mirror of
https://github.com/usnistgov/macos_security.git
synced 2026-02-03 14:03:24 +00:00
125 lines
4.8 KiB
YAML
125 lines
4.8 KiB
YAML
id: os_sshd_fips_compliant
|
|
title: Limit SSHD to FIPS Compliant Connections
|
|
discussion: |
|
|
If SSHD is enabled then it _MUST_ be configured to limit the Ciphers, HostbasedAcceptedAlgorithms, HostKeyAlgorithms, KexAlgorithms, MACs, PubkeyAcceptedAlgorithms, CASignatureAlgorithms to algorithms that are FIPS 140 validated.
|
|
|
|
FIPS 140-3 is the current standard for validating that mechanisms used to access cryptographic modules utilize authentication that meet federal requirements.
|
|
|
|
Operating systems utilizing encryption _MUST_ use FIPS validated mechanisms for authenticating to cryptographic modules.
|
|
|
|
NOTE: For more information on FIPS compliance with the version of SSHD included in the macOS, the manual page apple_ssh_and_fips has additional information.
|
|
|
|
NOTE: On macOS 15.2 and higher the SSH configuration can be reset to the macOS default by running /usr/libexec/reset-ssh-configuration.
|
|
check: |
|
|
fips_sshd_config=("Ciphers aes128-gcm@openssh.com" "HostbasedAcceptedAlgorithms ecdsa-sha2-nistp256,ecdsa-sha2-nistp256-cert-v01@openssh.com" "HostKeyAlgorithms ecdsa-sha2-nistp256-cert-v01@openssh.com,sk-ecdsa-sha2-nistp256-cert-v01@openssh.com,ecdsa-sha2-nistp256,sk-ecdsa-sha2-nistp256@openssh.com" "KexAlgorithms ecdh-sha2-nistp256" "MACs hmac-sha2-256-etm@openssh.com,hmac-sha2-256" "PubkeyAcceptedAlgorithms ecdsa-sha2-nistp256,ecdsa-sha2-nistp256-cert-v01@openssh.com,sk-ecdsa-sha2-nistp256-cert-v01@openssh.com" "CASignatureAlgorithms ecdsa-sha2-nistp256,sk-ecdsa-sha2-nistp256@openssh.com")
|
|
total=0
|
|
for config in $fips_sshd_config; do
|
|
total=$(expr $(/usr/sbin/sshd -G | /usr/bin/grep -i -c "$config") + $total)
|
|
done
|
|
|
|
echo $total
|
|
result:
|
|
integer: 7
|
|
fix: |
|
|
[source,bash]
|
|
----
|
|
if [ -f /etc/ssh/crypto.conf ] && /usr/bin/grep -q "Include /etc/ssh/crypto.conf" /etc/ssh/sshd_config.d/100-macos.conf 2>/dev/null; then
|
|
/bin/ln -fs /etc/ssh/crypto/fips.conf /etc/ssh/crypto.conf
|
|
fi
|
|
|
|
include_dir=$(/usr/bin/awk '/^Include/ {print $2}' /etc/ssh/sshd_config | /usr/bin/tr -d '*')
|
|
|
|
if [[ -z $include_dir ]]; then
|
|
/usr/bin/sed -i.bk "1s/.*/Include \/etc\/ssh\/sshd_config.d\/\*/" /etc/ssh/sshd_config
|
|
fi
|
|
|
|
