APPL-15-000057 - The macOS system must limit SSH to FIPS-compliant connections.

Information

SSH must be configured to limit Ciphers, HostbasedAcceptedAlgorithms, HostKeyAlgorithms, KexAlgorithms, MACs, PubkeyAcceptedAlgorithms, and CASignatureAlgorithms to algorithms that are FIPS 140 validated.

FIPS 140-3 is the current standard for validating that the mechanisms used to access cryptographic modules use authentication that meets federal requirements.

Operating systems using encryption must use FIPS-validated mechanisms for authenticating to cryptographic modules.

NOTE: For more information on FIPS compliance with the version of SSH included in macOS, see the manual page apple_ssh_and_fips.

Satisfies: SRG-OS-000033-GPOS-00014, SRG-OS-000120-GPOS-00061, SRG-OS-000250-GPOS-00093, SRG-OS-000396-GPOS-00176, SRG-OS-000424-GPOS-00188, SRG-OS-000478-GPOS-00223

Solution

Configure the macOS system to limit SSH to FIPS-compliant connections by running the following zsh script with administrative privileges:

#!/bin/zsh
# Point the system-wide crypto include at Apple's FIPS profile when the
# include line is present in 100-macos.conf.
if [ -f /etc/ssh/crypto.conf ] && /usr/bin/grep -q "Include /etc/ssh/crypto.conf" /etc/ssh/ssh_config.d/100-macos.conf 2>/dev/null; then
    /bin/ln -fs /etc/ssh/crypto/fips.conf /etc/ssh/crypto.conf
fi
include_dir=$(/usr/bin/awk '/^Include/ {print $2}' /etc/ssh/ssh_config | /usr/bin/tr -d '*')

# NOTE: entries shown as "[email protected]" stand for algorithm names carrying the
# @openssh.com suffix; take the exact names from /etc/ssh/crypto/fips.conf on the host.
fips_ssh_config=('Ciphers [email protected]' 'HostbasedAcceptedAlgorithms ecdsa-sha2-nistp256,[email protected]' 'HostKeyAlgorithms [email protected],[email protected],ecdsa-sha2-nistp256,[email protected]' 'KexAlgorithms ecdh-sha2-nistp256' 'MACs [email protected],hmac-sha2-256' 'PubkeyAcceptedAlgorithms ecdsa-sha2-nistp256,[email protected],[email protected]' 'CASignatureAlgorithms ecdsa-sha2-nistp256,[email protected]')

for ssh_config in $fips_ssh_config; do
    ssh_setting=$(echo $ssh_config | /usr/bin/cut -d ' ' -f1)
    # Replace an existing directive in the mSCP include file, or append it.
    /usr/bin/grep -qEi "^$ssh_setting" "${include_dir}01-mscp-ssh.conf" && /usr/bin/sed -i '' "s/^$ssh_setting.*/${ssh_config}/" "${include_dir}01-mscp-ssh.conf" || echo "$ssh_config" >> "${include_dir}01-mscp-ssh.conf"
    # For every interactive user, read the effective client config and correct
    # any config file that still overrides the setting.
    for u in $(/usr/bin/dscl . list /users shell | /usr/bin/egrep -v '(^_)|(root)|(/usr/bin/false)' | /usr/bin/awk '{print $1}'); do
        config=$(/usr/bin/sudo -u $u /usr/bin/ssh -Gv . 2>&1)
        configfiles=$(echo "$config" | /usr/bin/awk '/Reading configuration data/ {print $NF}' | /usr/bin/tr -d '\r')
        configarray=( ${(f)configfiles} )
        if ! echo $config | /usr/bin/grep -q -i "$ssh_config" ; then
            for c in $configarray; do
                if [[ "$c" == "/etc/ssh/crypto.conf" ]]; then
                    continue
                fi

                /usr/bin/sudo -u $u /usr/bin/grep -qEi "^$ssh_setting" "$c" && /usr/bin/sed -i '' "s/^$ssh_setting.*/${ssh_config}/I" "$c"
                if [[ "$c" =~ ".ssh/config" ]]; then
                    if /usr/bin/grep -qEi "$ssh_setting" "$c" 2> /dev/null; then
                        # Prepend the FIPS directive so it takes precedence in the user's config.
                        old_file=$(cat ~$u/.ssh/config)
                        echo "$ssh_config" > ~$u/.ssh/config
                        echo "$old_file" >> ~$u/.ssh/config
                    fi
                fi
            done
        fi
    done
done
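An added verification helper, not part of the STIG text or the mSCP fix script above: it compares the effective client settings printed by `ssh -G` with the allow-lists in Apple's /etc/ssh/crypto/fips.conf and flags any algorithm that is still offered but not on the FIPS list, so a reviewer can confirm the fix took effect for a given user. The paths are assumed and the sample inputs are constructed.

```bash
#!/bin/bash
# Added check (not from the STIG or the mSCP project). Both inputs are file
# paths so it can be exercised on constructed samples without a live host.
# On a real host (assumed paths), run as the user being checked:
#   ssh -G . > /tmp/effective.txt
#   check_fips_ssh /etc/ssh/crypto/fips.conf /tmp/effective.txt
check_fips_ssh() {
    fips_conf="$1"; effective="$2"; rc=0
    while read -r key allowed; do
        case "$key" in ''|\#*) continue ;; esac   # skip blanks and comments
        lkey=$(printf '%s' "$key" | tr '[:upper:]' '[:lower:]')
        # ssh -G prints one lower-cased "keyword value" pair per line
        actual=$(awk -v k="$lkey" '$1 == k { print $2 }' "$effective")
        if [ -z "$actual" ]; then
            echo "MISSING $key: not reported by ssh -G"; rc=1; continue
        fi
        bad=""
        for alg in $(printf '%s' "$actual" | tr ',' ' '); do
            case ",$allowed," in
                *",$alg,"*) ;;                 # on the FIPS allow-list
                *) bad="$bad $alg" ;;          # anything else is a finding
            esac
        done
        if [ -n "$bad" ]; then
            echo "FAIL    $key: non-FIPS algorithm(s) offered:$bad"; rc=1
        else
            echo "OK      $key: $actual"
        fi
    done < "$fips_conf"
    return $rc
}

# Constructed sample (not real host output): the effective config still offers
# a non-FIPS key exchange next to the FIPS one, so the check must report FAIL.
demo_check() {
    d=$(mktemp -d)
    printf 'KexAlgorithms ecdh-sha2-nistp256\nMACs hmac-sha2-256\n' > "$d/fips.conf"
    printf 'kexalgorithms curve25519-sha256,ecdh-sha2-nistp256\nmacs hmac-sha2-256\n' > "$d/effective.txt"
    if check_fips_ssh "$d/fips.conf" "$d/effective.txt"; then r=0; else r=1; fi
    rm -rf "$d"
    return $r
}

if demo_check; then echo "sample: compliant"; else echo "sample: non-compliant (expected)"; fi
```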

See Also

https://dl.dod.cyber.mil/wp-content/uploads/stigs/zip/U_Apple_macOS_15_V1R1_STIG.zip

Item Details

Category: ACCESS CONTROL, IDENTIFICATION AND AUTHENTICATION, SYSTEM AND COMMUNICATIONS PROTECTION

References: 800-53|AC-17(2), 800-53|IA-7, 800-53|SC-8(1), 800-53|SC-13, CAT|I, CCI|CCI-000068, CCI|CCI-000803, CCI|CCI-001453, CCI|CCI-002421, CCI|CCI-002450, Rule-ID|SV-268439r1034803_rule, STIG-ID|APPL-15-000057, Vuln-ID|V-268439

Plugin: Unix

Control ID: fb868c72e0572021a3b052e0438f7996beccf3a36d44afe05d2d800384389489