os_sshd_fips_compliant remediate issue #212

Closed
opened 2026-01-19 18:29:40 +00:00 by michael · 3 comments

Originally created by @K1jaff on GitHub.

Originally assigned to: @brodjieski on GitHub.

Summary

The remediate part of the os_sshd_fips_compliant item will add duplicate lines for MACs & Ciphers if these lines are already there, but the config from /usr/sbin/sshd -T will only honour the first lines present.

Steps to reproduce

Run the --fix for os_sshd_fips_compliant item which runs:

```bash
# Find the directory named by the Include line in sshd_config (the trailing "*" is stripped).
# In the generated fix script the single quotes are written as '"'"' because the whole
# snippet is wrapped in a single-quoted string; they are plain quotes here.
include_dir=$(/usr/bin/awk '/^Include/ {print $2}' /etc/ssh/sshd_config | /usr/bin/tr -d '*')

# No Include line yet: overwrite line 1 with one pointing at sshd_config.d.
if [[ -z $include_dir ]]; then
    /usr/bin/sed -i.bk "1s/.*/Include \/etc\/ssh\/sshd_config.d\/\*/" /etc/ssh/sshd_config
fi

fips_sshd_config=("Ciphers aes128-gcm@openssh.com" "HostbasedAcceptedAlgorithms ecdsa-sha2-nistp256,ecdsa-sha2-nistp256-cert-v01@openssh.com" "HostKeyAlgorithms ecdsa-sha2-nistp256,ecdsa-sha2-nistp256-cert-v01@openssh.com" "KexAlgorithms ecdh-sha2-nistp256" "MACs hmac-sha2-256" "PubkeyAcceptedAlgorithms ecdsa-sha2-nistp256,ecdsa-sha2-nistp256-cert-v01@openssh.com" "CASignatureAlgorithms ecdsa-sha2-nistp256")

# Append every setting to the include file. Because this uses ">>", each run of the
# fix adds another copy of every line; this is the duplication reported in this issue.
for config in "${fips_sshd_config[@]}"; do
    echo "$config" >> "${include_dir}01-mscp-sshd.conf"
done
```

Operating System version

Operating System Version: 13.0.1
Operating System Build: 22A400

Apple Silicon

What is the current bug behavior?

The os_sshd_fips config is applied over and over again to /private/etc/ssh/sshd_config.d/01-mscp-sshd.conf

What is the expected correct behavior?

The os_sshd_fips config is applied to /private/etc/ssh/sshd_config.d/01-mscp-sshd.conf and reflected in /usr/sbin/sshd -T

Relevant logs and/or screenshots

```xml
<key>os_sshd_fips_compliant</key>
<dict>
	<key>finding</key>
	<true/>
</dict>
```

Output of checks

(Paste any output that occurs with the bug)

Possible fixes

Replace existing lines for Ciphers & MACs


@robertgendler commented on GitHub:

This is now merged into ventura


@brodjieski commented on GitHub:

Currently, our remediation appends config settings to the 01-mscp-sshd.conf file... The remediation should only run if the check fails... but if it does run multiple times, then the config file will have duplicate entries.

To fix this, we need to clear out the config file prior to appending the values.

Adding `rm -f "${include_dir}01-mscp-sshd.conf"` just prior to the `for config` loop should address this.

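To show why the append-only remediation misleads and how the "clear the file first" fix makes it idempotent, here is an added example (not mSCP code, not part of the thread). It keeps the settings from the remediation, writes to a path you supply instead of /etc/ssh/sshd_config.d, and includes two checks that mimic sshd's first-occurrence-wins resolution; `append_fips_sshd_conf`, `write_fips_sshd_conf`, `effective_value` and `count_keyword` are names chosen here.

```shell
#!/bin/sh
# Added example, not mSCP code: an idempotent rewrite of the
# os_sshd_fips_compliant remediation plus two checks that show why
# appending was wrong. All paths are supplied by the caller; nothing
# here touches /etc/ssh.

# The keyword/value lines the remediation is meant to enforce.
FIPS_SSHD_SETTINGS='Ciphers aes128-gcm@openssh.com
HostbasedAcceptedAlgorithms ecdsa-sha2-nistp256,ecdsa-sha2-nistp256-cert-v01@openssh.com
HostKeyAlgorithms ecdsa-sha2-nistp256,ecdsa-sha2-nistp256-cert-v01@openssh.com
KexAlgorithms ecdh-sha2-nistp256
MACs hmac-sha2-256
PubkeyAcceptedAlgorithms ecdsa-sha2-nistp256,ecdsa-sha2-nistp256-cert-v01@openssh.com
CASignatureAlgorithms ecdsa-sha2-nistp256'

# Original behaviour: append on every run, so re-running piles up duplicates
# and any pre-existing Ciphers/MACs line keeps winning.
append_fips_sshd_conf() {
    printf '%s\n' "$FIPS_SSHD_SETTINGS" >> "$1"
}

# Fixed behaviour: build the include file fresh and swap it into place,
# so any number of runs leaves exactly one line per keyword.
write_fips_sshd_conf() {
    tmp="$(mktemp "$1.XXXXXX")"
    printf '%s\n' "$FIPS_SSHD_SETTINGS" > "$tmp"
    chmod 644 "$tmp"
    mv -f "$tmp" "$1"
}

# Resolve a keyword the way sshd does: first occurrence wins, keyword is
# case-insensitive. Assumes the "Keyword value" form; "Keyword=value" is not handled.
effective_value() {
    awk -v k="$1" 'tolower($1) == tolower(k) { print $2; exit }' "$2"
}

# Number of lines setting a keyword; every line beyond the first is a silent no-op.
count_keyword() {
    grep -ci "^[[:space:]]*$1[[:space:]]" "$2" || true
}
```

Point `count_keyword` at the real include file after a remediation run: a count above 1 for Ciphers or MACs means the fix appended rather than replaced, and `effective_value` tells you which line sshd is actually using.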

@robertgendler commented on GitHub:

This was merged into main. Closing the issue.


Reference: usnistgov/macos_security#212