The macOS system must limit SSH to FIPS-compliant connections.

An XCCDF Rule

Description

<VulnDiscussion>SSH must be configured to limit the Ciphers, HostbasedAcceptedAlgorithms, HostKeyAlgorithms, KexAlgorithms, MACs, PubkeyAcceptedAlgorithms, CASignatureAlgorithms to algorithms that are FIPS-140 validated. FIPS 140-3 is the current standard for validating that mechanisms used to access cryptographic modules use authentication that meets federal requirements. Operating systems using encryption must use FIPS-validated mechanisms for authenticating to cryptographic modules. NOTE: For more information on FIPS compliance with the version of SSH included in the macOS, the manual page apple_ssh_and_fips has additional information. Satisfies: SRG-OS-000033-GPOS-00014, SRG-OS-000120-GPOS-00061, SRG-OS-000250-GPOS-00093, SRG-OS-000396-GPOS-00176, SRG-OS-000424-GPOS-00188, SRG-OS-000478-GPOS-00223</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>

ID: SV-268439r1034803_rule
Severity: High
References: CCI-000068 CCI-000803 CCI-001453 CCI-002421 CCI-002450
Updated: 16 days ago

Configure the macOS system to limit SSH to FIPS-compliant connections with the following command:

  if [ -f /etc/ssh/crypto.conf ] && /usr/bin/grep -q "Include /etc/ssh/crypto.conf" /etc/ssh/ssh_config.d/100-macos.conf 2>/dev/null; then
    /bin/ln -fs /etc/ssh/crypto/fips.conf /etc/ssh/crypto.conf
  fi
  include_dir=$(/usr/bin/awk '/^Include/ {print $2}' /etc/ssh/ssh_config | /usr/bin/tr -d '*')  
  fips_ssh_config=("Ciphers aes128-gcm@openssh.com" "HostbasedAcceptedAlgorithms ecdsa-sha2-nistp256,ecdsa-sha2-nistp256-cert-v01@openssh.com" "HostKeyAlgorithms ecdsa-sha2-nistp256-cert-v01@openssh.com,sk-ecdsa-sha2-nistp256-cert-v01@openssh.com,ecdsa-sha2-nistp256,sk-ecdsa-sha2-nistp256@openssh.com" "KexAlgorithms ecdh-sha2-nistp256" "MACs hmac-sha2-256-etm@openssh.com,hmac-sha2-256" "PubkeyAcceptedAlgorithms ecdsa-sha2-nistp256,ecdsa-sha2-nistp256-cert-v01@openssh.com,sk-ecdsa-sha2-nistp256-cert-v01@openssh.com" "CASignatureAlgorithms ecdsa-sha2-nistp256,sk-ecdsa-sha2-nistp256@openssh.com")
  for ssh_config in $fips_ssh_config; do
    ssh_setting=$(echo $ssh_config | /usr/bin/cut -d " " -f1)
    /usr/bin/grep -qEi "^$ssh_setting" "${include_dir}01-mscp-ssh.conf" && /usr/bin/sed -i "" "s/^$ssh_setting.*/${ssh_config}/" "${include_dir}01-mscp-ssh.conf" || echo "$ssh_config" >> "${include_dir}01-mscp-ssh.conf"
    for u in $(/usr/bin/dscl . list /users shell | /usr/bin/egrep -v '(^_)|(root)|(/usr/bin/false)' | /usr/bin/awk '{print $1}'); do
      config=$(/usr/bin/sudo -u $u /usr/bin/ssh -Gv . 2>&1)
      configfiles=$(echo "$config" | /usr/bin/awk '/Reading configuration data/ {print $NF}'| /usr/bin/tr -d '\r')
      configarray=( ${(f)configfiles} )
      if ! echo $config | /usr/bin/grep -q -i "$ssh_config" ; then
        for c in $configarray; do
          if [[ "$c" == "/etc/ssh/crypto.conf" ]]; then
            continue
          fi
          
          /usr/bin/sudo -u $u /usr/bin/grep -qEi "^$ssh_setting" "$c" && /usr/bin/sed -i "" "s/^$ssh_setting.*/${ssh_config}/I" "$c"
          if [[ "$c" =~ ".ssh/config" ]]; then
            if /usr/bin/grep -qEi "$ssh_setting" "$c" 2> /dev/null; then
              old_file=$(cat ~$u/.ssh/config)
              echo "$ssh_config" > ~$u/.ssh/config
              echo "$old_file" >> ~$u/.ssh/config
            fi
          fi
        done
      fi
    done
  done

The macOS system must limit SSH to FIPS-compliant connections.

Description

Remediation - Manual Procedure