd_approved_ciphers }}",
         create='yes',

linux_os/guide/system/software/integrity/crypto/harden_sshd_ciphers_openssh_conf_crypto_policy/bash/shared.sh

@@ -1,9 +1,10 @@
 # platform = Oracle Linux 8,Oracle Linux 9,Red Hat Enterprise Linux 8,multi_platform_fedora
 
 {{{ bash_instantiate_variables("sshd_approved_ciphers") }}}
+{{%- set openssh_client_policy_file = openssh_client_crypto_policy_config_file -%}}
 
 {{{ set_config_file(
-        path="/etc/crypto-policies/back-ends/openssh.config",
+        path=openssh_client_policy_file,
         parameter="Ciphers",
         value="${sshd_approved_ciphers}",
         create=true,

linux_os/guide/system/software/integrity/crypto/harden_sshd_ciphers_openssh_conf_crypto_policy/oval/shared.xml

@@ -1,4 +1,4 @@
-{{%- set PATH = "/etc/crypto-policies/back-ends/openssh.config" -%}}
+{{%- set PATH = openssh_client_crypto_policy_config_file -%}}
 <def-group>
   <definition class="compliance" id="{{{ rule_id }}}" version="1">
     {{{ oval_metadata("Limit the Ciphers to those which are FIPS-approved.", rule_title=rule_title) }}}

linux_os/guide/system/software/integrity/crypto/harden_sshd_ciphers_openssh_conf_crypto_policy/rule.yml

@@ -9,7 +9,7 @@ description: |-
     set up incorrectly.
 
     To check that Crypto Policies settings for ciphers are configured correctly, ensure that
-    <tt>/etc/crypto-policies/back-ends/openssh.config</tt> contains the following
+    <tt>{{{ openssh_client_crypto_policy_config_file }}}</tt> contains the following
     line and is not commented out:
     <pre>Ciphers {{{ xccdf_value("sshd_approved_ciphers") }}}</pre>
 
@@ -35,7 +35,7 @@ ocil_clause: 'Crypto Policy for OpenSSH client is not configured correctly'
 
 ocil: |-
     To verify if the OpenSSH client uses defined Cipher suite in the Crypto Policy, run:
-    <pre>$ grep -i ciphers /etc/crypto-policies/back-ends/openssh.config</pre>
+    <pre>$ grep -i ciphers {{{ openssh_client_crypto_policy_config_file }}}</pre>
     and verify that the line matches:
     <pre>Ciphers {{{ xccdf_value("sshd_approved_ciphers") }}}</pre>
 

linux_os/guide/system/software/integrity/crypto/harden_sshd_ciphers_opensshserver_conf_crypto_policy/ansible/shared.yml

@@ -4,10 +4,11 @@
 # complexity = low
 # disruption = low
 {{{ ansible_instantiate_variables("sshd_approved_ciphers") }}}
+{{%- set openssh_server_policy_file = openssh_server_crypto_policy_config_file -%}}
 
 -   name: "{{{ rule_title }}}: Set relevant paths and correct value"
     ansible.builtin.set_fact:
-        opensshserver_path: /etc/crypto-policies/back-ends/opensshserver.config
+        opensshserver_path: "{{{ openssh_server_policy_file }}}"
         local_path: /etc/crypto-policies/local.d/opensshserver-ssg.config
         correct_value: "-oCiphers={{ sshd_approved_ciphers }}"
 

linux_os/guide/system/software/integrity/crypto/harden_sshd_ciphers_opensshserver_conf_crypto_policy/bash/shared.sh

@@ -1,8 +1,9 @@
 # platform = Oracle Linux 8,Red Hat Enterprise Linux 8,multi_platform_fedora
 
 {{{ bash_instantiate_variables("sshd_approved_ciphers") }}}
+{{%- set openssh_server_policy_file = openssh_server_crypto_policy_config_file -%}}
 
-CONF_FILE=/etc/crypto-policies/back-ends/opensshserver.config
+CONF_FILE="{{{ openssh_server_policy_file }}}"
 LOCAL_CONF_DIR=/etc/crypto-policies/local.d
 LOCAL_CONF_FILE=${LOCAL_CONF_DIR}/opensshserver-ssg.config
 correct_value="-oCiphers=${sshd_approved_ciphers}"

linux_os/guide/system/software/integrity/crypto/harden_sshd_ciphers_opensshserver_conf_crypto_policy/oval/shared.xml

