Detections
Analytics
APPL-14-000057 - The macOS system must limit SSH to FIPS-compliant connections.
Information
SSH must be configured to limit the Ciphers, HostbasedAcceptedAlgorithms, HostKeyAlgorithms, KexAlgorithms, MACs, PubkeyAcceptedAlgorithms, CASignatureAlgorithms to algorithms that are FIPS 140 validated.FIPS 140-2 is the current standard for validating that mechanisms used to access cryptographic modules utilize authentication that meet federal requirements.
Operating systems utilizing encryption must use FIPS-validated mechanisms for authenticating to cryptographic modules.
Note: For more information on FIPS compliance with the version of SSH included in the macOS, the manual page apple_ssh_and_fips has additional information.
Satisfies: SRG-OS-000033-GPOS-00014,SRG-OS-000120-GPOS-00061,SRG-OS-000250-GPOS-00093,SRG-OS-000396-GPOS-00176,SRG-OS-000424-GPOS-00188,SRG-OS-000478-GPOS-00223
Solution
Configure the macOS system to limit SSH to FIPS-compliant connections with the following command:fips_ssh_config="Host *
Ciphers [email protected]
HostbasedAcceptedAlgorithms ecdsa-sha2-nistp256,[email protected]
HostKeyAlgorithms ecdsa-sha2-nistp256,[email protected]
KexAlgorithms ecdh-sha2-nistp256
MACs hmac-sha2-256
PubkeyAcceptedAlgorithms ecdsa-sha2-nistp256,[email protected]
CASignatureAlgorithms ecdsa-sha2-nistp256"
/bin/echo "${fips_ssh_config}" > /etc/ssh/ssh_config.d/fips_ssh_config
See Also
https://dl.dod.cyber.mil/wp-content/uploads/stigs/zip/U_Apple_macOS_14_V2R4_STIG.zip
Item Details
Audit Name: DISA Apple macOS 14 Sonoma STIG v2r4
Category: ACCESS CONTROL, IDENTIFICATION AND AUTHENTICATION, SYSTEM AND COMMUNICATIONS PROTECTION
References: 800-53|AC-17(2), 800-53|IA-7, 800-53|SC-8(1), 800-53|SC-13, CAT|I, CCI|CCI-000068, CCI|CCI-000803, CCI|CCI-001453, CCI|CCI-002421, CCI|CCI-002450, Rule-ID|SV-259439r958408_rule, STIG-ID|APPL-14-000057, Vuln-ID|V-259439
Plugin: Unix
Control ID: b934a5a28a49b0ae60ce9a376e67023d8e8e5e6633f6e91cf12cf83eb1da5d5d