Merge branch 'dev_sequoia_issue468' into sequoia

2026-02-03 14:03:24 +00:00 · 2025-04-14 11:45:37 -04:00
parent cb4e3db988 d85688f7a1
commit f98126bbcf
8 changed files with 75 additions and 0 deletions
--- a/baselines/800-53r5_high.yaml
+++ b/baselines/800-53r5_high.yaml
@@ -122,6 +122,7 @@ profile:
      - os_sshd_client_alive_count_max_configure
      - os_sshd_client_alive_interval_configure
      - os_sshd_fips_compliant
+      - os_sshd_per_source_penalties_configure
      - os_sshd_permit_root_login_configure
      - os_sshd_unused_connection_timeout_configure
      - os_sudo_log_enforce
--- a/baselines/800-53r5_low.yaml
+++ b/baselines/800-53r5_low.yaml
@@ -101,6 +101,7 @@ profile:
      - os_skip_unlock_with_watch_enable
      - os_ssh_fips_compliant
      - os_sshd_fips_compliant
+      - os_sshd_per_source_penalties_configure
      - os_sudo_timeout_configure
      - os_sudoers_timestamp_type_configure
      - os_tftpd_disable
--- a/baselines/800-53r5_moderate.yaml
+++ b/baselines/800-53r5_moderate.yaml
@@ -120,6 +120,7 @@ profile:
      - os_sshd_client_alive_count_max_configure
      - os_sshd_client_alive_interval_configure
      - os_sshd_fips_compliant
+      - os_sshd_per_source_penalties_configure
      - os_sshd_unused_connection_timeout_configure
      - os_sudo_log_enforce
      - os_sudo_timeout_configure
--- a/baselines/all_rules.yaml
+++ b/baselines/all_rules.yaml
@@ -172,6 +172,7 @@ profile:
      - os_sshd_client_alive_interval_configure
      - os_sshd_fips_compliant
      - os_sshd_login_grace_time_configure
+      - os_sshd_per_source_penalties_configure
      - os_sshd_permit_root_login_configure
      - os_sshd_unused_connection_timeout_configure
      - os_sudo_log_enforce
--- a/baselines/cnssi-1253_high.yaml
+++ b/baselines/cnssi-1253_high.yaml
@@ -149,6 +149,7 @@ profile:
      - os_sshd_client_alive_interval_configure
      - os_sshd_fips_compliant
      - os_sshd_login_grace_time_configure
+      - os_sshd_per_source_penalties_configure
      - os_sshd_permit_root_login_configure
      - os_sshd_unused_connection_timeout_configure
      - os_sudo_log_enforce
--- a/baselines/cnssi-1253_low.yaml
+++ b/baselines/cnssi-1253_low.yaml
@@ -147,6 +147,7 @@ profile:
      - os_sshd_client_alive_interval_configure
      - os_sshd_fips_compliant
      - os_sshd_login_grace_time_configure
+      - os_sshd_per_source_penalties_configure
      - os_sshd_permit_root_login_configure
      - os_sshd_unused_connection_timeout_configure
      - os_sudo_log_enforce
--- a/baselines/cnssi-1253_moderate.yaml
+++ b/baselines/cnssi-1253_moderate.yaml
@@ -147,6 +147,7 @@ profile:
      - os_sshd_client_alive_interval_configure
      - os_sshd_fips_compliant
      - os_sshd_login_grace_time_configure
+      - os_sshd_per_source_penalties_configure
      - os_sshd_permit_root_login_configure
      - os_sshd_unused_connection_timeout_configure
      - os_sudo_log_enforce
--- a/rules/os/os_sshd_per_source_penalties_configure.yaml
+++ b/rules/os/os_sshd_per_source_penalties_configure.yaml
@@ -0,0 +1,68 @@
+id: os_sshd_per_source_penalties_configure
+title: Configure SSHD PerSourcePenalties
+discussion: |
+  If SSHD is enabled then it _MUST_ be configured with the Per Source Penalties configured.
+
+  Per Source Penalities controls penalties for various conditions that may represent attacks on sshd.
+
+  Penalties are enabled by default.
+
+  NOTE: On macOS 15.2 and higher the SSH configuration can be reset to the macOS default by running /usr/libexec/reset-ssh-configuration.
+check: |
+  /usr/sbin/sshd -G | /usr/bin/grep -q "persourcepenalties no" && echo "no" || echo "yes"
+result:
+  string: "yes"
+fix: |
+  [source,bash]
+  ----
+  include_dir=$(/usr/bin/awk '/^Include/ {print $2}' /etc/ssh/sshd_config | /usr/bin/tr -d '*')
+
+  if [[ -z $include_dir ]]; then
+    /usr/bin/sed -i.bk "1s/.*/Include \/etc\/ssh\/sshd_config.d\/\*/" /etc/ssh/sshd_config
+  fi
+
+  /usr/bin/grep -qxF 'persourcepenalties yes' "${include_dir}01-mscp-sshd.conf" 2>/dev/null || echo "persourcepenalties yes" >> "${include_dir}01-mscp-sshd.conf"
+
+  for file in $(ls ${include_dir}); do
+    if [[ "$file" == "100-macos.conf" ]]; then
+        continue
+    fi
+    if [[ "$file" == "01-mscp-sshd.conf" ]]; then
+        break
+    fi
+    /bin/mv ${include_dir}${file} ${include_dir}20-${file}
+  done
+  ----
+references:
+  cce:
+    - N/A
+  cci:
+    - N/A
+  800-53r5:
+    - SC-5
+  srg:
+    - N/A
+  disa_stig:
+    - N/A
+  800-171r3:
+    - N/A
+  cmmc:
+    - N/A
+macOS:
+  - '15.0'
+tags:
+  - 800-53r5_low
+  - 800-53r5_moderate
+  - 800-53r5_high
+  - cnssi-1253_low
+  - cnssi-1253_high
+  - cnssi-1253_moderate
+severity: medium
+mobileconfig: false
+mobileconfig_info:
+ddm_info:
+  declarationtype: com.apple.configuration.services.configuration-files
+  service: com.apple.sshd
+  config_file: sshd_config
+  configuration_key: persourcepenalties
+  configuration_value: "yes"