STIGQter STIGQter: STIG Summary: Apple OS X 10.14 (Mojave) Security Technical Implementation Guide Version: 2 Release: 3 Benchmark Date: 23 Apr 2021:

The macOS system must be configured with system log files set to mode 640 or less permissive.

DISA Rule

SV-209630r610285_rule

Vulnerability Number

V-209630

Group Title

SRG-OS-000206-GPOS-00084

Rule Version

AOSX-14-004002

Severity

CAT II

CCI(s)

Weight

10

Fix Recommendation

For any log file that returns an incorrect permission value, run the following command:

/usr/bin/sudo chmod 640 [log file]

[log file] is the full path to the log file in question. If the file is managed by "newsyslog", find the configuration line in the directory "/etc/newsyslog.d/" or the file "/etc/newsyslog.conf" and edit the mode column to be "640" or less permissive.

If the file is managed by "aslmanager", find the configuration line in the directory "/etc/asl/" or the file "/etc/asl.conf" and add or edit the mode option to be "mode=0640" or less permissive.

Check Contents

These commands check for log files that exist on the system and print out the log with corresponding permissions. Run them from inside "/var/log":

/usr/bin/sudo stat -f '%A:%N' $(/usr/bin/grep -v '^#' /etc/newsyslog.conf | awk '{ print $1 }') 2> /dev/null
/usr/bin/sudo stat -f '%A:%N' $(/usr/bin/grep -e '^>' /etc/asl.conf /etc/asl/* | awk '{ print $2 }') 2> /dev/null

The correct permissions on log files should be "640" or less permissive for system logs.

Any file with more permissive settings is a finding.

Vulnerability Number

V-209630

Documentable

False

Rule Version

AOSX-14-004002

Severity Override Guidance

These commands check for log files that exist on the system and print out the log with corresponding permissions. Run them from inside "/var/log":

/usr/bin/sudo stat -f '%A:%N' $(/usr/bin/grep -v '^#' /etc/newsyslog.conf | awk '{ print $1 }') 2> /dev/null
/usr/bin/sudo stat -f '%A:%N' $(/usr/bin/grep -e '^>' /etc/asl.conf /etc/asl/* | awk '{ print $2 }') 2> /dev/null

The correct permissions on log files should be "640" or less permissive for system logs.

Any file with more permissive settings is a finding.

Check Content Reference

M

Target Key

2930

Comments