macos_security/rules/system_settings/system_settings_ssh_disable.yaml

id: system_settings_ssh_disable
title: "Disable SSH Server for Remote Access Sessions"
discussion: |
  SSH service _MUST_ be disabled for remote access.
check: |
  /bin/launchctl print-disabled system | /usr/bin/grep -c '"com.openssh.sshd" => disabled'
result:
  integer: 1
fix: |
  [source,bash]
  ----
  /usr/sbin/systemsetup -f -setremotelogin off >/dev/null
  /bin/launchctl disable system/com.openssh.sshd
  ----
  NOTE: Systemsetup with -setremotelogin flag will fail unless you grant Full Disk Access to systemsetup or it's parent process. Requires supervision.
references:
  cce:
    - CCE-92994-3
  cci:
    - CCI-000068
    - CCI-001453
    - CCI-001941
    - CCI-001942
    - CCI-001967
    - CCI-002418
    - CCI-002420
    - CCI-002421
    - CCI-002422
    - CCI-002890
    - CCI-003123
  800-53r5:
    - CM-7
    - CM-7(1)
    - AC-17
  800-53r4:
    - AC-3
    - CM-7
    - CM-7(1)
  srg:
    - SRG-OS-000033-GPOS-00014
    - SRG-OS-000112-GPOS-00057
    - SRG-OS-000113-GPOS-00058
    - SRG-OS-000250-GPOS-00093
    - SRG-OS-000379-GPOS-00164
    - SRG-OS-000393-GPOS-00173
    - SRG-OS-000394-GPOS-00174
    - SRG-OS-000423-GPOS-00187
    - SRG-OS-000424-GPOS-00188
    - SRG-OS-000425-GPOS-00189
    - SRG-OS-000426-GPOS-00190
  disa_stig:
    - N/A
  800-171r2:
    - 3.1.1
    - 3.1.2
    - 3.4.6
  cis:
    benchmark:
      - 2.3.3.5 (level 1)
    controls v8:
      - 4.1
      - 4.8
  cmmc:
    - AC.L1-3.1.1
    - CM.L2-3.4.6
    - CM.L2-3.4.7
macOS:
  - "14.0"
tags:
  - cis_lvl1
  - cis_lvl2
  - cisv8
  - cnssi-1253_moderate
  - cnssi-1253_low
  - cnssi-1253_high
  - cmmc_lvl2
  - cmmc_lvl1
severity: "high"
mobileconfig: false
mobileconfig_info: