STIGQter: STIG Summary: Apple OS X 10.14 (Mojave) Security Technical Implementation Guide, Version 2, Release 3, Benchmark Date: 23 Apr 2021

The macOS system must use replay-resistant authentication mechanisms and implement cryptographic mechanisms to protect the integrity of and verify remote disconnection at the termination of nonlocal maintenance and diagnostic communications, when used for nonlocal maintenance sessions.

DISA Rule

SV-209544r610285_rule

Vulnerability Number

V-209544

Group Title

SRG-OS-000393-GPOS-00173

Rule Version

AOSX-14-000040

Severity

CAT II

CCI(s)

Weight

10

Fix Recommendation

To update SSHD to the minimum required version, run Software Update to update to the latest version of macOS.

To enable the SSHD service, run the following command:

/usr/bin/sudo /bin/launchctl enable system/com.openssh.sshd

The system may need to be restarted for the update to take effect.

Check Contents

To verify that the installed version of SSH is correct, run the following command:

ssh -V

If the string that is returned does not include "OpenSSH_7.9p1" or greater, this is a finding.

To check whether the "SSHD" service is enabled, use the following command:

/usr/bin/sudo launchctl print-disabled system | grep sshd

If the results do not show "com.openssh.sshd => false", this is a finding.

To check that "SSHD" is currently running, use the following command:

/usr/bin/sudo launchctl print system/com.openssh.sshd

If the result is "Could not find service "com.openssh.sshd" in domain for system", this is a finding.
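The three checks above can be scripted so the result is a single pass/finding verdict. The script below is an added example, not part of the STIG or of STIGQter: the parsing functions take command output as arguments so they can be exercised on any platform, and the live commands are only run on macOS. Two practical details it accounts for: "ssh -V" writes its banner to stderr, so the capture needs "2>&1", and "launchctl print-disabled" prints the label in double quotes ("com.openssh.sshd" => false), so a literal search for the unquoted string in the check text would miss it. The sample outputs embedded in the script are constructed for illustration, not captured from a real host.

```shell
#!/bin/sh
# Added example: automate the AOSX-14-000040 checks (OpenSSH >= 7.9p1,
# sshd enabled, sshd loaded). Not DISA or STIGQter code.

# Return 0 if an "ssh -V" banner reports OpenSSH 7.9 or newer.
# Note: ssh -V prints to stderr; capture it with "ssh -V 2>&1".
ssh_version_ok() {
    ssh_ver=$(printf '%s\n' "$1" |
        sed -n 's/^OpenSSH_\([0-9]\{1,\}\)\.\([0-9]\{1,\}\).*/\1 \2/p')
    [ -n "$ssh_ver" ] || return 1          # banner not recognised
    ssh_major=${ssh_ver% *}
    ssh_minor=${ssh_ver#* }
    if [ "$ssh_major" -gt 7 ]; then return 0; fi
    if [ "$ssh_major" -eq 7 ] && [ "$ssh_minor" -ge 9 ]; then return 0; fi
    return 1
}

# Return 0 if "launchctl print-disabled system" output lists sshd as
# not disabled ("com.openssh.sshd" => false). An absent entry or
# "=> true" is a finding.
sshd_enabled() {
    printf '%s\n' "$1" | grep 'com\.openssh\.sshd' | grep -q '=> false'
}

# Return 0 if "launchctl print system/com.openssh.sshd" found the
# service, i.e. the output is not the "Could not find service" error
# (which launchctl writes to stderr, hence 2>&1 when capturing).
sshd_loaded() {
    if printf '%s\n' "$1" | grep -q 'Could not find service'; then
        return 1
    fi
    return 0
}

# Evaluate all three checks from captured outputs. Prints one line per
# check; the return value is the number of findings (0 = compliant).
evaluate() {
    findings=0
    if ssh_version_ok "$1"; then echo "PASS: OpenSSH 7.9p1 or newer"
    else echo "FINDING: OpenSSH older than 7.9p1 or banner unparsable"; findings=$((findings + 1)); fi
    if sshd_enabled "$2"; then echo "PASS: com.openssh.sshd is enabled"
    else echo "FINDING: com.openssh.sshd is not enabled"; findings=$((findings + 1)); fi
    if sshd_loaded "$3"; then echo "PASS: com.openssh.sshd is loaded"
    else echo "FINDING: com.openssh.sshd is not loaded"; findings=$((findings + 1)); fi
    return "$findings"
}

# Constructed sample outputs (not from a real host) in the format the
# three commands produce, used when the script runs off-macOS.
SAMPLE_SSH_V='OpenSSH_7.9p1, LibreSSL 2.7.3'
SAMPLE_PRINT_DISABLED='disabled services = {
	"com.example.placeholder" => true
	"com.openssh.sshd" => false
}'
SAMPLE_PRINT_SSHD='com.openssh.sshd = {
	active count = 1
	state = running
}'

if [ "$(uname)" = Darwin ]; then
    # Live checks, as the STIG specifies them.
    evaluate "$(ssh -V 2>&1)" \
             "$(/usr/bin/sudo launchctl print-disabled system)" \
             "$(/usr/bin/sudo launchctl print system/com.openssh.sshd 2>&1)"
else
    evaluate "$SAMPLE_SSH_V" "$SAMPLE_PRINT_DISABLED" "$SAMPLE_PRINT_SSHD"
fi
```

On a compliant Mojave host the script prints three PASS lines and exits 0; any FINDING line maps directly to one of the three conditions in the check text, and the non-zero exit code lets the script be dropped into a compliance job that records the result.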

Documentable

False

Severity Override Guidance

Check Content Reference

M

Target Key

2930

Comments