mirror of
https://github.com/usnistgov/macos_security.git
synced 2026-06-11 03:20:29 +01:00
75 lines
1.5 KiB
YAML
75 lines
1.5 KiB
YAML
id: system_settings_ssh_disable
|
|
title: Disable SSH Server for Remote Access Sessions
|
|
discussion: |
|
|
SSH service _MUST_ be disabled for remote access.
|
|
check: |
|
|
result="FAIL"
|
|
enabled=$(/bin/launchctl print-disabled system | /usr/bin/grep '"com.openssh.sshd" => enabled')
|
|
running=$(/bin/launchctl print system/com.openssh.sshd 2>/dev/null)
|
|
|
|
if [[ -z "$running" ]] && [[ -z "$enabled" ]]; then
|
|
result="PASS"
|
|
elif [[ -n "$running" ]]; then
|
|
result=result+" RUNNING"
|
|
elif [[ -n "$enabled" ]]; then
|
|
result=result+" ENABLED"
|
|
fi
|
|
echo $result
|
|
result:
|
|
string: PASS
|
|
fix: |
|
|
[source,bash]
|
|
----
|
|
/usr/sbin/systemsetup -f -setremotelogin off >/dev/null
|
|
/bin/launchctl disable system/com.openssh.sshd
|
|
----
|
|
NOTE: Systemsetup with -setremotelogin flag will fail unless you grant Full Disk Access to systemsetup or its parent process. Requires supervision.
|
|
references:
|
|
cce:
|
|
- CCE-95406-5
|
|
cci:
|
|
- N/A
|
|
800-53r5:
|
|
- CM-7
|
|
- CM-7(1)
|
|
- AC-17
|
|
800-53r4:
|
|
- AC-3
|
|
- CM-7
|
|
- CM-7(1)
|
|
srg:
|
|
- N/A
|
|
disa_stig:
|
|
- N/A
|
|
800-171r3:
|
|
- 03.01.02
|
|
- 03.04.06
|
|
cis:
|
|
benchmark:
|
|
- 2.3.3.4 (level 1)
|
|
controls v8:
|
|
- 4.1
|
|
- 4.8
|
|
cmmc:
|
|
- AC.L1-3.1.1
|
|
- CM.L2-3.4.6
|
|
- CM.L2-3.4.7
|
|
macOS:
|
|
- '26.0'
|
|
tags:
|
|
- 800-53r5_low
|
|
- 800-53r5_moderate
|
|
- 800-53r5_high
|
|
- 800-171
|
|
- cis_lvl1
|
|
- cis_lvl2
|
|
- cisv8
|
|
- cnssi-1253_low
|
|
- cnssi-1253_high
|
|
- cmmc_lvl2
|
|
- cmmc_lvl1
|
|
- cnssi-1253_moderate
|
|
severity: high
|
|
mobileconfig: false
|
|
mobileconfig_info:
|