
Wrong ssh cipher/kex/macs rules used on RHEL8 CIS

Open jeepingben opened this issue 9 months ago • 0 comments

Description of problem:

sshd_use_approved_ciphers, sshd_use_strong_kex and sshd_use_strong_macs have fixers that use bash_replace_or_append('/etc/ssh/sshd_config')

Appending to sshd_config isn't always valid (if there are Match blocks at the end of the file), but the real problem is that on RHEL8/OL8 and others, the ssh ciphers/macs/kex are set by the system crypto policy and the config added to sshd_config won't be used.

I think this should be using harden_sshd_ciphers_opensshserver_conf_crypto_policy and harden_sshd_macs_opensshserver_conf_crypto_policy (I did not see a rule like this for kex)

SCAP Security Guide Version:

0.1.75

Operating System Version:

RHEL-8

Steps to Reproduce:

  1. apply hardening to include sshd_use_approved_ciphers, sshd_use_strong_kex and sshd_use_strong_macs
  2. ensure that crypto policy (/etc/crypto-policy/backends/opensshserver.config) disagrees
  3. restart sshd
  4. run sshd -T -C lport=22 | grep "\(ciphers\|macs\|kexalgorithms\)"

Actual Results:

Ciphers/kex/macs set by hardening are not used (crypto-policy settings are used)

Expected Results:

Ciphers/kex/macs set by hardening are used by sshd

Additional Information/Debugging Steps:

jeepingben · Apr 03 '25 14:04
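The mismatch the reporter describes can be detected offline, before anyone restarts sshd. The script below is an added example and is not part of ComplianceAsCode or of the issue: it reads the Ciphers/MACs/KexAlgorithms that a remediation appended to sshd_config and compares them with the lists the RHEL 8 crypto policy forces through /etc/crypto-policies/back-ends/opensshserver.config (the real path on RHEL 8; the CRYPTO_POLICY='-oCiphers=... -oMACs=... -oKexAlgorithms=...' line in that file is passed on the sshd command line by sshd.service, and command-line -o options take precedence over sshd_config). The two input files are constructed samples standing in for a hardened host; the function names are this example's own.

```shell
#!/usr/bin/env bash
# Added example, not ComplianceAsCode content: report which of the sshd_config
# algorithm settings a hardening rule wrote are silently overridden by the
# RHEL 8 system crypto policy (opensshserver.config -> sshd command line).
set -u

# First effective global value of an sshd_config keyword: sshd keeps the first
# value it sees, and everything after the first Match line is in a Match block.
sshd_config_value() {               # $1 = keyword, $2 = sshd_config path
  awk -v key="$(printf '%s' "$1" | tr 'A-Z' 'a-z')" '
    /^[[:space:]]*(#|$)/ { next }
    tolower($1) == "match"  { exit }
    tolower($1) == key      { print $2; exit }
  ' "$2"
}

# Algorithm list forced by the crypto policy for one -o option (empty if none).
crypto_policy_value() {             # $1 = Ciphers|MACs|KexAlgorithms, $2 = policy path
  grep -o -e "-o$1=[^ ']*" "$2" 2>/dev/null | head -n 1 | sed "s/^-o$1=//"
}

# Prints the list sshd will actually use; exit status 1 when sshd_config is overridden.
effective_value() {                 # $1 = option, $2 = sshd_config, $3 = policy file
  local want got
  want=$(sshd_config_value "$1" "$2")
  got=$(crypto_policy_value "$1" "$3")
  if [ -z "$got" ]; then
    printf '%s\n' "$want"           # no policy override: sshd_config is authoritative
    return 0
  fi
  printf '%s\n' "$got"
  [ "$want" = "$got" ]
}

# Reports each option; returns the number of options whose hardening is ineffective.
audit_sshd_algorithms() {           # $1 = sshd_config, $2 = policy file
  local opt eff mismatches=0
  for opt in Ciphers MACs KexAlgorithms; do
    if eff=$(effective_value "$opt" "$1" "$2"); then
      echo "OK       $opt -> $eff"
    else
      echo "OVERRIDE $opt -> $eff (sshd_config value ignored)"
      mismatches=$((mismatches + 1))
    fi
  done
  return "$mismatches"
}

# Constructed sample files (not captured from a real host). Point CFG and POL at
# /etc/ssh/sshd_config and /etc/crypto-policies/back-ends/opensshserver.config
# to audit a live RHEL 8 system.
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
CFG="$WORK/sshd_config"
POL="$WORK/opensshserver.config"
cat >"$CFG" <<'EOF'
Port 22
# lines as bash_replace_or_append would leave them
Ciphers aes256-ctr,aes192-ctr,aes128-ctr
MACs hmac-sha2-512,hmac-sha2-256
KexAlgorithms ecdh-sha2-nistp521,ecdh-sha2-nistp384
Match User backup
    PasswordAuthentication no
EOF
cat >"$POL" <<'EOF'
CRYPTO_POLICY='-oCiphers=aes256-gcm@openssh.com,aes256-ctr -oMACs=hmac-sha2-512,hmac-sha2-256 -oKexAlgorithms=curve25519-sha256,ecdh-sha2-nistp521'
EOF

audit_sshd_algorithms "$CFG" "$POL" || echo "$? option(s) overridden by the crypto policy"
```

With the sample inputs the MACs line agrees with the policy and is reported OK, while Ciphers and KexAlgorithms are reported as overridden, which is exactly the situation in which a remediation that only edits sshd_config passes its own check but changes nothing on the running daemon. Rules that write the policy file (the harden_sshd_*_opensshserver_conf_crypto_policy rules the reporter mentions) avoid this because they change the value sshd actually receives.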