Check: APPL-15-000054
Apple macOS 15 (Sequoia) STIG: APPL-15-000054 (in versions v1 r3 through v1 r1)
Title
The macOS system must limit SSHD to FIPS-compliant connections. (Cat I impact)
Discussion
If SSHD is enabled, it must be configured to limit the Ciphers, HostbasedAcceptedAlgorithms, HostKeyAlgorithms, KexAlgorithms, MACs, PubkeyAcceptedAlgorithms, and CASignatureAlgorithms settings to algorithms that are FIPS 140 validated. FIPS 140-2/140-3 is the current standard for validating that mechanisms used to access cryptographic modules use authentication that meets federal requirements. Operating systems using encryption must use FIPS-validated mechanisms for authenticating to cryptographic modules.

NOTE: For more information on FIPS compliance with the version of SSHD included in macOS, see the manual page apple_ssh_and_fips.

Satisfies: SRG-OS-000033-GPOS-00014, SRG-OS-000120-GPOS-00061, SRG-OS-000250-GPOS-00093, SRG-OS-000393-GPOS-00173, SRG-OS-000394-GPOS-00174, SRG-OS-000396-GPOS-00176, SRG-OS-000424-GPOS-00188, SRG-OS-000478-GPOS-00223
Check Content
Verify the macOS system is configured to limit SSHD to FIPS-compliant connections with the following command (the STIG script relies on zsh, the macOS default shell, expanding `$fips_sshd_config` to every array element; the `"${fips_sshd_config[@]}"` form below behaves the same in zsh and also works in bash):

```sh
fips_sshd_config=(
  "Ciphers aes128-gcm@openssh.com"
  "HostbasedAcceptedAlgorithms ecdsa-sha2-nistp256,ecdsa-sha2-nistp256-cert-v01@openssh.com"
  "HostKeyAlgorithms ecdsa-sha2-nistp256-cert-v01@openssh.com,sk-ecdsa-sha2-nistp256-cert-v01@openssh.com,ecdsa-sha2-nistp256,sk-ecdsa-sha2-nistp256@openssh.com"
  "KexAlgorithms ecdh-sha2-nistp256"
  "MACs hmac-sha2-256-etm@openssh.com,hmac-sha2-256"
  "PubkeyAcceptedAlgorithms ecdsa-sha2-nistp256,ecdsa-sha2-nistp256-cert-v01@openssh.com,sk-ecdsa-sha2-nistp256-cert-v01@openssh.com"
  "CASignatureAlgorithms ecdsa-sha2-nistp256,sk-ecdsa-sha2-nistp256@openssh.com"
)
total=0
# sshd -G dumps the effective configuration (keywords in lowercase, hence grep -i);
# each required directive that appears in the dump adds one to the total.
for config in "${fips_sshd_config[@]}"; do
  total=$(expr $(/usr/sbin/sshd -G | /usr/bin/grep -i -c "$config") + $total)
done
echo $total
```

If the result is not "7", this is a finding.
Fix Text
Configure the macOS system to limit SSHD to FIPS-compliant connections with the following command:

```sh
/bin/ln -fs /etc/ssh/crypto/fips.conf /etc/ssh/crypto.conf
```
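The check above counts substring matches with `grep -i -c`, so a directive whose value merely contains the required list (for example a Ciphers line with extra entries appended) would still be counted. The following is an added example, not the STIG's own script, that compares each of the seven directives against an `sshd -G`-style dump with an exact value match and names the ones that differ. The function name `fips_sshd_matches` and the two sample dumps are assumptions made for this example; on a live host you would pass the real output of `/usr/sbin/sshd -G` instead of the sample.

```shell
#!/bin/sh
# Added example (not part of the STIG text): exact, per-directive comparison of an
# `sshd -G` dump against the seven FIPS values listed in the check.
# fips_sshd_matches and the sample dumps below are assumptions for this example.
# Live host usage: fips_sshd_matches "$(/usr/sbin/sshd -G)"

# Required keyword/value pairs from the STIG check. sshd -G prints keywords in
# lowercase, so they are written in lowercase here as well.
FIPS_SSHD_CONFIG='ciphers aes128-gcm@openssh.com
hostbasedacceptedalgorithms ecdsa-sha2-nistp256,ecdsa-sha2-nistp256-cert-v01@openssh.com
hostkeyalgorithms ecdsa-sha2-nistp256-cert-v01@openssh.com,sk-ecdsa-sha2-nistp256-cert-v01@openssh.com,ecdsa-sha2-nistp256,sk-ecdsa-sha2-nistp256@openssh.com
kexalgorithms ecdh-sha2-nistp256
macs hmac-sha2-256-etm@openssh.com,hmac-sha2-256
pubkeyacceptedalgorithms ecdsa-sha2-nistp256,ecdsa-sha2-nistp256-cert-v01@openssh.com,sk-ecdsa-sha2-nistp256-cert-v01@openssh.com
casignaturealgorithms ecdsa-sha2-nistp256,sk-ecdsa-sha2-nistp256@openssh.com'

# fips_sshd_matches "<sshd -G output>"
# Prints the number of directives (0..7) whose effective value is exactly the
# required value. Every mismatch or missing directive is reported on stderr.
fips_sshd_matches() {
    dump=$1
    total=0
    while IFS=' ' read -r key want; do
        # Effective value of this keyword in the dump (first occurrence wins).
        got=$(printf '%s\n' "$dump" | awk -v k="$key" 'tolower($1) == k { print $2; exit }')
        if [ "$got" = "$want" ]; then
            total=$((total + 1))
        else
            printf 'FINDING: %s is "%s", required "%s"\n' "$key" "${got:-<unset>}" "$want" >&2
        fi
    done <<EOF
$FIPS_SSHD_CONFIG
EOF
    echo "$total"
}

# Constructed sample of sshd -G output from a host where the fix has been applied.
SAMPLE_COMPLIANT='port 22
ciphers aes128-gcm@openssh.com
macs hmac-sha2-256-etm@openssh.com,hmac-sha2-256
kexalgorithms ecdh-sha2-nistp256
hostkeyalgorithms ecdsa-sha2-nistp256-cert-v01@openssh.com,sk-ecdsa-sha2-nistp256-cert-v01@openssh.com,ecdsa-sha2-nistp256,sk-ecdsa-sha2-nistp256@openssh.com
hostbasedacceptedalgorithms ecdsa-sha2-nistp256,ecdsa-sha2-nistp256-cert-v01@openssh.com
pubkeyacceptedalgorithms ecdsa-sha2-nistp256,ecdsa-sha2-nistp256-cert-v01@openssh.com,sk-ecdsa-sha2-nistp256-cert-v01@openssh.com
casignaturealgorithms ecdsa-sha2-nistp256,sk-ecdsa-sha2-nistp256@openssh.com'

# Constructed sample whose Ciphers line has an extra entry appended. The STIG's
# substring grep would still count this line; the exact comparison does not.
SAMPLE_FINDING=$(printf '%s\n' "$SAMPLE_COMPLIANT" | sed 's/^ciphers .*/ciphers aes128-gcm@openssh.com,aes256-gcm@openssh.com/')

fips_sshd_matches "$SAMPLE_COMPLIANT"   # 7
fips_sshd_matches "$SAMPLE_FINDING"     # 6, plus one FINDING line on stderr
```

Because the dump is read once into a variable, the function can also be run against saved `sshd -G` output collected during an assessment, and the per-directive findings on stderr tell you which line of the fix profile has not taken effect.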
Additional Identifiers
Rule ID: SV-268438r1034254_rule
Vulnerability ID: V-268438
Group Title: SRG-OS-000033-GPOS-00014
CCIs
Number | Definition |
---|---|
CCI-000068 | Implement cryptographic mechanisms to protect the confidentiality of remote access sessions. |
CCI-000803 | Implement mechanisms for authentication to a cryptographic module that meet the requirements of applicable laws, Executive Orders, directives, policies, regulations, standards, and guidance for such authentication. |
CCI-001453 | Implement cryptographic mechanisms to protect the integrity of remote access sessions. |
CCI-002421 | Implement cryptographic mechanisms to prevent unauthorized disclosure of information and/or detect changes to information during transmission. |
CCI-002450 | Implement organization-defined types of cryptography for each specified cryptography use. |
CCI-002890 | Implement organization-defined cryptographic mechanisms to protect the integrity of nonlocal maintenance and diagnostic communications. |
CCI-003123 | Implement organization-defined cryptographic mechanisms to protect the confidentiality of nonlocal maintenance and diagnostic communications. |
Controls
Number | Title |
---|---|
AC-17(2) | Protection of Confidentiality / Integrity Using Encryption |
IA-7 | Cryptographic Module Authentication |
MA-4(6) | Cryptographic Protection |
SC-8(1) | Cryptographic or Alternate Physical Protection |
SC-13 | Cryptographic Protection |