The macOS system must implement DoD-approved encryption to protect the confidentiality and integrity of remote access sessions, including transmitted data and data during preparation for transmission, and use replay-resistant authentication mechanisms and implement cryptographic mechanisms to protect the integrity of and verify remote disconnection at the termination of nonlocal maintenance and diagnostic communications.
DISA Rule
SV-225126r610901_rule
Vulnerability Number
V-225126
Group Title
SRG-OS-000250-GPOS-00093
Rule Version
AOSX-15-000011
Severity
CAT II
CCI(s)
- CCI-001453 - The information system implements cryptographic mechanisms to protect the integrity of remote access sessions.
- CCI-000068 - The information system implements cryptographic mechanisms to protect the confidentiality of remote access sessions.
- CCI-001941 - The information system implements replay-resistant authentication mechanisms for network access to privileged accounts.
- CCI-001942 - The information system implements replay-resistant authentication mechanisms for network access to non-privileged accounts.
- CCI-002418 - The information system protects the confidentiality and/or integrity of transmitted information.
- CCI-002420 - The information system maintains the confidentiality and/or integrity of information during preparation for transmission.
- CCI-002421 - The information system implements cryptographic mechanisms to prevent unauthorized disclosure of information and/or detect changes to information during transmission unless otherwise protected by organization-defined alternative physical safeguards.
- CCI-002422 - The information system maintains the confidentiality and/or integrity of information during reception.
- CCI-002890 - The information system implements cryptographic mechanisms to protect the integrity of nonlocal maintenance and diagnostic communications.
- CCI-003123 - The information system implements cryptographic mechanisms to protect the confidentiality of nonlocal maintenance and diagnostic communications.
Weight
10
Fix Recommendation
To update SSHD to the minimum required version, run Software Update to update to the latest version of macOS.
To enable the SSHD service, run the following command:
/usr/bin/sudo /bin/launchctl enable system/com.openssh.sshd
The system may need to be restarted for the update to take effect.
Check Contents
To verify that the installed version of SSH is correct, run the following command:
ssh -V
If the string that is returned does not include "OpenSSH_7.9p1" or greater, this is a finding.
To check if the "SSHD" service is enabled, use the following command:
/usr/bin/sudo launchctl print-disabled system | grep sshd
If the results do not include "com.openssh.sshd => false", this is a finding.
To check that "SSHD" is currently running, use the following command:
/usr/bin/sudo launchctl print system/com.openssh.sshd
If the result is the following, this is a finding:
"Could not find service "com.openssh.sshd" in domain for system"
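The three checks above, as an added shell script that is not part of the STIG text: each check is a function that takes the captured command output as its argument, so the parsing can be exercised on any POSIX shell without a Mac; the output formats are assumed from the wording of the Check Contents, the sample outputs at the bottom are constructed, and the live audit only runs on a Darwin host.

```shell
#!/bin/sh
# Added example, not part of the STIG: each AOSX-15-000011 check takes the
# captured command output as an argument, so the parsing can be exercised on
# any POSIX shell without a Mac. Output formats are assumed from the STIG text.

# check_ssh_version "<output of ssh -V>": 0 if OpenSSH is 7.9 or newer.
check_ssh_version() {
    # Banner looks like "OpenSSH_8.1p1, LibreSSL 2.7.3"; extract major/minor.
    ver=$(printf '%s\n' "$1" | sed -n 's/^OpenSSH_\([0-9]\{1,\}\)\.\([0-9]\{1,\}\).*/\1 \2/p')
    [ -n "$ver" ] || return 1      # no OpenSSH banner at all: finding
    major=${ver%% *}
    minor=${ver##* }
    [ "$major" -gt 7 ] && return 0 # numeric compare, so 10.x passes against 7.9
    [ "$major" -eq 7 ] && [ "$minor" -ge 9 ]
}

# check_sshd_enabled "<output of launchctl print-disabled system>": 0 if the
# service line reads "com.openssh.sshd" => false (quotes optional).
check_sshd_enabled() {
    printf '%s\n' "$1" | grep -Eq '"?com\.openssh\.sshd"? => false'
}

# check_sshd_loaded "<output of launchctl print system/com.openssh.sshd>": 0
# unless launchd reports that the service could not be found.
check_sshd_loaded() {
    ! printf '%s\n' "$1" | grep -q 'Could not find service'
}

# Live audit using the commands from the Check Contents; returns 1 on any finding.
audit_sshd() {
    rc=0
    check_ssh_version "$(ssh -V 2>&1)" && echo "PASS OpenSSH version" || { echo "FINDING OpenSSH version"; rc=1; }
    check_sshd_enabled "$(/usr/bin/sudo launchctl print-disabled system 2>&1)" && echo "PASS sshd enabled" || { echo "FINDING sshd disabled"; rc=1; }
    check_sshd_loaded "$(/usr/bin/sudo launchctl print system/com.openssh.sshd 2>&1)" && echo "PASS sshd loaded" || { echo "FINDING sshd not loaded"; rc=1; }
    return $rc
}

# Constructed sample outputs (not captured from a real host) for off-box testing.
SAMPLE_SSH_V='OpenSSH_8.1p1, LibreSSL 2.7.3'
SAMPLE_DISABLED='disabled services = {
    "com.apple.tftpd" => true
    "com.openssh.sshd" => false
}'
SAMPLE_NOT_LOADED='Could not find service "com.openssh.sshd" in domain for system'

# Only run the live audit on macOS; elsewhere the functions are just defined.
[ "$(uname 2>/dev/null)" = Darwin ] && audit_sshd
```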
Severity Override Guidance
Check Content Reference
M
Target Key
4212
Comments