diff --git a/baselines/800-171.yaml b/baselines/800-171.yaml index 6e543411..c7bc68c8 100644 --- a/baselines/800-171.yaml +++ b/baselines/800-171.yaml @@ -32,7 +32,7 @@ profile: - section: "macos" rules: - os_firewall_default_deny_require - - os_ssh_client_alive_count_max_configure + - os_ssh_server_alive_count_max_configure - os_firmware_password_require - os_gatekeeper_rearm - os_root_disable @@ -48,7 +48,6 @@ profile: - os_password_autofill_disable - os_password_sharing_disable - os_ssh_fips_140_ciphers - - os_ssh_login_grace_time_configure - os_uucp_disable - os_policy_banner_loginwindow_enforce - os_touchid_prompt_disable @@ -76,7 +75,7 @@ profile: - os_icloud_storage_prompt_disable - os_ir_support_disable - os_mail_app_disable - - os_ssh_client_alive_interval_configure + - os_ssh_server_alive_interval_configure - os_bonjour_disable - os_calendar_app_disable - section: "passwordpolicy" diff --git a/baselines/800-53_high.yaml b/baselines/800-53_high.yaml index 2b0a07a5..0ec40c68 100644 --- a/baselines/800-53_high.yaml +++ b/baselines/800-53_high.yaml @@ -36,7 +36,7 @@ profile: - section: "macos" rules: - os_firewall_default_deny_require - - os_ssh_client_alive_count_max_configure + - os_ssh_server_alive_count_max_configure - os_firmware_password_require - os_gatekeeper_rearm - os_root_disable @@ -52,7 +52,6 @@ profile: - os_password_autofill_disable - os_password_sharing_disable - os_ssh_fips_140_ciphers - - os_ssh_login_grace_time_configure - os_secure_boot_verify - os_uucp_disable - os_policy_banner_loginwindow_enforce @@ -83,7 +82,7 @@ profile: - os_icloud_storage_prompt_disable - os_ir_support_disable - os_mail_app_disable - - os_ssh_client_alive_interval_configure + - os_ssh_server_alive_interval_configure - os_bonjour_disable - os_calendar_app_disable - section: "passwordpolicy" diff --git a/baselines/800-53_moderate.yaml b/baselines/800-53_moderate.yaml index 75d318bf..65f3d7c5 100644 --- a/baselines/800-53_moderate.yaml 
+++ b/baselines/800-53_moderate.yaml @@ -34,7 +34,7 @@ profile: - section: "macos" rules: - os_firewall_default_deny_require - - os_ssh_client_alive_count_max_configure + - os_ssh_server_alive_count_max_configure - os_firmware_password_require - os_gatekeeper_rearm - os_root_disable @@ -49,7 +49,6 @@ profile: - os_password_autofill_disable - os_password_sharing_disable - os_ssh_fips_140_ciphers - - os_ssh_login_grace_time_configure - os_uucp_disable - os_policy_banner_loginwindow_enforce - os_touchid_prompt_disable @@ -79,7 +78,7 @@ profile: - os_icloud_storage_prompt_disable - os_ir_support_disable - os_mail_app_disable - - os_ssh_client_alive_interval_configure + - os_ssh_server_alive_interval_configure - os_bonjour_disable - os_calendar_app_disable - section: "passwordpolicy" diff --git a/baselines/all_rules.yaml b/baselines/all_rules.yaml index aad55135..e5ff8984 100644 --- a/baselines/all_rules.yaml +++ b/baselines/all_rules.yaml @@ -37,7 +37,7 @@ profile: - section: "macos" rules: - os_firewall_default_deny_require - - os_ssh_client_alive_count_max_configure + - os_ssh_server_alive_count_max_configure - os_firmware_password_require - os_gatekeeper_rearm - os_root_disable @@ -53,7 +53,7 @@ profile: - os_password_autofill_disable - os_password_sharing_disable - os_ssh_fips_140_ciphers - - os_ssh_login_grace_time_configure + - os_sshd_login_grace_time_configure - os_privacy_setup_prompt_disable - os_secure_boot_verify - os_sudoers_tty_configure 
@@ -86,12 +86,16 @@ profile: - os_camera_disable - os_guest_access_afp_disable - os_icloud_storage_prompt_disable - - os_ssh_permit_root_login_configure + - os_sshd_permit_root_login_configure - os_ir_support_disable - os_mail_app_disable - - os_ssh_client_alive_interval_configure + - os_ssh_server_alive_interval_configure - os_bonjour_disable - os_calendar_app_disable + - os_sshd_client_alive_count_max_configure + - os_sshd_client_alive_interval_configure + - os_sshd_fips_140_ciphers + - os_sshd_fips_140_macs - section: "passwordpolicy" rules: - pwpolicy_account_inactivity_enforce @@ -127,6 +131,7 @@ profile: - sysprefs_internet_sharing_disable - sysprefs_rae_disable - sysprefs_ssh_enable + - sysprefs_ssh_disable - sysprefs_media_sharing_disabled - sysprefs_screensaver_password_enforce - sysprefs_gatekeeper_identified_developers_allowed diff --git a/baselines/cnssi-1253.yaml b/baselines/cnssi-1253.yaml index 8a58ed77..c8c48dfd 100644 --- a/baselines/cnssi-1253.yaml +++ b/baselines/cnssi-1253.yaml @@ -34,7 +34,7 @@ profile: - section: "macos" rules: - os_firewall_default_deny_require - - os_ssh_client_alive_count_max_configure + - os_ssh_server_alive_count_max_configure - os_firmware_password_require - os_gatekeeper_rearm - os_root_disable @@ -49,7 +49,6 @@ profile: - os_password_autofill_disable - os_password_sharing_disable - os_ssh_fips_140_ciphers - - os_ssh_login_grace_time_configure - os_sudoers_tty_configure - os_uucp_disable - os_policy_banner_loginwindow_enforce @@ -79,7 +78,7 @@ profile: - os_icloud_storage_prompt_disable - os_ir_support_disable - os_mail_app_disable - - os_ssh_client_alive_interval_configure + - os_ssh_server_alive_interval_configure - os_bonjour_disable - os_calendar_app_disable - section: "passwordpolicy" diff --git a/rules/os/os_required_crypto_module.yaml b/rules/os/os_required_crypto_module.yaml index 33e14442..7477be81 100644 --- a/rules/os/os_required_crypto_module.yaml +++ b/rules/os/os_required_crypto_module.yaml 
@@ -7,7 +7,7 @@ discussion: | MacOS Big Sur is in process of testing from an accredited laboratory to submit the National Institute of Standards and Technology (NIST) for FIPS validation. - link:https://csrc.nist.gov/Projects/Cryptographic-Module-Validation-Program/Modules-In-Process/Modules-In-Process-List[] + link:https://csrc.nist.gov/Projects/cryptographic-module-validation-program/modules-in-process/IUT-List[] link:https://support.apple.com/en-us/HT201159[] check: | diff --git a/rules/os/os_root_disable.yaml b/rules/os/os_root_disable.yaml index 16bd3551..cc41e762 100644 --- a/rules/os/os_root_disable.yaml +++ b/rules/os/os_root_disable.yaml @@ -20,6 +20,7 @@ references: - N/A 800-53r4: - IA-2 + - IA-2(5) 800-171r2: - 3.5.1 - 3.5.2 diff --git a/rules/os/os_ssh_fips_140_ciphers.yaml b/rules/os/os_ssh_fips_140_ciphers.yaml index 33a7ef4c..63ffed56 100644 --- a/rules/os/os_ssh_fips_140_ciphers.yaml +++ b/rules/os/os_ssh_fips_140_ciphers.yaml 
@@ -9,28 +9,28 @@ discussion: | NOTE: /etc/ssh/sshd_config will be automatically modified to its original state following any update or major upgrade to the operating system. check: | - /usr/bin/grep -c "^Ciphers aes256-ctr,aes192-ctr,aes128-ctr" /etc/ssh/sshd_config + /usr/bin/grep -c "^Ciphers aes256-ctr,aes192-ctr,aes128-ctr" /etc/ssh/ssh_config result: integer: 1 fix: | [source,bash] ---- - /usr/bin/grep -q '^Ciphers' /etc/ssh/sshd_config && /usr/bin/sed -i.bak 's/.^Ciphers.*/Ciphers aes256-ctr,aes192-ctr,aes128-ctr/' /etc/ssh/sshd_config || /bin/echo 'Ciphers aes256-ctr,aes192-ctr,aes128-ctr' >> /etc/ssh/sshd_config; /bin/launchctl kickstart -k system/com.openssh.sshd + /usr/bin/grep -q '^Ciphers' /etc/ssh/ssh_config && /usr/bin/sed -i.bak 's/.^Ciphers.*/Ciphers aes256-ctr,aes192-ctr,aes128-ctr/' /etc/ssh/ssh_config || /bin/echo 'Ciphers aes256-ctr,aes192-ctr,aes128-ctr' >> /etc/ssh/ssh_config ---- references: cce: - CCE-85382-0 cci: - - CCI-001133 + - N/A 800-53r4: - AC-17(2) - IA-7 - SC-8(1) - SC-13 srg: - - SRG-OS-000163-GPOS-00072 + - N/A disa_stig: - - AOSX-15-000053 + - N/A 800-171r2: - 3.1.13 - 3.13.8 diff --git a/rules/os/os_ssh_fips_140_macs.yaml b/rules/os/os_ssh_fips_140_macs.yaml index b0507667..490c1e02 100644 --- a/rules/os/os_ssh_fips_140_macs.yaml +++ b/rules/os/os_ssh_fips_140_macs.yaml 
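Review bot: The sed expression on the new `fix` line, `'s/.^Ciphers.*/Ciphers aes256-ctr,aes192-ctr,aes128-ctr/'`, requires some character followed by a literal `^`, so it will not match an ordinary `Ciphers` line. When `grep -q '^Ciphers'` succeeds, sed exits 0 without changing anything and the `||` append never runs, so a non-compliant cipher list stays in place while the fix reports success. I would anchor it as `'s/^Ciphers.*/Ciphers aes256-ctr,aes192-ctr,aes128-ctr/'`. The unchanged NOTE line above `check:` still names /etc/ssh/sshd_config although the rule now edits /etc/ssh/ssh_config. The same sed pattern is copied into the new rules/os/os_sshd_fips_140_ciphers.yaml.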
@@ -7,30 +7,30 @@ discussion: | Operating systems utilizing encryption _MUST_ use FIPS validated mechanisms for authenticating to cryptographic modules. - NOTE: /etc/ssh/sshd_config will be automatically modified to its original state following any update or major upgrade to the operating system. + NOTE: /etc/ssh/ssh_config will be automatically modified to its original state following any update or major upgrade to the operating system. check: | - /usr/bin/grep -c "^MACs hmac-sha2-256,hmac-sha2-512" /etc/ssh/sshd_config + /usr/bin/grep -c "^MACs hmac-sha2-256,hmac-sha2-512" /etc/ssh/ssh_config result: integer: 1 fix: | [source,bash] ---- - /usr/bin/grep -q '^MACs' /etc/ssh/sshd_config && /usr/bin/sed -i.bak 's/.*MACs.*/MACs hmac-sha2-256,hmac-sha2-512/' /etc/ssh/sshd_config || /bin/echo 'MACs hmac-sha2-256,hmac-sha2-512' >> /etc/ssh/sshd_config; /bin/launchctl kickstart -k system/com.openssh.sshd + /usr/bin/grep -q '^MACs' /etc/ssh/ssh_config && /usr/bin/sed -i.bak 's/.*MACs.*/MACs hmac-sha2-256,hmac-sha2-512/' /etc/ssh/ssh_config || /bin/echo 'MACs hmac-sha2-256,hmac-sha2-512' >> /etc/ssh/ssh_config ---- references: cce: - CCE-85383-8 cci: - - CCI-001133 + - N/A 800-53r4: - AC-17(2) - IA-7 - SC-8(1) - SC-13 srg: - - SRG-OS-000163-GPOS-00072 + - N/A disa_stig: - - AOSX-15-000053 + - N/A 800-171r2: - 3.1.13 - 3.13.8 diff --git a/rules/os/os_ssh_client_alive_count_max_configure.yaml b/rules/os/os_ssh_server_alive_count_max_configure.yaml similarity index 55% rename from rules/os/os_ssh_client_alive_count_max_configure.yaml rename to rules/os/os_ssh_server_alive_count_max_configure.yaml index d3684593..e7ab0166 100644 --- a/rules/os/os_ssh_client_alive_count_max_configure.yaml +++ b/rules/os/os_ssh_server_alive_count_max_configure.yaml 
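Review bot: The replacement pattern `.*MACs.*` on the new `fix` line is not anchored, so once an active `MACs` line exists sed also rewrites every other line that mentions MACs, commented examples included. That would leave several identical `MACs` directives, and the `check` (`grep -c` with `integer: 1`) would then count more than one and fail after remediation. Anchoring it as `'s/^MACs.*/MACs hmac-sha2-256,hmac-sha2-512/'` keeps fix and check consistent. Whether the shipped ssh_config carries such a commented line should be confirmed on a test system. The new rules/os/os_sshd_fips_140_macs.yaml uses the same pattern.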
@@ -1,29 +1,29 @@ -id: os_ssh_client_alive_count_max_configure -title: "Set SSH Active Client Alive Maximum to Zero" +id: os_ssh_server_alive_count_max_configure +title: "Set SSH Active Server Alive Maximum to Zero" discussion: | - SSH _MUST_ be configured with an Active Client Alive Maximum Count set to zero. Terminating an idle session within a short time period reduces the window of opportunity for unauthorized personnel to take control of a management session enabled on the console or console port that has been left unattended. In addition, quickly terminating an idle session or an incomplete login attempt will also free up resources committed by the managed network element. + SSH _MUST_ be configured with an Active Server Alive Maximum Count set to zero. Terminating an idle session within a short time period reduces the window of opportunity for unauthorized personnel to take control of a management session enabled on the console or console port that has been left unattended. In addition, quickly terminating an idle session or an incomplete login attempt will also free up resources committed by the managed network element. - NOTE: /etc/ssh/sshd_config will be automatically modified to its original state following any update or major upgrade to the operating system. + NOTE: /etc/ssh/ssh_config will be automatically modified to its original state following any update or major upgrade to the operating system. 
check: | - /usr/bin/grep -c "^ClientAliveCountMax 0" /etc/ssh/sshd_config + /usr/bin/grep -c "^ServerAliveCountMax 0" /etc/ssh/ssh_config result: integer: 1 fix: | [source,bash] ---- - /usr/bin/sed -i.bak 's/.*ClientAliveCountMax.*/ClientAliveCountMax 0/' /etc/ssh/sshd_config; /bin/launchctl kickstart -k system/com.openssh.sshd + /usr/bin/sed -i.bak 's/.*ServerAliveCountMax.*/ServerAliveCountMax 0/' /etc/ssh/ssh_config ---- references: cce: - CCE-85380-4 cci: - - CCI-001133 + - N/A 800-53r4: - SC-10 srg: - - SRG-OS-000163-GPOS-00072 + - N/A disa_stig: - - AOSX-15-000052 + - N/A 800-171r2: - 3.13.9 macOS: diff --git a/rules/os/os_ssh_server_alive_interval_configure.yaml b/rules/os/os_ssh_server_alive_interval_configure.yaml new file mode 100644 index 00000000..031b1674 --- /dev/null +++ b/rules/os/os_ssh_server_alive_interval_configure.yaml @@ -0,0 +1,40 @@ +id: os_ssh_server_alive_interval_configure +title: "Configure SSH ServerAliveInterval option set to 900 or less" +discussion: | + SSH _MUST_ be configured with an Active Server Alive Maximum Count set to 900 or less. + + Setting the Active Server Alive Maximum Count to 900 (second) will log users out after a 15-minute interval of inactivity. + + NOTE: /etc/ssh/ssh_config will be automatically modified to its original state following any update or major upgrade to the operating system. +check: | + /usr/bin/grep -c "^ServerAliveInterval 900" /etc/ssh/ssh_config +result: + integer: 1 +fix: | + [source,bash] + ---- + /usr/bin/sed -i.bak 's/.*ServerAliveInterval.*/ServerAliveInterval 900/' /etc/ssh/ssh_config + ---- +references: + cce: + - CCE-85381-2 + cci: + - N/A + 800-53r4: + - SC-10 + srg: + - N/A + disa_stig: + - N/A + 800-171r2: + - 3.13.9 +macOS: + - "11.0" +tags: + - 800-171 + - cnssi-1253 + - 800-53r4_moderate + - 800-53r4_high + - STIG +mobileconfig: false +mobileconfig_info: \ No newline at end of file 
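Review bot: The new `fix` in os_ssh_server_alive_count_max_configure.yaml is sed-only, so it changes nothing when /etc/ssh/ssh_config has no line mentioning `ServerAliveCountMax`, and the `check` keeps returning 0 after remediation. The ciphers and MACs rules already cover that case with a grep-or-append form, which would fit here: `/usr/bin/grep -q '^ServerAliveCountMax' /etc/ssh/ssh_config && /usr/bin/sed -i.bak 's/^ServerAliveCountMax.*/ServerAliveCountMax 0/' /etc/ssh/ssh_config || /bin/echo 'ServerAliveCountMax 0' >> /etc/ssh/ssh_config`. Separately, the discussion's idle-session rationale was written for the sshd ClientAlive options. ServerAliveCountMax governs how many unanswered keepalives the client tolerates, so the text should be re-checked against ssh_config(5). The new os_ssh_server_alive_interval_configure.yaml has the same sed-only fix.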
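Review bot: The `check` in os_ssh_server_alive_interval_configure.yaml greps for exactly `^ServerAliveInterval 900`, while the title and discussion allow "900 or less", so a stricter value such as 600 is reported as a finding. Either word the rule as requiring exactly 900 or compare the configured number, for example `/usr/bin/awk '/^ServerAliveInterval/ {print ($2 > 0 && $2 <= 900)}' /etc/ssh/ssh_config`, keeping `integer: 1` as the expected result. The discussion also calls the option "Active Server Alive Maximum Count" twice where it means the interval.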
diff --git a/rules/os/os_sshd_client_alive_count_max_configure.yaml b/rules/os/os_sshd_client_alive_count_max_configure.yaml new file mode 100644 index 00000000..e87a0cd6 --- /dev/null +++ b/rules/os/os_sshd_client_alive_count_max_configure.yaml @@ -0,0 +1,34 @@ +id: os_sshd_client_alive_count_max_configure +title: "Set SSHD Active Client Alive Maximum to Zero" +discussion: | + SSHD _MUST_ be configured with an Active Client Alive Maximum Count set to zero. Terminating an idle session within a short time period reduces the window of opportunity for unauthorized personnel to take control of a management session enabled on the console or console port that has been left unattended. In addition, quickly terminating an idle session or an incomplete login attempt will also free up resources committed by the managed network element. + + NOTE: /etc/ssh/sshd_config will be automatically modified to its original state following any update or major upgrade to the operating system. +check: | + /usr/bin/grep -c "^ClientAliveCountMax 0" /etc/ssh/sshd_config +result: + integer: 1 +fix: | + [source,bash] + ---- + /usr/bin/sed -i.bak 's/.*ClientAliveCountMax.*/ClientAliveCountMax 0/' /etc/ssh/sshd_config; /bin/launchctl kickstart -k system/com.openssh.sshd + ---- +references: + cce: + - N/A + cci: + - CCI-001133 + 800-53r4: + - N/A + srg: + - SRG-OS-000163-GPOS-00072 + disa_stig: + - AOSX-15-000052 + 800-171r2: + - N/A +macOS: + - "11.0" +tags: + - STIG +mobileconfig: false +mobileconfig_info: \ No newline at end of file diff --git a/rules/os/os_ssh_client_alive_interval_configure.yaml b/rules/os/os_sshd_client_alive_interval_configure.yaml similarity index 71% rename from rules/os/os_ssh_client_alive_interval_configure.yaml rename to rules/os/os_sshd_client_alive_interval_configure.yaml index f8dfc3e8..0473c961 100644 --- a/rules/os/os_ssh_client_alive_interval_configure.yaml +++ b/rules/os/os_sshd_client_alive_interval_configure.yaml 
@@ -1,7 +1,7 @@ -id: os_ssh_client_alive_interval_configure -title: "Configure SSH ClientAliveInterval option set to 900 or less" +id: os_sshd_client_alive_interval_configure +title: "Configure SSHD ClientAliveInterval option set to 900 or less" discussion: | - SSH _MUST_ be configured with an Active Client Alive Maximum Count set to 900 or less. + SSHD _MUST_ be configured with an Active Client Alive Maximum Count set to 900 or less. Setting the Active Client Alive Maximum Count to 900 (second) will log users out after a 15-minute interval of inactivity. @@ -17,24 +17,20 @@ fix: | ---- references: cce: - - CCE-85381-2 + - N/A cci: - CCI-001133 800-53r4: - - SC-10 + - N/A srg: - SRG-OS-000163-GPOS-00072 disa_stig: - AOSX-15-000051 800-171r2: - - 3.13.9 + - N/A macOS: - "11.0" tags: - - 800-171 - - cnssi-1253 - - 800-53r4_moderate - - 800-53r4_high - STIG mobileconfig: false mobileconfig_info: \ No newline at end of file diff --git a/rules/os/os_sshd_fips_140_ciphers.yaml b/rules/os/os_sshd_fips_140_ciphers.yaml new file mode 100644 index 00000000..4b26c9ee --- /dev/null +++ b/rules/os/os_sshd_fips_140_ciphers.yaml 
@@ -0,0 +1,38 @@ +id: os_sshd_fips_140_ciphers +title: "Limit SSHD to FIPS 140 Validated Ciphers" +discussion: | + SSH _MUST_ be configured to limit the ciphers to algorithms that are FIPS 140 validated. + + FIPS 140-2 is the current standard for validating that mechanisms used to access cryptographic modules utilize authentication that meet federal requirements. + + Operating systems utilizing encryption _MUST_ use FIPS validated mechanisms for authenticating to cryptographic modules. + + NOTE: /etc/ssh/sshd_config will be automatically modified to its original state following any update or major upgrade to the operating system. +check: | + /usr/bin/grep -c "^Ciphers aes256-ctr,aes192-ctr,aes128-ctr" /etc/ssh/sshd_config +result: + integer: 1 +fix: | + [source,bash] + ---- + /usr/bin/grep -q '^Ciphers' /etc/ssh/sshd_config && /usr/bin/sed -i.bak 's/.^Ciphers.*/Ciphers aes256-ctr,aes192-ctr,aes128-ctr/' /etc/ssh/sshd_config || /bin/echo 'Ciphers aes256-ctr,aes192-ctr,aes128-ctr' >> /etc/ssh/sshd_config; /bin/launchctl kickstart -k system/com.openssh.sshd + ---- +references: + cce: + - N/A + cci: + - CCI-001133 + 800-53r4: + - N/A + srg: + - SRG-OS-000163-GPOS-00072 + disa_stig: + - AOSX-15-000053 + 800-171r2: + - N/A +macOS: + - "11.0" +tags: + - STIG +mobileconfig: false +mobileconfig_info: \ No newline at end of file diff --git a/rules/os/os_sshd_fips_140_macs.yaml b/rules/os/os_sshd_fips_140_macs.yaml new file mode 100644 index 00000000..e715ede6 --- /dev/null +++ b/rules/os/os_sshd_fips_140_macs.yaml 
@@ -0,0 +1,38 @@ +id: os_sshd_fips_140_macs +title: "Limit SSHD to FIPS 140 Validated Message Authentication Code Algorithms" +discussion: | + SSHD _MUST_ be configured to limit the Message Authentication Codes (MACs) to algorithms that are FIPS 140 validated. + + FIPS 140-2 is the current standard for validating that mechanisms used to access cryptographic modules utilize authentication that meets federal requirements. + + Operating systems utilizing encryption _MUST_ use FIPS validated mechanisms for authenticating to cryptographic modules. + + NOTE: /etc/ssh/sshd_config will be automatically modified to its original state following any update or major upgrade to the operating system. +check: | + /usr/bin/grep -c "^MACs hmac-sha2-256,hmac-sha2-512" /etc/ssh/sshd_config +result: + integer: 1 +fix: | + [source,bash] + ---- + /usr/bin/grep -q '^MACs' /etc/ssh/sshd_config && /usr/bin/sed -i.bak 's/.*MACs.*/MACs hmac-sha2-256,hmac-sha2-512/' /etc/ssh/sshd_config || /bin/echo 'MACs hmac-sha2-256,hmac-sha2-512' >> /etc/ssh/sshd_config; /bin/launchctl kickstart -k system/com.openssh.sshd + ---- +references: + cce: + - N/A + cci: + - CCI-001133 + 800-53r4: + - N/A + srg: + - SRG-OS-000163-GPOS-00072 + disa_stig: + - AOSX-15-000053 + 800-171r2: + - N/A +macOS: + - "11.0" +tags: + - STIG +mobileconfig: false +mobileconfig_info: \ No newline at end of file diff --git a/rules/os/os_ssh_login_grace_time_configure.yaml b/rules/os/os_sshd_login_grace_time_configure.yaml similarity index 76% rename from rules/os/os_ssh_login_grace_time_configure.yaml rename to rules/os/os_sshd_login_grace_time_configure.yaml index 7818314e..51fcc4bd 100644 --- a/rules/os/os_ssh_login_grace_time_configure.yaml +++ b/rules/os/os_sshd_login_grace_time_configure.yaml 
@@ -1,7 +1,7 @@ -id: os_ssh_login_grace_time_configure +id: os_sshd_login_grace_time_configure title: "Set Login Grace Time to 30 or Less" discussion: | - SSH _MUST_ be configured to wait only 30 seconds before timing out logon attempts. + SSHD _MUST_ be configured to wait only 30 seconds before timing out logon attempts. NOTE: /etc/ssh/sshd_config will be automatically modified to its original state following any update or major upgrade to the operating system. check: | @@ -19,20 +19,16 @@ references: cci: - CCI-001133 800-53r4: - - SC-10 + - N/A srg: - SRG-OS-000163-GPOS-00072 disa_stig: - AOSX-15-000053 800-171r2: - - 3.13.9 + - N/A macOS: - "11.0" tags: - - 800-171 - - cnssi-1253 - - 800-53r4_moderate - - 800-53r4_high - STIG mobileconfig: false mobileconfig_info: \ No newline at end of file diff --git a/rules/os/os_ssh_permit_root_login_configure.yaml b/rules/os/os_sshd_permit_root_login_configure.yaml similarity index 95% rename from rules/os/os_ssh_permit_root_login_configure.yaml rename to rules/os/os_sshd_permit_root_login_configure.yaml index 01aa63b3..042e98a5 100644 --- a/rules/os/os_ssh_permit_root_login_configure.yaml +++ b/rules/os/os_sshd_permit_root_login_configure.yaml @@ -1,4 +1,4 @@ -id: os_ssh_permit_root_login_configure +id: os_sshd_permit_root_login_configure title: "Disable Root Login for SSH" discussion: | To assure individual accountability and prevent unauthorized access, logging in as root via SSH _MUST_ be disabled. @@ -22,7 +22,7 @@ references: cci: - CCI-000770 800-53r4: - - IA-2(5) + - N/A srg: - SRG-OS-000109-GPOS-00056 disa_stig: diff --git a/rules/sysprefs/sysprefs_ssh_disable.yaml b/rules/sysprefs/sysprefs_ssh_disable.yaml index be01ff8b..038ecc37 100644 --- a/rules/sysprefs/sysprefs_ssh_disable.yaml +++ b/rules/sysprefs/sysprefs_ssh_disable.yaml 
@@ -1,5 +1,5 @@ id: sysprefs_ssh_disable -title: "Disable SSH for Remote Access Sessions" +title: "Disable SSH Server for Remote Access Sessions" discussion: | SSH service _MUST_ be disabled for remote access. @@ -17,50 +17,15 @@ references: cce: - CCE-85447-1 cci: - - CCI-001941 - - CCI-001942 - - CCI-002890 - - CCI-002420 - - CCI-002421 - - CCI-002422 - - CCI-003123 - - CCI-001453 - - CCI-000068 - - CCI-002418 + - N/A 800-53r4: - - AC-17(2) - - AC-17(4) - - IA-2(8) - - IA-2(9) - - MA-4(6) - - MA-4 - - SC-8 - - SC-8(1) - - SC-8(2) + - N/A srg: - - SRG-OS-000393-GPOS-00173 - - SRG-OS-000394-GPOS-00174 - - SRG-OS-000112-GPOS-00057 - - SRG-OS-000113-GPOS-00058 - - SRG-OS-000033-GPOS-00014 - - SRG-OS-000423-GPOS-00187 - - SRG-OS-000424-GPOS-00188 - - SRG-OS-000425-GPOS-00189 - - SRG-OS-000426-GPOS-00190 - - SRG-OS-000033-GPOS-00014 - - SRG-OS-000250-GPOS-00093 + - N/A disa_stig: - - AOSX-15-000040 - - AOSX-15-004011 - - AOSX-15-004010 - - AOSX-15-000011 - - AOSX-15-000010 + - N/A 800-171r2: - - 3.1.13 - - 3.1.15 - - 3.5.4 - - 3.7.5 - - 3.13.8 + - N/A macOS: - "11.0" tags: diff --git a/rules/sysprefs/sysprefs_ssh_enable.yaml b/rules/sysprefs/sysprefs_ssh_enable.yaml new file mode 100644 index 00000000..281a56ee --- /dev/null +++ b/rules/sysprefs/sysprefs_ssh_enable.yaml 
@@ -0,0 +1,55 @@ +id: sysprefs_ssh_enable +title: "Enable SSH Server for Remote Access Sessions" +discussion: | + SSH service _MUST_ be enabled for remote access. +check: | + /bin/launchctl print-disabled system | /usr/bin/grep -c '"com.openssh.sshd" => true' +result: + integer: 1 +fix: | + [source,bash] + ---- + /bin/launchctl disable system/com.openssh.sshd + ---- +references: + cce: + - CCE-85447-1 + cci: + - CCI-001941 + - CCI-001942 + - CCI-002890 + - CCI-002420 + - CCI-002421 + - CCI-002422 + - CCI-003123 + - CCI-001453 + - CCI-000068 + - CCI-002418 + 800-53r4: + - N/A + srg: + - SRG-OS-000393-GPOS-00173 + - SRG-OS-000394-GPOS-00174 + - SRG-OS-000112-GPOS-00057 + - SRG-OS-000113-GPOS-00058 + - SRG-OS-000033-GPOS-00014 + - SRG-OS-000423-GPOS-00187 + - SRG-OS-000424-GPOS-00188 + - SRG-OS-000425-GPOS-00189 + - SRG-OS-000426-GPOS-00190 + - SRG-OS-000033-GPOS-00014 + - SRG-OS-000250-GPOS-00093 + disa_stig: + - AOSX-15-000040 + - AOSX-15-004011 + - AOSX-15-004010 + - AOSX-15-000011 + - AOSX-15-000010 + 800-171r2: + - N/A +macOS: + - "11.0" +tags: + - STIG +mobileconfig: false +mobileconfig_info: \ No newline at end of file
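Review bot: Both the `check` and the `fix` in this new rule appear to be carried over from the disable rule and do the opposite of the title. The check counts `"com.openssh.sshd" => true` in `launchctl print-disabled`, which is the disabled state, and the fix runs `/bin/launchctl disable system/com.openssh.sshd`. A host with sshd turned off therefore passes, and remediation switches sshd off on a system that is meant to offer it. I would check for `'"com.openssh.sshd" => false'` and use `/bin/launchctl enable system/com.openssh.sshd` in the fix; whether the service must also be started should be confirmed. The `cce` value CCE-85447-1 is also the one sysprefs_ssh_disable.yaml keeps, so one of the two rules needs a different identifier or `N/A`.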