1.19 APPL-14-000054

Information

The macOS system must limit SSHD to FIPS-compliant connections.

GROUP ID: V-259438RULE ID: SV-259438r958408

If SSHD is enabled then it must be configured to limit the Ciphers, HostbasedAcceptedAlgorithms, HostKeyAlgorithms, KexAlgorithms, MACs, PubkeyAcceptedAlgorithms, CASignatureAlgorithms to algorithms that are FIPS 140 validated.

FIPS 140-2 is the current standard for validating that mechanisms used to access cryptographic modules utilize authentication that meet federal requirements.

Operating systems utilizing encryption must use FIPS validated mechanisms for authenticating to cryptographic modules.

Note: For more information on FIPS compliance with the version of SSHD included in the macOS, the manual page apple_ssh_and_fips has additional information.

Satisfies: SRG-OS-000033-GPOS-00014,SRG-OS-000120-GPOS-00061,SRG-OS-000250-GPOS-00093,SRG-OS-000393-GPOS-00173,SRG-OS-000394-GPOS-00174,SRG-OS-000396-GPOS-00176,SRG-OS-000424-GPOS-00188,SRG-OS-000478-GPOS-00223

Solution

Configure the macOS system to limit SSHD to FIPS-compliant connections with the following command:

fips_sshd_config="Ciphers [email protected] mailto:[email protected] HostbasedAcceptedAlgorithms ecdsa-sha2-nistp256, [email protected] mailto:[email protected] HostKeyAlgorithms ecdsa-sha2-nistp256, [email protected] mailto:[email protected] KexAlgorithms ecdh-sha2-nistp256MACs hmac-sha2-256PubkeyAcceptedAlgorithms ecdsa-sha2-nistp256, [email protected] mailto:[email protected] CASignatureAlgorithms ecdsa-sha2-nistp256"/bin/echo "${fips_sshd_config}" > /etc/ssh/sshd_config.d/fips_sshd_config

Item Details

Audit Name: CIS Apple macOS 14 (Sonoma) STIG v1.0.0 CAT I

Category: ACCESS CONTROL, IDENTIFICATION AND AUTHENTICATION, MAINTENANCE, SYSTEM AND COMMUNICATIONS PROTECTION

Plugin: Unix

Control ID: 8c34a555ca7111c68c1ae033948af00bbf41b80fc568d731e3401ac7c85094f4

Detections

Analytics

1.19 APPL-14-000054

Information

Solution

See Also

Item Details