* chore[rules]: updated STIG tags Removed the stig tag from rules that weren't in the stig. Added 'srg' tag to rules that had SRG references, but not in stig Issue #356 * chore[baseline]: updated STIG baseline * chore[references]: updated CCI and SRG refs Updated severity where needed too * fix[rule]: yaml syntax for CCI * fix[rules]: added missing STIG ODVs --------- Co-authored-by: Dan Brodjieski <daniel.brodjieski@nasa.gov> Co-authored-by: Dan Brodjieski <dbrodjieski@icloud.com>
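# mSCP rule: refuse password and keyboard-interactive SSH logins so that only
# key/certificate (multifactor) authentication reaches sshd.
# This file is data for the macos_security generators; YAML comments are
# dropped on parse, so nothing written here reaches the generated guidance.
id: auth_ssh_password_authentication_disable
title: Disable Password Authentication for SSH
discussion: |
  If remote login through SSH is enabled, password based authentication _MUST_ be disabled for user login.

  All users _MUST_ go through multifactor authentication to prevent unauthenticated access and potential compromise to the system.

  NOTE: /etc/ssh/sshd_config will be automatically modified to its original state following any update or major upgrade to the operating system.
# `sshd -G` dumps the effective configuration (main file plus Include'd
# drop-ins). Both directives must resolve to "no", hence the expected count
# of 2 — a count of 1 means one of them is still enabled.
# NOTE(review): the dump is taken without a connection context, so a later
# `Match` block that turns either option back on for some users/addresses
# would not be caught by this check — confirm on hosts that use Match.
check: |
  /usr/sbin/sshd -G | /usr/bin/grep -Ec '^(passwordauthentication\s+no|kbdinteractiveauthentication\s+no)'
result:
  integer: 2
# Fix runs as root. It writes a drop-in (01-mscp-sshd.conf) into the directory
# referenced by the Include line of sshd_config and makes sure no other
# drop-in sorts ahead of it. Changes from the previous revision:
#   - when no Include exists, include_dir is now set before the drop-in is
#     written (previously it stayed empty and the file landed in $PWD);
#   - the Include line is inserted as a new first line instead of
#     overwriting whatever line 1 already held;
#   - the two directives are only appended if absent, so re-running the fix
#     does not accumulate duplicates;
#   - the rename loop iterates a glob instead of word-splitting `ls` output.
fix: |
  [source,bash]
  ----
  # Directory from the first Include line, with the trailing glob stripped.
  # Assumes the stock pattern "<dir>/*"; other patterns need manual adjustment.
  include_dir=$(/usr/bin/awk '/^Include/ {print $2}' /etc/ssh/sshd_config | /usr/bin/head -n 1 | /usr/bin/tr -d '*')
  if [[ -z $include_dir ]]; then
    # No Include present: add one as a new first line so the drop-in
    # directory is parsed before everything else, and point include_dir
    # at it so the drop-in is written to the right place.
    include_dir="/etc/ssh/sshd_config.d/"
    /usr/bin/sed -i.bk -e '1i\' -e 'Include /etc/ssh/sshd_config.d/*' /etc/ssh/sshd_config
  fi
  /bin/mkdir -p "${include_dir}"
  conf="${include_dir}01-mscp-sshd.conf"
  # Append each directive only once so the fix is idempotent.
  /usr/bin/grep -qs '^passwordauthentication no$' "${conf}" || echo "passwordauthentication no" >> "${conf}"
  /usr/bin/grep -qs '^kbdinteractiveauthentication no$' "${conf}" || echo "kbdinteractiveauthentication no" >> "${conf}"

  # Any drop-in that sorts before 01-mscp-sshd.conf is parsed first (and,
  # presumably, wins for the same keyword); push it behind the mSCP file by
  # renaming it with a 20- prefix. Apple's 100-macos.conf is left alone.
  for path in "${include_dir}"*; do
    [[ -e "$path" ]] || continue
    file=${path##*/}
    if [[ "$file" == "100-macos.conf" ]]; then
      continue
    fi
    if [[ "$file" == "01-mscp-sshd.conf" ]]; then
      break
    fi
    /bin/mv "${path}" "${include_dir}20-${file}"
  done
  ----
references:
  cce:
    - CCE-92739-2
  cci:
    - CCI-000186
    - CCI-000765
    - CCI-000766
    - CCI-000767
    - CCI-000768
    - CCI-000877
    - CCI-001941
    - CCI-001948
  800-53r5:
    - IA-2(1)
    - IA-2(2)
    - IA-2(6)
    - IA-2
    - IA-5(2)
    - MA-4
    - IA-2(8)
  800-53r4:
    - IA-2
    - IA-2(1)
    - IA-2(2)
    - IA-2(3)
    - IA-2(4)
    - IA-2(6)
    - IA-2(11)
    - IA-5(2)
    - IA-5(11)
    - MA-4
  srg:
    - SRG-OS-000107-GPOS-00054
    - SRG-OS-000112-GPOS-00057
    - SRG-OS-000067-GPOS-00035
    - SRG-OS-000108-GPOS-00055
    - SRG-OS-000125-GPOS-00065
    - SRG-OS-000106-GPOS-00053
    - SRG-OS-000375-GPOS-00160
    - SRG-OS-000105-GPOS-00052
  disa_stig:
    - APPL-14-001150
  800-171r2:
    - 3.5.1
    - 3.5.2
    - 3.5.3
    - 3.7.5
  cis:
    benchmark:
      - N/A
    # Quoted so the parser keeps these as the strings "6.3"/"6.4"/"6.5"
    # rather than floats (unquoted, 6.3 loads as a number).
    controls v8:
      - '6.3'
      - '6.4'
      - '6.5'
  cmmc:
    - IA.L1-3.5.1
    - IA.L1-3.5.2
    - IA.L2-3.5.3
    - IA.L2-3.5.4
    - MA.L2-3.7.5
# Quoted: an unquoted 14.0 would load as a float.
macOS:
  - '14.0'
tags:
  - 800-53r5_low
  - 800-53r5_moderate
  - 800-53r5_high
  - 800-53r4_low
  - 800-53r4_moderate
  - 800-53r4_high
  - 800-171
  - cisv8
  - cnssi-1253_moderate
  - cnssi-1253_low
  - cnssi-1253_high
  - cmmc_lvl2
  - cmmc_lvl1
  - stig
severity: high
# No configuration profile delivers this setting; the shell fix above is the
# only remediation, so mobileconfig_info is intentionally left empty (null).
mobileconfig: false
mobileconfig_info: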