STIG ID: APPL-14-000053 | SRG: SRG-OS-000163-GPOS-00072 | Severity: medium | CCI: | Vulnerability Id: V-259437
If SSHD is enabled, then it must be configured to wait only 30 seconds before timing out logon attempts.
Note: /etc/ssh/sshd_config will be automatically modified to its original state following any update or major upgrade to the operating system.
Configure the macOS system to set Login Grace Time to 30 with the following command:
include_dir=$(/usr/bin/awk '/^Include/ {print $2}' /etc/ssh/sshd_config | /usr/bin/tr -d '*')
if [[ -z $include_dir ]]; then
/usr/bin/sed -i.bk "1s/.*/Include \/etc\/ssh\/sshd_config.d\/\*/" /etc/ssh/sshd_config
fi
/usr/bin/grep -qxF 'logingracetime 30' "${include_dir}01-mscp-sshd.conf" 2>/dev/null || echo "logingracetime 30" >> "${include_dir}01-mscp-sshd.conf"
for file in $(ls ${include_dir}); do
if [[ "$file" == "100-macos.conf" ]]; then
continue
fi
if [[ "$file" == "01-mscp-sshd.conf" ]]; then
break
fi
/bin/mv ${include_dir}${file} ${include_dir}20-${file}
done
Verify the macOS system is configured to set Login Grace Time to 30 with the following command:
/usr/sbin/sshd -G | /usr/bin/awk '/logingracetime/{print $2}'
If the result is not "30", this is a finding.