STIGQter: STIG Summary: Apple OS X 10.15 (Catalina) Security Technical Implementation Guide Version: 1 Release: 4 Benchmark Date: 23 Apr 2021:

The macOS system must implement approved Ciphers to protect the confidentiality of SSH connections..

DISA Rule

SV-233776r610901_rule

Vulnerability Number

V-233776

Group Title

SRG-OS-000033-GPOS-00014

Rule Version

AOSX-15-000054

Severity

CAT II

CCI(s)

• CCI-000068 - The information system implements cryptographic mechanisms to protect the confidentiality of remote access sessions.
• CCI-000877 - The organization employs strong authenticators in the establishment of nonlocal maintenance and diagnostic sessions.
• CCI-000803 - The information system implements mechanisms for authentication to a cryptographic module that meet the requirements of applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance for such authentication.
• CCI-002890 - The information system implements cryptographic mechanisms to protect the integrity of nonlocal maintenance and diagnostic communications.
• CCI-003123 - The information system implements cryptographic mechanisms to protect the confidentiality of nonlocal maintenance and diagnostic communications.

Weight

10

Fix Recommendation

Configure SSH to use secure cryptographic algorithms.

To ensure that "Ciphers" set correctly, run the following command:

/usr/bin/sudo /usr/bin/grep -q '^Ciphers' /etc/ssh/sshd_config && /usr/bin/sudo /usr/bin/sed -i.bak 's/^Ciphers.*/Ciphers aes256-ctr,aes192-ctr,aes128-ctr/' /etc/ssh/sshd_config || /usr/bin/sudo /usr/bin/sed -i.bak '/.*Ciphers and keying.*/a\'$'\n''Ciphers aes256-ctr,aes192-ctr,aes128-ctr'$'\n' /etc/ssh/sshd_config

The SSH service must be restarted for changes to take effect.

Check Contents

If SSH is not being used, this is Not Applicable.

Inspect the "Ciphers" configuration with the following command:
Note: The location of the "sshd_config" file may vary if a different daemon is in use.

# /usr/bin/grep "^Ciphers" /etc/ssh/sshd_config

Ciphers aes256-ctr,aes192-ctr,aes128-ctr

If any ciphers other than "aes256-ctr", "aes192-ctr", or "aes128-ctr" are listed, the order differs from the example above, or the "Ciphers" keyword is missing, this is a finding.

Vulnerability Number

V-233776

Documentable

False

Rule Version

AOSX-15-000054

Severity Override Guidance

If SSH is not being used, this is Not Applicable.

Inspect the "Ciphers" configuration with the following command:
Note: The location of the "sshd_config" file may vary if a different daemon is in use.

# /usr/bin/grep "^Ciphers" /etc/ssh/sshd_config

Ciphers aes256-ctr,aes192-ctr,aes128-ctr

If any ciphers other than "aes256-ctr", "aes192-ctr", or "aes128-ctr" are listed, the order differs from the example above, or the "Ciphers" keyword is missing, this is a finding.

Check Content Reference

M

Target Key

4212

Comments