← Back to Apple macOS 14 (Sonoma) Security Technical Implementation Guide

V-259437

CAT II (Medium)

The macOS system must set Login Grace Time to 30.

Rule ID

SV-259437r970703_rule

STIG

Apple macOS 14 (Sonoma) Security Technical Implementation Guide

Version

V2R3

CCIs

CCI-001133

Discussion

If SSHD is enabled, then it must be configured to wait only 30 seconds before timing out logon attempts. Note: /etc/ssh/sshd_config will be automatically modified to its original state following any update or major upgrade to the operating system.

Check Content

Verify the macOS system is configured to set Login Grace Time to 30 with the following command:

/usr/sbin/sshd -G | /usr/bin/awk '/logingracetime/{print $2}'

If the result is not "30", this is a finding.

Fix Text

Configure the macOS system to set Login Grace Time to 30 with the following command:

include_dir=$(/usr/bin/awk '/^Include/ {print $2}' /etc/ssh/sshd_config | /usr/bin/tr -d '*')

if [[ -z $include_dir ]]; then
  /usr/bin/sed -i.bk "1s/.*/Include \/etc\/ssh\/sshd_config.d\/\*/" /etc/ssh/sshd_config
fi

/usr/bin/grep -qxF 'logingracetime 30' "${include_dir}01-mscp-sshd.conf" 2>/dev/null || echo "logingracetime 30" >> "${include_dir}01-mscp-sshd.conf"

for file in $(ls ${include_dir}); do
  if [[ "$file" == "100-macos.conf" ]]; then
      continue
  fi
  if [[ "$file" == "01-mscp-sshd.conf" ]]; then
      break
  fi
  /bin/mv ${include_dir}${file} ${include_dir}20-${file}
done