@@ -1,4 +1,4 @@
-{{%- set PATH = "/etc/crypto-policies/back-ends/opensshserver.config" -%}}
+{{%- set PATH = openssh_server_crypto_policy_config_file -%}}
 <def-group>
   <definition class="compliance" id="{{{ rule_id }}}" version="1">
     {{{ oval_metadata("Limit the Ciphers to those which are FIPS-approved.", rule_title=rule_title) }}}

linux_os/guide/system/software/integrity/crypto/harden_sshd_ciphers_opensshserver_conf_crypto_policy/rule.yml

@@ -1,4 +1,5 @@
 documentation_complete: true
+{{% set openssh_server_policy_file = openssh_server_crypto_policy_config_file %}}
 
 
 title: 'Configure SSH Server to Use FIPS 140-2 Validated Ciphers: opensshserver.config'
@@ -9,7 +10,7 @@ description: |-
     set up incorrectly.
 
     To check that Crypto Policies settings for ciphers are configured correctly, ensure that
-    <tt>/etc/crypto-policies/back-ends/opensshserver.config</tt> contains the following
+    <tt>{{{ openssh_server_policy_file }}}</tt> contains the following
     text and is not commented out:
     <pre>-oCiphers={{{ xccdf_value("sshd_approved_ciphers") }}}</pre>
 
@@ -36,7 +37,7 @@ ocil_clause: 'Crypto Policy for OpenSSH Server is not configured correctly'
 
 ocil: |-
     To verify if the OpenSSH server uses defined ciphers in the Crypto Policy, run:
-    <pre>$ grep -Po '(-oCiphers=\S+)' /etc/crypto-policies/back-ends/opensshserver.config</pre>
+    <pre>$ grep -Po '(-oCiphers=\S+)' {{{ openssh_server_policy_file }}}</pre>
     and verify that the line matches:
     <pre>-oCiphers={{{ xccdf_value("sshd_approved_ciphers") }}}</pre>
 

linux_os/guide/system/software/integrity/crypto/harden_sshd_crypto_policy/oval/shared.xml

@@ -1 +1 @@
-{{{ oval_check_config_file(path="/etc/crypto-policies/back-ends/opensshserver.config", prefix_regex="^(?:.*\\n)*\s*", parameter="CRYPTO_POLICY", value="'-oCiphers=aes256-ctr,aes128-ctr,aes256-cbc,aes128-cbc -oMACs=hmac-sha2-512,hmac-sha2-256 -oGSSAPIKeyExchange=no -oKexAlgorithms=ecdh-sha2-nistp521,ecdh-sha2-nistp384,ecdh-sha2-nistp256,diffie-hellman-group14-sha1 -oHostKeyAlgorithms=ssh-rsa,ecdsa-sha2-nistp384,ecdsa-sha2-nistp256 -oPubkeyAcceptedKeyTypes=rsa-sha2-512,rsa-sha2-256,ssh-rsa,ecdsa-sha2-nistp384,ecdsa-sha2-nistp256'", separator_regex="=", application="sshd", rule_id=rule_id, rule_title=rule_title) }}}
+{{{ oval_check_config_file(path=openssh_server_crypto_policy_config_file, prefix_regex="^(?:.*\\n)*\s*", parameter="CRYPTO_POLICY", value="'-oCiphers=aes256-ctr,aes128-ctr,aes256-cbc,aes128-cbc -oMACs=hmac-sha2-512,hmac-sha2-256 -oGSSAPIKeyExchange=no -oKexAlgorithms=ecdh-sha2-nistp521,ecdh-sha2-nistp384,ecdh-sha2-nistp256,diffie-hellman-group14-sha1 -oHostKeyAlgorithms=ssh-rsa,ecdsa-sha2-nistp384,ecdsa-sha2-nistp256 -oPubkeyAcceptedKeyTypes=rsa-sha2-512,rsa-sha2-256,ssh-rsa,ecdsa-sha2-nistp384,ecdsa-sha2-nistp256'", separator_regex="=", application="sshd", rule_id=rule_id, rule_title=rule_title) }}}

linux_os/guide/system/software/integrity/crypto/harden_sshd_crypto_policy/rule.yml

