The macOS system must be configured with the SSH daemon LoginGraceTime set to 30 or less.

STIG ID: APPL-13-000053  |  SRG: SRG-OS-000163-GPOS-00072 |  Severity: medium |  CCI: CCI-001133 |  Vulnerability Id: V-257164

Vulnerability Discussion

SSH must be configured to log users out after a 15-minute interval of inactivity and to wait only 30 seconds before timing out logon attempts. Terminating an idle session within a short time reduces the window of opportunity for unauthorized personnel to take control of a management session enabled on the console or console port that has been left unattended. In addition, quickly terminating an idle session or an incomplete logon attempt will also free up resources committed by the managed network element.

Check

If SSH is not being used, this is not applicable.

Verify the macOS system is configured with the SSH daemon "LoginGraceTime" option set to "30" or less with the following command:

/usr/bin/grep -r ^LoginGraceTime /etc/ssh/sshd_config*

If "LoginGraceTime" is not configured or has a value of "0", this is a finding.

If "LoginGraceTime" is not set to "30" or less, this is a finding.

If conflicting results are returned, this is a finding.

Fix

Configure the macOS system to set the SSH daemon "LoginGraceTime" option to "30" with the following command:

/usr/bin/sudo /usr/bin/sed -i.bak 's/.*LoginGraceTime.*/LoginGraceTime 30/' /etc/ssh/sshd_config
This website is not created by, run, approved, or endorsed by the U.S. Department of Defense. Use at your own risk. This website is created by open-source software.