The macOS system must disable the SSHD service.
DISA Rule
SV-230751r599842_rule
Vulnerability Number
V-230751
Group Title
SRG-OS-000250-GPOS-00093
Rule Version
APPL-11-000011
Severity
CAT II
CCI(s)
- CCI-001453 - The information system implements cryptographic mechanisms to protect the integrity of remote access sessions.
- CCI-000068 - The information system implements cryptographic mechanisms to protect the confidentiality of remote access sessions.
- CCI-002420 - The information system maintains the confidentiality and/or integrity of information during preparation for transmission.
- CCI-002421 - The information system implements cryptographic mechanisms to prevent unauthorized disclosure of information and/or detect changes to information during transmission unless otherwise protected by organization-defined alternative physical safeguards.
- CCI-002422 - The information system maintains the confidentiality and/or integrity of information during reception.
- CCI-002418 - The information system protects the confidentiality and/or integrity of transmitted information.
- CCI-001941 - The information system implements replay-resistant authentication mechanisms for network access to privileged accounts.
- CCI-001942 - The information system implements replay-resistant authentication mechanisms for network access to non-privileged accounts.
- CCI-002890 - The information system implements cryptographic mechanisms to protect the integrity of nonlocal maintenance and diagnostic communications.
- CCI-003123 - The information system implements cryptographic mechanisms to protect the confidentiality of nonlocal maintenance and diagnostic communications.
Weight
10
Fix Recommendation
Disable the "SSHD" service by using the following command:
/usr/bin/sudo /bin/launchctl disable system/com.openssh.sshd
The system may need to be restarted for the update to take effect.
Check Contents
Verify the "SSHD" service is disabled by using the following command:
/bin/launchctl print-disabled system | grep sshd
If the results do not show "com.openssh.sshd => true", this is a finding.
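The check above as a scriptable test, an added example that is not part of the STIG text: it matches the exact label rather than any line containing "sshd" and treats a missing entry as a finding. The function name sshd_check, the quoted-label output form, and the sample text are assumptions constructed for illustration.

```shell
#!/bin/sh
# sshd_check: read `launchctl print-disabled system` output on stdin and apply
# the rule's criterion (com.openssh.sshd => true) to that exact label.
# Prints "pass" or "finding: <reason>"; returns 0 only on pass.
sshd_check() {
    awk '
        # Assumption: the label may be printed with or without double quotes.
        # Strip quotes, split on "=>", and compare the whole label so other
        # labels that merely contain "sshd" are ignored.
        {
            line = $0
            gsub(/"/, "", line)
            n = split(line, f, /[ \t]*=>[ \t]*/)
            if (n != 2) next
            label = f[1]; sub(/^[ \t]+/, "", label)
            value = f[2]; sub(/[ \t]+$/, "", value)
            if (label == "com.openssh.sshd") { seen = 1; state = value }
        }
        END {
            if (!seen)           { print "finding: com.openssh.sshd not listed"; exit 1 }
            if (state != "true") { print "finding: com.openssh.sshd => " state; exit 1 }
            print "pass"
        }'
}

# Constructed sample output (not captured from a real system); the second
# label is a made-up lookalike to show why exact matching matters.
SAMPLE='disabled services = {
	"com.example.sshd-helper" => true
	"com.openssh.sshd" => false
}'

# Demo on the sample: prints "finding: com.openssh.sshd => false".
printf '%s\n' "$SAMPLE" | sshd_check || true

# On a managed Mac, feed it the real command from the check:
#   /bin/launchctl print-disabled system | sshd_check
```
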
Documentable
False
Severity Override Guidance
Verify the "SSHD" service is disabled by using the following command:
/bin/launchctl print-disabled system | grep sshd
If the results do not show "com.openssh.sshd => true", this is a finding.
Check Content Reference
M
Target Key
5246