@@ -1,4 +1,5 @@
 documentation_complete: true
+{{% set openssh_server_policy_file = openssh_server_crypto_policy_config_file %}}
 
 
 title: 'Harden SSHD Crypto Policy'
@@ -7,7 +8,7 @@ description: |-
     Crypto Policies are means of enforcing certain cryptographic settings for selected applications including OpenSSH server.
     The SSHD service is by default configured to modify its configuration based on currently configured Crypto-Policy. However, in certain cases it might be needed to override the Crypto Policy specific to OpenSSH Server and leave rest of the Crypto Policy intact.
     This can be done by dropping a file named <tt>opensshserver-xxx.config</tt>, replacing <tt>xxx</tt> with arbitrary identifier, into <tt>/etc/crypto-policies/local.d</tt>. This has to be followed by running <tt>update-crypto-policies</tt> so that changes are applied.
-    Changes are propagated into <tt>/etc/crypto-policies/back-ends/opensshserver.config</tt>. This rule checks if this file contains predefined <tt>CRYPTO_POLICY</tt> environment variable configured with predefined value.
+    Changes are propagated into <tt>{{{ openssh_server_policy_file }}}</tt>. This rule checks if this file contains predefined <tt>CRYPTO_POLICY</tt> environment variable configured with predefined value.
 
 rationale: |-
     The Common Criteria requirements specify that certain parameters for OpenSSH Server are configured e.g. supported ciphers, accepted host key algorithms, public key types, key exchange algorithms, HMACs and GSSAPI key exchange is disabled. Currently particular requirements specified by CC are stricter compared to any existing Crypto Policy.
@@ -28,7 +29,7 @@ ocil_clause: 'Crypto Policy for OpenSSH Server is not configured according to CC
 
 ocil: |-
     To verify if the OpenSSH server uses defined Crypto Policy, run:
-    <pre>$ grep 'CRYPTO_POLICY' /etc/crypto-policies/back-ends/opensshserver.config | tail -n 1</pre>
+    <pre>$ grep 'CRYPTO_POLICY' {{{ openssh_server_policy_file }}} | tail -n 1</pre>
     and verify that the line matches
     <pre>CRYPTO_POLICY='-oCiphers=aes256-ctr,aes128-ctr,aes256-cbc,aes128-cbc -oMACs=hmac-sha2-512,hmac-sha2-256 -oGSSAPIKeyExchange=no -oKexAlgorithms=ecdh-sha2-nistp521,ecdh-sha2-nistp384,ecdh-sha2-nistp256,diffie-hellman-group14-sha1 -oHostKeyAlgorithms=ssh-rsa,ecdsa-sha2-nistp384,ecdsa-sha2-nistp256 -oPubkeyAcceptedKeyTypes=rsa-sha2-512,rsa-sha2-256,ssh-rsa,ecdsa-sha2-nistp384,ecdsa-sha2-nistp256'</pre>
 

linux_os/guide/system/software/integrity/crypto/harden_sshd_crypto_policy/tests/correct.pass.sh

@@ -1,5 +1,6 @@
 #!/bin/bash
 # platform = multi_platform_fedora,Red Hat Enterprise Linux 8
+# packages = crypto-policies-scripts
 
 configfile=/etc/crypto-policies/back-ends/opensshserver.config
 

linux_os/guide/system/software/integrity/crypto/harden_sshd_crypto_policy/tests/correct_commented.fail.sh

@@ -1,5 +1,6 @@
 #!/bin/bash
 # platform = multi_platform_fedora,Red Hat Enterprise Linux 8
+# packages = crypto-policies-scripts
 
 configfile=/etc/crypto-policies/back-ends/opensshserver.config
 

linux_os/guide/system/software/integrity/crypto/harden_sshd_crypto_policy/tests/correct_followed_by_incorrect.fail.sh

@@ -1,5 +1,6 @@
 #!/bin/bash
 # platform = multi_platform_fedora,Red Hat Enterprise Linux 8
+# packages = crypto-policies-scripts
 
 configfile=/etc/crypto-policies/back-ends/opensshserver.config
 

linux_os/guide/system/software/integrity/crypto/harden_sshd_crypto_policy/tests/empty_file.fail.sh

