APPL-14-000052 - The macOS system must configure SSHD ClientAliveCountMax to 1.

Warning! Audit Deprecated

This audit has been deprecated and will be removed in a future update.

View Next Audit Version

Information

If SSHD is enabled it must be configured with the Client Alive Maximum Count set to 1.

This will set the number of client alive messages which may be sent without the SSH server receiving any messages back from the client. If this threshold is reached while client alive messages are being sent, the SSH server will disconnect the client, terminating the session. The client alive messages are sent through the encrypted channel and therefore will not be spoofable. The client alive mechanism is valuable when the client or server depend on knowing when a connection has become unresponsive.

Note: This setting is not intended to manage idle user sessions where there is no input from the client. Its purpose is to monitor for interruptions in network connectivity and force the session to terminate after the connection appears to be broken.

Note: /etc/ssh/sshd_config will be automatically modified to its original state following any update or major upgrade to the operating system.

Solution

Configure the macOS system to set the SSHD ClientAliveCountMax to 1 with the following command:

include_dir=$(/usr/bin/awk '/^Include/ {print $2}' /etc/ssh/sshd_config | /usr/bin/tr -d '*')

if [[ -z $include_dir ]]; then
/usr/bin/sed -i.bk '1s/.*/Include /etc/ssh/sshd_config.d/*/' /etc/ssh/sshd_config
fi

/usr/bin/grep -qxF 'clientalivecountmax 1' '${include_dir}01-mscp-sshd.conf' 2>/dev/null || echo 'clientalivecountmax 1' >> '${include_dir}01-mscp-sshd.conf'

for file in $(ls ${include_dir}); do
if [[ '$file' == '100-macos.conf' ]]; then
continue
fi
if [[ '$file' == '01-mscp-sshd.conf' ]]; then
break
fi
/bin/mv ${include_dir}${file} ${include_dir}20-${file}
done

See Also

https://dl.dod.cyber.mil/wp-content/uploads/stigs/zip/U_Apple_macOS_14_V2R1_STIG.zip

Item Details

References: CAT|II, CCI|CCI-001133, Rule-ID|SV-259436r970703_rule, STIG-ID|APPL-14-000052, Vuln-ID|V-259436

Plugin: Unix

Control ID: 4c072dd3734e753ed309ade27d025721f4894da2aafb11eaf690903d9f09544d