The macOS system must configure sudo to log events.

An XCCDF Rule

Details
Profiles
Prose

Description

<VulnDiscussion>Sudo must be configured to log privilege escalation. Without logging privilege escalation, it is difficult to identify attempted attacks because no audit trail is available for forensic investigation.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>

ID: SV-268451r1034293_rule
Severity: Medium
References: CCI-000172
Updated: 17 days ago

Configure the macOS system to log privilege escalation with the following command:

/usr/bin/find /etc/sudoers* -type f -exec sed -i '' '/Defaults \!log_allowed/d' '{}' \;
/bin/echo "Defaults log_allowed" >> /etc/sudoers.d/mscp

The macOS system must configure sudo to log events.

Description

Remediation - Manual Procedure