...
The only CIS vs STIG conflict we had to resolve:
CIS recommendation 5.2.11 states that we need to "Ensure only approved MAC algorithms are used", whereas STIG V-23826 requires that the SSH daemon only use a FIPS 140-2 validated cryptographic module (operating in FIPS mode). After some research, this document, https://csrc.nist.gov/csrc/media/projects/cryptographic-module-validation-program/documents/security-policies/140sp2907.pdf, indicates that if we use the CIS setting for this parameter we still satisfy the FIPS 140-2 validated cryptographic module requirement, and in consequence STIG V-23826 as well.
So the MACs parameter in sshd_config for STIG changed from this:
MACs hmac-sha1
to this one (the CIS-approved MAC algorithms, as a single comma-separated value):
MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512,hmac-sha2-256,umac-128@openssh.com
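To check that a given sshd_config really restricts MACs to the CIS 5.2.11 list (and catches the "before" setting above), here is an added audit helper that is not part of the original write-up; the sample configs and the function names are constructed for this example, and it assumes standard sshd_config parsing rules (first value of a keyword wins, and every line after a Match line is conditional).

```python
"""Audit the MACs directive in an sshd_config against the CIS 5.2.11 list."""
import re

# Approved MAC list from CIS 5.2.11, i.e. the corrected MACs value above.
CIS_APPROVED_MACS = {
    "hmac-sha2-512-etm@openssh.com",
    "hmac-sha2-256-etm@openssh.com",
    "umac-128-etm@openssh.com",
    "hmac-sha2-512",
    "hmac-sha2-256",
    "umac-128@openssh.com",
}


def parse_macs_directive(config_text: str):
    """Return the value of the first global MACs directive, or None.

    sshd uses the first value it sees for each keyword, and every line after
    a 'Match' line belongs to that conditional block, so only lines before
    the first Match count as global.
    """
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue  # sshd_config comments are whole lines only
        parts = re.split(r"[\s=]+", line, maxsplit=1)  # 'Key value' or 'Key=value'
        keyword = parts[0].lower()
        if keyword == "match":
            return None  # no global MACs before the conditional section
        if keyword == "macs" and len(parts) == 2 and parts[1].strip():
            return parts[1].strip()
    return None


def audit_macs(config_text: str) -> dict:
    """Audit the config against the CIS list; report status, reason, offenders."""
    value = parse_macs_directive(config_text)
    if value is None:
        return {"status": "fail", "reason": "no global MACs directive; sshd built-in defaults apply", "unapproved": []}
    if value[0] in "+-^":
        # '+', '-' and '^' edit OpenSSH's built-in default list, which is
        # version-dependent, so the effective set must be read from 'sshd -T'.
        return {"status": "fail", "reason": "MACs edits the built-in default list; confirm with 'sshd -T'", "unapproved": []}
    macs = [m.strip() for m in value.split(",") if m.strip()]
    bad = [m for m in macs if m not in CIS_APPROVED_MACS]
    if bad:
        return {"status": "fail", "reason": "unapproved MAC algorithms listed", "unapproved": bad}
    return {"status": "pass", "reason": "only CIS-approved MACs listed", "unapproved": []}


# Constructed sample configs: the 'before' and 'after' MACs lines from above.
STIG_BEFORE = "Port 22\nMACs hmac-sha1\n"
CIS_AFTER = ("Port 22\nMACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,"
             "umac-128-etm@openssh.com,hmac-sha2-512,hmac-sha2-256,umac-128@openssh.com\n")

if __name__ == "__main__":
    for name, cfg in (("before", STIG_BEFORE), ("after", CIS_AFTER)):
        print(name, audit_macs(cfg))
```

On a live host, feed it the effective configuration (`sshd -T` output uses the same `macs value` form) rather than the raw file, so included files and defaults are accounted for.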