Check: AOSX-14-000056
Apple OS X 10.14 (Mojave) STIG:
AOSX-14-000056
(in versions v2 r6 through v2 r2)
Title
The macOS system must implement an approved Key Exchange Algorithm. (Cat II impact)
Discussion
Unapproved mechanisms for authentication to the cryptographic module are not verified, and therefore cannot be relied upon to provide confidentiality or integrity, resulting in the compromise of DoD data. Operating systems using encryption are required to use FIPS-compliant mechanisms for authenticating to cryptographic modules. The implementation of OpenSSH that is included with macOS does not utilize a FIPS 140-2 validated cryptographic module. While the listed Key Exchange Algorithms are FIPS 140-2 approved, the module implementing them has not been validated. By specifying a Key Exchange Algorithm list with the order of hashes being in a “strongest to weakest” orientation, the system will automatically attempt to use the strongest Key Exchange Algorithm for securing SSH connections. Satisfies: SRG-OS-000033-GPOS-00014, SRG-OS-000120-GPOS-00061, SRG-OS-000125-GPOS-00065, SRG-OS-000250-GPOS-00093, SRG-OS-000393-GPOS-00173, SRG-OS-000394-GPOS-00174
Check Content
If SSH is not being used, this is Not Applicable. Inspect the "KexAlgorithms" configuration with the following command: Note: The location of the "sshd_config" file may vary if a different daemon is in use. /usr/bin/grep "^KexAlgorithms" /etc/ssh/sshd_config KexAlgorithms diffie-hellman-group-exchange-sha256 If any algorithm other than "diffie-hellman-group-exchange-sha256" is listed or the "KexAlgorithms" keyword is missing, this is a finding.
Fix Text
Configure SSH to use a secure Key Exchange Algorithm. To ensure that "KexAlgorithms" set correctly, run the following command: /usr/bin/sudo /usr/bin/grep -q '^KexAlgorithms' /etc/ssh/sshd_config && /usr/bin/sudo /usr/bin/sed -i.bak 's/^KexAlgorithms.*/KexAlgorithms diffie-hellman-group-exchange-sha256/' /etc/ssh/sshd_config || /usr/bin/sudo /usr/bin/sed -i.bak '/.*Ciphers and keying.*/a\'$'\n''KexAlgorithms diffie-hellman-group-exchange-sha256'$'\n' /etc/ssh/sshd_config The SSH service must be restarted for changes to take effect.
Additional Identifiers
Rule ID: SV-233775r610285_rule
Vulnerability ID: V-233775
Group Title: SRG-OS-000033-GPOS-00014
Expert Comments
CCIs
Number | Definition |
---|---|
CCI-000068 |
The information system implements cryptographic mechanisms to protect the confidentiality of remote access sessions. |
CCI-000803 |
The information system implements mechanisms for authentication to a cryptographic module that meet the requirements of applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance for such authentication. |
CCI-000877 |
The organization employs strong authenticators in the establishment of nonlocal maintenance and diagnostic sessions. |
CCI-002890 |
The information system implements cryptographic mechanisms to protect the integrity of nonlocal maintenance and diagnostic communications. |
CCI-003123 |
The information system implements cryptographic mechanisms to protect the confidentiality of nonlocal maintenance and diagnostic communications. |