STIGQter: STIG Summary: Apple OS X 10.14 (Mojave) Security Technical Implementation Guide Version: 1 Release: 2 Benchmark Date: 24 Jan 2020
The macOS system must generate audit records for all account creations, modifications, disabling, and termination events; privileged activities or other system-level access; all kernel module load, unload, and restart actions; all program initiations; and organizationally defined events for all non-local maintenance and diagnostic sessions.
DISA Rule
SV-104971r1_rule
Vulnerability Number
V-95833
Group Title
SRG-OS-000004-GPOS-00004
Rule Version
AOSX-14-001001
Severity
CAT II
CCI(s)
- CCI-000018 - The information system automatically audits account creation actions.
- CCI-000172 - The information system generates audit records for the events defined in AU-2 d. with the content defined in AU-3.
- CCI-001403 - The information system automatically audits account modification actions.
- CCI-001404 - The information system automatically audits account disabling actions.
- CCI-001405 - The information system automatically audits account removal actions.
- CCI-002234 - The information system audits the execution of privileged functions.
- CCI-002884 - The organization audits nonlocal maintenance and diagnostic sessions for organization-defined audit events.
Weight
10
Fix Recommendation
To ensure the appropriate flags are enabled for auditing, run the following command:
/usr/bin/sudo /usr/bin/sed -i.bak '/^flags/ s/$/,ad/' /etc/security/audit_control; /usr/bin/sudo /usr/sbin/audit -s
The sed command appends ",ad" to the "flags" line unconditionally, so run it only once (it leaves a backup in "audit_control.bak"); "audit -s" then makes auditd re-read the file so the change takes effect without a reboot.
A text editor may also be used to implement the required updates to the "/etc/security/audit_control" file.
Check Contents
To view the currently configured flags for the audit daemon, run the following command:
/usr/bin/sudo /usr/bin/grep ^flags /etc/security/audit_control
Administrative and privileged access, including administrative use of the command-line tools "kextload" and "kextunload" and changes to configuration settings, is logged by way of the "ad" flag.
If "ad" is not listed in the result of the check, this is a finding.
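The check above greps for the substring "ad" anywhere on the "flags" line, and the fix appends ",ad" every time it runs. The following script is an added example, not part of the STIG or of STIGQter: it parses the "flags" line token by token (so a "^ad" entry, which disables the class, is reported as a finding rather than passing the grep), and applies the fix only when needed, so re-running it on a compliant file changes nothing. The file path is a parameter so the functions can be exercised against a constructed sample; the sample audit_control content and the function names are this example's own.

```shell
#!/bin/sh
# Added example for AOSX-14-001001 (not STIG or STIGQter code).
# Idempotent check and fix for the "flags:" line of audit_control.
# On a real host pass /etc/security/audit_control and run as root.

# Return 0 if CLASS is enabled on the first "flags:" line of FILE, else 1.
# Tokens are compared whole; "ad", "+ad" (successes) and "-ad" (failures)
# count, while a "^"-prefixed token disables the class and does not.
audit_flag_enabled() {
    awk -v class="$2" '
        /^flags:/ {
            n = split(substr($0, 7), toks, ",")
            for (i = 1; i <= n; i++) {
                gsub(/[ \t]/, "", toks[i])
                if (toks[i] == class || toks[i] == "+" class || toks[i] == "-" class)
                    found = 1
            }
            exit
        }
        END { exit found ? 0 : 1 }
    ' "$1"
}

# Enable CLASS on the "flags:" line of FILE if it is not already enabled.
# Any "^CLASS" style token is dropped and CLASS is appended; a .bak copy is
# kept, matching the STIG's sed -i.bak convention. Other lines are untouched.
audit_flag_add() {
    file=$1
    class=$2
    if audit_flag_enabled "$file" "$class"; then
        return 0
    fi
    cp "$file" "$file.bak"
    awk -v class="$class" '
        /^flags:/ && !done {
            n = split(substr($0, 7), toks, ",")
            out = ""
            for (i = 1; i <= n; i++) {
                gsub(/[ \t]/, "", toks[i])
                if (toks[i] == "" || toks[i] == "^" class ||
                    toks[i] == "^+" class || toks[i] == "^-" class)
                    continue
                out = out (out == "" ? "" : ",") toks[i]
            }
            out = out (out == "" ? "" : ",") class
            $0 = "flags:" out
            done = 1
        }
        { print }
    ' "$file.bak" > "$file"
}

# Constructed sample of audit_control (not taken from a real host). Note the
# "^ad" token: the STIG's "grep ^flags" check would see "ad" and pass it.
write_sample() {
    cat > "$1" <<'EOF'
#
# constructed sample audit_control for demonstration
#
dir:/var/audit
flags:lo,aa,^ad,fd,fm,-all
minfree:5
naflags:lo,aa
policy:cnt,argv
filesz:2M
expire-after:10M
EOF
}

# Demonstration against the constructed sample.
sample=$(mktemp)
write_sample "$sample"
if audit_flag_enabled "$sample" ad; then
    echo "before: ad enabled"
else
    echo "before: finding, ad not enabled"
fi
audit_flag_add "$sample" ad
if audit_flag_enabled "$sample" ad; then
    echo "after: ad enabled"
else
    echo "after: still a finding"
fi
grep '^flags:' "$sample"
rm -f "$sample" "$sample.bak"
# On a real host, after changing /etc/security/audit_control, make auditd
# re-read it:   sudo /usr/sbin/audit -s
```

Running it on the sample reports a finding first and "flags:lo,aa,fd,fm,-all,ad" afterwards; a second run of audit_flag_add leaves the file unchanged, which the STIG's unconditional sed does not.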
Documentable
False
Severity Override Guidance
Check Content Reference
M
Target Key
3429
Comments