APPL-15-000140 - The macOS system must set SSH Active Server Alive Maximum to 0.

Information

SSH must be configured with an Active Server Alive Maximum Count set to 0. Terminating an idle session within a short time period reduces the window of opportunity for unauthorized personnel to take control of a management session enabled on the console or console port that has been left unattended. Quickly terminating an idle session or an incomplete login attempt will also free up resources committed by the managed network element.

NOTE: /etc/ssh/ssh_config will be automatically modified to its original state following any update or major upgrade to the operating system.

Solution

Configure the macOS system to set SSH Active Server Alive Maximum to 0 with the following command:

include_dir=$(/usr/bin/awk '/^Include/ {print $2}' /etc/ssh/ssh_config | /usr/bin/tr -d '*')

ssh_config=('ServerAliveCountMax 0')

ssh_setting=$(echo $ssh_config | /usr/bin/cut -d ' ' -f1)
/usr/bin/grep -qEi '^$ssh_setting' '${include_dir}01-mscp-ssh.conf' && /usr/bin/sed -i '' 's/^$ssh_setting.*/${ssh_config}/' '${include_dir}01-mscp-ssh.conf' || echo '$ssh_config' >> '${include_dir}01-mscp-ssh.conf'
for u in $(/usr/bin/dscl . list /users shell | /usr/bin/egrep -v '(^_)|(root)|(/usr/bin/false)' | /usr/bin/awk '{print $1}'); do
config=$(/usr/bin/sudo -u $u /usr/bin/ssh -Gv . 2>&1)
configfiles=$(echo '$config' | /usr/bin/awk '/Reading configuration data/ {print $NF}'| /usr/bin/tr -d 'r')
configarray=( ${(f)configfiles} )
if ! echo $config | /usr/bin/grep -q -i '$ssh_config' ; then
for c in $configarray; do
if [[ '$c' == '/etc/ssh/crypto.conf' ]]; then
continue
fi

/usr/bin/sudo -u $u /usr/bin/grep -qEi '^$ssh_setting' '$c' && /usr/bin/sed -i '' 's/^$ssh_setting.*/${ssh_config}/I' '$c'
if [[ '$c' =~ '.ssh/config' ]]; then
if /usr/bin/grep -qEi '$ssh_setting' '$c' 2> /dev/null; then
old_file=$(cat ~$u/.ssh/config)
echo '$ssh_config' > ~$u/.ssh/config
echo '$old_file' >> ~$u/.ssh/config
fi
fi
done
fi
done

See Also

https://dl.dod.cyber.mil/wp-content/uploads/stigs/zip/U_Apple_macOS_15_V1R1_STIG.zip

Item Details

Category: SYSTEM AND COMMUNICATIONS PROTECTION

References: 800-53|SC-10, CAT|II, CCI|CCI-001133, Rule-ID|SV-268447r1034805_rule, STIG-ID|APPL-15-000140, Vuln-ID|V-268447

Plugin: Unix

Control ID: 66cdf2972c9e273fc7cc558f2c28f96bd531d5e66bc73846d88f3ff3532916ba