AOSX-14-000052 - The macOS system must be configured with the SSH daemon ClientAliveCountMax option set to 0.

Information

SSH should be configured with an Active Client Alive Maximum Count of 0. Terminating an idle session within a short time period reduces the window of opportunity for unauthorized personnel to take control of a management session enabled on the console or console port that has been left unattended. In addition, quickly terminating an idle session or an incomplete logon attempt will also free up resources committed by the managed network element.

Solution

To ensure that the SSH idle timeout occurs precisely when the 'ClientAliveCountMax' is set, run the following command:

/usr/bin/sudo /usr/bin/sed -i.bak 's/.*ClientAliveCountMax.*/ClientAliveCountMax 0/' /etc/ssh/sshd_config

See Also

https://dl.dod.cyber.mil/wp-content/uploads/stigs/zip/U_Apple_OS_X_10-14_V2R6_STIG.zip

Item Details

Category: SYSTEM AND COMMUNICATIONS PROTECTION

References: 800-53|SC-10, CAT|II, CCI|CCI-001133, Rule-ID|SV-209547r610285_rule, STIG-ID|AOSX-14-000052, STIG-Legacy|SV-104967, STIG-Legacy|V-95829, Vuln-ID|V-209547

Plugin: Unix

Control ID: dafe437348835f78981ae6fa5b1199706017aa2a461c421953f9f555c663fa74