1.20 APPL-14-000057

Information

The macOS system must limit SSH to FIPS-compliant connections.

GROUP ID: V-259439RULE ID: SV-259439r958408

SSH must be configured to limit the Ciphers, HostbasedAcceptedAlgorithms, HostKeyAlgorithms, KexAlgorithms, MACs, PubkeyAcceptedAlgorithms, CASignatureAlgorithms to algorithms that are FIPS 140 validated.

FIPS 140-2 is the current standard for validating that mechanisms used to access cryptographic modules utilize authentication that meet federal requirements.

Operating systems utilizing encryption must use FIPS-validated mechanisms for authenticating to cryptographic modules.

Note: For more information on FIPS compliance with the version of SSH included in the macOS, the manual page apple_ssh_and_fips has additional information.

Satisfies: SRG-OS-000033-GPOS-00014,SRG-OS-000120-GPOS-00061,SRG-OS-000250-GPOS-00093,SRG-OS-000396-GPOS-00176,SRG-OS-000424-GPOS-00188,SRG-OS-000478-GPOS-00223

Solution

Configure the macOS system to limit SSH to FIPS-compliant connections with the following command:

fips_ssh_config="Host *Ciphers [email protected] mailto:[email protected] HostbasedAcceptedAlgorithms ecdsa-sha2-nistp256, [email protected] mailto:[email protected] HostKeyAlgorithms ecdsa-sha2-nistp256, [email protected] mailto:[email protected] KexAlgorithms ecdh-sha2-nistp256MACs hmac-sha2-256PubkeyAcceptedAlgorithms ecdsa-sha2-nistp256, [email protected] mailto:[email protected] CASignatureAlgorithms ecdsa-sha2-nistp256"/bin/echo "${fips_ssh_config}" > /etc/ssh/ssh_config.d/fips_ssh_config

Item Details

Audit Name: CIS Apple macOS 14 (Sonoma) STIG v1.0.0 CAT I

Category: ACCESS CONTROL, IDENTIFICATION AND AUTHENTICATION, SYSTEM AND COMMUNICATIONS PROTECTION

Plugin: Unix

Control ID: 45c437748cace0e23ed58fb89e412d739804fe0b9682b8a1d8d2b31dd6c7341c

Detections

Analytics

1.20 APPL-14-000057

Information

Solution

See Also

Item Details