os_ssh_fips_compliant Failing #321
FIPS is a complicated thing. You'd have to post more on how the check is failing the os_ssh_fips_compliant. But actual FIPS compliance validation has nothing to do with that. You can be strict FIPS compliant to a tee or you can be up to date and secured. You cannot be both due to the backlogs in the validation system. Most CISOs will understand this and grant waivers, especially for a company like Apple or Microsoft who have a history going back a decade of getting FIPS validation.
Thank you for the reply! The check for this control is:

```bash
fips_sshd_config=(
  "Ciphers aes128-gcm@openssh.com"
  "HostbasedAcceptedAlgorithms ecdsa-sha2-nistp256,ecdsa-sha2-nistp256-cert-v01@openssh.com"
  "HostKeyAlgorithms ecdsa-sha2-nistp256,ecdsa-sha2-nistp256-cert-v01@openssh.com"
  "KexAlgorithms ecdh-sha2-nistp256"
  "MACs hmac-sha2-256"
  "PubkeyAcceptedAlgorithms ecdsa-sha2-nistp256,ecdsa-sha2-nistp256-cert-v01@openssh.com"
  "CASignatureAlgorithms ecdsa-sha2-nistp256"
)
echo $total
```

Expected value is 7. We are returning a value of 0.
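An added diagnostic in the same spirit as that check (example code, not the mSCP check itself): it counts how many of the seven expected lines appear in an sshd effective-config dump and names the ones that are missing, which is what you need to know when the count comes back 0 instead of 7. It assumes the check is matched against `sshd -T` output, which the comment above does not show, and uses a constructed dump in place of a real one.

```shell
#!/bin/sh
# Added example, not the mSCP check itself. Counts how many of the seven
# expected FIPS sshd lines appear in an effective-config dump and reports
# the missing ones. ASSUMPTION: the check matches against `sshd -T` output;
# the discussion does not show that part of the script.

# Constructed stand-in for `sshd -T` output (keywords come out lowercase).
# Only the Ciphers and MACs lines satisfy the check here.
SAMPLE_SSHD_T='port 22
ciphers aes128-gcm@openssh.com
macs hmac-sha2-256
kexalgorithms curve25519-sha256,ecdh-sha2-nistp256
hostkeyalgorithms ssh-ed25519,ecdsa-sha2-nistp256
pubkeyacceptedalgorithms ssh-ed25519
casignaturealgorithms ssh-ed25519
hostbasedacceptedalgorithms ssh-ed25519'

# The seven expected lines, copied from the check quoted above.
FIPS_SSHD_CONFIG='Ciphers aes128-gcm@openssh.com
HostbasedAcceptedAlgorithms ecdsa-sha2-nistp256,ecdsa-sha2-nistp256-cert-v01@openssh.com
HostKeyAlgorithms ecdsa-sha2-nistp256,ecdsa-sha2-nistp256-cert-v01@openssh.com
KexAlgorithms ecdh-sha2-nistp256
MACs hmac-sha2-256
PubkeyAcceptedAlgorithms ecdsa-sha2-nistp256,ecdsa-sha2-nistp256-cert-v01@openssh.com
CASignatureAlgorithms ecdsa-sha2-nistp256'

# count_fips_matches DUMP
# Echoes the number of expected lines found (7 = passes the check) and
# prints each missing line to stderr so the failing settings are obvious.
count_fips_matches() {
    dump="$1"
    total=0
    while IFS= read -r expected; do
        # -i: sshd -T lowercases keywords; -x: whole line must match;
        # -F: the expected text is literal (it contains '.' and '@').
        if printf '%s\n' "$dump" | grep -i -x -F -q -- "$expected"; then
            total=$((total + 1))
        else
            printf 'missing: %s\n' "$expected" >&2
        fi
    done <<EOF
$FIPS_SSHD_CONFIG
EOF
    echo "$total"
}

# On a real host (needs root): count_fips_matches "$(sudo sshd -T)"
count_fips_matches "$SAMPLE_SSHD_T"
```

Whole-line matching is deliberate: a host that merely contains `ecdh-sha2-nistp256` among other KexAlgorithms still does not satisfy the `KexAlgorithms ecdh-sha2-nistp256` line.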
We are currently using the mSCP to configure our security baseline for our Jamf Pro instance. We have been failing the os_ssh_fips_compliant check. We have Apple Silicon M1 Macs running macOS 13 that were released in 2021. According to https://support.apple.com/guide/certifications/macos-security-certifications-apc35eb3dc4fa/web, our current and future Mac fleet will not be validated against FIPS 140-2; instead it will be FIPS 140-3, due to our current baseline OS (macOS Ventura) and hardware specs (Apple Silicon M1, future M2).

> Summary of current certification status
>
> macOS 13 Ventura user space, kernel space, and secure key store are undergoing laboratory testing. They are listed on the Implementation Under Test List and, when testing is complete, on the Modules in Process List.
>
> macOS 12 Monterey user space, kernel space, and secure key store are undergoing laboratory testing. They are listed on the Implementation Under Test List and, when testing is complete, on the Modules in Process List.
>
> macOS 11 Big Sur user space, kernel space, and secure key store have completed laboratory testing and have been recommended by the laboratory to the CMVP for validation. They are listed on the Modules in Process List.
>
> The table below shows the Apple cryptographic modules that are currently being tested by a laboratory, that have been recommended by a laboratory for validation by the CMVP, or that have been validated and certified as conformant to FIPS 140-3 by the CMVP.

How are others with newer hardware and running a newer OS passing this check?
Any help is greatly appreciated!!