So, I tried doing this via GitHub but it seems the issue and PR were just
abruptly closed within 20m without any meaningful conversation, so I'm
hoping that there can be a more fruitful discussion on the list here.
https://github.com/ComplianceAsCode/content/issues/4917
https://github.com/ComplianceAsCode/content/pull/4920
The issue in question is that any FIPS-related check includes a test for
whether or not the OS is FIPS certified. That seems to make sense as a
stand-alone rule, but shouldn't that be orthogonal to whether or not SSH is
configured to use FIPS-approved crypto algorithms or whether AIDE is configured
to exclusively use FIPS-approved hashes? The rule isn't whether or not ssh
is FIPS approved but just whether or not its configuration is such that
only approved ciphers are used.
----------
Chuck Atkins
Staff R&D Engineer, Scientific Computing
Kitware, Inc.
(518) 881-1183
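A check of the kind the message argues for, added here as an example that is not part of the original message or of the ComplianceAsCode project: it inspects only the sshd_config Ciphers and MACs directives against an allowlist and never consults OS FIPS mode. The allowlist and the sample configuration are assumptions for illustration, not the project's own rule content.

```python
import re

# Allowlists are assumptions for illustration, not the ComplianceAsCode rule's own list.
APPROVED = {
    "ciphers": {"aes128-ctr", "aes192-ctr", "aes256-ctr",
                "aes128-gcm@openssh.com", "aes256-gcm@openssh.com"},
    "macs": {"hmac-sha2-256", "hmac-sha2-512",
             "hmac-sha2-256-etm@openssh.com", "hmac-sha2-512-etm@openssh.com"},
}


def effective_directive(config_text, keyword):
    """First top-level value list for `keyword` (sshd keeps the first value it reads).
    Lines inside a Match block are skipped: they apply only conditionally. None if absent."""
    in_match = False
    for raw in config_text.splitlines():
        line = raw.split("#", 1)[0].strip()        # drop comments and blank lines
        if not line:
            continue
        parts = re.split(r"[\s=]+", line, maxsplit=1)
        key = parts[0].lower()
        if key == "match":
            in_match = True
        elif not in_match and key == keyword and len(parts) == 2:
            return [v for v in parts[1].split(",") if v]
    return None


def check_sshd_fips_algorithms(config_text):
    """Return {directive: problem}; an empty dict means the configuration passes."""
    findings = {}
    for keyword, approved in APPROVED.items():
        values = effective_directive(config_text, keyword)
        if not values:
            findings[keyword] = "missing: OpenSSH defaults include non-approved algorithms"
        elif values[0][0] in "+-^":   # '+', '-', '^' edit the default list, not replace it
            findings[keyword] = "modifies defaults instead of replacing them"
        else:
            bad = [v for v in values if v not in approved]
            if bad:
                findings[keyword] = "non-approved: " + ",".join(bad)
    return findings


# Constructed sample: approved ciphers, but MACs still allow umac-64@openssh.com.
SAMPLE_CONFIG = """\
Ciphers aes256-gcm@openssh.com,aes256-ctr,aes128-ctr   # first value wins
MACs hmac-sha2-512,hmac-sha2-256,umac-64@openssh.com
Match User backup
    Ciphers aes128-cbc
"""
```

Running `check_sshd_fips_algorithms(SAMPLE_CONFIG)` reports only the MACs directive, because the Match-scoped `Ciphers aes128-cbc` is conditional and the top-level cipher list is fully approved.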