update stig_rhel9 to v2r7

Arden97 · Arden97 · commit c8e41341162b · 2026-02-12T21:15:41.000+01:00
diff --git a/products/rhel9/controls/stig_rhel9.yml b/products/rhel9/controls/stig_rhel9.yml
@@ -3,7 +3,7 @@ policy: 'Red Hat Enterprise Linux 9 Security Technical Implementation Guide'
 title: 'Red Hat Enterprise Linux 9 Security Technical Implementation Guide'
 id: stig_rhel9
 source: https://www.cyber.mil/stigs/downloads/
-version: V2R4
+version: V2R7
 reference_type: stigid
 product: rhel9
 
@@ -1766,23 +1766,6 @@ controls:
           - sshd_enable_pam
       status: automated
 
-    - id: RHEL-09-255055
-      levels:
-          - medium
-      title: RHEL 9 SSH daemon must be configured to use system-wide crypto policies.
-      rules:
-          - file_sshd_50_redhat_exists
-          - sshd_include_crypto_policy
-      status: automated
-
-    - id: RHEL-09-255060
-      levels:
-          - medium
-      title: RHEL 9 must implement DOD-approved encryption ciphers to protect the confidentiality of
-          SSH client connections.
-      rules:
-          - sshd_include_crypto_policy
-      status: automated
     - id: RHEL-09-255064
       title: The RHEL 9 SSH client must be configured to use only DOD-approved encryption ciphers employing
           FIPS 140-3 validated cryptographic hash algorithms to protect the confidentiality of SSH client
@@ -1795,9 +1778,10 @@ controls:
     - id: RHEL-09-255065
       levels:
           - medium
-      title: RHEL 9 must implement DOD-approved encryption ciphers to protect the confidentiality of
-          SSH server connections.
+      title: The RHEL 9 SSH server must be configured to use only DOD-approved encryption ciphers employing
+          FIPS 140-3 validated cryptographic hash algorithms to protect the confidentiality of SSH server connections.
       rules:
+          - sshd_include_crypto_policy
           - harden_sshd_ciphers_opensshserver_conf_crypto_policy
           - sshd_approved_ciphers=stig_rhel9
       status: automated
@@ -1872,6 +1856,7 @@ controls:
           - medium
       title: RHEL 9 SSH server configuration file must be group-owned by root.
       rules:
+          - file_sshd_50_redhat_exists
           - file_groupowner_sshd_config
           - directory_groupowner_sshd_config_d
           - file_groupowner_sshd_drop_in_config
@@ -1882,6 +1867,7 @@ controls:
           - medium
       title: RHEL 9 SSH server configuration file must be owned by root.
       rules:
+          - file_sshd_50_redhat_exists
           - file_owner_sshd_config
           - directory_owner_sshd_config_d
           - file_owner_sshd_drop_in_config
@@ -3281,14 +3267,6 @@ controls:
           roles appointed by the ISSM) to select which auditable events are to be audited.
       rules:
           - file_permissions_audit_configuration
-      status: automated
-
-    - id: RHEL-09-653115
-      levels:
-          - medium
-      title: RHEL 9 /etc/audit/auditd.conf file must have 0640 or less permissive to prevent unauthorized
-          access.
-      rules:
           - file_permissions_etc_audit_auditd
       status: automated
 
@@ -3831,7 +3809,7 @@ controls:
     - id: RHEL-09-672020
       levels:
           - medium
-      title: RHEL 9 crypto policy must not be overridden.
+      title: RHEL 9 cryptographic policy must not be overridden.
       notes: Rules for this control are intentionally not implemented. Checking whether files under /etc/crypto-policies/back-ends/
           are symlinks is not an appropriate way to verify the consistency of the system's cryptographic settings.
           The suggested fix mentioned in the STIG does not fully satisfy its own requirements, as it also symlinks the nss.config file.
@@ -3841,16 +3819,6 @@ controls:
           More information can be found at https://docs.redhat.com/en/documentation/red_hat_enterprise_linux/9/html/security_hardening/switching-rhel-to-fips-mode_security-hardening
       status: pending
 
-    - id: RHEL-09-672025
-      levels:
-          - medium
-      title: RHEL 9 must use mechanisms meeting the requirements of applicable federal laws, executive
-          orders, directives, policies, regulations, standards, and guidance for authentication to a
-          cryptographic module.
-      rules:
-          - configure_kerberos_crypto_policy
-      status: automated
-
     - id: RHEL-09-672030
       levels:
           - high
diff --git a/tests/data/profile_stability/rhel9/stig.profile b/tests/data/profile_stability/rhel9/stig.profile
@@ -149,7 +149,6 @@ chronyd_specify_remote_server
 clean_components_post_updating
 configure_bind_crypto_policy
 configure_crypto_policy
-configure_kerberos_crypto_policy
 configure_libreswan_crypto_policy
 configure_opensc_card_drivers
 configure_usbguard_auditbackend
diff --git a/tests/data/profile_stability/rhel9/stig_gui.profile b/tests/data/profile_stability/rhel9/stig_gui.profile
@@ -149,7 +149,6 @@ chronyd_specify_remote_server
 clean_components_post_updating
 configure_bind_crypto_policy
 configure_crypto_policy
-configure_kerberos_crypto_policy
 configure_libreswan_crypto_policy
 configure_opensc_card_drivers
 configure_usbguard_auditbackend