@@ -1,5 +1,6 @@
 #!/bin/bash
 # platform = multi_platform_fedora,Red Hat Enterprise Linux 8
+# packages = crypto-policies-scripts
 
 configfile=/etc/crypto-policies/back-ends/opensshserver.config
 

linux_os/guide/system/software/integrity/crypto/harden_sshd_crypto_policy/tests/empty_policy.fail.sh

@@ -1,5 +1,6 @@
 #!/bin/bash
 # platform = multi_platform_fedora,Red Hat Enterprise Linux 8
+# packages = crypto-policies-scripts
 
 configfile=/etc/crypto-policies/back-ends/opensshserver.config
 

linux_os/guide/system/software/integrity/crypto/harden_sshd_crypto_policy/tests/incorrect_followed_by_correct.pass.sh

@@ -1,5 +1,6 @@
 #!/bin/bash
 # platform = multi_platform_fedora,Red Hat Enterprise Linux 8
+# packages = crypto-policies-scripts
 
 configfile=/etc/crypto-policies/back-ends/opensshserver.config
 

linux_os/guide/system/software/integrity/crypto/harden_sshd_crypto_policy/tests/incorrect_policy.fail.sh

@@ -1,5 +1,6 @@
 #!/bin/bash
 # platform = multi_platform_fedora,Red Hat Enterprise Linux 8
+# packages = crypto-policies-scripts
 
 configfile=/etc/crypto-policies/back-ends/opensshserver.config
 

linux_os/guide/system/software/integrity/crypto/harden_sshd_crypto_policy/tests/missing_file.fail.sh

@@ -1,5 +1,6 @@
 #!/bin/bash
 # platform = multi_platform_fedora,Red Hat Enterprise Linux 8
+# packages = crypto-policies-scripts
 
 configfile=/etc/crypto-policies/back-ends/opensshserver.config
 

linux_os/guide/system/software/integrity/crypto/harden_sshd_macs_openssh_conf_crypto_policy/ansible/shared.yml

@@ -4,12 +4,14 @@
 # complexity = low
 # disruption = low
 {{{ ansible_instantiate_variables("sshd_approved_macs") }}}
+{{%- set openssh_client_policy_file = openssh_client_crypto_policy_config_file -%}}
 
-{{{ ansible_set_config_file(
+{{{ ansible_only_lineinfile(
         msg='Configure SSH Daemon to Use FIPS 140-2 Validated MACs: openssh.config',
-        file='/etc/crypto-policies/back-ends/openssh.config',
-        parameter='MACs',
-        value="{{ sshd_approved_macs }}",
+        path=openssh_client_policy_file,
+        line_regex='^.*MACs\\s+',
+        new_line='MACs {{ sshd_approved_macs }}',
         create='yes',
-        prefix_regex='^.*', rule_title=rule_title)
+        block=True,
+        rule_title=rule_title)
 }}}

linux_os/guide/system/software/integrity/crypto/harden_sshd_macs_openssh_conf_crypto_policy/bash/shared.sh

@@ -1,9 +1,10 @@
 # platform = Red Hat Enterprise Linux 8,multi_platform_ol,multi_platform_fedora
 
 {{{ bash_instantiate_variables("sshd_approved_macs") }}}
+{{%- set openssh_client_policy_file = openssh_client_crypto_policy_config_file -%}}
 
 {{{ set_config_file(
-        path="/etc/crypto-policies/back-ends/openssh.config",
+        path=openssh_client_policy_file,
         parameter="MACs",
         value="${sshd_approved_macs}",
         create=true,

linux_os/guide/system/software/integrity/crypto/harden_sshd_macs_openssh_conf_crypto_policy/oval/shared.xml

@@ -1,4 +1,4 @@
-{{%- set PATH = "/etc/crypto-policies/back-ends/openssh.config" -%}}
+{{%- set PATH = openssh_client_crypto_policy_config_file -%}}
 <def-group>
   <definition class="compliance" id="{{{ rule_id }}}" version="1">
     {{{ oval_metadata("Limit the Message Authentication Codes (MACs) to those which are FIPS-approved.", rule_title=rule_title) }}}

linux_os/guide/system/software/integrity/crypto/harden_sshd_macs_openssh_conf_crypto_policy/rule.yml

@@ -1,4 +1,5 @@
 documentation_complete: true
+{{% set openssh_client_policy_file = openssh_client_crypto_policy_config_file %}}
 
 
 title: 'Configure SSH Client to Use FIPS 140-2 Validated MACs: openssh.config'
@@ -9,7 +10,7 @@ description: |-
     set up incorrectly.
 
