From 77447041d19038f790e0f11e59a7164d839577b0 Mon Sep 17 00:00:00 2001
From: Vojtech Polasek
Date: Fri, 26 Jul 2019 11:31:52 +0200
Subject: [PATCH 01/20] initial commit of harden_sshd_crypto_policy rule
---
 .../crypto/harden_sshd_crypto_policy/oval/shared.xml | 1 +
 .../integrity/crypto/harden_sshd_crypto_policy/rule.yaml | 5 +++++
 rhel8/profiles/ospp.profile | 2 ++
 3 files changed, 8 insertions(+)
 create mode 100644 linux_os/guide/system/software/integrity/crypto/harden_sshd_crypto_policy/oval/shared.xml
 create mode 100644 linux_os/guide/system/software/integrity/crypto/harden_sshd_crypto_policy/rule.yaml
diff --git a/linux_os/guide/system/software/integrity/crypto/harden_sshd_crypto_policy/oval/shared.xml b/linux_os/guide/system/software/integrity/crypto/harden_sshd_crypto_policy/oval/shared.xml
new file mode 100644
index 000000000000..6a869e006696
--- /dev/null
+++ b/linux_os/guide/system/software/integrity/crypto/harden_sshd_crypto_policy/oval/shared.xml
@@ -0,0 +1 @@
+{{{ oval_check_config_file(path="/etc/crypto-policies/back-ends/opensshserver.config", parameter="CRYPTO_POLICY", value="'-oCiphers=aes128-ctr,aes256-ctr,aes128-cbc,aes256-cbc -oMACs=hmac-sha2-256,hmac-sha2-512 -oGSSAPIKeyExchange=no -oKexAlgorithms=diffie-hellman-group14-sha1,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521 -oHostKeyAlgorithms=rsa-sha2-256,ecdsa-sha2-nistp256,ecdsa-sha2-nistp256-cert-v01@openssh.com,ecdsa-sha2-nistp384,ecdsa-sha2-nistp384-cert-v01@openssh.com,rsa-sha2-512,ecdsa-sha2-nistp521,ecdsa-sha2-nistp521-cert-v01@openssh.com -oPubkeyAcceptedKeyTypes=ssh-rsa,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384'", separator_regex="=", application="sshd") }}}
diff --git a/linux_os/guide/system/software/integrity/crypto/harden_sshd_crypto_policy/rule.yaml b/linux_os/guide/system/software/integrity/crypto/harden_sshd_crypto_policy/rule.yaml
new file mode 100644
index 000000000000..89626f92b4d7
--- /dev/null
+++ b/linux_os/guide/system/software/integrity/crypto/harden_sshd_crypto_policy/rule.yaml @@ -0,0 +1,5 @@ +documentation_complete: true +title: 'Harden SSHD crypto-policy' +description: 'tbd' +rationale: 'tbd' + diff --git a/rhel8/profiles/ospp.profile b/rhel8/profiles/ospp.profile index 2f6928e8bef4..f067628c7254 100644 --- a/rhel8/profiles/ospp.profile +++ b/rhel8/profiles/ospp.profile @@ -1226,3 +1226,5 @@ selections: ## Enable dnf-automatic Timer - timer_dnf-automatic_enabled + + - harden_sshd_crypto_policy \ No newline at end of file From 41a35ff65151cc53ac4726faaccd4d175004cb23 Mon Sep 17 00:00:00 2001 From: Vojtech Polasek Date: Fri, 26 Jul 2019 14:08:32 +0200 Subject: [PATCH 02/20] fixed typo in rule file name --- .../crypto/harden_sshd_crypto_policy/{rule.yaml => rule.yml} | 0 1 file changed, 0 insertions(+), 0 deletions(-) rename linux_os/guide/system/software/integrity/crypto/harden_sshd_crypto_policy/{rule.yaml => rule.yml} (100%) diff --git a/linux_os/guide/system/software/integrity/crypto/harden_sshd_crypto_policy/rule.yaml b/linux_os/guide/system/software/integrity/crypto/harden_sshd_crypto_policy/rule.yml similarity index 100% rename from linux_os/guide/system/software/integrity/crypto/harden_sshd_crypto_policy/rule.yaml rename to linux_os/guide/system/software/integrity/crypto/harden_sshd_crypto_policy/rule.yml From c63f501ea0f78e23134b3281e2ed357fa3ac9f33 Mon Sep 17 00:00:00 2001 From: Vojtech Polasek Date: Fri, 26 Jul 2019 14:11:57 +0200 Subject: [PATCH 03/20] added the severity key to rule.yml --- .../software/integrity/crypto/harden_sshd_crypto_policy/rule.yml | 1 + 1 file changed, 1 insertion(+) diff --git a/linux_os/guide/system/software/integrity/crypto/harden_sshd_crypto_policy/rule.yml b/linux_os/guide/system/software/integrity/crypto/harden_sshd_crypto_policy/rule.yml index 89626f92b4d7..4148cef86597 100644 --- a/linux_os/guide/system/software/integrity/crypto/harden_sshd_crypto_policy/rule.yml 
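Review bot: The added selection `- harden_sshd_crypto_policy` in rhel8/profiles/ospp.profile is appended without the `## …` heading that the neighbouring entries carry (the hunk context shows `## Enable dnf-automatic Timer` directly above `- timer_dnf-automatic_enabled`), and the file now ends without a trailing newline (`\ No newline at end of file`). Put a heading such as `## Configure the OpenSSH server crypto policy required by OSPP` above the new line and terminate the file with a newline, so the next selection appended here does not produce a noisy two-line diff.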
+++ b/linux_os/guide/system/software/integrity/crypto/harden_sshd_crypto_policy/rule.yml @@ -3,3 +3,4 @@ title: 'Harden SSHD crypto-policy' description: 'tbd' rationale: 'tbd' +severity: medium \ No newline at end of file From 1128b1f42c2aefe31632c0accdaa3f9236bb21bc Mon Sep 17 00:00:00 2001 From: Vojtech Polasek Date: Fri, 26 Jul 2019 11:31:52 +0200 Subject: [PATCH 04/20] initial commit of harden_sshd_crypto_policy rule --- .../integrity/crypto/harden_sshd_crypto_policy/rule.yaml | 5 +++++ 1 file changed, 5 insertions(+) create mode 100644 linux_os/guide/system/software/integrity/crypto/harden_sshd_crypto_policy/rule.yaml diff --git a/linux_os/guide/system/software/integrity/crypto/harden_sshd_crypto_policy/rule.yaml b/linux_os/guide/system/software/integrity/crypto/harden_sshd_crypto_policy/rule.yaml new file mode 100644 index 000000000000..89626f92b4d7 --- /dev/null +++ b/linux_os/guide/system/software/integrity/crypto/harden_sshd_crypto_policy/rule.yaml @@ -0,0 +1,5 @@ +documentation_complete: true +title: 'Harden SSHD crypto-policy' +description: 'tbd' +rationale: 'tbd' + From 0f6765a82e5fe306639eefc6774e1fa87d06596c Mon Sep 17 00:00:00 2001 From: Vojtech Polasek Date: Mon, 29 Jul 2019 09:25:53 +0200 Subject: [PATCH 05/20] check done regex working --- .../integrity/crypto/harden_sshd_crypto_policy/oval/shared.xml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/linux_os/guide/system/software/integrity/crypto/harden_sshd_crypto_policy/oval/shared.xml b/linux_os/guide/system/software/integrity/crypto/harden_sshd_crypto_policy/oval/shared.xml index 6a869e006696..76154f880fa8 100644 --- a/linux_os/guide/system/software/integrity/crypto/harden_sshd_crypto_policy/oval/shared.xml +++ b/linux_os/guide/system/software/integrity/crypto/harden_sshd_crypto_policy/oval/shared.xml 
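Review bot: Patch 04/20 recreates `rule.yaml` with the same content and blob id (`89626f92b4d7`) that 01/20 added and 02/20 already renamed to `rule.yml`, and 12/20 deletes it again, so between 04/20 and 12/20 the rule directory holds two rule files with different names. This looks like a rebase artifact rather than an intended change; dropping 04/20 together with 12/20 (or squashing the series before merge) keeps a single rule file in history and avoids a build that may pick up both.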
@@ -1 +1 @@
-{{{ oval_check_config_file(path="/etc/crypto-policies/back-ends/opensshserver.config", parameter="CRYPTO_POLICY", value="'-oCiphers=aes128-ctr,aes256-ctr,aes128-cbc,aes256-cbc -oMACs=hmac-sha2-256,hmac-sha2-512 -oGSSAPIKeyExchange=no -oKexAlgorithms=diffie-hellman-group14-sha1,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521 -oHostKeyAlgorithms=rsa-sha2-256,ecdsa-sha2-nistp256,ecdsa-sha2-nistp256-cert-v01@openssh.com,ecdsa-sha2-nistp384,ecdsa-sha2-nistp384-cert-v01@openssh.com,rsa-sha2-512,ecdsa-sha2-nistp521,ecdsa-sha2-nistp521-cert-v01@openssh.com -oPubkeyAcceptedKeyTypes=ssh-rsa,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384'", separator_regex="=", application="sshd") }}}
+{{{ oval_check_config_file(path="/etc/crypto-policies/back-ends/opensshserver.config", prefix_regex="^(?:.*\\n)*\s*", parameter="CRYPTO_POLICY", value="'-oCiphers=aes128-ctr,aes256-ctr,aes128-cbc,aes256-cbc -oMACs=hmac-sha2-256,hmac-sha2-512 -oGSSAPIKeyExchange=no -oKexAlgorithms=diffie-hellman-group14-sha1,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521 -oHostKeyAlgorithms=rsa-sha2-256,ecdsa-sha2-nistp256,ecdsa-sha2-nistp256-cert-v01@openssh.com,ecdsa-sha2-nistp384,ecdsa-sha2-nistp384-cert-v01@openssh.com,rsa-sha2-512,ecdsa-sha2-nistp521,ecdsa-sha2-nistp521-cert-v01@openssh.com -oPubkeyAcceptedKeyTypes=ssh-rsa,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384'", separator_regex="=", application="sshd") }}}
From a740ada117f506f4e6f6f16a4980f0abbdcdaaf7 Mon Sep 17 00:00:00 2001
From: Vojtech Polasek
Date: Mon, 29 Jul 2019 09:31:40 +0200
Subject: [PATCH 06/20] initial commit for bash remediation
---
 .../crypto/harden_sshd_crypto_policy/bash/shared.sh | 7 +++++++
 1 file changed, 7 insertions(+)
 create mode 100644 linux_os/guide/system/software/integrity/crypto/harden_sshd_crypto_policy/bash/shared.sh
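Review bot: The new `prefix_regex="^(?:.*\\n)*\s*"` mixes a double-escaped `\\n` with a single-escaped `\s`; whether both survive template rendering into the OVAL pattern as intended depends on how the templating treats backslashes in string literals, so escape them the same way and check the rendered OVAL rather than the template. The regex is evidently meant to bind the check to the last `CRYPTO_POLICY=` line (a later assignment overrides an earlier one when the file is sourced), which is what the `incorrect_followed_by_correct.pass.sh` and `correct_followed_by_incorrect.fail.sh` fixtures in 16/20 exercise; because `(?:.*\n)*` backtracks, that only holds if `oval_check_config_file` terminates the pattern with an end anchor, which this hunk cannot show, so keep those two fixtures as the guard. The intent is recorded nowhere in the file — a one-line template comment above the macro call, e.g. `match only the last CRYPTO_POLICY= assignment, since later definitions override earlier ones`, would save the next reader from re-deriving it.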
diff --git a/linux_os/guide/system/software/integrity/crypto/harden_sshd_crypto_policy/bash/shared.sh b/linux_os/guide/system/software/integrity/crypto/harden_sshd_crypto_policy/bash/shared.sh new file mode 100644 index 000000000000..385f998adfe8 --- /dev/null +++ b/linux_os/guide/system/software/integrity/crypto/harden_sshd_crypto_policy/bash/shared.sh @@ -0,0 +1,7 @@ +# platform = multi_platform_fedora,Red Hat Enterprise Linux 8,Oracle Linux 8 + +#blank line at the begining to ease later readibility +CP = "\n'-oCiphers=aes128-ctr,aes256-ctr,aes128-cbc,aes256-cbc -oMACs=hmac-sha2-256,hmac-sha2-512 -oGSSAPIKeyExchange=no -oKexAlgorithms=diffie-hellman-group14-sha1,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521 -oHostKeyAlgorithms=rsa-sha2-256,ecdsa-sha2-nistp256,ecdsa-sha2-nistp256-cert-v01@openssh.com,ecdsa-sha2-nistp384,ecdsa-sha2-nistp384-cert-v01@openssh.com,rsa-sha2-512,ecdsa-sha2-nistp521,ecdsa-sha2-nistp521-cert-v01@openssh.com -oPubkeyAcceptedKeyTypes=ssh-rsa,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384'" + +echo $CP > /etc/crypto-policies/local.d/opensshserver-ospp.config +update-cryptopolicies \ No newline at end of file From 5595df911b71da3f6c9d9f76bd4b10140df58ce5 Mon Sep 17 00:00:00 2001 From: Vojtech Polasek Date: Mon, 29 Jul 2019 09:44:30 +0200 Subject: [PATCH 07/20] fixed a typo --- .../integrity/crypto/harden_sshd_crypto_policy/bash/shared.sh | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/linux_os/guide/system/software/integrity/crypto/harden_sshd_crypto_policy/bash/shared.sh b/linux_os/guide/system/software/integrity/crypto/harden_sshd_crypto_policy/bash/shared.sh index 385f998adfe8..b3f722f289fd 100644 --- a/linux_os/guide/system/software/integrity/crypto/harden_sshd_crypto_policy/bash/shared.sh +++ b/linux_os/guide/system/software/integrity/crypto/harden_sshd_crypto_policy/bash/shared.sh 
@@ -4,4 +4,4 @@ CP = "\n'-oCiphers=aes128-ctr,aes256-ctr,aes128-cbc,aes256-cbc -oMACs=hmac-sha2-256,hmac-sha2-512 -oGSSAPIKeyExchange=no -oKexAlgorithms=diffie-hellman-group14-sha1,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521 -oHostKeyAlgorithms=rsa-sha2-256,ecdsa-sha2-nistp256,ecdsa-sha2-nistp256-cert-v01@openssh.com,ecdsa-sha2-nistp384,ecdsa-sha2-nistp384-cert-v01@openssh.com,rsa-sha2-512,ecdsa-sha2-nistp521,ecdsa-sha2-nistp521-cert-v01@openssh.com -oPubkeyAcceptedKeyTypes=ssh-rsa,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384'" echo $CP > /etc/crypto-policies/local.d/opensshserver-ospp.config -update-cryptopolicies \ No newline at end of file +update-crypto-policies \ No newline at end of file From da9c0e3dc026e0984c103985ce33b7d42354edb5 Mon Sep 17 00:00:00 2001 From: Vojtech Polasek Date: Mon, 29 Jul 2019 10:07:41 +0200 Subject: [PATCH 08/20] fixed writing into file --- .../crypto/harden_sshd_crypto_policy/bash/shared.sh | 9 ++++++--- 1 file changed, 6 insertions(+), 3 deletions(-) diff --git a/linux_os/guide/system/software/integrity/crypto/harden_sshd_crypto_policy/bash/shared.sh b/linux_os/guide/system/software/integrity/crypto/harden_sshd_crypto_policy/bash/shared.sh index b3f722f289fd..1b4c87447303 100644 --- a/linux_os/guide/system/software/integrity/crypto/harden_sshd_crypto_policy/bash/shared.sh +++ b/linux_os/guide/system/software/integrity/crypto/harden_sshd_crypto_policy/bash/shared.sh 
@@ -1,7 +1,10 @@ # platform = multi_platform_fedora,Red Hat Enterprise Linux 8,Oracle Linux 8 -#blank line at the begining to ease later readibility -CP = "\n'-oCiphers=aes128-ctr,aes256-ctr,aes128-cbc,aes256-cbc -oMACs=hmac-sha2-256,hmac-sha2-512 -oGSSAPIKeyExchange=no -oKexAlgorithms=diffie-hellman-group14-sha1,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521 -oHostKeyAlgorithms=rsa-sha2-256,ecdsa-sha2-nistp256,ecdsa-sha2-nistp256-cert-v01@openssh.com,ecdsa-sha2-nistp384,ecdsa-sha2-nistp384-cert-v01@openssh.com,rsa-sha2-512,ecdsa-sha2-nistp521,ecdsa-sha2-nistp521-cert-v01@openssh.com -oPubkeyAcceptedKeyTypes=ssh-rsa,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384'" -echo $CP > /etc/crypto-policies/local.d/opensshserver-ospp.config +cp="'-oCiphers=aes128-ctr,aes256-ctr,aes128-cbc,aes256-cbc -oMACs=hmac-sha2-256,hmac-sha2-512 -oGSSAPIKeyExchange=no -oKexAlgorithms=diffie-hellman-group14-sha1,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521 -oHostKeyAlgorithms=rsa-sha2-256,ecdsa-sha2-nistp256,ecdsa-sha2-nistp256-cert-v01@openssh.com,ecdsa-sha2-nistp384,ecdsa-sha2-nistp384-cert-v01@openssh.com,rsa-sha2-512,ecdsa-sha2-nistp521,ecdsa-sha2-nistp521-cert-v01@openssh.com -oPubkeyAcceptedKeyTypes=ssh-rsa,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384'" +file=/etc/crypto-policies/local.d/opensshserver-ospp.config + +#blank line at the begining to ease later readibility +echo '' > $file +echo $CP >> $file update-crypto-policies \ No newline at end of file From cec659f1418230bfea91eee9495c493d420dc8d8 Mon Sep 17 00:00:00 2001 From: Vojtech Polasek Date: Mon, 29 Jul 2019 10:10:10 +0200 Subject: [PATCH 09/20] fixed variable name --- .../integrity/crypto/harden_sshd_crypto_policy/bash/shared.sh | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/linux_os/guide/system/software/integrity/crypto/harden_sshd_crypto_policy/bash/shared.sh b/linux_os/guide/system/software/integrity/crypto/harden_sshd_crypto_policy/bash/shared.sh index 1b4c87447303..48ea99cf48ed 100644 
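Review bot: `echo '' > $file` and `echo $CP >> $file` leave both expansions unquoted, so the policy string is word-split and glob-expanded before it is written; that is harmless for today's value (single spaces, no glob characters) but a future tab or `*` in the CC list would silently change what lands in the file. The two writes collapse into one quoted step, `printf '\n%s\n' "$cp" > "$file"`, which produces the identical leading blank line and keeps the value byte-for-byte (the `$CP`/`$cp` mismatch itself is fixed in 09/20). As a point of style, `cp` as a variable name collides visually with the `cp` command in a script that also runs external tools; `policy` or `crypto_policy` would read more clearly.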
--- a/linux_os/guide/system/software/integrity/crypto/harden_sshd_crypto_policy/bash/shared.sh +++ b/linux_os/guide/system/software/integrity/crypto/harden_sshd_crypto_policy/bash/shared.sh @@ -6,5 +6,5 @@ file=/etc/crypto-policies/local.d/opensshserver-ospp.config #blank line at the begining to ease later readibility echo '' > $file -echo $CP >> $file +echo $cp >> $file update-crypto-policies \ No newline at end of file From 9ce84e987875220457aeca20da03be949b4499fb Mon Sep 17 00:00:00 2001 From: Vojtech Polasek Date: Mon, 29 Jul 2019 10:16:58 +0200 Subject: [PATCH 10/20] added actual environment variable --- .../integrity/crypto/harden_sshd_crypto_policy/bash/shared.sh | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/linux_os/guide/system/software/integrity/crypto/harden_sshd_crypto_policy/bash/shared.sh b/linux_os/guide/system/software/integrity/crypto/harden_sshd_crypto_policy/bash/shared.sh index 48ea99cf48ed..17837e35dc5d 100644 --- a/linux_os/guide/system/software/integrity/crypto/harden_sshd_crypto_policy/bash/shared.sh +++ b/linux_os/guide/system/software/integrity/crypto/harden_sshd_crypto_policy/bash/shared.sh 
@@ -1,7 +1,7 @@ # platform = multi_platform_fedora,Red Hat Enterprise Linux 8,Oracle Linux 8 -cp="'-oCiphers=aes128-ctr,aes256-ctr,aes128-cbc,aes256-cbc -oMACs=hmac-sha2-256,hmac-sha2-512 -oGSSAPIKeyExchange=no -oKexAlgorithms=diffie-hellman-group14-sha1,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521 -oHostKeyAlgorithms=rsa-sha2-256,ecdsa-sha2-nistp256,ecdsa-sha2-nistp256-cert-v01@openssh.com,ecdsa-sha2-nistp384,ecdsa-sha2-nistp384-cert-v01@openssh.com,rsa-sha2-512,ecdsa-sha2-nistp521,ecdsa-sha2-nistp521-cert-v01@openssh.com -oPubkeyAcceptedKeyTypes=ssh-rsa,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384'" +cp="CRYPTO_POLICY='-oCiphers=aes128-ctr,aes256-ctr,aes128-cbc,aes256-cbc -oMACs=hmac-sha2-256,hmac-sha2-512 -oGSSAPIKeyExchange=no -oKexAlgorithms=diffie-hellman-group14-sha1,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521 -oHostKeyAlgorithms=rsa-sha2-256,ecdsa-sha2-nistp256,ecdsa-sha2-nistp256-cert-v01@openssh.com,ecdsa-sha2-nistp384,ecdsa-sha2-nistp384-cert-v01@openssh.com,rsa-sha2-512,ecdsa-sha2-nistp521,ecdsa-sha2-nistp521-cert-v01@openssh.com -oPubkeyAcceptedKeyTypes=ssh-rsa,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384'" file=/etc/crypto-policies/local.d/opensshserver-ospp.config #blank line at the begining to ease later readibility From 61a7ea907ae2cdfe6913a03589a03a33c28427b0 Mon Sep 17 00:00:00 2001 From: Vojtech Polasek Date: Mon, 29 Jul 2019 13:35:20 +0200 Subject: [PATCH 11/20] completed the rule.yaml file --- .../crypto/harden_sshd_crypto_policy/rule.yml | 22 +++++++++++++++---- 1 file changed, 18 insertions(+), 4 deletions(-) diff --git a/linux_os/guide/system/software/integrity/crypto/harden_sshd_crypto_policy/rule.yml b/linux_os/guide/system/software/integrity/crypto/harden_sshd_crypto_policy/rule.yml index 4148cef86597..4d70f78e4d47 100644 --- a/linux_os/guide/system/software/integrity/crypto/harden_sshd_crypto_policy/rule.yml +++ b/linux_os/guide/system/software/integrity/crypto/harden_sshd_crypto_policy/rule.yml 
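Review bot: With `CRYPTO_POLICY=` folded into the assignment, the full policy string now lives verbatim in three places — the OVAL macro call (05/20), this remediation, and the OCIL text added in 15/20 — and the fixtures in 16/20 copy it again; any future change to the required algorithm set has to be replicated by hand, and a one-character drift makes the check and the fix disagree (the remediation writes a value the check rejects, or the check passes a value the remediation never writes). Consider keeping the string in one templated place (a product- or rule-level variable rendered into OVAL, bash and OCIL) and referencing it from each, with a comment at the definition naming the OSPP requirement it implements. The `CRYPTO_POLICY=` prefix itself is consistent with what the OVAL looks for in the back-end file.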
@@ -1,6 +1,20 @@ documentation_complete: true -title: 'Harden SSHD crypto-policy' -description: 'tbd' -rationale: 'tbd' -severity: medium \ No newline at end of file +title: 'Harden SSHD Crypto Policy' + +description: |- + Crypto Policies are means of enforcing certain cryptographic settings for selected applications including OpenSSH server. + The SSHD service is by default configured to enhance its configuration based on currently configured Crypto-Policy. However, in certain cases it is required to override the Crypto Policy specific to OpenSSH Server. + This can be done by dropping a file named opensshserver-xxx.config, replacing xxx with arbitrary identifier, into /etc/crypto-policies/local.d. This has to be followed by running update-crypto-policies sothat changes are applied. + Changes are propagated into /etc/crypto-policies/back-ends/opensshserver.config. This rule checks if this file contains predefined CRYPTO_POLICY environment variable configured with predefined value. + +rationale: |- + The Common Criteria requirements specify that certain parameters for OpenSSH Server are configured e.g. supported ciphers, accepted host key algorithms, public key types, key exchange algorithms, HMACs and GSSAPI key exchange is disabled. + +severity: medium + +identifiers: + cce@rhel8: 82881-4 + +references: + OSPP:FCS_SSHS_EXT.1 \ No newline at end of file From 8c4a84ef48877346b016e42943c1efed910f7cf2 Mon Sep 17 00:00:00 2001 From: Vojtech Polasek Date: Mon, 29 Jul 2019 13:41:56 +0200 Subject: [PATCH 12/20] removed badly named file --- .../integrity/crypto/harden_sshd_crypto_policy/rule.yaml | 5 ----- 1 file changed, 5 deletions(-) delete mode 100644 linux_os/guide/system/software/integrity/crypto/harden_sshd_crypto_policy/rule.yaml 
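Review bot: The description should state that the check only inspects `/etc/crypto-policies/back-ends/opensshserver.config`; whether sshd actually applies that file depends on the service still sourcing the system-wide policy (on RHEL 8 sshd can opt out via the `CRYPTO_POLICY=` line in `/etc/sysconfig/sshd`), which this rule does not verify, so a pass is necessary but not sufficient. It should also say that the mandated list is the OSPP/Common Criteria set rather than a strength maximum — it keeps the CBC-mode ciphers `aes128-cbc`/`aes256-cbc` and the SHA-1-based `diffie-hellman-group14-sha1` and `ssh-rsa` — so that `Harden` in the title is not read as stricter-than-default. Wording in the description: `sothat` → `so that`, `enhance its configuration based on` → `take its configuration from`, and `Crypto-Policy` / `Crypto Policy` should be spelled one way throughout; the 17/20 wording change is outside this view, so some of this may already be covered.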
diff --git a/linux_os/guide/system/software/integrity/crypto/harden_sshd_crypto_policy/rule.yaml b/linux_os/guide/system/software/integrity/crypto/harden_sshd_crypto_policy/rule.yaml deleted file mode 100644 index 89626f92b4d7..000000000000 --- a/linux_os/guide/system/software/integrity/crypto/harden_sshd_crypto_policy/rule.yaml +++ /dev/null @@ -1,5 +0,0 @@ -documentation_complete: true -title: 'Harden SSHD crypto-policy' -description: 'tbd' -rationale: 'tbd' - From 38715eea3c2e0544c64366a529a7508859a5ba93 Mon Sep 17 00:00:00 2001 From: Vojtech Polasek Date: Mon, 29 Jul 2019 14:22:37 +0200 Subject: [PATCH 13/20] added missing space in rule.yaml --- .../integrity/crypto/harden_sshd_crypto_policy/rule.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/linux_os/guide/system/software/integrity/crypto/harden_sshd_crypto_policy/rule.yml b/linux_os/guide/system/software/integrity/crypto/harden_sshd_crypto_policy/rule.yml index 4d70f78e4d47..e32585f716ea 100644 --- a/linux_os/guide/system/software/integrity/crypto/harden_sshd_crypto_policy/rule.yml +++ b/linux_os/guide/system/software/integrity/crypto/harden_sshd_crypto_policy/rule.yml @@ -17,4 +17,4 @@ identifiers: cce@rhel8: 82881-4 references: - OSPP:FCS_SSHS_EXT.1 \ No newline at end of file + OSPP: FCS_SSHS_EXT.1 \ No newline at end of file From f86b287f2efb24a7bb17c2b41afdcdb986ab2e48 Mon Sep 17 00:00:00 2001 From: Vojtech Polasek Date: Mon, 29 Jul 2019 14:48:14 +0200 Subject: [PATCH 14/20] replaced duplicate reference --- .../integrity/crypto/harden_sshd_crypto_policy/rule.yml | 2 +- shared/references/cce-redhat-avail.txt | 1 - 2 files changed, 1 insertion(+), 2 deletions(-) diff --git a/linux_os/guide/system/software/integrity/crypto/harden_sshd_crypto_policy/rule.yml b/linux_os/guide/system/software/integrity/crypto/harden_sshd_crypto_policy/rule.yml index e32585f716ea..bd162aef7afb 100644 --- a/linux_os/guide/system/software/integrity/crypto/harden_sshd_crypto_policy/rule.yml 
+++ b/linux_os/guide/system/software/integrity/crypto/harden_sshd_crypto_policy/rule.yml @@ -14,7 +14,7 @@ rationale: |- severity: medium identifiers: - cce@rhel8: 82881-4 + cce@rhel8: 82176-9 references: OSPP: FCS_SSHS_EXT.1 \ No newline at end of file diff --git a/shared/references/cce-redhat-avail.txt b/shared/references/cce-redhat-avail.txt index 0d6150580b33..ccaaf75b3879 100644 --- a/shared/references/cce-redhat-avail.txt +++ b/shared/references/cce-redhat-avail.txt @@ -9,7 +9,6 @@ CCE-82172-8 CCE-82173-6 CCE-82174-4 CCE-82175-1 -CCE-82176-9 CCE-82177-7 CCE-82178-5 CCE-82179-3 From e3dc24a392c8de552e9be7c2fbd77397a1eab431 Mon Sep 17 00:00:00 2001 From: Vojtech Polasek Date: Tue, 30 Jul 2019 08:31:39 +0200 Subject: [PATCH 15/20] added ocil to rule.yaml added also empty lines at end of files --- .../crypto/harden_sshd_crypto_policy/bash/shared.sh | 2 +- .../crypto/harden_sshd_crypto_policy/rule.yml | 10 +++++++++- 2 files changed, 10 insertions(+), 2 deletions(-) diff --git a/linux_os/guide/system/software/integrity/crypto/harden_sshd_crypto_policy/bash/shared.sh b/linux_os/guide/system/software/integrity/crypto/harden_sshd_crypto_policy/bash/shared.sh index 17837e35dc5d..c618564f8067 100644 --- a/linux_os/guide/system/software/integrity/crypto/harden_sshd_crypto_policy/bash/shared.sh +++ b/linux_os/guide/system/software/integrity/crypto/harden_sshd_crypto_policy/bash/shared.sh @@ -7,4 +7,4 @@ file=/etc/crypto-policies/local.d/opensshserver-ospp.config #blank line at the begining to ease later readibility echo '' > $file echo $cp >> $file -update-crypto-policies \ No newline at end of file +update-crypto-policies diff --git a/linux_os/guide/system/software/integrity/crypto/harden_sshd_crypto_policy/rule.yml b/linux_os/guide/system/software/integrity/crypto/harden_sshd_crypto_policy/rule.yml index bd162aef7afb..95575fb735f4 100644 --- a/linux_os/guide/system/software/integrity/crypto/harden_sshd_crypto_policy/rule.yml 
+++ b/linux_os/guide/system/software/integrity/crypto/harden_sshd_crypto_policy/rule.yml @@ -17,4 +17,12 @@ identifiers: cce@rhel8: 82176-9 references: - OSPP: FCS_SSHS_EXT.1 \ No newline at end of file + OSPP: FCS_SSHS_EXT.1 + +ocil_clause: 'Crypto Policy for OpenSSH Server is not configured according to CC requirements' + +ocil: |- + To verify if the OpenSSH server uses defined Crypto Policy, run: +
$ grep 'CRYPTO_POLICY' /etc/crypto-policies/back-ends/opensshserver.txt | tail -n 1
+and verify that the line matches +
CRYPTO_POLICY", value="'-oCiphers=aes128-ctr,aes256-ctr,aes128-cbc,aes256-cbc -oMACs=hmac-sha2-256,hmac-sha2-512 -oGSSAPIKeyExchange=no -oKexAlgorithms=diffie-hellman-group14-sha1,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521 -oHostKeyAlgorithms=rsa-sha2-256,ecdsa-sha2-nistp256,ecdsa-sha2-nistp256-cert-v01@openssh.com,ecdsa-sha2-nistp384,ecdsa-sha2-nistp384-cert-v01@openssh.com,rsa-sha2-512,ecdsa-sha2-nistp521,ecdsa-sha2-nistp521-cert-v01@openssh.com -oPubkeyAcceptedKeyTypes=ssh-rsa,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384'
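Review bot: The OCIL procedure points at `/etc/crypto-policies/back-ends/opensshserver.txt`, while the OVAL (05/20) and every fixture in 16/20 use `/etc/crypto-policies/back-ends/opensshserver.config`, so an auditor following the text greps a file the automated check does not read. The expected line also carries a copy-paste fragment from the OVAL macro call (`CRYPTO_POLICY", value="'-oCiphers=…`) where the file actually contains `CRYPTO_POLICY='-oCiphers=…'` with the value closed by the single quote. Further, `grep 'CRYPTO_POLICY'` matches a commented-out `#CRYPTO_POLICY=` line, which `correct_commented.fail.sh` treats as non-compliant; `$ grep '^CRYPTO_POLICY=' /etc/crypto-policies/back-ends/opensshserver.config | tail -n 1` keeps the manual check aligned with the OVAL. The re-indented copy of this text in 16/20 carries all three problems unchanged.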
From 7408d4962e0f7476974ee866762d2d657c1542a2 Mon Sep 17 00:00:00 2001 From: Vojtech Polasek Date: Tue, 30 Jul 2019 14:40:47 +0200 Subject: [PATCH 16/20] tests created --- .../integrity/crypto/harden_sshd_crypto_policy/rule.yml | 6 +++--- .../rule_harden_sshd_crypto_policy/correct.pass.sh | 8 ++++++++ .../correct_commented.fail.sh | 7 +++++++ .../correct_followed_by_incorrect.fail.sh | 8 ++++++++ .../rule_harden_sshd_crypto_policy/empty_file.fail.sh | 7 +++++++ .../rule_harden_sshd_crypto_policy/empty_policy.fail.sh | 7 +++++++ .../incorrect_followed_by_correct.pass.sh | 8 ++++++++ .../incorrect_policy.fail.sh | 7 +++++++ .../rule_harden_sshd_crypto_policy/missing_file.fail.sh | 7 +++++++ 9 files changed, 62 insertions(+), 3 deletions(-) create mode 100644 tests/data/group_system/group_software/group_integrity/group_crypto/rule_harden_sshd_crypto_policy/correct.pass.sh create mode 100644 tests/data/group_system/group_software/group_integrity/group_crypto/rule_harden_sshd_crypto_policy/correct_commented.fail.sh create mode 100644 tests/data/group_system/group_software/group_integrity/group_crypto/rule_harden_sshd_crypto_policy/correct_followed_by_incorrect.fail.sh create mode 100644 tests/data/group_system/group_software/group_integrity/group_crypto/rule_harden_sshd_crypto_policy/empty_file.fail.sh create mode 100644 tests/data/group_system/group_software/group_integrity/group_crypto/rule_harden_sshd_crypto_policy/empty_policy.fail.sh create mode 100644 tests/data/group_system/group_software/group_integrity/group_crypto/rule_harden_sshd_crypto_policy/incorrect_followed_by_correct.pass.sh create mode 100644 tests/data/group_system/group_software/group_integrity/group_crypto/rule_harden_sshd_crypto_policy/incorrect_policy.fail.sh create mode 100644 tests/data/group_system/group_software/group_integrity/group_crypto/rule_harden_sshd_crypto_policy/missing_file.fail.sh 
diff --git a/linux_os/guide/system/software/integrity/crypto/harden_sshd_crypto_policy/rule.yml b/linux_os/guide/system/software/integrity/crypto/harden_sshd_crypto_policy/rule.yml index 95575fb735f4..845464ffe9e4 100644 --- a/linux_os/guide/system/software/integrity/crypto/harden_sshd_crypto_policy/rule.yml +++ b/linux_os/guide/system/software/integrity/crypto/harden_sshd_crypto_policy/rule.yml @@ -23,6 +23,6 @@ ocil_clause: 'Crypto Policy for OpenSSH Server is not configured according to CC ocil: |- To verify if the OpenSSH server uses defined Crypto Policy, run: -
$ grep 'CRYPTO_POLICY' /etc/crypto-policies/back-ends/opensshserver.txt | tail -n 1
-and verify that the line matches -
CRYPTO_POLICY", value="'-oCiphers=aes128-ctr,aes256-ctr,aes128-cbc,aes256-cbc -oMACs=hmac-sha2-256,hmac-sha2-512 -oGSSAPIKeyExchange=no -oKexAlgorithms=diffie-hellman-group14-sha1,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521 -oHostKeyAlgorithms=rsa-sha2-256,ecdsa-sha2-nistp256,ecdsa-sha2-nistp256-cert-v01@openssh.com,ecdsa-sha2-nistp384,ecdsa-sha2-nistp384-cert-v01@openssh.com,rsa-sha2-512,ecdsa-sha2-nistp521,ecdsa-sha2-nistp521-cert-v01@openssh.com -oPubkeyAcceptedKeyTypes=ssh-rsa,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384'
+
$ grep 'CRYPTO_POLICY' /etc/crypto-policies/back-ends/opensshserver.txt | tail -n 1
+ and verify that the line matches +
CRYPTO_POLICY", value="'-oCiphers=aes128-ctr,aes256-ctr,aes128-cbc,aes256-cbc -oMACs=hmac-sha2-256,hmac-sha2-512 -oGSSAPIKeyExchange=no -oKexAlgorithms=diffie-hellman-group14-sha1,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521 -oHostKeyAlgorithms=rsa-sha2-256,ecdsa-sha2-nistp256,ecdsa-sha2-nistp256-cert-v01@openssh.com,ecdsa-sha2-nistp384,ecdsa-sha2-nistp384-cert-v01@openssh.com,rsa-sha2-512,ecdsa-sha2-nistp521,ecdsa-sha2-nistp521-cert-v01@openssh.com -oPubkeyAcceptedKeyTypes=ssh-rsa,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384'
diff --git a/tests/data/group_system/group_software/group_integrity/group_crypto/rule_harden_sshd_crypto_policy/correct.pass.sh b/tests/data/group_system/group_software/group_integrity/group_crypto/rule_harden_sshd_crypto_policy/correct.pass.sh new file mode 100644 index 000000000000..24bc4aa9632f --- /dev/null +++ b/tests/data/group_system/group_software/group_integrity/group_crypto/rule_harden_sshd_crypto_policy/correct.pass.sh @@ -0,0 +1,8 @@ +#!/bin/bash +# platform = multi_platform_fedora,Red Hat Enterprise Linux 8 +# profiles = xccdf_org.ssgproject.content_profile_ospp + +configfile=/etc/crypto-policies/back-ends/opensshserver.config + +echo "CRYPTO_POLICY='-oCiphers=aes128-ctr,aes256-ctr,aes128-cbc,aes256-cbc -oMACs=hmac-sha2-256,hmac-sha2-512 -oGSSAPIKeyExchange=no -oKexAlgorithms=diffie-hellman-group14-sha1,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521 -oHostKeyAlgorithms=rsa-sha2-256,ecdsa-sha2-nistp256,ecdsa-sha2-nistp256-cert-v01@openssh.com,ecdsa-sha2-nistp384,ecdsa-sha2-nistp384-cert-v01@openssh.com,rsa-sha2-512,ecdsa-sha2-nistp521,ecdsa-sha2-nistp521-cert-v01@openssh.com -oPubkeyAcceptedKeyTypes=ssh-rsa,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384'" > "$configfile" + diff --git a/tests/data/group_system/group_software/group_integrity/group_crypto/rule_harden_sshd_crypto_policy/correct_commented.fail.sh b/tests/data/group_system/group_software/group_integrity/group_crypto/rule_harden_sshd_crypto_policy/correct_commented.fail.sh new file mode 100644 index 000000000000..e2059a1bd9ea --- /dev/null +++ b/tests/data/group_system/group_software/group_integrity/group_crypto/rule_harden_sshd_crypto_policy/correct_commented.fail.sh 
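Review bot: The fixtures declare `# platform = multi_platform_fedora,Red Hat Enterprise Linux 8` while the bash remediation (06/20) also claims `Oracle Linux 8`, so if the harness honours the platform line the remediation is never exercised on the third platform it targets; either drop Oracle Linux 8 from the remediation or list it here. None of the scenarios covers an indented `  CRYPTO_POLICY='…'` line, which the `\s*` in the OVAL prefix regex (05/20) appears meant to accept — a `leading_whitespace.pass.sh` would pin that behaviour. Note also that on these distributions the back-end `.config` files are normally symlinks into `/usr/share/crypto-policies/`, so `echo … > "$configfile"` writes through the link into the shared policy file instead of replacing the link; that is fine in a throwaway test VM, but a one-line comment in each fixture saying so would stop anyone from running them on a real host.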
@@ -0,0 +1,7 @@ +#!/bin/bash +# platform = multi_platform_fedora,Red Hat Enterprise Linux 8 +# profiles = xccdf_org.ssgproject.content_profile_ospp + +configfile=/etc/crypto-policies/back-ends/opensshserver.config + +echo "#CRYPTO_POLICY='-oCiphers=aes128-ctr,aes256-ctr,aes128-cbc,aes256-cbc -oMACs=hmac-sha2-256,hmac-sha2-512 -oGSSAPIKeyExchange=no -oKexAlgorithms=diffie-hellman-group14-sha1,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521 -oHostKeyAlgorithms=rsa-sha2-256,ecdsa-sha2-nistp256,ecdsa-sha2-nistp256-cert-v01@openssh.com,ecdsa-sha2-nistp384,ecdsa-sha2-nistp384-cert-v01@openssh.com,rsa-sha2-512,ecdsa-sha2-nistp521,ecdsa-sha2-nistp521-cert-v01@openssh.com -oPubkeyAcceptedKeyTypes=ssh-rsa,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384'" > "$configfile" diff --git a/tests/data/group_system/group_software/group_integrity/group_crypto/rule_harden_sshd_crypto_policy/correct_followed_by_incorrect.fail.sh b/tests/data/group_system/group_software/group_integrity/group_crypto/rule_harden_sshd_crypto_policy/correct_followed_by_incorrect.fail.sh new file mode 100644 index 000000000000..5ea8a4c4f510 --- /dev/null +++ b/tests/data/group_system/group_software/group_integrity/group_crypto/rule_harden_sshd_crypto_policy/correct_followed_by_incorrect.fail.sh 
@@ -0,0 +1,8 @@ +#!/bin/bash +# platform = multi_platform_fedora,Red Hat Enterprise Linux 8 +# profiles = xccdf_org.ssgproject.content_profile_ospp + +configfile=/etc/crypto-policies/back-ends/opensshserver.config + +echo "CRYPTO_POLICY='-oCiphers=aes128-ctr,aes256-ctr,aes128-cbc,aes256-cbc -oMACs=hmac-sha2-256,hmac-sha2-512 -oGSSAPIKeyExchange=no -oKexAlgorithms=diffie-hellman-group14-sha1,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521 -oHostKeyAlgorithms=rsa-sha2-256,ecdsa-sha2-nistp256,ecdsa-sha2-nistp256-cert-v01@openssh.com,ecdsa-sha2-nistp384,ecdsa-sha2-nistp384-cert-v01@openssh.com,rsa-sha2-512,ecdsa-sha2-nistp521,ecdsa-sha2-nistp521-cert-v01@openssh.com -oPubkeyAcceptedKeyTypes=ssh-rsa,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384'" > "$configfile" +echo "CRYPTO_POLICY='-oCiphers=aes128-ctr,aes256-ctr,aes128-cbc,aes256-cbc -oMACs=hmac-sha2-256,hmac-sha2-512 -oGSSAPIKeyExchange=no -oKexAlgorithms=diffie-hellman-group14-sha1,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521 -oHostKeyAlgorithms=rsa-sha2-256,ecdsa-sha2-nistp256,ecdsa-sha2-nistp256-cert-v01@openssh.com,ecdsa-sha2-nistp384,ecdsa-sha2-nistp384-cert-v01@openssh.com,rsa-sha2-512,ecdsa-sha2-nistp521,ecdsa-sha2-nistp521-cert-v01@openssh.com -oPubkeyAcceptedKeyTypes=ssh-rsa,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,spamspam'" >> "$configfile" diff --git a/tests/data/group_system/group_software/group_integrity/group_crypto/rule_harden_sshd_crypto_policy/empty_file.fail.sh b/tests/data/group_system/group_software/group_integrity/group_crypto/rule_harden_sshd_crypto_policy/empty_file.fail.sh new file mode 100644 index 000000000000..f9ef2781c505 --- /dev/null +++ b/tests/data/group_system/group_software/group_integrity/group_crypto/rule_harden_sshd_crypto_policy/empty_file.fail.sh 
@@ -0,0 +1,7 @@ +#!/bin/bash +# platform = multi_platform_fedora,Red Hat Enterprise Linux 8 +# profiles = xccdf_org.ssgproject.content_profile_ospp + +configfile=/etc/crypto-policies/back-ends/opensshserver.config + +echo "" > "$configfile" diff --git a/tests/data/group_system/group_software/group_integrity/group_crypto/rule_harden_sshd_crypto_policy/empty_policy.fail.sh b/tests/data/group_system/group_software/group_integrity/group_crypto/rule_harden_sshd_crypto_policy/empty_policy.fail.sh new file mode 100644 index 000000000000..ac99aa83a53b --- /dev/null +++ b/tests/data/group_system/group_software/group_integrity/group_crypto/rule_harden_sshd_crypto_policy/empty_policy.fail.sh @@ -0,0 +1,7 @@ +#!/bin/bash +# platform = multi_platform_fedora,Red Hat Enterprise Linux 8 +# profiles = xccdf_org.ssgproject.content_profile_ospp + +configfile=/etc/crypto-policies/back-ends/opensshserver.config + +echo "CRYPTO_POLICY=" > "$configfile" diff --git a/tests/data/group_system/group_software/group_integrity/group_crypto/rule_harden_sshd_crypto_policy/incorrect_followed_by_correct.pass.sh b/tests/data/group_system/group_software/group_integrity/group_crypto/rule_harden_sshd_crypto_policy/incorrect_followed_by_correct.pass.sh new file mode 100644 index 000000000000..ce9244f39d38 --- /dev/null +++ b/tests/data/group_system/group_software/group_integrity/group_crypto/rule_harden_sshd_crypto_policy/incorrect_followed_by_correct.pass.sh 
@@ -0,0 +1,8 @@
+#!/bin/bash
+# platform = multi_platform_fedora,Red Hat Enterprise Linux 8
+# profiles = xccdf_org.ssgproject.content_profile_ospp
+
+configfile=/etc/crypto-policies/back-ends/opensshserver.config
+
+echo "CRYPTO_POLICY='-oCiphers=aes128-ctr,aes256-ctr,aes128-cbc,aes256-cbc -oMACs=hmac-sha2-256,hmac-sha2-512 -oGSSAPIKeyExchange=no -oKexAlgorithms=diffie-hellman-group14-sha1,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521 -oHostKeyAlgorithms=rsa-sha2-256,ecdsa-sha2-nistp256,ecdsa-sha2-nistp256-cert-v01@openssh.com,ecdsa-sha2-nistp384,ecdsa-sha2-nistp384-cert-v01@openssh.com,rsa-sha2-512,ecdsa-sha2-nistp521,ecdsa-sha2-nistp521-cert-v01@openssh.com -oPubkeyAcceptedKeyTypes=ssh-rsa,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,bogusbogus'" > "$configfile"
+echo "CRYPTO_POLICY='-oCiphers=aes128-ctr,aes256-ctr,aes128-cbc,aes256-cbc -oMACs=hmac-sha2-256,hmac-sha2-512 -oGSSAPIKeyExchange=no -oKexAlgorithms=diffie-hellman-group14-sha1,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521 -oHostKeyAlgorithms=rsa-sha2-256,ecdsa-sha2-nistp256,ecdsa-sha2-nistp256-cert-v01@openssh.com,ecdsa-sha2-nistp384,ecdsa-sha2-nistp384-cert-v01@openssh.com,rsa-sha2-512,ecdsa-sha2-nistp521,ecdsa-sha2-nistp521-cert-v01@openssh.com -oPubkeyAcceptedKeyTypes=ssh-rsa,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384'" >> "$configfile"
diff --git a/tests/data/group_system/group_software/group_integrity/group_crypto/rule_harden_sshd_crypto_policy/incorrect_policy.fail.sh b/tests/data/group_system/group_software/group_integrity/group_crypto/rule_harden_sshd_crypto_policy/incorrect_policy.fail.sh
new file mode 100644
index 000000000000..95dc844282e3
--- /dev/null
+++ b/tests/data/group_system/group_software/group_integrity/group_crypto/rule_harden_sshd_crypto_policy/incorrect_policy.fail.sh
@@ -0,0 +1,7 @@
+#!/bin/bash
+# platform = multi_platform_fedora,Red Hat Enterprise Linux 8
+# profiles = xccdf_org.ssgproject.content_profile_ospp
+
+configfile=/etc/crypto-policies/back-ends/opensshserver.config
+
+echo "CRYPTO_POLICY='-oCiphers=aes128-ctr,aes256-ctr,aes128-cbc,aes256-cbc -oMACs=hmac-sha2-256,hmac-sha2-512 -oGSSAPIKeyExchange=no -oKexAlgorithms=diffie-hellman-group14-sha1,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521 -oHostKeyAlgorithms=rsa-sha2-256,ecdsa-sha2-nistp256,ecdsa-sha2-nistp256-cert-v01@openssh.com,ecdsa-sha2-nistp384,ecdsa-sha2-nistp384-cert-v01@openssh.com,rsa-sha2-512,ecdsa-sha2-nistp521,ecdsa-sha2-nistp521-cert-v01@openssh.com -oPubkeyAcceptedKeyTypes=ssh-rsa,ecdsa-sha2-nistp256,ecdsa-sha2-nistp38'" > "$configfile"
diff --git a/tests/data/group_system/group_software/group_integrity/group_crypto/rule_harden_sshd_crypto_policy/missing_file.fail.sh b/tests/data/group_system/group_software/group_integrity/group_crypto/rule_harden_sshd_crypto_policy/missing_file.fail.sh
new file mode 100644
index 000000000000..3e91d242a01d
--- /dev/null
+++ b/tests/data/group_system/group_software/group_integrity/group_crypto/rule_harden_sshd_crypto_policy/missing_file.fail.sh
@@ -0,0 +1,7 @@
+#!/bin/bash
+# platform = multi_platform_fedora,Red Hat Enterprise Linux 8
+# profiles = xccdf_org.ssgproject.content_profile_ospp
+
+configfile=/etc/crypto-policies/back-ends/opensshserver.config
+
+rm -f "$configfile"
From a5faa9e109c814226a7497859577945518333b5d Mon Sep 17 00:00:00 2001
From: Vojtech Polasek
Date: Wed, 31 Jul 2019 08:27:34 +0200
Subject: [PATCH 17/20] changed wording and styling in the rule
---
 .../integrity/crypto/harden_sshd_crypto_policy/rule.yml | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/linux_os/guide/system/software/integrity/crypto/harden_sshd_crypto_policy/rule.yml b/linux_os/guide/system/software/integrity/crypto/harden_sshd_crypto_policy/rule.yml
index 845464ffe9e4..7e1bffeb4829 100644
--- a/linux_os/guide/system/software/integrity/crypto/harden_sshd_crypto_policy/rule.yml +++ b/linux_os/guide/system/software/integrity/crypto/harden_sshd_crypto_policy/rule.yml @@ -4,12 +4,12 @@ title: 'Harden SSHD Crypto Policy' description: |- Crypto Policies are means of enforcing certain cryptographic settings for selected applications including OpenSSH server. - The SSHD service is by default configured to enhance its configuration based on currently configured Crypto-Policy. However, in certain cases it is required to override the Crypto Policy specific to OpenSSH Server. + The SSHD service is by default configured to modify its configuration based on currently configured Crypto-Policy. However, in certain cases it might be needed to override the Crypto Policy specific to OpenSSH Server and leave rest of the Crypto Policy in tact. This can be done by dropping a file named opensshserver-xxx.config, replacing xxx with arbitrary identifier, into /etc/crypto-policies/local.d. This has to be followed by running update-crypto-policies sothat changes are applied. Changes are propagated into /etc/crypto-policies/back-ends/opensshserver.config. This rule checks if this file contains predefined CRYPTO_POLICY environment variable configured with predefined value. rationale: |- - The Common Criteria requirements specify that certain parameters for OpenSSH Server are configured e.g. supported ciphers, accepted host key algorithms, public key types, key exchange algorithms, HMACs and GSSAPI key exchange is disabled. + The Common Criteria requirements specify that certain parameters for OpenSSH Server are configured e.g. supported ciphers, accepted host key algorithms, public key types, key exchange algorithms, HMACs and GSSAPI key exchange is disabled. Currently particular requirements specified by CC are stricter compared to any current Crypto Policy. severity: medium 
@@ -17,7 +17,7 @@ identifiers: cce@rhel8: 82176-9 references: - OSPP: FCS_SSHS_EXT.1 + ospp : FCS_SSHS_EXT.1 ocil_clause: 'Crypto Policy for OpenSSH Server is not configured according to CC requirements' From ba95a5731ab64bed721cd4adbddfe8175a505f4e Mon Sep 17 00:00:00 2001 From: Vojtech Polasek Date: Wed, 31 Jul 2019 08:34:16 +0200 Subject: [PATCH 18/20] quoting variables in remediation --- .../integrity/crypto/harden_sshd_crypto_policy/bash/shared.sh | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/linux_os/guide/system/software/integrity/crypto/harden_sshd_crypto_policy/bash/shared.sh b/linux_os/guide/system/software/integrity/crypto/harden_sshd_crypto_policy/bash/shared.sh index c618564f8067..a6adf6762362 100644 --- a/linux_os/guide/system/software/integrity/crypto/harden_sshd_crypto_policy/bash/shared.sh +++ b/linux_os/guide/system/software/integrity/crypto/harden_sshd_crypto_policy/bash/shared.sh @@ -5,6 +5,6 @@ cp="CRYPTO_POLICY='-oCiphers=aes128-ctr,aes256-ctr,aes128-cbc,aes256-cbc -oMACs= file=/etc/crypto-policies/local.d/opensshserver-ospp.config #blank line at the begining to ease later readibility -echo '' > $file -echo $cp >> $file +echo '' > "$file" +echo "$cp" >> "$file" update-crypto-policies From 8544e06e87adb36991a1ed79b8dbcc84b37ca7e8 Mon Sep 17 00:00:00 2001 From: Vojtech Polasek Date: Fri, 2 Aug 2019 11:46:20 +0200 Subject: [PATCH 19/20] fix typos --- .../integrity/crypto/harden_sshd_crypto_policy/rule.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/linux_os/guide/system/software/integrity/crypto/harden_sshd_crypto_policy/rule.yml b/linux_os/guide/system/software/integrity/crypto/harden_sshd_crypto_policy/rule.yml index 7e1bffeb4829..6fad3d5c3211 100644 --- a/linux_os/guide/system/software/integrity/crypto/harden_sshd_crypto_policy/rule.yml +++ b/linux_os/guide/system/software/integrity/crypto/harden_sshd_crypto_policy/rule.yml 
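Review bot: The new reference line `ospp : FCS_SSHS_EXT.1` has a stray space before the colon; YAML still parses the key as `ospp`, but it breaks the file's `key: value` style and reads like a mistake next to the other mappings. Write it as `ospp: FCS_SSHS_EXT.1`. Whether the lowercase `ospp` key is the identifier the build expects for OSPP references cannot be confirmed from this hunk.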
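Review bot: The exit status of `update-crypto-policies` on the last line of the remediation is not checked, so a failed regeneration still ends the script as if `/etc/crypto-policies/back-ends/opensshserver.config` had been updated, and the quoting fix above it does not change that. The running sshd presumably only picks up the regenerated back-end file after a restart, which the remediation neither performs nor documents; a comment such as `# sshd reads the regenerated back-end config at start-up; restart the service for the policy to take effect` would at least record the gap. The context comment `#blank line at the begining to ease later readibility` has two typos (`beginning`, `readability`) worth fixing in the same file. The `cp=` assignment that these echoes write out begins above the hunk.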
@@ -4,8 +4,8 @@ title: 'Harden SSHD Crypto Policy' description: |- Crypto Policies are means of enforcing certain cryptographic settings for selected applications including OpenSSH server. - The SSHD service is by default configured to modify its configuration based on currently configured Crypto-Policy. However, in certain cases it might be needed to override the Crypto Policy specific to OpenSSH Server and leave rest of the Crypto Policy in tact. - This can be done by dropping a file named opensshserver-xxx.config, replacing xxx with arbitrary identifier, into /etc/crypto-policies/local.d. This has to be followed by running update-crypto-policies sothat changes are applied. + The SSHD service is by default configured to modify its configuration based on currently configured Crypto-Policy. However, in certain cases it might be needed to override the Crypto Policy specific to OpenSSH Server and leave rest of the Crypto Policy intact. + This can be done by dropping a file named opensshserver-xxx.config, replacing xxx with arbitrary identifier, into /etc/crypto-policies/local.d. This has to be followed by running update-crypto-policies so that changes are applied. Changes are propagated into /etc/crypto-policies/back-ends/opensshserver.config. This rule checks if this file contains predefined CRYPTO_POLICY environment variable configured with predefined value. rationale: |- From 59a7be8e4898a22b92588f8d1598d13792817411 Mon Sep 17 00:00:00 2001 From: Vojtech Polasek Date: Fri, 2 Aug 2019 12:58:52 +0200 Subject: [PATCH 20/20] wording fixes --- .../integrity/crypto/harden_sshd_crypto_policy/rule.yml | 4 ++-- rhel8/profiles/ospp.profile | 2 +- 2 files changed, 3 insertions(+), 3 deletions(-) diff --git a/linux_os/guide/system/software/integrity/crypto/harden_sshd_crypto_policy/rule.yml b/linux_os/guide/system/software/integrity/crypto/harden_sshd_crypto_policy/rule.yml index 6fad3d5c3211..84f25f135896 100644 
--- a/linux_os/guide/system/software/integrity/crypto/harden_sshd_crypto_policy/rule.yml +++ b/linux_os/guide/system/software/integrity/crypto/harden_sshd_crypto_policy/rule.yml @@ -9,7 +9,7 @@ description: |- Changes are propagated into /etc/crypto-policies/back-ends/opensshserver.config. This rule checks if this file contains predefined CRYPTO_POLICY environment variable configured with predefined value. rationale: |- - The Common Criteria requirements specify that certain parameters for OpenSSH Server are configured e.g. supported ciphers, accepted host key algorithms, public key types, key exchange algorithms, HMACs and GSSAPI key exchange is disabled. Currently particular requirements specified by CC are stricter compared to any current Crypto Policy. + The Common Criteria requirements specify that certain parameters for OpenSSH Server are configured e.g. supported ciphers, accepted host key algorithms, public key types, key exchange algorithms, HMACs and GSSAPI key exchange is disabled. Currently particular requirements specified by CC are stricter compared to any existing Crypto Policy. severity: medium @@ -23,6 +23,6 @@ ocil_clause: 'Crypto Policy for OpenSSH Server is not configured according to CC ocil: |- To verify if the OpenSSH server uses defined Crypto Policy, run: -
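Review bot: The rationale's claim that the CC requirements are `stricter compared to any existing Crypto Policy` is hard to reconcile with the value this rule enforces, which (as shown in the ocil block of the same file) still permits `aes128-cbc,aes256-cbc` and `diffie-hellman-group14-sha1` alongside the CTR ciphers and SHA-2 key exchanges. Whether the system-wide policies are looser than that set cannot be confirmed from this diff, so the sentence should either be backed by a short comparison or softened to `differ from any existing Crypto Policy`. The enclosing description block starts above this hunk.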
$ grep 'CRYPTO_POLICY' /etc/crypto-policies/back-ends/opensshserver.txt | tail -n 1
+
$ grep 'CRYPTO_POLICY' /etc/crypto-policies/back-ends/opensshserver.config | tail -n 1
and verify that the line matches
CRYPTO_POLICY", value="'-oCiphers=aes128-ctr,aes256-ctr,aes128-cbc,aes256-cbc -oMACs=hmac-sha2-256,hmac-sha2-512 -oGSSAPIKeyExchange=no -oKexAlgorithms=diffie-hellman-group14-sha1,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521 -oHostKeyAlgorithms=rsa-sha2-256,ecdsa-sha2-nistp256,ecdsa-sha2-nistp256-cert-v01@openssh.com,ecdsa-sha2-nistp384,ecdsa-sha2-nistp384-cert-v01@openssh.com,rsa-sha2-512,ecdsa-sha2-nistp521,ecdsa-sha2-nistp521-cert-v01@openssh.com -oPubkeyAcceptedKeyTypes=ssh-rsa,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384'
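Review bot: The expected line shown to the auditor, `CRYPTO_POLICY", value="'-oCiphers=...`, looks like a fragment of a macro call rather than the line `grep` will print, so the manual check asks the reader to match text that cannot appear in the file; the `.txt` to `.config` fix on the grep line leaves that untouched. Replace it with the literal line the check expects, i.e. drop the `", value="` residue so the line reads `CRYPTO_POLICY='-oCiphers=aes128-ctr,... -oPubkeyAcceptedKeyTypes=ssh-rsa,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384'` with the full option list kept verbatim. Since `tail -n 1` shows only the last CRYPTO_POLICY line, the instruction should also say that the last assignment is the one being verified.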
diff --git a/rhel8/profiles/ospp.profile b/rhel8/profiles/ospp.profile index f067628c7254..98141052e27d 100644 --- a/rhel8/profiles/ospp.profile +++ b/rhel8/profiles/ospp.profile @@ -1227,4 +1227,4 @@ selections: ## Enable dnf-automatic Timer - timer_dnf-automatic_enabled - - harden_sshd_crypto_policy \ No newline at end of file + - harden_sshd_crypto_policy