Detections
Analytics

1.52 APPL-14-001100

Information

The macOS system must disable root logon for SSH.

GROUP ID: V-259472RULE ID: SV-259472r1009590

If SSH is enabled to ensure individual accountability and prevent unauthorized access, logging in as root via SSH must be disabled.

The macOS system must require individuals to be authenticated with an individual authenticator prior to using a group authenticator, and administrator users must never log in directly as root.

Note: /etc/ssh/sshd_config will be automatically modified to its original state following any update or major upgrade to the operating system.

Satisfies: SRG-OS-000109-GPOS-00056,SRG-OS-000364-GPOS-00151

Solution

Configure the macOS system to disable root login for SSH with the following command:

include_dir=$(/usr/bin/awk '/^Include/ {print $2}' /etc/ssh/sshd_config | /usr/bin/tr -d '*')

if [[ -z $include_dir ]]; then/usr/bin/sed -i.bk "1s/.*/Include /etc/ssh/sshd_config.d/*/" /etc/ssh/sshd_configfi

/usr/bin/grep -qxF 'permitrootlogin no' "${include_dir}01-mscp-sshd.conf" 2>/dev/null || echo "permitrootlogin no" >> "${include_dir}01-mscp-sshd.conf"

for file in $(ls ${include_dir}); doif [[ "$file" == "100-macos.conf" ]]; thencontinuefiif [[ "$file" == "01-mscp-sshd.conf" ]]; thenbreakfi/bin/mv ${include_dir}${file} ${include_dir}20-${file}done

See Also

https://workbench.cisecurity.org/benchmarks/24070

Item Details

Category: CONFIGURATION MANAGEMENT, IDENTIFICATION AND AUTHENTICATION

References: 800-53|CM-5(1), 800-53|IA-2(5), CAT|II, CCI|CCI-000770, CCI|CCI-001813, CCI|CCI-004045, Rule-ID|SV-259472r1009590_rule, STIG-ID|APPL-14-001100, Vuln-ID|V-259472

Plugin: Unix

Control ID: e48333af26a5d3c741732c9eb34367b7a1767d17efb456c1136932ef67ad9b42