     To check that Crypto Policies settings are configured correctly, ensure that
-    <tt>/etc/crypto-policies/back-ends/openssh.config</tt> contains the following
+    <tt>{{{ openssh_client_policy_file }}}</tt> contains the following
     line and is not commented out:
     <tt>MACs {{{ xccdf_value("sshd_approved_macs") }}}</tt>
 
@@ -33,7 +34,7 @@ ocil_clause: 'Crypto Policy for OpenSSH client is not configured correctly'
 
 ocil: |-
     To verify if the OpenSSH client uses defined MACs in the Crypto Policy, run:
-    <pre>$ grep -i macs /etc/crypto-policies/back-ends/openssh.config</pre>
+    <pre>$ grep -i macs {{{ openssh_client_policy_file }}}</pre>
     and verify that the line matches:
     <pre>MACs {{{ xccdf_value("sshd_approved_macs") }}}</pre>
 

linux_os/guide/system/software/integrity/crypto/harden_sshd_macs_openssh_conf_crypto_policy/tests/stig_correct_commented.fail.sh

@@ -1,5 +1,6 @@
 #!/bin/bash
 # platform = Red Hat Enterprise Linux 8,multi_platform_ol,multi_platform_fedora
+# remediation = bash
 # variables = sshd_approved_macs=hmac-sha2-512,hmac-sha2-256,hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com
 
 sshd_approved_macs=hmac-sha2-512,hmac-sha2-256,hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com

linux_os/guide/system/software/integrity/crypto/harden_sshd_macs_openssh_conf_crypto_policy/tests/stig_incorrect_followed_by_correct_commented.fail.sh

@@ -1,5 +1,6 @@
 #!/bin/bash
 # platform = Red Hat Enterprise Linux 8,multi_platform_ol,multi_platform_fedora
+# remediation = bash
 # variables = sshd_approved_macs=hmac-sha2-512,hmac-sha2-256,hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com
 
 sshd_approved_macs=hmac-sha2-512,hmac-sha2-256,hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com

linux_os/guide/system/software/integrity/crypto/harden_sshd_macs_opensshserver_conf_crypto_policy/ansible/shared.yml

@@ -4,10 +4,11 @@
 # complexity = low
 # disruption = low
 {{{ ansible_instantiate_variables("sshd_approved_macs") }}}
+{{%- set openssh_server_policy_file = openssh_server_crypto_policy_config_file -%}}
 
 -   name: "{{{ rule_title }}}: Set relevant paths and correct value"
     ansible.builtin.set_fact:
-        opensshserver_path: /etc/crypto-policies/back-ends/opensshserver.config
+        opensshserver_path: "{{{ openssh_server_policy_file }}}"
         local_path: /etc/crypto-policies/local.d/opensshserver-ssg.config
         correct_value: "-oMACs={{ sshd_approved_macs }}"
 

linux_os/guide/system/software/integrity/crypto/harden_sshd_macs_opensshserver_conf_crypto_policy/bash/shared.sh

@@ -1,8 +1,9 @@
 # platform = Oracle Linux 8,Red Hat Enterprise Linux 8,multi_platform_fedora
 
 {{{ bash_instantiate_variables("sshd_approved_macs") }}}
+{{%- set openssh_server_policy_file = openssh_server_crypto_policy_config_file -%}}
 
-CONF_FILE=/etc/crypto-policies/back-ends/opensshserver.config
+CONF_FILE="{{{ openssh_server_policy_file }}}"
 LOCAL_CONF_DIR=/etc/crypto-policies/local.d
 LOCAL_CONF_FILE=${LOCAL_CONF_DIR}/opensshserver-ssg.config
 correct_value="-oMACs=${sshd_approved_macs}"

linux_os/guide/system/software/integrity/crypto/harden_sshd_macs_opensshserver_conf_crypto_policy/oval/shared.xml

