Remove rule sshd_use_strong_kex from CIS profiles#14262
Merged
Mab879 merged 1 commit intoComplianceAsCode:masterfrom Jan 5, 2026
Merged
Remove rule sshd_use_strong_kex from CIS profiles#14262Mab879 merged 1 commit intoComplianceAsCode:masterfrom
Mab879 merged 1 commit intoComplianceAsCode:masterfrom
Conversation
jan-cerny
requested review from
a team,
Mab879,
matusmarhefka and
vojtapolasek
as code owners
ATEX Test ResultsTest artifacts have been submitted to Testing Farm. Results: View Test Results This comment was automatically generated by the ATEX workflow. |
We will remove rule sshd_use_strong_kex from RHEL 8, 9 and 10 CIS profiles. The reason for RHEL 8 and 9 is the CIS Benchmark recommends using system-wide crypto policies to disable the weak SHA1 key exchange algorithms instead of configuring KexAlgorithms in sshd configuration. This is already fully covered in our profiles by configure_custom_crypto_policy_cis. The reason for RHEL 10 is different. This CIS requirement shall be notapplicable on RHEL 10. The CIS Benchmark requires disabling the weak SHA1 key exchange algorithms, but RHEL 10 doesn't provide these algorithms. Consequently, the rule configure_custom_crypto_policy_cis doesn't disable them and selecting it would make no difference. This change is done according to these CIS Benchmarks: - CIS RHEL 8 v4.0.0 - CIS RHEL 9 v2.0.0 - CIS RHEL 10 v1.0.1 Resolves: https://issues.redhat.com/browse/RHEL-62941
jan-cerny
force-pushed
the
cis_strong_kex
branch
from
1b73986 to
9c20016
Compare
jan-cerny
added
the
Update Profile
|
@jan-cerny: The following tests failed, say
Full PR test history. Your PR dashboard. DetailsInstructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here. |
Mab879
approved these changes
Jan 5, 2026
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
2 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
We will remove rule sshd_use_strong_kex from RHEL 8, 9 and 10 CIS profiles.
The reason for RHEL 8 and 9 is the CIS Benchmark recommends using system-wide crypto policies to disable the weak SHA1 key exchange algorithms instead of configuring KexAlgorithms in sshd configuration. This is already fully covered in our profiles by
configure_custom_crypto_policy_cis.
The reason for RHEL 10 is different. This CIS requirement shall be notapplicable on RHEL 10. The CIS Benchmark requires disabling the weak SHA1 key exchange algorithms, but RHEL 10 doesn't provide these algorithms. Consequently, the rule configure_custom_crypto_policy_cis doesn't disable them and selecting it would make no difference.
This change is done according to these CIS Benchmarks:
Resolves: https://issues.redhat.com/browse/RHEL-62941