fips_sshd_config=("Ciphers aes128-gcm@openssh.com" "HostbasedAcceptedAlgorithms ecdsa-sha2-nistp256,ecdsa-sha2-nistp256-cert-v01@openssh.com" "HostKeyAlgorithms ecdsa-sha2-nistp256-cert-v01@openssh.com,sk-ecdsa-sha2-nistp256-cert-v01@openssh.com,ecdsa-sha2-nistp256,sk-ecdsa-sha2-nistp256@openssh.com" "KexAlgorithms ecdh-sha2-nistp256" "MACs hmac-sha2-256-etm@openssh.com,hmac-sha2-256" "PubkeyAcceptedAlgorithms ecdsa-sha2-nistp256,ecdsa-sha2-nistp256-cert-v01@openssh.com,sk-ecdsa-sha2-nistp256-cert-v01@openssh.com" "CASignatureAlgorithms ecdsa-sha2-nistp256,sk-ecdsa-sha2-nistp256@openssh.com")
|
|
sshd_config=$(/usr/sbin/sshd -G)
|
|
for config in $fips_sshd_config; do
|
|
if ! echo $sshd_config | /usr/bin/grep -q -i "$config" 2>/dev/null; then
|
|
/usr/bin/grep -qxF "$config" "${include_dir}01-mscp-sshd.conf" 2>/dev/null || echo "$config" >> "${include_dir}01-mscp-sshd.conf"
|
|
fi
|
|
done
|
|
|
|
for file in $(ls ${include_dir}); do
|
|
if [[ "$file" == "100-macos.conf" ]]; then
|
|
continue
|
|
fi
|
|
if [[ "$file" == "01-mscp-sshd.conf" ]]; then
|
|
break
|
|
fi
|
|
/bin/mv ${include_dir}${file} ${include_dir}20-${file}
|
|
done
|
|
----
|
|
references:
|
|
cce:
|
|
- CCE-95310-9
|
|
cci:
|
|
- CCI-000068
|
|
- CCI-000803
|
|
- CCI-001453
|
|
- CCI-002421
|
|
- CCI-002450
|
|
- CCI-002890
|
|
- CCI-003123
|
|
800-53r5:
|
|
- AC-17(2)
|
|
- IA-7
|
|
- SC-13
|
|
- SC-8(1)
|
|
800-53r4:
|
|
- AC-17(2)
|
|
- IA-7
|
|
- SC-8(1)
|
|
- SC-13
|
|
- MA-4(6)
|
|
srg:
|
|
- SRG-OS-000250-GPOS-00093
|
|
- SRG-OS-000120-GPOS-00061
|
|
- SRG-OS-000424-GPOS-00188
|
|
- SRG-OS-000394-GPOS-00174
|
|
- SRG-OS-000478-GPOS-00223
|
|
- SRG-OS-000033-GPOS-00014
|
|
- SRG-OS-000393-GPOS-00173
|
|
- SRG-OS-000396-GPOS-00176
|
|
disa_stig:
|
|
- APPL-26-000054
|
|
800-171r3:
|
|
- 03.13.08
|
|
- 03.13.11
|
|
cmmc:
|
|
- AC.L2-3.1.13
|
|
- MP.L2-3.8.6
|
|
- SC.L2-3.13.8
|
|
- SC.L2-3.13.11
|
|
macOS:
|
|
- '26.0'
|
|
tags:
|
|
- 800-53r5_moderate
|
|
- 800-53r5_high
|
|
- 800-53r5_low
|
|
- 800-53r4_low
|
|
- 800-53r4_moderate
|
|
- 800-53r4_high
|
|
- 800-171
|
|
- cnssi-1253_low
|
|
- cnssi-1253_high
|
|
- cmmc_lvl2
|
|
- stig
|
|
- cnssi-1253_moderate
|
|
severity: high
|
|
mobileconfig: false
|
|
mobileconfig_info:
|
|
ddm_info:
|
|
declarationtype: com.apple.configuration.services.configuration-files
|
|
service: com.apple.sshd
|
|
config_file: sshd_config
|
|
configuration_key: file
|
|
configuration_value: |
|
|
Ciphers aes128-gcm@openssh.com
|
|
HostbasedAcceptedAlgorithms ecdsa-sha2-nistp256,ecdsa-sha2-nistp256-cert-v01@openssh.com
|
|
HostKeyAlgorithms ecdsa-sha2-nistp256,ecdsa-sha2-nistp256-cert-v01@openssh.com
|
|
KexAlgorithms ecdh-sha2-nistp256
|
|
MACs hmac-sha2-256
|
|
PubkeyAcceptedAlgorithms ecdsa-sha2-nistp256,ecdsa-sha2-nistp256-cert-v01@openssh.com
|
|
CASignatureAlgorithms ecdsa-sha2-nistp256 |