ssh changes due to fips discovery

Bob Gendler
2020-10-19 17:18:47 -04:00
parent 3f966ff923
commit 429833b87d
19 changed files with 262 additions and 98 deletions


@@ -32,7 +32,7 @@ profile:
- section: "macos"
rules:
- os_firewall_default_deny_require
- os_ssh_client_alive_count_max_configure
- os_ssh_server_alive_count_max_configure
- os_firmware_password_require
- os_gatekeeper_rearm
- os_root_disable
@@ -48,7 +48,6 @@ profile:
- os_password_autofill_disable
- os_password_sharing_disable
- os_ssh_fips_140_ciphers
- os_ssh_login_grace_time_configure
- os_uucp_disable
- os_policy_banner_loginwindow_enforce
- os_touchid_prompt_disable
@@ -76,7 +75,7 @@ profile:
- os_icloud_storage_prompt_disable
- os_ir_support_disable
- os_mail_app_disable
- os_ssh_client_alive_interval_configure
- os_ssh_server_alive_interval_configure
- os_bonjour_disable
- os_calendar_app_disable
- section: "passwordpolicy"


@@ -36,7 +36,7 @@ profile:
- section: "macos"
rules:
- os_firewall_default_deny_require
- os_ssh_client_alive_count_max_configure
- os_ssh_server_alive_count_max_configure
- os_firmware_password_require
- os_gatekeeper_rearm
- os_root_disable
@@ -52,7 +52,6 @@ profile:
- os_password_autofill_disable
- os_password_sharing_disable
- os_ssh_fips_140_ciphers
- os_ssh_login_grace_time_configure
- os_secure_boot_verify
- os_uucp_disable
- os_policy_banner_loginwindow_enforce
@@ -83,7 +82,7 @@ profile:
- os_icloud_storage_prompt_disable
- os_ir_support_disable
- os_mail_app_disable
- os_ssh_client_alive_interval_configure
- os_ssh_server_alive_interval_configure
- os_bonjour_disable
- os_calendar_app_disable
- section: "passwordpolicy"


@@ -34,7 +34,7 @@ profile:
- section: "macos"
rules:
- os_firewall_default_deny_require
- os_ssh_client_alive_count_max_configure
- os_ssh_server_alive_count_max_configure
- os_firmware_password_require
- os_gatekeeper_rearm
- os_root_disable
@@ -49,7 +49,6 @@ profile:
- os_password_autofill_disable
- os_password_sharing_disable
- os_ssh_fips_140_ciphers
- os_ssh_login_grace_time_configure
- os_uucp_disable
- os_policy_banner_loginwindow_enforce
- os_touchid_prompt_disable
@@ -79,7 +78,7 @@ profile:
- os_icloud_storage_prompt_disable
- os_ir_support_disable
- os_mail_app_disable
- os_ssh_client_alive_interval_configure
- os_ssh_server_alive_interval_configure
- os_bonjour_disable
- os_calendar_app_disable
- section: "passwordpolicy"


@@ -37,7 +37,7 @@ profile:
- section: "macos"
rules:
- os_firewall_default_deny_require
- os_ssh_client_alive_count_max_configure
- os_ssh_server_alive_count_max_configure
- os_firmware_password_require
- os_gatekeeper_rearm
- os_root_disable
@@ -53,7 +53,7 @@ profile:
- os_password_autofill_disable
- os_password_sharing_disable
- os_ssh_fips_140_ciphers
- os_ssh_login_grace_time_configure
- os_sshd_login_grace_time_configure
- os_privacy_setup_prompt_disable
- os_secure_boot_verify
- os_sudoers_tty_configure
@@ -86,12 +86,16 @@ profile:
- os_camera_disable
- os_guest_access_afp_disable
- os_icloud_storage_prompt_disable
- os_ssh_permit_root_login_configure
- os_sshd_permit_root_login_configure
- os_ir_support_disable
- os_mail_app_disable
- os_ssh_client_alive_interval_configure
- os_ssh_server_alive_interval_configure
- os_bonjour_disable
- os_calendar_app_disable
- os_sshd_client_alive_count_max_configure
- os_sshd_client_alive_interval_configure
- os_sshd_fips_140_ciphers
- os_sshd_fips_140_macs
- section: "passwordpolicy"
rules:
- pwpolicy_account_inactivity_enforce
@@ -127,6 +131,7 @@ profile:
- sysprefs_internet_sharing_disable
- sysprefs_rae_disable
- sysprefs_ssh_enable
- sysprefs_ssh_disable
- sysprefs_media_sharing_disabled
- sysprefs_screensaver_password_enforce
- sysprefs_gatekeeper_identified_developers_allowed


@@ -34,7 +34,7 @@ profile:
- section: "macos"
rules:
- os_firewall_default_deny_require
- os_ssh_client_alive_count_max_configure
- os_ssh_server_alive_count_max_configure
- os_firmware_password_require
- os_gatekeeper_rearm
- os_root_disable
@@ -49,7 +49,6 @@ profile:
- os_password_autofill_disable
- os_password_sharing_disable
- os_ssh_fips_140_ciphers
- os_ssh_login_grace_time_configure
- os_sudoers_tty_configure
- os_uucp_disable
- os_policy_banner_loginwindow_enforce
@@ -79,7 +78,7 @@ profile:
- os_icloud_storage_prompt_disable
- os_ir_support_disable
- os_mail_app_disable
- os_ssh_client_alive_interval_configure
- os_ssh_server_alive_interval_configure
- os_bonjour_disable
- os_calendar_app_disable
- section: "passwordpolicy"


@@ -7,7 +7,7 @@ discussion: |
MacOS Big Sur is in process of testing from an accredited laboratory to submit the National Institute of Standards and Technology (NIST) for FIPS validation.
link:https://csrc.nist.gov/Projects/Cryptographic-Module-Validation-Program/Modules-In-Process/Modules-In-Process-List[]
link:https://csrc.nist.gov/Projects/cryptographic-module-validation-program/modules-in-process/IUT-List[]
link:https://support.apple.com/en-us/HT201159[]
check: |


@@ -20,6 +20,7 @@ references:
- N/A
800-53r4:
- IA-2
- IA-2(5)
800-171r2:
- 3.5.1
- 3.5.2


@@ -9,28 +9,28 @@ discussion: |
NOTE: /etc/ssh/sshd_config will be automatically modified to its original state following any update or major upgrade to the operating system.
check: |
/usr/bin/grep -c "^Ciphers aes256-ctr,aes192-ctr,aes128-ctr" /etc/ssh/sshd_config
/usr/bin/grep -c "^Ciphers aes256-ctr,aes192-ctr,aes128-ctr" /etc/ssh/ssh_config
result:
integer: 1
fix: |
[source,bash]
----
/usr/bin/grep -q '^Ciphers' /etc/ssh/sshd_config && /usr/bin/sed -i.bak 's/.^Ciphers.*/Ciphers aes256-ctr,aes192-ctr,aes128-ctr/' /etc/ssh/sshd_config || /bin/echo 'Ciphers aes256-ctr,aes192-ctr,aes128-ctr' >> /etc/ssh/sshd_config; /bin/launchctl kickstart -k system/com.openssh.sshd
/usr/bin/grep -q '^Ciphers' /etc/ssh/ssh_config && /usr/bin/sed -i.bak 's/.^Ciphers.*/Ciphers aes256-ctr,aes192-ctr,aes128-ctr/' /etc/ssh/ssh_config || /bin/echo 'Ciphers aes256-ctr,aes192-ctr,aes128-ctr' >> /etc/ssh/ssh_config
----
references:
cce:
- CCE-85382-0
cci:
- CCI-001133
- N/A
800-53r4:
- AC-17(2)
- IA-7
- SC-8(1)
- SC-13
srg:
- SRG-OS-000163-GPOS-00072
- N/A
disa_stig:
- AOSX-15-000053
- N/A
800-171r2:
- 3.1.13
- 3.13.8
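Review bot: The sed expression on the ssh_config fix line, `s/.^Ciphers.*/…/`, cannot match a real directive: in the basic regex used by macOS sed a `^` that is not the first character of the pattern is a literal caret, so the pattern wants some character followed by the text `^Ciphers`. When `grep -q '^Ciphers'` finds an existing line the sed is therefore a no-op and the `|| echo` branch never runs, leaving the old cipher list in place; the sshd_config line above it carries the same expression. Use `s/^Ciphers.*/Ciphers aes256-ctr,aes192-ctr,aes128-ctr/` in both places. The NOTE in the discussion still mentions only sshd_config although the check and fix now act on ssh_config; the MACs rule adds a second NOTE for ssh_config and this one should match it.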


@@ -7,30 +7,30 @@ discussion: |
Operating systems utilizing encryption _MUST_ use FIPS validated mechanisms for authenticating to cryptographic modules.
NOTE: /etc/ssh/sshd_config will be automatically modified to its original state following any update or major upgrade to the operating system.
NOTE: /etc/ssh/ssh_config will be automatically modified to its original state following any update or major upgrade to the operating system.
check: |
/usr/bin/grep -c "^MACs hmac-sha2-256,hmac-sha2-512" /etc/ssh/sshd_config
/usr/bin/grep -c "^MACs hmac-sha2-256,hmac-sha2-512" /etc/ssh/ssh_config
result:
integer: 1
fix: |
[source,bash]
----
/usr/bin/grep -q '^MACs' /etc/ssh/sshd_config && /usr/bin/sed -i.bak 's/.*MACs.*/MACs hmac-sha2-256,hmac-sha2-512/' /etc/ssh/sshd_config || /bin/echo 'MACs hmac-sha2-256,hmac-sha2-512' >> /etc/ssh/sshd_config; /bin/launchctl kickstart -k system/com.openssh.sshd
/usr/bin/grep -q '^MACs' /etc/ssh/ssh_config && /usr/bin/sed -i.bak 's/.*MACs.*/MACs hmac-sha2-256,hmac-sha2-512/' /etc/ssh/ssh_config || /bin/echo 'MACs hmac-sha2-256,hmac-sha2-512' >> /etc/ssh/ssh_config
----
references:
cce:
- CCE-85383-8
cci:
- CCI-001133
- N/A
800-53r4:
- AC-17(2)
- IA-7
- SC-8(1)
- SC-13
srg:
- SRG-OS-000163-GPOS-00072
- N/A
disa_stig:
- AOSX-15-000053
- N/A
800-171r2:
- 3.1.13
- 3.13.8
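Review bot: The sed on the ssh_config fix line, `s/.*MACs.*/…/`, is unanchored and rewrites every line that contains `MACs`, so if the stock file carries a commented `#   MACs …` example it is turned into a second active directive alongside the real one; the sshd_config line has the same shape. Anchor it to the directive, `s/^MACs.*/MACs hmac-sha2-256,hmac-sha2-512/`, which also agrees with the `grep -q '^MACs'` gate in front of it and with the cipher rule's intent. Since the check expects exactly one line matching this literal list, any leftover duplicate or reordered list fails the audit even though the effective MAC set is the same; worth a sentence in the discussion.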


@@ -1,29 +1,29 @@
id: os_ssh_client_alive_count_max_configure
title: "Set SSH Active Client Alive Maximum to Zero"
id: os_ssh_server_alive_count_max_configure
title: "Set SSH Active Server Alive Maximum to Zero"
discussion: |
SSH _MUST_ be configured with an Active Client Alive Maximum Count set to zero. Terminating an idle session within a short time period reduces the window of opportunity for unauthorized personnel to take control of a management session enabled on the console or console port that has been left unattended. In addition, quickly terminating an idle session or an incomplete login attempt will also free up resources committed by the managed network element.
SSH _MUST_ be configured with an Active Server Alive Maximum Count set to zero. Terminating an idle session within a short time period reduces the window of opportunity for unauthorized personnel to take control of a management session enabled on the console or console port that has been left unattended. In addition, quickly terminating an idle session or an incomplete login attempt will also free up resources committed by the managed network element.
NOTE: /etc/ssh/sshd_config will be automatically modified to its original state following any update or major upgrade to the operating system.
NOTE: /etc/ssh/ssh_config will be automatically modified to its original state following any update or major upgrade to the operating system.
check: |
/usr/bin/grep -c "^ClientAliveCountMax 0" /etc/ssh/sshd_config
/usr/bin/grep -c "^ServerAliveCountMax 0" /etc/ssh/ssh_config
result:
integer: 1
fix: |
[source,bash]
----
/usr/bin/sed -i.bak 's/.*ClientAliveCountMax.*/ClientAliveCountMax 0/' /etc/ssh/sshd_config; /bin/launchctl kickstart -k system/com.openssh.sshd
/usr/bin/sed -i.bak 's/.*ServerAliveCountMax.*/ServerAliveCountMax 0/' /etc/ssh/ssh_config
----
references:
cce:
- CCE-85380-4
cci:
- CCI-001133
- N/A
800-53r4:
- SC-10
srg:
- SRG-OS-000163-GPOS-00072
- N/A
disa_stig:
- AOSX-15-000052
- N/A
800-171r2:
- 3.13.9
macOS:
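Review bot: The fix, `sed -i.bak 's/.*ServerAliveCountMax.*/ServerAliveCountMax 0/' /etc/ssh/ssh_config`, only rewrites a line that already exists; unlike the FIPS rules it has no append fallback, so on a ssh_config with no ServerAliveCountMax line it changes nothing and the check keeps returning 0. Mirror the cipher/MAC fixes: `/usr/bin/grep -q '^ServerAliveCountMax' /etc/ssh/ssh_config && /usr/bin/sed -i.bak 's/^ServerAliveCountMax.*/ServerAliveCountMax 0/' /etc/ssh/ssh_config || /bin/echo 'ServerAliveCountMax 0' >> /etc/ssh/ssh_config`. The discussion was carried over from the sshd rule and still argues about unattended management sessions on a console port, which does not describe a client-side keepalive count; the effect of a zero count in the ssh client should be confirmed against ssh_config(5) for the OpenSSH version macOS 11 ships before the value and the rationale are kept.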


@@ -0,0 +1,40 @@
id: os_ssh_server_alive_interval_configure
title: "Configure SSH ServerAliveInterval option set to 900 or less"
discussion: |
SSH _MUST_ be configured with an Active Server Alive Maximum Count set to 900 or less.
Setting the Active Server Alive Maximum Count to 900 (second) will log users out after a 15-minute interval of inactivity.
NOTE: /etc/ssh/ssh_config will be automatically modified to its original state following any update or major upgrade to the operating system.
check: |
/usr/bin/grep -c "^ServerAliveInterval 900" /etc/ssh/ssh_config
result:
integer: 1
fix: |
[source,bash]
----
/usr/bin/sed -i.bak 's/.*ServerAliveInterval.*/ServerAliveInterval 900/' /etc/ssh/ssh_config
----
references:
cce:
- CCE-85381-2
cci:
- N/A
800-53r4:
- SC-10
srg:
- N/A
disa_stig:
- N/A
800-171r2:
- 3.13.9
macOS:
- "11.0"
tags:
- 800-171
- cnssi-1253
- 800-53r4_moderate
- 800-53r4_high
- STIG
mobileconfig: false
mobileconfig_info:
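Review bot: The discussion names the wrong option: it requires an `Active Server Alive Maximum Count set to 900 or less` while the title, check and fix are about ServerAliveInterval, and the statement that 900 seconds `will log users out after a 15-minute interval of inactivity` describes sshd's ClientAliveInterval rather than the client keepalive this rule sets, which controls how often ssh probes a silent server (confirm against ssh_config(5) for the shipped version). Reword to `SSH _MUST_ be configured with a ServerAliveInterval of 900 seconds or less.` and describe the keepalive behaviour instead of a logout. As with the count rule, the sed has no append fallback, so a ssh_config without a ServerAliveInterval line is left untouched and the check stays at 0; add the `grep -q '^ServerAliveInterval' … || echo 'ServerAliveInterval 900' >>` pattern used by the FIPS fixes. This rule also inherits CCE-85381-2 from the old sshd ClientAliveInterval rule; a CCE identifies one configuration statement, so reassigning it to a different directive in a different file should be checked against the CCE list.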


@@ -0,0 +1,34 @@
id: os_sshd_client_alive_count_max_configure
title: "Set SSHD Active Client Alive Maximum to Zero"
discussion: |
SSHD _MUST_ be configured with an Active Client Alive Maximum Count set to zero. Terminating an idle session within a short time period reduces the window of opportunity for unauthorized personnel to take control of a management session enabled on the console or console port that has been left unattended. In addition, quickly terminating an idle session or an incomplete login attempt will also free up resources committed by the managed network element.
NOTE: /etc/ssh/sshd_config will be automatically modified to its original state following any update or major upgrade to the operating system.
check: |
/usr/bin/grep -c "^ClientAliveCountMax 0" /etc/ssh/sshd_config
result:
integer: 1
fix: |
[source,bash]
----
/usr/bin/sed -i.bak 's/.*ClientAliveCountMax.*/ClientAliveCountMax 0/' /etc/ssh/sshd_config; /bin/launchctl kickstart -k system/com.openssh.sshd
----
references:
cce:
- N/A
cci:
- CCI-001133
800-53r4:
- N/A
srg:
- SRG-OS-000163-GPOS-00072
disa_stig:
- AOSX-15-000052
800-171r2:
- N/A
macOS:
- "11.0"
tags:
- STIG
mobileconfig: false
mobileconfig_info:
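Review bot: The check pins `ClientAliveCountMax 0` and the discussion presents that as terminating idle sessions quickly, but OpenSSH releases from 8.2 onward document a zero ClientAliveCountMax as disabling connection termination entirely, the opposite of the stated intent. Verify the OpenSSH version bundled with the `"11.0"` target before keeping 0; if it is 8.2 or later, `ClientAliveCountMax 1` together with the ClientAliveInterval rule gives the cutoff the discussion describes, and the check would become `/usr/bin/grep -c "^ClientAliveCountMax 1" /etc/ssh/sshd_config`. The fix also depends on some `ClientAliveCountMax` line, possibly a commented default, already being present for the sed to rewrite; add the `grep -q … || echo … >>` fallback the FIPS fixes use so a file without that line is remediated too.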


@@ -1,7 +1,7 @@
id: os_ssh_client_alive_interval_configure
title: "Configure SSH ClientAliveInterval option set to 900 or less"
id: os_sshd_client_alive_interval_configure
title: "Configure SSHD ClientAliveInterval option set to 900 or less"
discussion: |
SSH _MUST_ be configured with an Active Client Alive Maximum Count set to 900 or less.
SSHD _MUST_ be configured with an Active Client Alive Maximum Count set to 900 or less.
Setting the Active Client Alive Maximum Count to 900 (second) will log users out after a 15-minute interval of inactivity.
@@ -17,24 +17,20 @@ fix: |
----
references:
cce:
- CCE-85381-2
- N/A
cci:
- CCI-001133
800-53r4:
- SC-10
- N/A
srg:
- SRG-OS-000163-GPOS-00072
disa_stig:
- AOSX-15-000051
800-171r2:
- 3.13.9
- N/A
macOS:
- "11.0"
tags:
- 800-171
- cnssi-1253
- 800-53r4_moderate
- 800-53r4_high
- STIG
mobileconfig: false
mobileconfig_info:


@@ -0,0 +1,38 @@
id: os_sshd_fips_140_ciphers
title: "Limit SSHD to FIPS 140 Validated Ciphers"
discussion: |
SSH _MUST_ be configured to limit the ciphers to algorithms that are FIPS 140 validated.
FIPS 140-2 is the current standard for validating that mechanisms used to access cryptographic modules utilize authentication that meet federal requirements.
Operating systems utilizing encryption _MUST_ use FIPS validated mechanisms for authenticating to cryptographic modules.
NOTE: /etc/ssh/sshd_config will be automatically modified to its original state following any update or major upgrade to the operating system.
check: |
/usr/bin/grep -c "^Ciphers aes256-ctr,aes192-ctr,aes128-ctr" /etc/ssh/sshd_config
result:
integer: 1
fix: |
[source,bash]
----
/usr/bin/grep -q '^Ciphers' /etc/ssh/sshd_config && /usr/bin/sed -i.bak 's/.^Ciphers.*/Ciphers aes256-ctr,aes192-ctr,aes128-ctr/' /etc/ssh/sshd_config || /bin/echo 'Ciphers aes256-ctr,aes192-ctr,aes128-ctr' >> /etc/ssh/sshd_config; /bin/launchctl kickstart -k system/com.openssh.sshd
----
references:
cce:
- N/A
cci:
- CCI-001133
800-53r4:
- N/A
srg:
- SRG-OS-000163-GPOS-00072
disa_stig:
- AOSX-15-000053
800-171r2:
- N/A
macOS:
- "11.0"
tags:
- STIG
mobileconfig: false
mobileconfig_info:
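Review bot: The fix's sed, `s/.^Ciphers.*/Ciphers aes256-ctr,aes192-ctr,aes128-ctr/`, never matches a real line because a `^` that is not the first character of a basic regex is a literal caret on macOS sed, so whenever `grep -q '^Ciphers'` succeeds the existing cipher list is left unchanged and the echo branch is skipped. Change it to `s/^Ciphers.*/Ciphers aes256-ctr,aes192-ctr,aes128-ctr/`. The first discussion sentence still says `SSH _MUST_ be configured…` while the title and the sibling MACs rule say SSHD; align it so the server/client split this commit introduces is visible in the prose.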


@@ -0,0 +1,38 @@
id: os_sshd_fips_140_macs
title: "Limit SSHD to FIPS 140 Validated Message Authentication Code Algorithms"
discussion: |
SSHD _MUST_ be configured to limit the Message Authentication Codes (MACs) to algorithms that are FIPS 140 validated.
FIPS 140-2 is the current standard for validating that mechanisms used to access cryptographic modules utilize authentication that meets federal requirements.
Operating systems utilizing encryption _MUST_ use FIPS validated mechanisms for authenticating to cryptographic modules.
NOTE: /etc/ssh/sshd_config will be automatically modified to its original state following any update or major upgrade to the operating system.
check: |
/usr/bin/grep -c "^MACs hmac-sha2-256,hmac-sha2-512" /etc/ssh/sshd_config
result:
integer: 1
fix: |
[source,bash]
----
/usr/bin/grep -q '^MACs' /etc/ssh/sshd_config && /usr/bin/sed -i.bak 's/.*MACs.*/MACs hmac-sha2-256,hmac-sha2-512/' /etc/ssh/sshd_config || /bin/echo 'MACs hmac-sha2-256,hmac-sha2-512' >> /etc/ssh/sshd_config; /bin/launchctl kickstart -k system/com.openssh.sshd
----
references:
cce:
- N/A
cci:
- CCI-001133
800-53r4:
- N/A
srg:
- SRG-OS-000163-GPOS-00072
disa_stig:
- AOSX-15-000053
800-171r2:
- N/A
macOS:
- "11.0"
tags:
- STIG
mobileconfig: false
mobileconfig_info:
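Review bot: The fix's sed, `s/.*MACs.*/MACs hmac-sha2-256,hmac-sha2-512/`, is not anchored to the directive and will also rewrite any commented `#   MACs …` example line in sshd_config into a second active directive, after which the check can still count 1 while sshd honours whichever line comes first. Anchor it as `s/^MACs.*/MACs hmac-sha2-256,hmac-sha2-512/`, matching the `grep -q '^MACs'` gate and the `^MACs` check.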


@@ -1,7 +1,7 @@
id: os_ssh_login_grace_time_configure
id: os_sshd_login_grace_time_configure
title: "Set Login Grace Time to 30 or Less"
discussion: |
SSH _MUST_ be configured to wait only 30 seconds before timing out logon attempts.
SSHD _MUST_ be configured to wait only 30 seconds before timing out logon attempts.
NOTE: /etc/ssh/sshd_config will be automatically modified to its original state following any update or major upgrade to the operating system.
check: |
@@ -19,20 +19,16 @@ references:
cci:
- CCI-001133
800-53r4:
- SC-10
- N/A
srg:
- SRG-OS-000163-GPOS-00072
disa_stig:
- AOSX-15-000053
800-171r2:
- 3.13.9
- N/A
macOS:
- "11.0"
tags:
- 800-171
- cnssi-1253
- 800-53r4_moderate
- 800-53r4_high
- STIG
mobileconfig: false
mobileconfig_info:


@@ -1,4 +1,4 @@
id: os_ssh_permit_root_login_configure
id: os_sshd_permit_root_login_configure
title: "Disable Root Login for SSH"
discussion: |
To assure individual accountability and prevent unauthorized access, logging in as root via SSH _MUST_ be disabled.
@@ -22,7 +22,7 @@ references:
cci:
- CCI-000770
800-53r4:
- IA-2(5)
- N/A
srg:
- SRG-OS-000109-GPOS-00056
disa_stig:


@@ -1,5 +1,5 @@
id: sysprefs_ssh_disable
title: "Disable SSH for Remote Access Sessions"
title: "Disable SSH Server for Remote Access Sessions"
discussion: |
SSH service _MUST_ be disabled for remote access.
@@ -17,50 +17,15 @@ references:
cce:
- CCE-85447-1
cci:
- CCI-001941
- CCI-001942
- CCI-002890
- CCI-002420
- CCI-002421
- CCI-002422
- CCI-003123
- CCI-001453
- CCI-000068
- CCI-002418
- N/A
800-53r4:
- AC-17(2)
- AC-17(4)
- IA-2(8)
- IA-2(9)
- MA-4(6)
- MA-4
- SC-8
- SC-8(1)
- SC-8(2)
- N/A
srg:
- SRG-OS-000393-GPOS-00173
- SRG-OS-000394-GPOS-00174
- SRG-OS-000112-GPOS-00057
- SRG-OS-000113-GPOS-00058
- SRG-OS-000033-GPOS-00014
- SRG-OS-000423-GPOS-00187
- SRG-OS-000424-GPOS-00188
- SRG-OS-000425-GPOS-00189
- SRG-OS-000426-GPOS-00190
- SRG-OS-000033-GPOS-00014
- SRG-OS-000250-GPOS-00093
- N/A
disa_stig:
- AOSX-15-000040
- AOSX-15-004011
- AOSX-15-004010
- AOSX-15-000011
- AOSX-15-000010
- N/A
800-171r2:
- 3.1.13
- 3.1.15
- 3.5.4
- 3.7.5
- 3.13.8
- N/A
macOS:
- "11.0"
tags:


@@ -0,0 +1,55 @@
id: sysprefs_ssh_enable
title: "Enable SSH Server for Remote Access Sessions"
discussion: |
SSH service _MUST_ be enabled for remote access.
check: |
/bin/launchctl print-disabled system | /usr/bin/grep -c '"com.openssh.sshd" => true'
result:
integer: 1
fix: |
[source,bash]
----
/bin/launchctl disable system/com.openssh.sshd
----
references:
cce:
- CCE-85447-1
cci:
- CCI-001941
- CCI-001942
- CCI-002890
- CCI-002420
- CCI-002421
- CCI-002422
- CCI-003123
- CCI-001453
- CCI-000068
- CCI-002418
800-53r4:
- N/A
srg:
- SRG-OS-000393-GPOS-00173
- SRG-OS-000394-GPOS-00174
- SRG-OS-000112-GPOS-00057
- SRG-OS-000113-GPOS-00058
- SRG-OS-000033-GPOS-00014
- SRG-OS-000423-GPOS-00187
- SRG-OS-000424-GPOS-00188
- SRG-OS-000425-GPOS-00189
- SRG-OS-000426-GPOS-00190
- SRG-OS-000033-GPOS-00014
- SRG-OS-000250-GPOS-00093
disa_stig:
- AOSX-15-000040
- AOSX-15-004011
- AOSX-15-004010
- AOSX-15-000011
- AOSX-15-000010
800-171r2:
- N/A
macOS:
- "11.0"
tags:
- STIG
mobileconfig: false
mobileconfig_info:
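Review bot: The check and fix enforce the opposite of the title: `/bin/launchctl print-disabled system | /usr/bin/grep -c '"com.openssh.sshd" => true'` counts the service as disabled, and the fix runs `/bin/launchctl disable system/com.openssh.sshd`, so applying this "enable" rule turns sshd off and then reports compliance; both lines appear to have been copied unchanged from sysprefs_ssh_disable, and one baseline in this commit swaps that rule for this one. The fix should be `/bin/launchctl enable system/com.openssh.sshd` and the check should assert the enabled state; whether print-disabled lists a never-disabled service as `=> false` or omits it needs confirming on a Big Sur host, so the safer form is to keep grepping for `=> true` and set the expected result to `integer: 0`. The rule also keeps CCE-85447-1, which sysprefs_ssh_disable still carries, so two opposite controls now share one CCE.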