system_settings_ssh_disable (Commands discrepancy) #43

Closed
opened 2026-01-19 18:29:01 +00:00 by michael · 2 comments

Originally created by @narender34 on GitHub.

Originally assigned to: @robertgendler on GitHub.

I observed that the CIS Benchmark guidance and the macOS Security Project utilize different commands to verify the same control. Specifically, for the control 2.3.3.5 "Ensure Remote Login is Disabled" (_system_settings_ssh_disable_), the CIS Benchmark recommends using the following command to verify the status:

`/usr/bin/sudo /usr/sbin/systemsetup -getremotelogin`

However, when using Jamf Compliance Editor and its associated scripts, a different command is used for verification:

`/bin/launchctl print-disabled system | /usr/bin/grep -c '"com.openssh.sshd" => disabled'`

This discrepancy led to situations where other security products, which reference CIS Benchmark controls, flag the control as non-compliant because they expect the CIS-recommended verification method.

@robertgendler commented on GitHub:

This has been discussed with CIS, DISA, and the team. Checks (basically any service [screen sharing, ssh, smb, etc]) will get updated to also kill the service if found running.


@robertgendler commented on GitHub:

This was solved and added.

Slightly different but same result, killing all the services if running.
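
To make the mismatch described in the issue concrete, here is an added shell example (not code from the macOS Security Project, CIS, or Jamf Compliance Editor) that normalises captured output of both verification commands, reports when they disagree, and sketches the remediation shape the maintainer describes (disable the service and kill it if running). The sample outputs are constructed, and the `remediate_ssh` helper together with its `launchctl kill` step are assumptions of this example, not the project's fix.

```shell
# Constructed sample output of `systemsetup -getremotelogin`.
SAMPLE_SYSTEMSETUP_OFF='Remote Login: Off'
# Constructed sample output of `launchctl print-disabled system` on a host
# where sshd is still enabled in launchd despite the systemsetup flag.
SAMPLE_LAUNCHCTL_ENABLED='disabled services = {
    "com.apple.screensharing" => disabled
    "com.openssh.sshd" => enabled
}'

# Normalise systemsetup output (CIS check) to "off" or "on".
systemsetup_state() {
    case "$1" in
        *"Remote Login: Off"*) echo off ;;
        *"Remote Login: On"*)  echo on ;;
        *)                     echo unknown ;;
    esac
}

# Normalise launchctl print-disabled output (mSCP check) to "off" or "on";
# anything other than an explicit "=> disabled" entry counts as enabled.
launchctl_state() {
    if printf '%s\n' "$1" | grep -q '"com.openssh.sshd" => disabled'; then
        echo off
    else
        echo on
    fi
}

# Combine both views: a "discrepancy" is the case from the issue, where a
# CIS-based scanner and the mSCP script disagree about the same control.
ssh_verdict() {
    s=$(systemsetup_state "$1")
    l=$(launchctl_state "$2")
    if [ "$s" = off ] && [ "$l" = off ]; then echo compliant
    elif [ "$s" = on ] && [ "$l" = on ]; then echo noncompliant
    else echo discrepancy
    fi
}

# Hypothetical remediation in the shape the maintainer describes: clear the
# systemsetup flag, disable the launchd service and kill it if running.
# Prints the commands unless RUN=1 (they require root on macOS).
remediate_ssh() {
    for cmd in '/usr/sbin/systemsetup -f -setremotelogin off' \
               '/bin/launchctl disable system/com.openssh.sshd' \
               '/bin/launchctl kill SIGTERM system/com.openssh.sshd'; do
        if [ "${RUN:-0}" = 1 ]; then sudo $cmd; else echo "$cmd"; fi
    done
}
```

On a Mac the live verdict is `ssh_verdict "$(/usr/sbin/systemsetup -getremotelogin)" "$(/bin/launchctl print-disabled system)"`; a `discrepancy` result is exactly what makes one product report the control as passing while another flags it.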
Reference: usnistgov/macos_security#43