Apple macOS 13 (Ventura) STIG Version Comparison
Apple macOS 13 (Ventura) Security Technical Implementation Guide
Comparison
There are 12 differences between versions v1 r1 (May 4, 2023) (the "left" version) and v1 r3 (Oct. 25, 2023) (the "right" version).
Check APPL-13-000057 was added to the benchmark in the "right" version.
Text Differences
Title
The macOS system must implement approved ciphers within the SSH client configuration to protect the confidentiality of SSH connections.
Check Content
Verify the macOS system is configured to use approved SSH ciphers within the SSH client configuration with the following command:

    /usr/bin/sudo /usr/bin/grep -ir "ciphers" /etc/ssh/ssh_config*

    /etc/ssh/ssh_config.d/fips_ssh_config:Ciphers aes128-gcm@openssh.com

If any ciphers other than "aes128-gcm@openssh.com" are listed, or the "ciphers" keyword is missing, this is a finding.
Discussion
Operating systems using encryption are required to use FIPS-compliant mechanisms for authenticating to macOS. For OpenSSH to utilize the Apple Corecrypto FIPS-validated algorithms, a specific configuration is required to leverage the shim implemented by macOS to bypass the non-FIPS validated LibreSSL crypto module packaged with OpenSSH. Information regarding this configuration can be found in the manual page "apple_ssh_and_fips".

Satisfies: SRG-OS-000033-GPOS-00014, SRG-OS-000120-GPOS-00061, SRG-OS-000125-GPOS-00065, SRG-OS-000250-GPOS-00093, SRG-OS-000393-GPOS-00173, SRG-OS-000394-GPOS-00174
Fix
Configure the macOS system to use approved SSH ciphers by creating a plain text file in the /private/etc/ssh/ssh_config.d/ directory containing the following:

    Ciphers aes128-gcm@openssh.com

The SSH service must be restarted for changes to take effect.
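The grep in Check Content is case-insensitive and also matches commented-out lines, so its output still has to be read by hand. The following script is an added example, not part of the STIG text: it applies the finding criteria automatically to the files it is given. The function name audit_ssh_ciphers and the sample files are assumptions made for illustration.

```shell
#!/bin/sh
# Added example (not STIG text): audit SSH client config files for the
# Ciphers requirement of APPL-13-000057.
APPROVED="aes128-gcm@openssh.com"   # the only cipher the check allows

# audit_ssh_ciphers FILE...  (hypothetical helper name)
# Reports each active Ciphers directive. Returns 0 when every directive lists
# only the approved cipher, 1 on a finding (other cipher or keyword missing).
audit_ssh_ciphers() {
    [ "$#" -gt 0 ] || { echo "usage: audit_ssh_ciphers FILE..." >&2; return 2; }
    awk -v approved="$APPROVED" '
        {
            line = $0
            sub(/^[ \t]+/, "", line)
            # Commented-out directives do not count; plain grep matches them.
            if (line == "" || substr(line, 1, 1) == "#") next
            # ssh_config separates keyword and value by whitespace or "=".
            if (match(line, /[ \t=]/) == 0) next
            if (tolower(substr(line, 1, RSTART - 1)) != "ciphers") next
            val = substr(line, RSTART)
            sub(/^[ \t]*=?[ \t]*/, "", val)
            sub(/[ \t]+$/, "", val)
            found++
            n = split(val, list, ",")
            ok = (n > 0)
            for (i = 1; i <= n; i++) if (list[i] != approved) ok = 0
            printf "%s %s:%d Ciphers %s\n", (ok ? "PASS" : "FAIL"), FILENAME, FNR, val
            if (!ok) bad++
        }
        END {
            if (found == 0) { print "FAIL Ciphers keyword missing"; exit 1 }
            exit (bad > 0)
        }
    ' "$@"
}

# Constructed sample input: a compliant drop-in and a non-compliant one.
demo_dir=$(mktemp -d)
printf '%s\n' "Ciphers $APPROVED" > "$demo_dir/good"
printf '%s\n' "# Ciphers $APPROVED" "ciphers=$APPROVED,aes256-ctr" > "$demo_dir/bad"
audit_ssh_ciphers "$demo_dir/good" && echo "good: not a finding"
audit_ssh_ciphers "$demo_dir/bad"  || echo "bad: finding"
rm -rf "$demo_dir"
```

On a real system, pass it the same paths the check greps, for example /etc/ssh/ssh_config and the files under /etc/ssh/ssh_config.d/.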