mirror of
https://github.com/usnistgov/macos_security.git
synced 2026-03-17 06:12:10 +00:00
64 lines
1.5 KiB
YAML
64 lines
1.5 KiB
YAML
id: system_settings_ssh_disable
|
|
title: "Disable SSH Server for Remote Access Sessions"
|
|
discussion: |
|
|
SSH service _MUST_ be disabled for remote access.
|
|
|
|
Remote access sessions _MUST_ use FIPS validated encrypted methods to protect unauthorized individuals from gaining access.
|
|
check: |
|
|
/bin/launchctl print-disabled system | /usr/bin/grep -c '"com.openssh.sshd" => disabled'
|
|
result:
|
|
integer: 1
|
|
fix: |
|
|
[source,bash]
|
|
----
|
|
/usr/sbin/systemsetup -f -setremotelogin off
|
|
/bin/launchctl disable system/com.openssh.sshd
|
|
----
|
|
NOTE: Systemsetup with -setremotelogin flag will fail unless you grant Full Disk Access to systemsetup or it's parent process. Requires supervision.
|
|
references:
|
|
cce:
|
|
- CCE-91984-5
|
|
cci:
|
|
- N/A
|
|
800-53r5:
|
|
- CM-7
|
|
- CM-7(1)
|
|
- AC-17
|
|
800-53r4:
|
|
- AC-3
|
|
- CM-7
|
|
- CM-7(1)
|
|
srg:
|
|
- SRG-OS-000250-GPOS-00093
|
|
- SRG-OS-000033-GPOS-00014
|
|
- SRG-OS-000319-GPOS-00164
|
|
- SRG-OS-000393-GPOS-00173
|
|
- SRG-OS-000394-GPOS-00174
|
|
- SRG-OS-000112-GPOS-00057
|
|
- SRG-OS-000113-GPOS-00058
|
|
- SRG-OS-000423-GPOS-00187
|
|
- SRG-OS-000424-GPOS-00188
|
|
- SRG-OS-000425-GPOS-00189
|
|
- SRG-OS-000426-GPOS-00190
|
|
disa_stig:
|
|
- APPL-12-000011
|
|
800-171r2:
|
|
- 3.1.1
|
|
- 3.1.2
|
|
- 3.4.6
|
|
cis:
|
|
benchmark:
|
|
- 2.4.5 (level 1)
|
|
controls v8:
|
|
- 4.1
|
|
- 4.8
|
|
macOS:
|
|
- "13.0"
|
|
tags:
|
|
- cis_lvl1
|
|
- cis_lvl2
|
|
- cisv8
|
|
- stig
|
|
severity: "medium"
|
|
mobileconfig: false
|
|
mobileconfig_info: |