ComplianceAsCode · Mab879 · Jan 5, 2026 · Dec 28, 2025
@@ -1695,13 +1695,11 @@ controls:
       levels:
           - l1_server
           - l1_workstation
-      status: pending
+      status: not applicable
       notes: |-
-          The status was automated but we need to double check the approach used in this rule.
-          Therefore I moved it to pending until deeper investigation.
-      rules:
-          - sshd_use_strong_kex
-          - sshd_strong_kex=cis_rhel10
+          This CIS requirement shall be notapplicable on RHEL 10. The CIS
+          Benchmark requires disabling the weak SHA1 key exchange algorithms,
+          but RHEL 10 doesn't provide these algorithms.
 
     - id: 5.1.13
       title: Ensure sshd LoginGraceTime is configured (Automated)

@@ -12,6 +12,7 @@ description: |-
     this profile is to keep a rule in the product's XCCDF Benchmark.
 
 selections:
+    - sshd_use_strong_kex
     - grub2_nousb_argument
     - audit_rules_kernel_module_loading_create
     - grub2_uefi_admin_username

@@ -1545,9 +1545,13 @@ controls:
           - l1_server
           - l1_workstation
       status: automated
+      notes: |-
+          We don't select rule sshd_use_strong_kex because the CIS Benchmark
+          recommends using system-wide crypto policies to disable the weak
+          SHA1 key exchange algorithms instead of configuring KexAlgorithms
+          in sshd configuration.
       rules:
-          - sshd_use_strong_kex
-          - sshd_strong_kex=cis_rhel8
+          - configure_custom_crypto_policy_cis
 
     - id: 4.2.12
       title: Ensure sshd LoginGraceTime is configured (Automated)

@@ -1517,13 +1517,14 @@ controls:
       levels:
           - l1_server
           - l1_workstation
-      status: pending
+      status: automated
       notes: |-
-          The status was automated but we need to double check the approach used in this rule.
-          Therefore I moved it to pending until deeper investigation.
+          We don't select rule sshd_use_strong_kex because the CIS Benchmark
+          recommends using system-wide crypto policies to disable the weak
+          SHA1 key exchange algorithms instead of configuring KexAlgorithms
+          in sshd configuration.
       rules:
-          - sshd_use_strong_kex
-          - sshd_strong_kex=cis_rhel9
+          - configure_custom_crypto_policy_cis
 
     - id: 5.1.6
       title: Ensure sshd MACs are configured (Automated)

@@ -13,6 +13,7 @@ description: |-
     is to keep a rule in the product's XCCDF Benchmark.
 
 selections:
+    - sshd_use_strong_kex
     - sebool_nfsd_anon_write
     - sebool_squid_connect_any
     - sebool_polipo_connect_all_unreserved

@@ -395,8 +395,6 @@ sshd_set_loglevel_verbose
 sshd_set_max_auth_tries
 sshd_set_max_sessions
 sshd_set_maxstartups
-sshd_strong_kex=cis_rhel10
-sshd_use_strong_kex
 sudo_add_use_pty
 sudo_custom_logfile
 sudo_remove_no_authenticate

@@ -286,8 +286,6 @@ sshd_set_loglevel_verbose
 sshd_set_max_auth_tries
 sshd_set_max_sessions
 sshd_set_maxstartups
-sshd_strong_kex=cis_rhel10
-sshd_use_strong_kex
 sudo_add_use_pty
 sudo_custom_logfile
 sudo_remove_no_authenticate

@@ -279,8 +279,6 @@ sshd_set_loglevel_verbose
 sshd_set_max_auth_tries
 sshd_set_max_sessions
 sshd_set_maxstartups
-sshd_strong_kex=cis_rhel10
-sshd_use_strong_kex
 sudo_add_use_pty
 sudo_custom_logfile
 sudo_remove_no_authenticate

@@ -391,8 +391,6 @@ sshd_set_loglevel_verbose
 sshd_set_max_auth_tries
 sshd_set_max_sessions
 sshd_set_maxstartups
-sshd_strong_kex=cis_rhel10
-sshd_use_strong_kex
 sudo_add_use_pty
 sudo_custom_logfile
 sudo_remove_no_authenticate

@@ -369,8 +369,6 @@ sshd_set_loglevel_verbose
 sshd_set_max_auth_tries
 sshd_set_max_sessions
 sshd_set_maxstartups
-sshd_strong_kex=cis_rhel8
-sshd_use_strong_kex
 sudo_add_use_pty
 sudo_custom_logfile
 sudo_require_authentication

@@ -270,8 +270,6 @@ sshd_set_loglevel_verbose
 sshd_set_max_auth_tries
 sshd_set_max_sessions
 sshd_set_maxstartups
-sshd_strong_kex=cis_rhel8
-sshd_use_strong_kex
 sudo_add_use_pty
 sudo_custom_logfile
 sudo_require_authentication

@@ -265,8 +265,6 @@ sshd_set_loglevel_verbose
 sshd_set_max_auth_tries
 sshd_set_max_sessions
 sshd_set_maxstartups
-sshd_strong_kex=cis_rhel8
-sshd_use_strong_kex
 sudo_add_use_pty
 sudo_custom_logfile
 sudo_require_authentication

@@ -365,8 +365,6 @@ sshd_set_loglevel_verbose
 sshd_set_max_auth_tries
 sshd_set_max_sessions
 sshd_set_maxstartups
-sshd_strong_kex=cis_rhel8
-sshd_use_strong_kex
 sudo_add_use_pty
 sudo_custom_logfile
 sudo_require_authentication

@@ -366,8 +366,6 @@ sshd_set_loglevel_verbose
 sshd_set_max_auth_tries
 sshd_set_max_sessions
 sshd_set_maxstartups
-sshd_strong_kex=cis_rhel9
-sshd_use_strong_kex
 sudo_add_use_pty
 sudo_custom_logfile
 sudo_require_authentication

@@ -263,8 +263,6 @@ sshd_set_loglevel_verbose
 sshd_set_max_auth_tries
 sshd_set_max_sessions
 sshd_set_maxstartups
-sshd_strong_kex=cis_rhel9
-sshd_use_strong_kex
 sudo_add_use_pty
 sudo_custom_logfile
 sudo_require_reauthentication

@@ -257,8 +257,6 @@ sshd_set_loglevel_verbose
 sshd_set_max_auth_tries
 sshd_set_max_sessions
 sshd_set_maxstartups
-sshd_strong_kex=cis_rhel9
-sshd_use_strong_kex
 sudo_add_use_pty
 sudo_custom_logfile
 sudo_require_reauthentication

@@ -362,8 +362,6 @@ sshd_set_loglevel_verbose
 sshd_set_max_auth_tries
 sshd_set_max_sessions
 sshd_set_maxstartups
-sshd_strong_kex=cis_rhel9
-sshd_use_strong_kex
 sudo_add_use_pty
 sudo_custom_logfile
 sudo_require_authentication