The macOS system must use only Message Authentication Codes (MACs) employing FIPS 140-2 validated cryptographic hash algorithms.

Overview

Finding ID	Version	Rule ID	IA Controls	Severity
V-230768	APPL-11-000055	SV-230768r599842_rule		Medium

Description
Unapproved mechanisms for authentication to the cryptographic module are not verified, and therefore cannot be relied upon to provide confidentiality or integrity, resulting in the compromise of DoD data. Operating systems using encryption are required to use FIPS-compliant mechanisms for authenticating to cryptographic modules. The implementation of OpenSSH that is included with macOS does not use a FIPS 140-2 validated cryptographic module. While the listed MACs are FIPS 140-2 approved algorithms, the module implementing them has not been validated. By specifying a Keyed-Hash Message Authentication Code list with the order of hashes being in a “strongest to weakest” orientation, the system will automatically attempt to use the strongest hash for securing SSH connections. Satisfies: SRG-OS-000033-GPOS-00014, SRG-OS-000120-GPOS-00061, SRG-OS-000125-GPOS-00065, SRG-OS-000250-GPOS-00093, SRG-OS-000393-GPOS-00173, SRG-OS-000394-GPOS-00174

Description

Unapproved mechanisms for authentication to the cryptographic module are not verified, and therefore cannot be relied upon to provide confidentiality or integrity, resulting in the compromise of DoD data. Operating systems using encryption are required to use FIPS-compliant mechanisms for authenticating to cryptographic modules. The implementation of OpenSSH that is included with macOS does not use a FIPS 140-2 validated cryptographic module. While the listed MACs are FIPS 140-2 approved algorithms, the module implementing them has not been validated. By specifying a Keyed-Hash Message Authentication Code list with the order of hashes being in a “strongest to weakest” orientation, the system will automatically attempt to use the strongest hash for securing SSH connections. Satisfies: SRG-OS-000033-GPOS-00014, SRG-OS-000120-GPOS-00061, SRG-OS-000125-GPOS-00065, SRG-OS-000250-GPOS-00093, SRG-OS-000393-GPOS-00173, SRG-OS-000394-GPOS-00174

STIG	Date
Apple macOS 11 (Big Sur) Security Technical Implementation Guide	2022-02-16

Details

Check Text ( C-33713r648706_chk )
If SSH is not being used, this is Not Applicable. Inspect the "MACs" configuration with the following command: Note: The location of the "sshd_config" file may vary if a different daemon is in use. /usr/bin/grep "^MACs" /etc/ssh/sshd_config MACs hmac-sha2-512,hmac-sha2-256 If any hashes other than "hmac-sha2-512" and/or "hmac-sha2-256" are listed, the order differs from the example above, or the "MACs" keyword is missing, this is a finding.

Check Text ( C-33713r648706_chk )

If SSH is not being used, this is Not Applicable.

Inspect the "MACs" configuration with the following command:
Note: The location of the "sshd_config" file may vary if a different daemon is in use.

/usr/bin/grep "^MACs" /etc/ssh/sshd_config

MACs hmac-sha2-512,hmac-sha2-256

If any hashes other than "hmac-sha2-512" and/or "hmac-sha2-256" are listed, the order differs from the example above, or the "MACs" keyword is missing, this is a finding.

Fix Text (F-33686r607566_fix)
Configure SSH to use secure Keyed-Hash Message Authentication Codes. To ensure that "MACs" set correctly, run the following command: /usr/bin/sudo /usr/bin/grep -q '^MACs' /etc/ssh/sshd_config && /usr/bin/sudo /usr/bin/sed -i.bak 's/^MACs./MACs hmac-sha2-256,hmac-sha2-512/' /etc/ssh/sshd_config \|\| /usr/bin/sudo /usr/bin/sed -i.bak '/.Ciphers and keying.*/a\'$'\n''MACs hmac-sha2-512,hmac-sha2-256'$'\n' /etc/ssh/sshd_config The SSH service must be restarted for changes to take effect.

Fix Text (F-33686r607566_fix)

Configure SSH to use secure Keyed-Hash Message Authentication Codes.

To ensure that "MACs" set correctly, run the following command:

/usr/bin/sudo /usr/bin/grep -q '^MACs' /etc/ssh/sshd_config && /usr/bin/sudo /usr/bin/sed -i.bak 's/^MACs.*/MACs hmac-sha2-256,hmac-sha2-512/' /etc/ssh/sshd_config || /usr/bin/sudo /usr/bin/sed -i.bak '/.*Ciphers and keying.*/a\'$'\n''MACs hmac-sha2-512,hmac-sha2-256'$'\n' /etc/ssh/sshd_config

The SSH service must be restarted for changes to take effect.