AOSX-14-000053 - The macOS system must be configured with the SSH daemon LoginGraceTime set to 30 or less.

Information

SSH should be configured to log users out after a 15-minute interval of inactivity and to wait only 30 seconds before timing out logon attempts. Terminating an idle session within a short time period reduces the window of opportunity for unauthorized personnel to take control of a management session enabled on the console or console port that has been left unattended. In addition, quickly terminating an idle session or an incomplete logon attempt will also free up resources committed by the managed network element.

Solution

To ensure that 'LoginGraceTime' is configured correctly, run the following command:

/usr/bin/sudo /usr/bin/sed -i.bak 's/.*LoginGraceTime.*/LoginGraceTime 30/' /etc/ssh/sshd_config

See Also

https://dl.dod.cyber.mil/wp-content/uploads/stigs/zip/U_Apple_OS_X_10-14_V2R6_STIG.zip

Item Details

Category: SYSTEM AND COMMUNICATIONS PROTECTION

References: 800-53|SC-10, CAT|II, CCI|CCI-001133, Rule-ID|SV-209548r610285_rule, STIG-ID|AOSX-14-000053, STIG-Legacy|SV-104969, STIG-Legacy|V-95831, Vuln-ID|V-209548

Plugin: Unix

Control ID: 91129d2adb18d2ecf2c20def97b17897d90017a07db542d3784a7dd9438e3024