STIGQter: STIG Summary: Apple macOS 11 (Big Sur) Security Technical Implementation Guide, Version: 1, Release: 2, Benchmark Date: 23 Apr 2021

The macOS system must initiate session audits at system startup, using internal clocks with time stamps for audit records that meet a minimum granularity of one second and can be mapped to Coordinated Universal Time (UTC) or Greenwich Mean Time (GMT), to generate audit records containing information to establish what type of events occurred, the identity of any individual or process associated with the event, including individual identities of group account users, establish where the events occurred, source of the event, and outcome of the events including all account enabling actions, full-text recording of privileged commands, and information about the use of encryption for wireless access to and from the system.

DISA Rule

SV-230772r599842_rule

Vulnerability Number

V-230772

Group Title

SRG-OS-000037-GPOS-00015

Rule Version

APPL-11-001003

Severity

CAT II

CCI(s)

Weight

10

Fix Recommendation

To enable the audit service, run the following command:

/usr/bin/sudo /bin/launchctl enable system/com.apple.auditd

The system may need to be restarted for the update to take effect.

Check Contents

To check if the audit service is running, use the following command:

launchctl print-disabled system | grep auditd

If the return is not:
"com.apple.auditd" => false
the audit service is disabled, and this is a finding.
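
The check above as a script, added here as an example and not part of the STIG text; the function names and the sample launchctl output are constructed for illustration. It matches the com.apple.auditd label exactly instead of any line containing "auditd", and treats a missing entry as a finding, as the check text requires.

```shell
#!/bin/sh
# Added example: evaluate APPL-11-001003 from `launchctl print-disabled system`.

# Reads print-disabled output on stdin and prints the value recorded for
# com.apple.auditd: "false", "true", or "absent" when there is no entry.
# Exact label match, so a label that merely contains "auditd" is ignored.
auditd_disabled_state() {
    awk '
        $1 == "\"com.apple.auditd\"" && $2 == "=>" { state = $3 }
        END { if (state == "") print "absent"; else print state }
    '
}

# Returns 0 (not a finding) only for the exact result the check requires.
# "true" or a missing entry returns 1 (finding).
auditd_check() {
    state=$(auditd_disabled_state)
    [ "$state" = "false" ]
}

# Prints a one-line verdict. $1 = label, launchctl output on stdin.
report() {
    if auditd_check; then
        echo "$1: not a finding"
    else
        echo "$1: FINDING (com.apple.auditd disabled state: $state)"
    fi
}

# Constructed sample outputs (not captured from a real host).
SAMPLE_COMPLIANT='disabled services = {
    "com.apple.auditd" => false
    "com.apple.ftpd" => true
}'
SAMPLE_DISABLED='disabled services = {
    "com.apple.auditd" => true
}'
SAMPLE_ABSENT='disabled services = {
    "com.example.auditd-helper" => false
}'

printf '%s\n' "$SAMPLE_COMPLIANT" | report "sample (enabled)"
printf '%s\n' "$SAMPLE_DISABLED"  | report "sample (disabled)"
printf '%s\n' "$SAMPLE_ABSENT"    | report "sample (no entry)"

# On a macOS host, evaluate the live state as well.
if [ -x /bin/launchctl ]; then
    /bin/launchctl print-disabled system | report "this host"
fi
```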

Documentable

False

Severity Override Guidance

To check if the audit service is running, use the following command:

launchctl print-disabled system | grep auditd

If the return is not:
"com.apple.auditd" => false
the audit service is disabled, and this is a finding.

Check Content Reference

M

Target Key

5246
