The macOS system must implement DoD-approved encryption to protect the confidentiality and integrity of remote access sessions including transmitted data and data during preparation for transmission. (Cat I impact)
Without confidentiality and integrity protection mechanisms, unauthorized individuals may gain access to sensitive information via a remote access session. Remote access is access to DoD non-public information systems by an authorized user (or an information system) communicating through an external, non-organization-controlled network. Remote access methods include, for example, dial-up, broadband, and wireless. Encryption provides a means to secure the remote connection to prevent unauthorized access to the data traversing the remote access connection (e.g., Remote Desktop Protocol [RDP]), thereby providing a degree of confidentiality. The encryption strength of a mechanism is selected based on the security categorization of the information. SSHD should be enabled to facilitate secure remote access. Satisfies: SRG-OS-000033-GPOS-00014, SRG-OS-000423-GPOS-00187, SRG-OS-000424-GPOS-00188
To verify that the installed version of SSH is correct, run the following command:

ssh -V

If the string that is returned does not include "OpenSSH_7.9p1" or greater, this is a finding.

To check if the "SSHD" service is enabled, use the following command:

/usr/bin/sudo launchctl print-disabled system | grep sshd

If the results do not show "com.openssh.sshd => false", this is a finding.

To check that "SSHD" is currently running, use the following command:

/usr/bin/sudo launchctl print system/com.openssh.sshd

If the result is the following, "Could not find service "com.openssh.sshd" in domain for system", this is a finding.
To update SSHD to the minimum required version, run Software Update to update to the latest version of macOS.

To enable the SSHD service, run the following command:

/usr/bin/sudo /bin/launchctl enable system/com.openssh.sshd

The system may need to be restarted for the update to take effect.
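The three checks above, written as one audit script. This is an added example and not part of the STIG text or any DoD tool: the function names (ssh_version_ok, sshd_enabled, sshd_running, audit_sshd) are assumptions, and the sample command outputs embedded in it are constructed approximations rather than captures from a real host. It goes slightly beyond the check text in one respect: "OpenSSH_7.9p1 or greater" is evaluated by comparing the major and minor version numbers, because a plain string match on "OpenSSH_7.9p1" would report a finding on 8.x and 10.x hosts. On a macOS system it runs the live commands from the rule; anywhere else it evaluates the constructed samples.

```shell
#!/bin/sh
# Added example (not from the STIG): evaluate the three checks of this rule
# against command output passed in as strings, so the decision logic can be
# exercised offline and then pointed at a live macOS host.

# ssh_version_ok OUTPUT_OF_ssh_V
# Returns 0 when OUTPUT names OpenSSH 7.9 or newer. Major/minor are compared
# numerically; a literal match on "OpenSSH_7.9p1" would miss 8.x and 10.x.
ssh_version_ok() {
    ver=$(printf '%s\n' "$1" \
        | sed -n 's/.*OpenSSH_\([0-9][0-9]*\)\.\([0-9][0-9]*\).*/\1 \2/p' \
        | head -n 1)
    if [ -z "$ver" ]; then return 1; fi   # no OpenSSH_X.Y token: finding
    major=${ver%% *}
    minor=${ver##* }
    if [ "$major" -gt 7 ]; then return 0; fi
    if [ "$major" -eq 7 ] && [ "$minor" -ge 9 ]; then return 0; fi
    return 1
}

# sshd_enabled OUTPUT_OF_launchctl_print_disabled
# Returns 0 when the service is listed as not disabled ("com.openssh.sshd" => false).
sshd_enabled() {
    printf '%s\n' "$1" | grep -Eq '"?com\.openssh\.sshd"? => false'
}

# sshd_running OUTPUT_OF_launchctl_print
# Returns 0 unless launchd reports the service is not loaded (or output is empty).
sshd_running() {
    if [ -z "$1" ]; then return 1; fi
    ! printf '%s\n' "$1" | grep -q 'Could not find service "com.openssh.sshd"'
}

# audit_sshd SSH_V_OUTPUT PRINT_DISABLED_OUTPUT PRINT_OUTPUT
# Prints one PASS/FINDING line per check; the exit status is the number of findings.
audit_sshd() {
    findings=0
    if ssh_version_ok "$1"; then
        echo "PASS:    OpenSSH version is 7.9p1 or later ($1)"
    else
        echo "FINDING: OpenSSH older than 7.9p1 or version not recognised ($1)"
        findings=$((findings + 1))
    fi
    if sshd_enabled "$2"; then
        echo "PASS:    com.openssh.sshd is enabled"
    else
        echo "FINDING: com.openssh.sshd is disabled (fix: sudo launchctl enable system/com.openssh.sshd)"
        findings=$((findings + 1))
    fi
    if sshd_running "$3"; then
        echo "PASS:    com.openssh.sshd is loaded in the system domain"
    else
        echo "FINDING: com.openssh.sshd is not loaded in the system domain"
        findings=$((findings + 1))
    fi
    return "$findings"
}

# Constructed sample outputs (approximations of what a compliant host prints;
# not captured from a real system).
SAMPLE_SSH_V='OpenSSH_8.6p1, LibreSSL 3.3.6'
SAMPLE_DISABLED='disabled services = {
    "com.apple.ftpd" => true
    "com.openssh.sshd" => false
}'
SAMPLE_PRINT='system/com.openssh.sshd = {
    state = running
}'

if [ "$(uname 2>/dev/null)" = Darwin ] && command -v launchctl >/dev/null 2>&1; then
    # Live mode: ssh -V writes its banner to stderr, and launchctl reports a
    # missing service on stderr, so both streams are captured.
    audit_sshd "$(ssh -V 2>&1)" \
               "$(/usr/bin/sudo launchctl print-disabled system 2>&1)" \
               "$(/usr/bin/sudo launchctl print system/com.openssh.sshd 2>&1)"
else
    audit_sshd "$SAMPLE_SSH_V" "$SAMPLE_DISABLED" "$SAMPLE_PRINT"
fi
```

The exit status doubles as the finding count, so the script can be dropped into a fleet check that treats any non-zero status as a failed rule; an unparseable ssh -V banner is deliberately counted as a finding rather than ignored.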
Rule ID: SV-209530r610285_rule
Vulnerability ID: V-209530
Group Title: SRG-OS-000250-GPOS-00093
The information system implements cryptographic mechanisms to protect the confidentiality of remote access sessions.
The information system implements cryptographic mechanisms to protect the integrity of remote access sessions.
The information system protects the confidentiality and/or integrity of transmitted information.
The information system maintains the confidentiality and/or integrity of information during preparation for transmission.
The information system implements cryptographic mechanisms to prevent unauthorized disclosure of information and/or detect changes to information during transmission unless otherwise protected by organization-defined alternative physical safeguards.
The information system maintains the confidentiality and/or integrity of information during reception.
Protection Of Confidentiality / Integrity Using Encryption
Transmission Confidentiality And Integrity
Cryptographic Or Alternate Physical Protection
Pre / Post Transmission Handling