Changes are coming to https://stigviewer.com.
Take our survey to help us understand your usage and how we can better serve you in the future.
Take Survey
The macOS system must set Login Grace Time to 30.
Overview
| Finding ID | Version | Rule ID | IA Controls | Severity |
|---|---|---|---|---|
| V-259437 | APPL-14-000053 | SV-259437r970703_rule | Medium |
| Description |
|---|
| If SSHD is enabled, then it must be configured to wait only 30 seconds before timing out logon attempts. Note: /etc/ssh/sshd_config will be automatically modified to its original state following any update or major upgrade to the operating system. |
| STIG | Date |
|---|---|
| Apple macOS 14 (Sonoma) Security Technical Implementation Guide | 2024-05-30 |
Details
| Check Text ( C-63176r940931_chk ) |
|---|
| Verify the macOS system is configured to set Login Grace Time to 30 with the following command: /usr/sbin/sshd -G | /usr/bin/awk '/logingracetime/{print $2}' If the result is not "30", this is a finding. |
| Fix Text (F-63084r940932_fix) |
|---|
| Configure the macOS system to set Login Grace Time to 30 with the following command: include_dir=$(/usr/bin/awk '/^Include/ {print $2}' /etc/ssh/sshd_config | /usr/bin/tr -d '*') if [[ -z $include_dir ]]; then /usr/bin/sed -i.bk "1s/.*/Include \/etc\/ssh\/sshd_config.d\/\*/" /etc/ssh/sshd_config fi /usr/bin/grep -qxF 'logingracetime 30' "${include_dir}01-mscp-sshd.conf" 2>/dev/null || echo "logingracetime 30" >> "${include_dir}01-mscp-sshd.conf" for file in $(ls ${include_dir}); do if [[ "$file" == "100-macos.conf" ]]; then continue fi if [[ "$file" == "01-mscp-sshd.conf" ]]; then break fi /bin/mv ${include_dir}${file} ${include_dir}20-${file} done |