mirror of
https://github.com/usnistgov/macos_security.git
synced 2026-02-12 09:32:04 +00:00
71 lines
1.6 KiB
YAML
71 lines
1.6 KiB
YAML
id: system_settings_ssh_disable
|
|
title: Disable SSH Server for Remote Access Sessions
|
|
discussion: |
|
|
SSH service _MUST_ be disabled for remote access.
|
|
references:
|
|
nist:
|
|
cce:
|
|
macos_15:
|
|
- CCE-94399-3
|
|
macos_14:
|
|
- CCE-92994-3
|
|
macos_13:
|
|
- CCE-91984-5
|
|
800-53r5:
|
|
- CM-7
|
|
- CM-7(1)
|
|
- AC-17
|
|
800-171r3:
|
|
- 03.01.02
|
|
- 03.04.06
|
|
disa:
|
|
cmmc:
|
|
- AC.L1-3.1.1
|
|
- CM.L2-3.4.6
|
|
- CM.L2-3.4.7
|
|
cis:
|
|
benchmark:
|
|
macos_15:
|
|
- 2.3.3.5 (level 1)
|
|
macos_14:
|
|
- 2.3.3.5 (level 1)
|
|
macos_13:
|
|
- 2.3.3.5 (level 1)
|
|
controls_v8:
|
|
- 4.1
|
|
- 4.8
|
|
platforms:
|
|
macOS:
|
|
'15.0':
|
|
benchmarks:
|
|
- name: cis_lvl1
|
|
- name: cis_lvl2
|
|
'14.0':
|
|
benchmarks:
|
|
- name: cis_lvl1
|
|
- name: cis_lvl2
|
|
'13.0':
|
|
benchmarks:
|
|
- name: cis_lvl1
|
|
- name: cis_lvl2
|
|
enforcement_info:
|
|
check:
|
|
shell: /bin/launchctl print-disabled system | /usr/bin/grep -c '"com.openssh.sshd" => disabled'
|
|
result:
|
|
integer: 1
|
|
fix:
|
|
shell: |-
|
|
/usr/sbin/systemsetup -f -setremotelogin off >/dev/null
|
|
/bin/launchctl disable system/com.openssh.sshd
|
|
additional_info: 'NOTE: Systemsetup with -setremotelogin flag will fail unless you grant Full Disk Access to systemsetup or its parent process. Requires supervision.'
|
|
tags:
|
|
- cisv8
|
|
- cnssi-1253_low
|
|
- cnssi-1253_high
|
|
- cmmc_lvl2
|
|
- cmmc_lvl1
|
|
- cnssi-1253_moderate
|
|
- 800-53r5_low
|
|
- 800-53r5_moderate
|
|
- 800-53r5_high
|