Update RHEL 8 STIG control file to align with DISA STIG v2r6#14375

Merged: Mab879 merged 21 commits into ComplianceAsCode:master from vojtapolasek:rhel8_stig_update_02_26 on Feb 13, 2026

Conversation

@vojtapolasek
Collaborator

@vojtapolasek vojtapolasek commented Feb 9, 2026

Description:

  • Update RHEL 8 STIG reference content from DISA STIG v2r5 to v2r6 (updated XCCDF manual and SCAP files).
  • Add new control RHEL-08-010015 (high) requiring the crypto-policies package to be installed.
  • Align RHEL-08-010020 with the latest STIG update: replace individual cryptographic policy rules (configure_bind_crypto_policy, enable_dracut_fips_module, sysctl_crypto_fips_enabled, etc.) with fips_crypto_subpolicy, fips_custom_stig_sub_policy, and var_system_crypto_policy=fips_stig.
  • Add new controls RHEL-08-010270 (cryptographic policy must not be overridden), RHEL-08-010275 (DOD-approved encryption in bind), and RHEL-08-010280 (FIPS 140-3 for IP tunnels) as separate controls broken out from the previous combined RHEL-08-010020.
  • Update controls RHEL-08-010290, RHEL-08-010291, RHEL-08-010296, and RHEL-08-010297 to implement SSH MACs and ciphers via STIG subpolicy instead of individual harden_sshd_* rules.
  • Drop obsolete controls: RHEL-08-010293 (OpenSSL crypto policy), RHEL-08-010294 (OpenSSL TLS crypto policy), RHEL-08-010295 (GnuTLS TLS crypto policy), RHEL-08-010287 (SSH daemon crypto policy), and RHEL-08-040342 (SSH FIPS KEX algorithms).
  • Move dropped rules (harden_sshd_ciphers_opensshserver_conf_crypto_policy, harden_sshd_macs_opensshserver_conf_crypto_policy, sysctl_crypto_fips_enabled, configure_gnutls_tls_crypto_policy, configure_openssl_tls_crypto_policy, sshd_use_approved_kex_ordered_stig) to default.profile to keep them in the data stream.
  • Add the RHEL-08-020360 control, which uses the rule accounts_tmout to enforce a 10-minute timeout for console sessions.
  • Update profile stability test data for stig and stig_gui profiles and product stability data for rhel8, rhel9, and rhel10.
  • Add rhel8 CCE identifier (CCE-86459-5) to the fips_custom_stig_sub_policy rule.

Rationale:

  • DISA released STIG v2r6 for RHEL 8, which restructures how cryptographic policy requirements are checked. Instead of individually verifying each component's crypto policy (OpenSSL, GnuTLS, SSH server, SSH client, Kerberos), the updated STIG relies on a unified FIPS STIG subpolicy (fips_custom_stig_sub_policy) that enforces all cryptographic requirements through the system-wide crypto policy mechanism. This is a more robust approach that prevents policy drift between components.
  • Dropped controls were either superseded by the subpolicy approach or consolidated into other controls in the v2r6 release.

Review Hints:

  • Note that the new version of STIG can be viewed at https://stigaview.com/products/rhel8/v2r6
  • This PR contains multiple categories of changes that are best reviewed by commit. The STIG control file update is the core change; the other commits handle consequences (stability tests, default.profile, CCE).
  • Affected products: rhel8 (primary), rhel9 and rhel10 (product stability data only)
  • Build with: ./build_product --datastream-only rhel8
  • Key files to review:
    • products/rhel8/controls/stig_rhel8.yml — core STIG control updates
    • products/rhel8/profiles/default.profile — rules moved here to stay in data stream
    • tests/data/profile_stability/rhel8/stig.profile — stability test expectations
    • shared/references/disa-stig-rhel8-v2r6-xccdf-manual.xml — updated DISA reference content
    • shared/references/disa-stig-rhel8-v2r6-xccdf-scap.xml — updated DISA reference content
  • Note: This branch also contains unrelated upstream commits (SLE16 support, Ubuntu sshd drop-in, sysctl dropin remediations, Testing Farm changes, banner fix, etc.) that were merged from master. The RHEL 8 STIG-specific commits are:
    • update official STIG manual and SCAP content from v2r5 to v2r6
    • Fix cce id conflict with master branch
    • add new control RHEL-08-010015
    • align RHEL-08-010020 with the latest STIG update
    • create RHEL-08-010275, create RHEL-08-010280, add RHEL-08-010270
    • remove rules from generic control, they were duplicates or no longer needed
    • modify controls which check for STIG-specific modifications to ssh server cryptopolicy
    • modify controls regarding SSH client macs and ciphers handled by special STIG subpolicy
    • add rhel8 cce to rule
    • update the default profile to prevent removing rules from datastream
    • drop RHEL-08-010287, drop RHEL-08-010293, drop RHEL-08-010294, drop RHEL-08-010295, drop RHEL-08-040342
    • update default profile to keep rules in the data stream
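
One invariant this PR has to preserve is the one behind the last two bullets: a rule that no v2r6 control selects any more must still be selected by default.profile, or it disappears from the built data stream. The script below is an added example written for this review and is not part of the PR or the ComplianceAsCode code base; the control-file excerpts and the default.profile selections are constructed (in the shape yaml.safe_load() returns for a control file), and which rule sat under which control is illustrative only.

```python
"""Check that rules dropped from a control file are still selected by default.profile,
so they stay in the built data stream. Data is constructed in the shape yaml.safe_load()
returns for ComplianceAsCode control files; control-to-rule assignments are illustrative."""

# Constructed excerpt of stig_rhel8.yml before the v2r6 update.
OLD_CONTROLS = {"id": "stig_rhel8", "controls": [
    {"id": "RHEL-08-010020", "levels": ["high"],
     "rules": ["enable_fips_mode", "sysctl_crypto_fips_enabled",
               "configure_bind_crypto_policy"]},
    {"id": "RHEL-08-010290", "levels": ["medium"],
     "rules": ["harden_sshd_macs_opensshserver_conf_crypto_policy"]},
    {"id": "RHEL-08-040342", "levels": ["medium"],
     "rules": ["sshd_use_approved_kex_ordered_stig"]},
]}

# Constructed excerpt after the update: the STIG subpolicy replaces
# per-component rules, bind gets its own control, a variable is set inline.
NEW_CONTROLS = {"id": "stig_rhel8", "controls": [
    {"id": "RHEL-08-010020", "levels": ["high"],
     "rules": ["enable_fips_mode", "fips_crypto_subpolicy",
               "fips_custom_stig_sub_policy", "var_system_crypto_policy=fips_stig"]},
    {"id": "RHEL-08-010275", "levels": ["medium"],
     "rules": ["configure_bind_crypto_policy"]},
    {"id": "RHEL-08-010290", "levels": ["medium"],
     "rules": ["fips_custom_stig_sub_policy"]},
]}

# Constructed default.profile selections; one moved rule is deliberately
# left out so the check has something to report.
DEFAULT_PROFILE = {"sysctl_crypto_fips_enabled",
                   "harden_sshd_macs_opensshserver_conf_crypto_policy"}

def selected_rules(control_file):
    """Map each rule a control file selects to the first control selecting it.
    'var_name=value' entries set variables and are not rules."""
    selected = {}
    for control in control_file["controls"]:
        for entry in control.get("rules", []):
            if "=" not in entry:
                selected.setdefault(entry, control["id"])
    return selected

def dropped_rules(old, new):
    """Rules the old control file selected that no control in the new one does."""
    new_selected = selected_rules(new)
    return {r: c for r, c in selected_rules(old).items() if r not in new_selected}

def rules_leaving_datastream(old, new, profile_selections):
    """Dropped rules default.profile does not keep; these vanish from the build."""
    return sorted(r for r in dropped_rules(old, new) if r not in profile_selections)
```

Running the same two functions over the real old and new stig_rhel8.yml (loaded with yaml.safe_load) and the real default.profile selections gives the list a reviewer should expect to be empty after this PR.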

@vojtapolasek vojtapolasek added this to the 0.1.80 milestone Feb 9, 2026
@vojtapolasek vojtapolasek added the labels Update Rule (Issues or pull requests related to Rules updates), Update Profile (Issues or pull requests related to Profiles updates), RHEL8 (Red Hat Enterprise Linux 8 product related) and STIG (STIG Benchmark related) on Feb 9, 2026
@openshift-ci openshift-ci bot added the label do-not-merge/work-in-progress (Used by openshift-ci bot) on Feb 9, 2026
@openshift-ci

openshift-ci bot commented Feb 9, 2026

Skipping CI for Draft Pull Request.
If you want CI signal for your change, please convert it to an actual PR.
You can still manually trigger a test run with /test all

@Mab879
Member

Mab879 commented Feb 9, 2026

Something is up with the base of this PR. Please review before moving to ready for review.

@vojtapolasek
Collaborator Author

/packit retest-failed

@vojtapolasek vojtapolasek force-pushed the rhel8_stig_update_02_26 branch from 4585e61 to 726cc9f on February 12, 2026 15:59
@vojtapolasek vojtapolasek changed the title from "WIP: Update RHEL 8 STIG control file to align with DISA STIG v2r6" to "Update RHEL 8 STIG control file to align with DISA STIG v2r6" on Feb 12, 2026
@vojtapolasek vojtapolasek marked this pull request as ready for review on February 12, 2026 16:00
@openshift-ci openshift-ci bot removed the label do-not-merge/work-in-progress (Used by openshift-ci bot) on Feb 12, 2026
@Mab879 Mab879 self-assigned this Feb 12, 2026
@Mab879
Member

Mab879 commented Feb 12, 2026

/packit retest-failed

@Mab879
Member

Mab879 commented Feb 13, 2026

[2026-02-12 21:50:32] [W] [worker_0] [stderr] [CentOS-Stream-8:x86_64:/plans/contest/static-checks]             00:00:07 fail /static-checks/rule-identifiers (on default-0) [5/6]
[2026-02-12 21:50:32] [W] [worker_0] [stderr] [CentOS-Stream-8:x86_64:/plans/contest/static-checks]                 ..:..:.. fail /stig/stigref/display_login_attempts (subresult)
[2026-02-12 21:50:33] [W] [worker_0] [stderr] [CentOS-Stream-8:x86_64:/plans/contest/static-checks]                     Note: missing https://www.cyber.mil/stigs/srg-stig-tools/
[2026-02-12 21:50:33] [W] [worker_0] [stderr] [CentOS-Stream-8:x86_64:/plans/contest/static-checks]                 ..:..:.. fail /stig/stigref/accounts_user_dot_no_world_writable_programs (subresult)
[2026-02-12 21:50:34] [W] [worker_0] [stderr] [CentOS-Stream-8:x86_64:/plans/contest/static-checks]                     Note: missing https://www.cyber.mil/stigs/srg-stig-tools/
[2026-02-12 21:50:34] [W] [worker_0] [stderr] [CentOS-Stream-8:x86_64:/plans/contest/static-checks]                 ..:..:.. fail /stig/stigref/enable_fips_mode (subresult)
[2026-02-12 21:50:35] [W] [worker_0] [stderr] [CentOS-Stream-8:x86_64:/plans/contest/static-checks]                     Note: missing https://www.cyber.mil/stigs/srg-stig-tools/

Is this expected?

Per the STIG prose, the requirement does not exist there anymore. Or more exactly, it is covered by implementing proper FIPS crypto policy.

@vojtapolasek vojtapolasek force-pushed the rhel8_stig_update_02_26 branch from 264a30c to 61a9ce6 on February 13, 2026 13:31
@Mab879
Member

Mab879 commented Feb 13, 2026

Make sure you update the profile versions as well.

@openshift-ci

openshift-ci bot commented Feb 13, 2026

@vojtapolasek: The following test failed, say /retest to rerun all failed tests or /retest-required to rerun all mandatory failed tests:

Test name: ci/prow/e2e-aws-openshift-node-compliance; Commit: c6a68f0; Required: true; Rerun command: /test e2e-aws-openshift-node-compliance

@Mab879 Mab879 merged commit 4774004 into ComplianceAsCode:master Feb 13, 2026
141 of 143 checks passed
@ggbecker ggbecker added the label Highlight (This PR/Issue should make it to the featured changelog) on Mar 6, 2026