AOSX-13-000720 - The macOS system must be configured with the SSH daemon ClientAliveInterval option set to 900 or less.

Information

SSH should be configured to log users out after a 15-minute interval of inactivity and to wait only 30 seconds before timing out logon attempts. Terminating an idle session within a short time period reduces the window of opportunity for unauthorized personnel to take control of a management session enabled on the console or console port that has been left unattended. In addition, quickly terminating an idle session or an incomplete logon attempt will also free up resources committed by the managed network element.

Solution

To ensure that 'ClientAliveInterval' is set correctly, run the following command:

/usr/bin/sudo /usr/bin/sed -i.bak 's/.*ClientAliveInterval.*/ClientAliveInterval 900/' /etc/ssh/sshd_config

See Also

https://dl.dod.cyber.mil/wp-content/uploads/stigs/zip/U_Apple_OS_X_10-13_V2R5_STIG.zip

Item Details

Category: SYSTEM AND COMMUNICATIONS PROTECTION

References: 800-53|SC-10, CAT|II, CCI|CCI-001133, Rule-ID|SV-214886r609363_rule, STIG-ID|AOSX-13-000720, STIG-Legacy|SV-96365, STIG-Legacy|V-81651, Vuln-ID|V-214886

Plugin: Unix

Control ID: bf5ea4b5d7a9c738482ef7080575a488f65e4aa124dfebd3cd5a4ab300a57bcf