CCI-000068 in U Apple macOS 13 V1R4


UNCLASSIFIED
Group Title
SRG-OS-000033-GPOS-00014
Group ID
V-257165
Rule Version
APPL-13-000054
Rule Title
The macOS system must implement approved ciphers within the SSH server configuration to protect the confidentiality of SSH connections.
Rule ID
SV-257165r919351_rule
Rule Severity
High
Rule Weight
10.0
Vuln Discussion

Operating systems using encryption are required to use FIPS-compliant mechanisms for authenticating to macOS.

For OpenSSH to utilize the Apple Corecrypto FIPS-validated algorithms, a specific configuration is required to leverage the shim implemented by macOS to bypass the non-FIPS validated LibreSSL crypto module packaged with OpenSSH. Information regarding this configuration can be found in the manual page "apple_ssh_and_fips".

Satisfies: SRG-OS-000033-GPOS-00014, SRG-OS-000120-GPOS-00061, SRG-OS-000125-GPOS-00065, SRG-OS-000250-GPOS-00093, SRG-OS-000393-GPOS-00173, SRG-OS-000394-GPOS-00174

Documentable
False
Check Content

Verify the macOS system is configured to use approved SSH ciphers within the SSH server configuration with the following command:

/usr/bin/sudo /usr/sbin/sshd -T | /usr/bin/grep "ciphers"

ciphers [email protected]

If any ciphers other than "[email protected]" are listed, or the "ciphers" keyword is missing, this is a finding.

Check System
C-60850r919350_chk
Fix Reference
F-60791r916570_fix
Fix Text

Configure the macOS system to use approved SSH ciphers by creating a plain text file in the /private/etc/ssh/sshd_config.d/ directory containing the following:

Ciphers [email protected]

The SSH service must be restarted for changes to take effect.

Identities
CCI-000068

Implement cryptographic mechanisms to protect the confidentiality of remote access sessions.

  • 800-53 :: AC-17 (2)
  • 800-53 Rev. 4 :: AC-17 (2)
  • 800-53 Rev. 5 :: AC-17 (2)
  • 800-53A :: AC-17 (2).1
CCI-000803

Implement mechanisms for authentication to a cryptographic module that meet the requirements of applicable laws, Executive Orders, directives, policies, regulations, standards, and guidance for such authentication.

  • 800-53 :: IA-7
  • 800-53 Rev. 4 :: IA-7
  • 800-53 Rev. 5 :: IA-7
  • 800-53A :: IA-7.1
CCI-000877

Employ strong authentication in the establishment of nonlocal maintenance and diagnostic sessions.

  • 800-53 :: MA-4 c
  • 800-53 Rev. 4 :: MA-4 c
  • 800-53 Rev. 5 :: MA-4 c
  • 800-53A :: MA-4.1 (iv)
CCI-001453

Implement cryptographic mechanisms to protect the integrity of remote access sessions.

  • 800-53 :: AC-17 (2)
  • 800-53 Rev. 4 :: AC-17 (2)
  • 800-53 Rev. 5 :: AC-17 (2)
  • 800-53A :: AC-17 (2).1
CCI-002890

Implement organization-defined cryptographic mechanisms to protect the integrity of nonlocal maintenance and diagnostic communications.

  • 800-53 Rev. 4 :: MA-4 (6)
  • 800-53 Rev. 5 :: MA-4 (6)
CCI-003123

Implement organization-defined cryptographic mechanisms to protect the confidentiality of nonlocal maintenance and diagnostic communications.

  • 800-53 Rev. 4 :: MA-4 (6)
  • 800-53 Rev. 5 :: MA-4 (6)
Group Title
SRG-OS-000033-GPOS-00014
Group ID
V-257166
Rule Version
APPL-13-000055
Rule Title
The macOS system must implement approved Message Authentication Codes (MACs) within the SSH server configuration.
Rule ID
SV-257166r919353_rule
Rule Severity
High
Rule Weight
10.0
Vuln Discussion

Operating systems using encryption are required to use FIPS-compliant mechanisms for authenticating to macOS.

For OpenSSH to utilize the Apple Corecrypto FIPS-validated algorithms, a specific configuration is required to leverage the shim implemented by macOS to bypass the non-FIPS validated LibreSSL crypto module packaged with OpenSSH. Information regarding this configuration can be found in the manual page "apple_ssh_and_fips".

Satisfies: SRG-OS-000033-GPOS-00014, SRG-OS-000120-GPOS-00061, SRG-OS-000125-GPOS-00065, SRG-OS-000250-GPOS-00093, SRG-OS-000393-GPOS-00173, SRG-OS-000394-GPOS-00175

Documentable
False
Check Content

Verify the macOS system is configured to use approved SSH MACs within the SSH server configuration with the following command:

/usr/bin/sudo /usr/sbin/sshd -T | /usr/bin/grep "macs"

macs hmac-sha2-256

If any hashes other than "hmac-sha2-256" are listed, or the "macs" keyword is missing, this is a finding.

Check System
C-60851r919352_chk
Fix Reference
F-60792r916573_fix
Fix Text

Configure the macOS system to use approved SSH MACs by creating a plain text file in the /private/etc/ssh/sshd_config.d/ directory containing the following:

MACs hmac-sha2-256

The SSH service must be restarted for changes to take effect.

Identities
CCI-000068

Implement cryptographic mechanisms to protect the confidentiality of remote access sessions.

  • 800-53 :: AC-17 (2)
  • 800-53 Rev. 4 :: AC-17 (2)
  • 800-53 Rev. 5 :: AC-17 (2)
  • 800-53A :: AC-17 (2).1
CCI-000803

Implement mechanisms for authentication to a cryptographic module that meet the requirements of applicable laws, Executive Orders, directives, policies, regulations, standards, and guidance for such authentication.

  • 800-53 :: IA-7
  • 800-53 Rev. 4 :: IA-7
  • 800-53 Rev. 5 :: IA-7
  • 800-53A :: IA-7.1
CCI-000877

Employ strong authentication in the establishment of nonlocal maintenance and diagnostic sessions.

  • 800-53 :: MA-4 c
  • 800-53 Rev. 4 :: MA-4 c
  • 800-53 Rev. 5 :: MA-4 c
  • 800-53A :: MA-4.1 (iv)
CCI-001453

Implement cryptographic mechanisms to protect the integrity of remote access sessions.

  • 800-53 :: AC-17 (2)
  • 800-53 Rev. 4 :: AC-17 (2)
  • 800-53 Rev. 5 :: AC-17 (2)
  • 800-53A :: AC-17 (2).1
CCI-002890

Implement organization-defined cryptographic mechanisms to protect the integrity of nonlocal maintenance and diagnostic communications.

  • 800-53 Rev. 4 :: MA-4 (6)
  • 800-53 Rev. 5 :: MA-4 (6)
CCI-003123

Implement organization-defined cryptographic mechanisms to protect the confidentiality of nonlocal maintenance and diagnostic communications.

  • 800-53 Rev. 4 :: MA-4 (6)
  • 800-53 Rev. 5 :: MA-4 (6)
Group Title
SRG-OS-000033-GPOS-00014
Group ID
V-257167
Rule Version
APPL-13-000056
Rule Title
The macOS system must implement approved Key Exchange Algorithms within the SSH server configuration.
Rule ID
SV-257167r919355_rule
Rule Severity
High
Rule Weight
10.0
Vuln Discussion

Operating systems using encryption are required to use FIPS-compliant mechanisms for authenticating to macOS.

For OpenSSH to utilize the Apple Corecrypto FIPS-validated algorithms, a specific configuration is required to leverage the shim implemented by macOS to bypass the non-FIPS validated LibreSSL crypto module packaged with OpenSSH. Information regarding this configuration can be found in the manual page "apple_ssh_and_fips".

Satisfies: SRG-OS-000033-GPOS-00014, SRG-OS-000120-GPOS-00061, SRG-OS-000125-GPOS-00065, SRG-OS-000250-GPOS-00093, SRG-OS-000393-GPOS-00173, SRG-OS-000394-GPOS-00176

Documentable
False
Check Content

Verify the macOS system is configured to use approved SSH Key Exchange Algorithms within the SSH server configuration with the following command:

/usr/bin/sudo /usr/sbin/sshd -T | /usr/bin/grep "kexalgorithms"

kexalgorithms ecdh-sha2-nistp256

If any algorithms other than "ecdh-sha2-nistp256" are listed, or the "kexalgorithms" keyword is missing, this is a finding.

Check System
C-60852r919354_chk
Fix Reference
F-60793r916576_fix
Fix Text

Configure the macOS system to use approved SSH Key Exchange Algorithms by creating a plain text file in the /private/etc/ssh/sshd_config.d/ directory containing the following:

KexAlgorithms ecdh-sha2-nistp256

The SSH service must be restarted for changes to take effect.

Identities
CCI-000068

Implement cryptographic mechanisms to protect the confidentiality of remote access sessions.

  • 800-53 :: AC-17 (2)
  • 800-53 Rev. 4 :: AC-17 (2)
  • 800-53 Rev. 5 :: AC-17 (2)
  • 800-53A :: AC-17 (2).1
CCI-000803

Implement mechanisms for authentication to a cryptographic module that meet the requirements of applicable laws, Executive Orders, directives, policies, regulations, standards, and guidance for such authentication.

  • 800-53 :: IA-7
  • 800-53 Rev. 4 :: IA-7
  • 800-53 Rev. 5 :: IA-7
  • 800-53A :: IA-7.1
CCI-000877

Employ strong authentication in the establishment of nonlocal maintenance and diagnostic sessions.

  • 800-53 :: MA-4 c
  • 800-53 Rev. 4 :: MA-4 c
  • 800-53 Rev. 5 :: MA-4 c
  • 800-53A :: MA-4.1 (iv)
CCI-001453

Implement cryptographic mechanisms to protect the integrity of remote access sessions.

  • 800-53 :: AC-17 (2)
  • 800-53 Rev. 4 :: AC-17 (2)
  • 800-53 Rev. 5 :: AC-17 (2)
  • 800-53A :: AC-17 (2).1
CCI-002890

Implement organization-defined cryptographic mechanisms to protect the integrity of nonlocal maintenance and diagnostic communications.

  • 800-53 Rev. 4 :: MA-4 (6)
  • 800-53 Rev. 5 :: MA-4 (6)
CCI-003123

Implement organization-defined cryptographic mechanisms to protect the confidentiality of nonlocal maintenance and diagnostic communications.

  • 800-53 Rev. 4 :: MA-4 (6)
  • 800-53 Rev. 5 :: MA-4 (6)
Group Title
SRG-OS-000033-GPOS-00014
Group ID
V-257293
Rule Version
APPL-13-000057
Rule Title
The macOS system must implement approved ciphers within the SSH client configuration to protect the confidentiality of SSH connections.
Rule ID
SV-257293r919358_rule
Rule Severity
High
Rule Weight
10.0
Vuln Discussion

Operating systems using encryption are required to use FIPS-compliant mechanisms for authenticating to macOS.

For OpenSSH to utilize the Apple Corecrypto FIPS-validated algorithms, a specific configuration is required to leverage the shim implemented by macOS to bypass the non-FIPS validated LibreSSL crypto module packaged with OpenSSH. Information regarding this configuration can be found in the manual page "apple_ssh_and_fips".

Satisfies: SRG-OS-000033-GPOS-00014, SRG-OS-000120-GPOS-00061, SRG-OS-000125-GPOS-00065, SRG-OS-000250-GPOS-00093, SRG-OS-000393-GPOS-00173, SRG-OS-000394-GPOS-00174

Documentable
False
Check Content

Verify the macOS system is configured to use approved SSH ciphers within the SSH client configuration with the following command:

/usr/bin/sudo /usr/bin/grep -ir "ciphers" /etc/ssh/ssh_config*

/etc/ssh/ssh_config.d/fips_ssh_config:Ciphers [email protected]

If any ciphers other than "[email protected]" are listed, or the "ciphers" keyword is missing, this is a finding.

Check System
C-60980r919356_chk
Fix Reference
F-60907r919357_fix
Fix Text

Configure the macOS system to use approved SSH ciphers by creating a plain text file in the /private/etc/ssh/ssh_config.d/ directory containing the following:

Ciphers [email protected]

The SSH service must be restarted for changes to take effect.

Identities
CCI-000068

Implement cryptographic mechanisms to protect the confidentiality of remote access sessions.

  • 800-53 :: AC-17 (2)
  • 800-53 Rev. 4 :: AC-17 (2)
  • 800-53 Rev. 5 :: AC-17 (2)
  • 800-53A :: AC-17 (2).1
CCI-000803

Implement mechanisms for authentication to a cryptographic module that meet the requirements of applicable laws, Executive Orders, directives, policies, regulations, standards, and guidance for such authentication.

  • 800-53 :: IA-7
  • 800-53 Rev. 4 :: IA-7
  • 800-53 Rev. 5 :: IA-7
  • 800-53A :: IA-7.1
CCI-000877

Employ strong authentication in the establishment of nonlocal maintenance and diagnostic sessions.

  • 800-53 :: MA-4 c
  • 800-53 Rev. 4 :: MA-4 c
  • 800-53 Rev. 5 :: MA-4 c
  • 800-53A :: MA-4.1 (iv)
CCI-001453

Implement cryptographic mechanisms to protect the integrity of remote access sessions.

  • 800-53 :: AC-17 (2)
  • 800-53 Rev. 4 :: AC-17 (2)
  • 800-53 Rev. 5 :: AC-17 (2)
  • 800-53A :: AC-17 (2).1
CCI-002890

Implement organization-defined cryptographic mechanisms to protect the integrity of nonlocal maintenance and diagnostic communications.

  • 800-53 Rev. 4 :: MA-4 (6)
  • 800-53 Rev. 5 :: MA-4 (6)
CCI-003123

Implement organization-defined cryptographic mechanisms to protect the confidentiality of nonlocal maintenance and diagnostic communications.

  • 800-53 Rev. 4 :: MA-4 (6)
  • 800-53 Rev. 5 :: MA-4 (6)
Group Title
SRG-OS-000033-GPOS-00014
Group ID
V-257294
Rule Version
APPL-13-000058
Rule Title
The macOS system must implement approved Message Authentication Codes (MACs) within the SSH client configuration.
Rule ID
SV-257294r919361_rule
Rule Severity
High
Rule Weight
10.0
Vuln Discussion

Operating systems using encryption are required to use FIPS-compliant mechanisms for authenticating to macOS.

For OpenSSH to utilize the Apple Corecrypto FIPS-validated algorithms, a specific configuration is required to leverage the shim implemented by macOS to bypass the non-FIPS validated LibreSSL crypto module packaged with OpenSSH. Information regarding this configuration can be found in the manual page "apple_ssh_and_fips".

Satisfies: SRG-OS-000033-GPOS-00014, SRG-OS-000120-GPOS-00061, SRG-OS-000125-GPOS-00065, SRG-OS-000250-GPOS-00093, SRG-OS-000393-GPOS-00173, SRG-OS-000394-GPOS-00175

Documentable
False
Check Content

Verify the macOS system is configured to use approved SSH MACs within the SSH client configuration with the following command:

/usr/bin/sudo /usr/bin/grep -ir "macs" /etc/ssh/ssh_config*

/etc/ssh/ssh_config.d/fips_ssh_config:Macs hmac-sha2-256

If any hashes other than "hmac-sha2-256" are listed, or the "macs" keyword is missing, this is a finding.

Check System
C-60981r919359_chk
Fix Reference
F-60908r919360_fix
Fix Text

Configure the macOS system to use approved SSH MACs by creating a plain text file in the /private/etc/ssh/ssh_config.d/ directory containing the following:

MACs hmac-sha2-256

The SSH service must be restarted for changes to take effect.

Identities
CCI-000068

Implement cryptographic mechanisms to protect the confidentiality of remote access sessions.

  • 800-53 :: AC-17 (2)
  • 800-53 Rev. 4 :: AC-17 (2)
  • 800-53 Rev. 5 :: AC-17 (2)
  • 800-53A :: AC-17 (2).1
CCI-000803

Implement mechanisms for authentication to a cryptographic module that meet the requirements of applicable laws, Executive Orders, directives, policies, regulations, standards, and guidance for such authentication.

  • 800-53 :: IA-7
  • 800-53 Rev. 4 :: IA-7
  • 800-53 Rev. 5 :: IA-7
  • 800-53A :: IA-7.1
CCI-000877

Employ strong authentication in the establishment of nonlocal maintenance and diagnostic sessions.

  • 800-53 :: MA-4 c
  • 800-53 Rev. 4 :: MA-4 c
  • 800-53 Rev. 5 :: MA-4 c
  • 800-53A :: MA-4.1 (iv)
CCI-001453

Implement cryptographic mechanisms to protect the integrity of remote access sessions.

  • 800-53 :: AC-17 (2)
  • 800-53 Rev. 4 :: AC-17 (2)
  • 800-53 Rev. 5 :: AC-17 (2)
  • 800-53A :: AC-17 (2).1
CCI-002890

Implement organization-defined cryptographic mechanisms to protect the integrity of nonlocal maintenance and diagnostic communications.

  • 800-53 Rev. 4 :: MA-4 (6)
  • 800-53 Rev. 5 :: MA-4 (6)
CCI-003123

Implement organization-defined cryptographic mechanisms to protect the confidentiality of nonlocal maintenance and diagnostic communications.

  • 800-53 Rev. 4 :: MA-4 (6)
  • 800-53 Rev. 5 :: MA-4 (6)
Group Title
SRG-OS-000033-GPOS-00014
Group ID
V-257295
Rule Version
APPL-13-000059
Rule Title
The macOS system must implement approved Key Exchange Algorithms within the SSH client configuration.
Rule ID
SV-257295r919364_rule
Rule Severity
High
Rule Weight
10.0
Vuln Discussion

Operating systems using encryption are required to use FIPS-compliant mechanisms for authenticating to macOS.

For OpenSSH to utilize the Apple Corecrypto FIPS-validated algorithms, a specific configuration is required to leverage the shim implemented by macOS to bypass the non-FIPS validated LibreSSL crypto module packaged with OpenSSH. Information regarding this configuration can be found in the manual page "apple_ssh_and_fips".

Satisfies: SRG-OS-000033-GPOS-00014, SRG-OS-000120-GPOS-00061, SRG-OS-000125-GPOS-00065, SRG-OS-000250-GPOS-00093, SRG-OS-000393-GPOS-00173, SRG-OS-000394-GPOS-00176

Documentable
False
Check Content

Verify the macOS system is configured to use approved SSH Key Exchange Algorithms within the SSH client configuration with the following command:

/usr/bin/sudo /usr/bin/grep -ir "kexalgorithms" /etc/ssh/ssh_config*

/etc/ssh/ssh_config.d/fips_ssh_config:KexAlgorithms ecdh-sha2-nistp256

If any algorithms other than "ecdh-sha2-nistp256" are listed, or the "kexalgorithms" keyword is missing, this is a finding.

Check System
C-60982r919362_chk
Fix Reference
F-60909r919363_fix
Fix Text

Configure the macOS system to use approved SSH Key Exchange Algorithms by creating a plain text file in the /private/etc/ssh/ssh_config.d/ directory containing the following:

KexAlgorithms ecdh-sha2-nistp256

The SSH service must be restarted for changes to take effect.

Identities
CCI-000068

Implement cryptographic mechanisms to protect the confidentiality of remote access sessions.

  • 800-53 :: AC-17 (2)
  • 800-53 Rev. 4 :: AC-17 (2)
  • 800-53 Rev. 5 :: AC-17 (2)
  • 800-53A :: AC-17 (2).1
CCI-000803

Implement mechanisms for authentication to a cryptographic module that meet the requirements of applicable laws, Executive Orders, directives, policies, regulations, standards, and guidance for such authentication.

  • 800-53 :: IA-7
  • 800-53 Rev. 4 :: IA-7
  • 800-53 Rev. 5 :: IA-7
  • 800-53A :: IA-7.1
CCI-000877

Employ strong authentication in the establishment of nonlocal maintenance and diagnostic sessions.

  • 800-53 :: MA-4 c
  • 800-53 Rev. 4 :: MA-4 c
  • 800-53 Rev. 5 :: MA-4 c
  • 800-53A :: MA-4.1 (iv)
CCI-001453

Implement cryptographic mechanisms to protect the integrity of remote access sessions.

  • 800-53 :: AC-17 (2)
  • 800-53 Rev. 4 :: AC-17 (2)
  • 800-53 Rev. 5 :: AC-17 (2)
  • 800-53A :: AC-17 (2).1
CCI-002890

Implement organization-defined cryptographic mechanisms to protect the integrity of nonlocal maintenance and diagnostic communications.

  • 800-53 Rev. 4 :: MA-4 (6)
  • 800-53 Rev. 5 :: MA-4 (6)
CCI-003123

Implement organization-defined cryptographic mechanisms to protect the confidentiality of nonlocal maintenance and diagnostic communications.

  • 800-53 Rev. 4 :: MA-4 (6)
  • 800-53 Rev. 5 :: MA-4 (6)
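An added example, not part of the STIG text or of Apple's tooling: a shell audit that applies the three server checks above to `sshd -T` output the way the check content does, plus a client-side helper that, unlike the STIG's `grep -ir`, ignores commented-out lines in ssh_config files. The function names are assumptions of this example, and the approved cipher is a labelled placeholder because its value is obfuscated in this copy of the page.

```shell
#!/bin/bash
# Added example (not part of the STIG text): audit the effective sshd settings
# the same way the three server checks do, by parsing `sshd -T` output, which
# prints lowercase keywords with comma-joined values (e.g. "macs a,b").

# Expected values from APPL-13-000055/56. The approved cipher in this extract
# of APPL-13-000054 is obfuscated, so it is a placeholder to be replaced.
EXPECTED_CIPHERS="REPLACE-WITH-APPROVED-CIPHER"
EXPECTED_MACS="hmac-sha2-256"
EXPECTED_KEX="ecdh-sha2-nistp256"

# check_keyword <dump> <keyword> <expected>: exact-match the whole value, so a
# longer list such as "hmac-sha2-256,hmac-sha2-512" is a finding, as is a
# missing keyword. Returns 0 on pass, 1 on finding.
check_keyword() {
  dump="$1"; keyword="$2"; expected="$3"
  value=$(printf '%s\n' "$dump" | awk -v k="$keyword" '$1 == k { print $2; exit }')
  if [ -z "$value" ]; then
    echo "FINDING: \"$keyword\" keyword is missing"; return 1
  fi
  if [ "$value" != "$expected" ]; then
    echo "FINDING: $keyword is \"$value\", expected \"$expected\""; return 1
  fi
  echo "PASS: $keyword $value"; return 0
}

# audit_sshd_dump <dump>: runs the three checks; returns the number of findings.
audit_sshd_dump() {
  findings=0
  check_keyword "$1" ciphers "$EXPECTED_CIPHERS" || findings=$((findings + 1))
  check_keyword "$1" macs "$EXPECTED_MACS" || findings=$((findings + 1))
  check_keyword "$1" kexalgorithms "$EXPECTED_KEX" || findings=$((findings + 1))
  return "$findings"
}

# Client side: the STIG's grep over /etc/ssh/ssh_config* also matches
# commented-out lines; check_client_keyword <file contents> <keyword> <expected>
# skips comments and compares the keyword case-insensitively, as ssh does.
check_client_keyword() {
  value=$(printf '%s\n' "$1" | awk -v k="$(echo "$2" | tr 'A-Z' 'a-z')" \
    '$1 !~ /^#/ && tolower($1) == k { print $2; exit }')
  [ "$value" = "$3" ]
}

# Run live only when asked, e.g. `sudo bash audit_ssh.sh --live`.
if [ "${1:-}" = "--live" ]; then
  audit_sshd_dump "$(/usr/sbin/sshd -T)" || echo "findings: $?"
fi
```

Run it with `--live` under sudo on the host being assessed; the exit status of audit_sshd_dump is the number of findings, so a zero means all three server keywords match.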