Vulnerability Discussion
If SSHD is enabled, then it must be configured to wait only 30 seconds before timing out logon attempts.
Note: /etc/ssh/sshd_config will be automatically modified to its original state following any update or major upgrade to the operating system.
Check
Verify the macOS system is configured to set Login Grace Time to 30 with the following command:
/usr/sbin/sshd -G | /usr/bin/awk '/logingracetime/{print $2}'
If the result is not "30", this is a finding.
Fix
Configure the macOS system to set Login Grace Time to 30 with the following command:
include_dir=$(/usr/bin/awk '/^Include/ {print $2}' /etc/ssh/sshd_config | /usr/bin/tr -d '*')
if [[ -z $include_dir ]]; then
/usr/bin/sed -i.bk "1s/.*/Include \/etc\/ssh\/sshd_config.d\/\*/" /etc/ssh/sshd_config
fi
/usr/bin/grep -qxF 'logingracetime 30' "${include_dir}01-mscp-sshd.conf" 2>/dev/null || echo "logingracetime 30" >> "${include_dir}01-mscp-sshd.conf"
for file in $(ls ${include_dir}); do
if [[ "$file" == "100-macos.conf" ]]; then
continue
fi
if [[ "$file" == "01-mscp-sshd.conf" ]]; then
break
fi
/bin/mv ${include_dir}${file} ${include_dir}20-${file}
done