STIGQter: STIG Summary: Apple OS X 10.15 (Catalina) Security Technical Implementation Guide, Version: 1, Release: 4, Benchmark Date: 23 Apr 2021

The macOS system must audit the enforcement actions used to restrict access associated with changes to the system.

DISA Rule

SV-225152r610901_rule

Vulnerability Number

V-225152

Group Title

SRG-OS-000064-GPOS-00033

Rule Version

AOSX-15-001020

Severity

CAT II

CCI(s)

Weight

10

Fix Recommendation

To set the audit flags to the recommended setting, run the following command to add the flags "fm", "-fr", "-fw", and "-fd" all at once:

/usr/bin/sudo /usr/bin/sed -i.bak '/^flags/ s/$/,fm,-fr,-fw,-fd/' /etc/security/audit_control; /usr/bin/sudo /usr/sbin/audit -s

A text editor may also be used to implement the required updates to the "/etc/security/audit_control" file.

Check Contents

To view the currently configured flags for the audit daemon, run the following command:

/usr/bin/sudo /usr/bin/grep ^flags /etc/security/audit_control

Enforcement actions are logged by way of the "fm" flag, which audits permission changes; "-fr" and "-fw", which denote failed attempts to read or write to a file; and "-fd", which audits failed file deletion.

If "fm", "-fr", "-fw", and "-fd" are not listed in the result of the check, this is a finding.
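The check above can be scripted so that each required flag is matched as a whole comma-separated token on the "flags" line rather than judged by eye. This is an added example, not part of the STIG text; the function names and the sample file contents are assumptions constructed for illustration, and matching is literal, exactly as the check is worded.

```shell
#!/bin/sh
# Flags this STIG rule requires on the "flags:" line of audit_control.
REQUIRED_FLAGS="fm -fr -fw -fd"

# Print each configured flag on its own line. $1 = path to an audit_control file.
configured_audit_flags() {
    sed -n 's/^flags:[[:space:]]*//p' "$1" | tr ',' '\n' | sed 's/[[:space:]]//g'
}

# Print the required flags that are absent, space-separated.
# Empty output means all four are present.
missing_audit_flags() {
    configured=$(configured_audit_flags "$1")
    missing=""
    for flag in $REQUIRED_FLAGS; do
        # -x: whole-token match, -F: fixed string, --: "-fr" is not an option
        if ! printf '%s\n' "$configured" | grep -qxF -- "$flag"; then
            missing="${missing:+$missing }$flag"
        fi
    done
    printf '%s\n' "$missing"
}

# Return 0 when the rule is satisfied, 1 when the result is a finding.
check_audit_flags() {
    missing=$(missing_audit_flags "$1")
    if [ -n "$missing" ]; then
        echo "FINDING: missing audit flags: $missing"
        return 1
    fi
    echo "OK: fm, -fr, -fw and -fd are all present"
}

if [ "$#" -gt 0 ]; then
    # Real use: sudo sh this_script /etc/security/audit_control
    check_audit_flags "$1"
else
    # Constructed sample file, used only for demonstration.
    sample=$(mktemp)
    printf 'dir:/var/audit\nflags:lo,aa,ad,fm,-fr\nminfree:5\n' > "$sample"
    check_audit_flags "$sample" || true
    rm -f "$sample"
fi
```

The list printed by missing_audit_flags also shows which flags still need to be added, which helps avoid duplicate entries when the fix command is run on a file that already contains some of them.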

Documentable

False

Severity Override Guidance

Check Content Reference

M

Target Key

4212