@@ -1,4 +1,4 @@
-{{%- set PATH = "/etc/crypto-policies/back-ends/opensshserver.config" -%}}
+{{%- set PATH = openssh_server_crypto_policy_config_file -%}}
 <def-group>
   <definition class="compliance" id="{{{ rule_id }}}" version="1">
     {{{ oval_metadata("Limit the Message Authentication Codes (MACs) to those which are FIPS-approved.", rule_title=rule_title) }}}

linux_os/guide/system/software/integrity/crypto/harden_sshd_macs_opensshserver_conf_crypto_policy/rule.yml

@@ -1,4 +1,5 @@
 documentation_complete: true
+{{% set openssh_server_policy_file = openssh_server_crypto_policy_config_file %}}
 
 
 title: 'Configure SSH Server to Use FIPS 140-2 Validated MACs: opensshserver.config'
@@ -9,7 +10,7 @@ description: |-
     set up incorrectly.
 
     To check that Crypto Policies settings are configured correctly, ensure that
-    <tt>/etc/crypto-policies/back-ends/opensshserver.config</tt> contains the following
+    <tt>{{{ openssh_server_policy_file }}}</tt> contains the following
     text and is not commented out:
     <tt>-oMACS={{{ xccdf_value("sshd_approved_macs") }}}</tt>
 
@@ -34,7 +35,7 @@ ocil_clause: 'Crypto Policy for OpenSSH Server is not configured correctly'
 
 ocil: |-
     To verify if the OpenSSH server uses defined MACs in the Crypto Policy, run:
-    <pre>$ grep -Po '(-oMACs=\S+)' /etc/crypto-policies/back-ends/opensshserver.config</pre>
+    <pre>$ grep -Po '(-oMACs=\S+)' {{{ openssh_server_policy_file }}}</pre>
     and verify that the line matches:
     <pre>-oMACS={{{ xccdf_value("sshd_approved_macs") }}}</pre>
 

ssg/constants.py

@@ -465,6 +465,8 @@
 DEFAULT_SSHD_SYSCONFIG_FILE = '/etc/sysconfig/sshd'
 DEFAULT_SSH_CLIENT_MAIN_CONFIG_FILE = '/etc/ssh/ssh_config'
 DEFAULT_SSH_CLIENT_CONFIG_DIR = '/etc/ssh/ssh_config.d'
+DEFAULT_OPENSSH_CLIENT_CRYPTO_POLICY_CONFIG_FILE = '/etc/crypto-policies/back-ends/openssh.config'
+DEFAULT_OPENSSH_SERVER_CRYPTO_POLICY_CONFIG_FILE = '/etc/crypto-policies/back-ends/opensshserver.config'
 DEFAULT_PRODUCT = 'example'
 DEFAULT_CHRONY_CONF_PATH = '/etc/chrony.conf'
 DEFAULT_CHRONY_D_PATH = '/etc/chrony.d/'

ssg/products.py

@@ -23,6 +23,8 @@
                         DEFAULT_SSHD_SYSCONFIG_FILE,
                         DEFAULT_SSH_CLIENT_MAIN_CONFIG_FILE,
                         DEFAULT_SSH_CLIENT_CONFIG_DIR,
+                        DEFAULT_OPENSSH_CLIENT_CRYPTO_POLICY_CONFIG_FILE,
+                        DEFAULT_OPENSSH_SERVER_CRYPTO_POLICY_CONFIG_FILE,
                         DEFAULT_CHRONY_CONF_PATH,
                         DEFAULT_CHRONY_D_PATH,
                         DEFAULT_AUDISP_CONF_PATH,
@@ -138,6 +140,12 @@ def _get_implied_properties(existing_properties):
     if "ssh_client_config_dir" not in existing_properties:
         result["ssh_client_config_dir"] = DEFAULT_SSH_CLIENT_CONFIG_DIR
 
+    if "openssh_client_crypto_policy_config_file" not in existing_properties:
+        result["openssh_client_crypto_policy_config_file"] = DEFAULT_OPENSSH_CLIENT_CRYPTO_POLICY_CONFIG_FILE
+
+    if "openssh_server_crypto_policy_config_file" not in existing_properties:
+        result["openssh_server_crypto_policy_config_file"] = DEFAULT_OPENSSH_SERVER_CRYPTO_POLICY_CONFIG_FILE
+
     if "product" not in existing_properties:
         result["product"] = DEFAULT_PRODUCT