Navigate

Check: APPL-11-000054

Apple macOS 11 (Big Sur) STIG: APPL-11-000054 (in versions v1 r8 through v1 r1)

Title

The macOS system must implement approved ciphers to protect the confidentiality of SSH connections. (Cat II impact)

Discussion

Unapproved mechanisms for authentication to the cryptographic module are not verified, and therefore cannot be relied upon to provide confidentiality or integrity, resulting in the compromise of DoD data. Operating systems using encryption are required to use FIPS-compliant mechanisms for authenticating to cryptographic modules. The implementation of OpenSSH that is included with macOS does not use a FIPS 140-2 validated cryptographic module. While the listed ciphers are FIPS 140-2 approved algorithms, the module implementing them has not been validated. By specifying a cipher list with the order of ciphers being in a “strongest to weakest” orientation, the system will automatically attempt to use the strongest cipher for securing SSH connections. Satisfies: SRG-OS-000033-GPOS-00014, SRG-OS-000120-GPOS-00061, SRG-OS-000125-GPOS-00065, SRG-OS-000250-GPOS-00093, SRG-OS-000393-GPOS-00173, SRG-OS-000394-GPOS-00174

Check Content

If SSH is not being used, this is Not Applicable. Inspect the "Ciphers" configuration with the following command: Note: The location of the "sshd_config" file may vary if a different daemon is in use. # /usr/bin/grep "^Ciphers" /etc/ssh/sshd_config Ciphers aes256-ctr,aes192-ctr,aes128-ctr If any ciphers other than "aes256-ctr", "aes192-ctr", or "aes128-ctr" are listed, the order differs from the example above, or the "Ciphers" keyword is missing, this is a finding.

Fix Text

Configure SSH to use secure cryptographic algorithms. To ensure that "Ciphers" set correctly, run the following command: /usr/bin/sudo /usr/bin/grep -q '^Ciphers' /etc/ssh/sshd_config && /usr/bin/sudo /usr/bin/sed -i.bak 's/^Ciphers.*/Ciphers aes256-ctr,aes192-ctr,aes128-ctr/' /etc/ssh/sshd_config || /usr/bin/sudo /usr/bin/sed -i.bak '/.*Ciphers and keying.*/a\'$'\n''Ciphers aes256-ctr,aes192-ctr,aes128-ctr'$'\n' /etc/ssh/sshd_config The SSH service must be restarted for changes to take effect.

Additional Identifiers

Rule ID: SV-230767r877398_rule

Vulnerability ID: V-230767

Group Title: SRG-OS-000033-GPOS-00014

Expert Comments

Expert comments are only available to logged-in users.

CCIs

CCIs tied to check.

Number	Definition
CCI-000068	The information system implements cryptographic mechanisms to protect the confidentiality of remote access sessions.
CCI-000087	The organization disables information system functionality that provides the capability for automatic execution of code on mobile devices without user direction.
CCI-000803	The information system implements mechanisms for authentication to a cryptographic module that meet the requirements of applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance for such authentication.
CCI-002890	The information system implements cryptographic mechanisms to protect the integrity of nonlocal maintenance and diagnostic communications.
CCI-003123	The information system implements cryptographic mechanisms to protect the confidentiality of nonlocal maintenance and diagnostic communications.

Controls

Controls tied to check. These are derived from the CCIs shown above.

Number	Title
AC-17 (2)	Protection Of Confidentiality / Integrity Using Encryption
IA-7	Cryptographic Module Authentication
MA-4 (6)	Cryptographic Protection