diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_include_crypto_policy/ansible/shared.yml b/linux_os/guide/services/ssh/ssh_server/sshd_include_crypto_policy/ansible/shared.yml
deleted file mode 100644
index 0a923c9176f..00000000000
--- a/linux_os/guide/services/ssh/ssh_server/sshd_include_crypto_policy/ansible/shared.yml
+++ /dev/null
@@ -1,12 +0,0 @@
-# platform = multi_platform_all
-# complexity = low
-# strategy = configure
-# disruption = low
-# reboot = false
-
-# the shell module is used because those three commands have to be executed in one Ansible task.
-# Othervise the SSH server will be stopped and Ansible will be not able to conect again and continue.
-
-- name: "{{{ rule_title }}} - reinstall the openssh-server package"
- ansible.builtin.shell:
- cmd: dnf -y remove openssh-server; dnf -y install openssh-server; systemctl restart sshd.service
diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_include_crypto_policy/bash/shared.sh b/linux_os/guide/services/ssh/ssh_server/sshd_include_crypto_policy/bash/shared.sh
deleted file mode 100644
index 95970043405..00000000000
--- a/linux_os/guide/services/ssh/ssh_server/sshd_include_crypto_policy/bash/shared.sh
+++ /dev/null
@@ -1,5 +0,0 @@
-# platform = multi_platform_all
-
-dnf -y remove openssh-server
-dnf -y install openssh-server
-systemctl restart sshd.service
diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_include_crypto_policy/oval/shared.xml b/linux_os/guide/services/ssh/ssh_server/sshd_include_crypto_policy/oval/shared.xml
index 131c785aeb8..ab418587085 100644
--- a/linux_os/guide/services/ssh/ssh_server/sshd_include_crypto_policy/oval/shared.xml
+++ b/linux_os/guide/services/ssh/ssh_server/sshd_include_crypto_policy/oval/shared.xml
@@ -14,19 +14,19 @@ /etc/ssh/sshd_config - ^Include /etc/ssh/sshd_config.d/\*.conf$ + ^[ \t]*(?i)Include(?-i)[ \t]+/etc/ssh/sshd_config\.d/\*.conf$ 1 - + - /etc/ssh/sshd_config - ^Include /etc/crypto-policies/back-ends/opensshserver\.config + /etc/ssh/(sshd_config|sshd_config\.d/.*\.conf) + ^[ \t]*(?i)Include(?-i)[ \t]+/etc/crypto-policies/back-ends/opensshserver\.config$ 1 diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_include_crypto_policy/rule.yml b/linux_os/guide/services/ssh/ssh_server/sshd_include_crypto_policy/rule.yml index 4db69e34612..458832d7cfd 100644 --- a/linux_os/guide/services/ssh/ssh_server/sshd_include_crypto_policy/rule.yml +++ b/linux_os/guide/services/ssh/ssh_server/sshd_include_crypto_policy/rule.yml @@ -25,8 +25,8 @@ references: checktext: |- Verify that RHEL 9 implements DOD-approved encryption ciphers for SSH connections. Verify that the SSH configuration files include the path to the systemwide policy with the following command: -
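Review bot: The second test now accepts the crypto-policy `Include` anywhere in `/etc/ssh/sshd_config` or in any `sshd_config.d/*.conf` file, but it does not look at where the line sits, and sshd keeps the first value it obtains for a keyword. An `Include` that follows explicit `Ciphers`, `MACs` or `KexAlgorithms` lines, or that sits inside a `Match` block, would satisfy the pattern even though the system-wide policy is not what sshd ends up applying; a comment on the test such as `<!-- checks presence of the Include only, not its precedence over earlier crypto settings -->` would make that limit visible to auditors. In the first pattern the dot in `\*.conf$` is still unescaped, unlike `sshd_config\.d`, so `\*\.conf$` would be the exact form. The surrounding object and test elements are not visible in this hunk, so this is based on the patterns alone.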
sudo grep -R Include /etc/ssh/sshd_config  /etc/ssh/sshd_config.d/
-    
+    
sudo grep -R "Include /etc/ssh/sshd_config"  /etc/ssh/sshd_config.d/
+
     /etc/ssh/sshd_config:Include /etc/ssh/sshd_config.d/*.conf
     /etc/ssh/sshd_config.d/50-redhat.conf:Include /etc/crypto-policies/back-ends/opensshserver.config
If "Include /etc/ssh/sshd_config.d/*.conf" or "Include /etc/crypto-policies/back-ends/opensshserver.config" are not included in the system sshd config or if the file "/etc/ssh/sshd_config.d/50-redhat.conf" is missing, this is a finding. @@ -36,4 +36,6 @@ fixtext: |- Reinstall OpenSSH server package contents with the following command:
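Review bot: The new check command in `checktext` quotes `"Include /etc/ssh/sshd_config"` as the grep pattern, so grep searches only `/etc/ssh/sshd_config.d/` and never reads `/etc/ssh/sshd_config` itself. It cannot print either of the two sample output lines that follow: the first comes from a file that is no longer searched, and the `50-redhat.conf` line does not contain the quoted string. An auditor who follows the text literally would most likely see no output and record a finding on a compliant system. Unless the wording is dictated by the upstream STIG text, a command that matches both lines would be `sudo grep -R "^[[:space:]]*Include" /etc/ssh/sshd_config /etc/ssh/sshd_config.d/`.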
sudo dnf -y remove openssh-server && sudo dnf -y install openssh-server
-platform: not osbuild
+warnings:
+ - general: |-
+ There is no automated remediation because recommended action could severely disrupt the system and might not be efficient in fixing the problem.
diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_include_crypto_policy/tests/confing.pass.sh b/linux_os/guide/services/ssh/ssh_server/sshd_include_crypto_policy/tests/confing.pass.sh
new file mode 100644
index 00000000000..58b9ed0e937
--- /dev/null
+++ b/linux_os/guide/services/ssh/ssh_server/sshd_include_crypto_policy/tests/confing.pass.sh
@@ -0,0 +1,10 @@
+#!/bin/bash
+# remediation = none
+# platform = multi_platform_all
+
+sed -i '/Include \/etc\/crypto-policies\/back-ends\/opensshserver.config/d' /etc/ssh/sshd_config /etc/ssh/sshd_config.d/*.conf
+echo "Include /etc/crypto-policies/back-ends/opensshserver.config" >> /etc/ssh/sshd_config
+
+if ! grep -q "Include /etc/ssh/sshd_config.d/*.conf" /etc/ssh/sshd_config; then
+ echo "Include /etc/ssh/sshd_config.d/*.conf" >> /etc/ssh/sshd_config
+fi
diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_include_crypto_policy/tests/default_pass.pass.sh b/linux_os/guide/services/ssh/ssh_server/sshd_include_crypto_policy/tests/default_pass.pass.sh
deleted file mode 100644
index e280a7a5676..00000000000
--- a/linux_os/guide/services/ssh/ssh_server/sshd_include_crypto_policy/tests/default_pass.pass.sh
+++ /dev/null
@@ -1,9 +0,0 @@
-#!/bin/bash
-
-if ! grep -q "Include /etc/crypto-policies/back-ends/opensshserver.config" /etc/ssh/ssh_config.d/*.conf /etc/ssh/sshd_config; then
- echo "Include /etc/crypto-policies/back-ends/opensshserver.config" >> /etc/ssh/ssh_config.d/50-redhat.conf
-fi
-
-if ! grep -q "Include /etc/ssh/sshd_config.d/*.conf" /etc/ssh/sshd_config; then
- echo "Include /etc/ssh/sshd_config.d/*.conf" >> /etc/ssh/ssh_config
-fi
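Review bot: The added warning says the recommended action could severely disrupt the system, yet the `fixtext` directly above it still tells the operator to run `sudo dnf -y remove openssh-server && sudo dnf -y install openssh-server` with no caveat. The comments deleted elsewhere in this commit spell out the risk: removing the package stops the SSH server so the remote session cannot reconnect, and the reinstall resets `/etc/ssh/sshd_config`, which would discard local hardening. The warning would help more if it named the manual step, for example `Add "Include /etc/crypto-policies/back-ends/opensshserver.config" to a file under /etc/ssh/sshd_config.d/ and reload sshd.` The hunk also drops `platform: not osbuild` without saying why.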
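Review bot: The guard `grep -q "Include /etc/ssh/sshd_config.d/*.conf"` in `confing.pass.sh` treats its argument as a regular expression, where `/*` means zero or more slashes, so it never matches the literal line `Include /etc/ssh/sshd_config.d/*.conf` and the `echo` under it appends a second copy every time. A fixed-string match fixes it: `if ! grep -qF "Include /etc/ssh/sshd_config.d/*.conf" /etc/ssh/sshd_config; then`. The same guard is used in `drop_in.pass.sh` and `no_crypto.fail.sh`. The file name `confing.pass.sh` also looks like a typo for `config.pass.sh`.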
diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_include_crypto_policy/tests/drop_in.pass.sh b/linux_os/guide/services/ssh/ssh_server/sshd_include_crypto_policy/tests/drop_in.pass.sh
new file mode 100644
index 00000000000..d8bd0f74085
--- /dev/null
+++ b/linux_os/guide/services/ssh/ssh_server/sshd_include_crypto_policy/tests/drop_in.pass.sh
@@ -0,0 +1,10 @@
+#!/bin/bash
+# remediation = none
+# platform = multi_platform_all
+
+sed -i '/Include \/etc\/crypto-policies\/back-ends\/opensshserver.config/d' /etc/ssh/sshd_config /etc/ssh/sshd_config.d/*.conf
+echo "Include /etc/crypto-policies/back-ends/opensshserver.config" >> /etc/ssh/sshd_config.d/50-redhat.conf
+
+if ! grep -q "Include /etc/ssh/sshd_config.d/*.conf" /etc/ssh/sshd_config; then
+ echo "Include /etc/ssh/sshd_config.d/*.conf" >> /etc/ssh/sshd_config
+fi
diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_include_crypto_policy/tests/no_crypto.fail.sh b/linux_os/guide/services/ssh/ssh_server/sshd_include_crypto_policy/tests/no_crypto.fail.sh
index 1d0e92a4af0..e5bdc53cc5f 100644
--- a/linux_os/guide/services/ssh/ssh_server/sshd_include_crypto_policy/tests/no_crypto.fail.sh
+++ b/linux_os/guide/services/ssh/ssh_server/sshd_include_crypto_policy/tests/no_crypto.fail.sh
@@ -1,12 +1,9 @@ #!/bin/bash +# remediation = none +# platform = multi_platform_all -# this is done because the remediation will reset the /etc/ssh/sshd_config file -# which is modified by Automatus so that root can log in. -# This prevents Automatus from logging in for final scan. -echo "PermitRootLogin yes" > /etc/ssh/sshd_config.d/99-automatus.conf - -sed -i '/Include/d' /etc/ssh/sshd_config +sed -i '/Include \/etc\/crypto-policies\/back-ends\/opensshserver.config/d' /etc/ssh/sshd_config /etc/ssh/sshd_config.d/*.conf if ! grep -q "Include /etc/ssh/sshd_config.d/*.conf" /etc/ssh/sshd_config; then - echo "Include /etc/ssh/sshd_config.d/*.conf" >> /etc/ssh/ssh_config.d/50-redhat.conf + echo "Include /etc/ssh/sshd_config.d/*.conf" >> /etc/ssh/sshd_config fi diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_include_crypto_policy/tests/no_drop_in.fail.sh b/linux_os/guide/services/ssh/ssh_server/sshd_include_crypto_policy/tests/no_drop_in.fail.sh index 2f2062ba7a9..790e46320a9 100644 --- a/linux_os/guide/services/ssh/ssh_server/sshd_include_crypto_policy/tests/no_drop_in.fail.sh +++ b/linux_os/guide/services/ssh/ssh_server/sshd_include_crypto_policy/tests/no_drop_in.fail.sh @@ -1,12 +1,9 @@ #!/bin/bash - -# this is done because the remediation will reset the /etc/ssh/sshd_config file -# which is modified by Automatus so that root can log in. -# This prevents Automatus from logging in for final scan. -echo "PermitRootLogin yes" > /etc/ssh/sshd_config.d/99-automatus.conf +# remediation = none +# platform = multi_platform_all sed -i '/Include/d' /etc/ssh/sshd_config -if ! grep -q "Include /etc/ssh/sshd_config.d/*.conf" /etc/ssh/sshd_config; then - echo "Include /etc/ssh/sshd_config.d/*.conf" >> /etc/ssh/ssh_config +if ! grep -q "Include /etc/crypto-policies/back-ends/opensshserver.config" /etc/ssh/sshd_config.d/*.conf /etc/ssh/sshd_config; then + echo "Include /etc/crypto-policies/back-ends/opensshserver.config" >> /etc/ssh/sshd_config.d/50-redhat.conf fi 
diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_include_crypto_policy/tests/no_includes.fail.sh b/linux_os/guide/services/ssh/ssh_server/sshd_include_crypto_policy/tests/no_includes.fail.sh index 43b43f23bc1..c821672d944 100644 --- a/linux_os/guide/services/ssh/ssh_server/sshd_include_crypto_policy/tests/no_includes.fail.sh +++ b/linux_os/guide/services/ssh/ssh_server/sshd_include_crypto_policy/tests/no_includes.fail.sh @@ -1,8 +1,5 @@ #!/bin/bash +# remediation = none +# platform = multi_platform_all -# this is done because the remediation will reset the /etc/ssh/sshd_config file -# which is modified by Automatus so that root can log in. -# This prevents Automatus from logging in for final scan. -echo "PermitRootLogin yes" > /etc/ssh/sshd_config.d/99-automatus.conf - -sed -i '/Include/d' /etc/ssh/sshd_config +sed -i '/Include/d' /etc/ssh/sshd_config /etc/ssh/sshd_config.d/*.conf