RHEL-83277

HMAC-SHA1 reasonable but insecure


    • Type: Bug
    • Resolution: Won't Do
    • CentOS Stream 10
    • crypto-policies
    • rhel-security-crypto
    • ssg_security

      According to Red Hat Insights, an important security incident with critical likelihood is raised when a machine uses the DEFAULT crypto policy ("SSH security is decreased when insecure cipher or hmac is enabled in the crypto policy")

      According to the DEFAULT crypto policy, up to RHEL10 /cs10, "# SHA1 is allowed in HMAC where collision resistance does not matter."

      This is inconvenient as a user: it means the distro is shipped with an insecure standard (according to the vendor's audit tool, which ships with the same distro... but other audit tools raise the same "issue") and so I need to update this myself to comply.
      Adding to the annoyance, there is no NO-HMAC-SHA1 module shipped (as there used to be a NO-SHA1), so I need to craft a policy myself, which is error prone.

      Is it possible to update the DEFAULT policy so that hmac-sha1 is forbidden in the ssh MACs? Or at least provide a module for convenience? Thanks!!

      $ rpm -q -a crypto-policies\*
      crypto-policies-20250214-1.gitfd9b9b9.el10.noarch
      crypto-policies-scripts-20250214-1.gitfd9b9b9.el10.noarch
      $ update-crypto-policies --show
      DEFAULT
      $ sudo sshd -T | grep mac
      macs hmac-sha2-256-etm@openssh.com,hmac-sha1-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hma-sha2-256,hmac-sha1,umac-128@openssh.com,hmac-sha2-512
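The two things the report asks for, a check that hmac-sha1 is still in sshd's effective MAC list and a convenience subpolicy that removes it, as an added example; this is not code from the report or from the crypto-policies project. The module name NO-HMAC-SHA1, the scoped directive `mac@SSH = -HMAC-SHA1`, and the output directory are assumptions: the directive syntax follows the custom-policy section of crypto-policies(7) as I recall it, so verify it against `man crypto-policies` on the target host before relying on it. The sample `macs` lines are constructed (the first is copied from the report, with the `hma-sha2-256` token spelled out).

```shell
#!/bin/sh
# Added example for RHEL-83277, not part of the report or of crypto-policies.
# Module name, directive syntax and paths below are assumptions; check them
# against `man crypto-policies` on the system you harden.

# Return 0 if a "macs ..." line (as printed by `sshd -T`) lists any
# hmac-sha1 MAC, plain or -etm@openssh.com; return 1 otherwise.
has_sha1_mac() {
    # Split on the leading space and on commas, one MAC per line, then
    # look for a token that starts with hmac-sha1.
    printf '%s\n' "$1" | tr ' ,' '\n\n' | grep -q '^hmac-sha1'
}

# Write the NO-HMAC-SHA1 subpolicy into the given directory and print its
# path. On a real host the directory would be
# /etc/crypto-policies/policies/modules (assumed location).
write_no_hmac_sha1_module() {
    dir="$1"
    mkdir -p "$dir"
    cat > "$dir/NO-HMAC-SHA1.pmod" <<'EOF'
# Remove HMAC-SHA1 (and thereby its -etm variant) from the SSH MAC list
# only; every other setting of the base policy stays as shipped.
mac@SSH = -HMAC-SHA1
EOF
    printf '%s\n' "$dir/NO-HMAC-SHA1.pmod"
}

# Constructed inputs: the line from the report, and what a host prints
# once hmac-sha1 has been dropped from the policy.
REPORTED_MACS='macs hmac-sha2-256-etm@openssh.com,hmac-sha1-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha2-256,hmac-sha1,umac-128@openssh.com,hmac-sha2-512'
HARDENED_MACS='macs hmac-sha2-256-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha2-256,umac-128@openssh.com,hmac-sha2-512'

# Stand-alone demo: flag the reported configuration and generate the module
# into a scratch directory (assumed path) instead of /etc.
if has_sha1_mac "$REPORTED_MACS"; then
    echo "hmac-sha1 is still enabled in the effective sshd MAC list"
    write_no_hmac_sha1_module "${TMPDIR:-/tmp}/no-hmac-sha1-demo"
fi
if has_sha1_mac "$HARDENED_MACS"; then
    echo "unexpected: hardened sample still lists hmac-sha1"
else
    echo "hardened sample is clean"
fi
```

On a live host you would run `sudo sshd -T | grep '^macs' | (read line; has_sha1_mac "$line")` to check, copy the generated `.pmod` into `/etc/crypto-policies/policies/modules/`, apply it with `sudo update-crypto-policies --set DEFAULT:NO-HMAC-SHA1`, restart sshd, and run the check again to confirm the hmac-sha1 entries are gone.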
      

              Alexander Sosedkin
              Francois Rigault
              Ondrej Moris
              Votes: 0
              Watchers: 5