The macOS system must be configured to audit all administrative action events.

An XCCDF Rule

Description

Administrative action events include changes made to the system (e.g., modifying authentication policies). If audit records do not include "ad" events, it is difficult to identify incidents and to correlate incidents to subsequent events. Audit records can be generated from various components within the information system (e.g., via a module or policy filter). Administrative and privileged access, including administrative use of the command line tools "kextload" and "kextunload" and changes to configuration settings, are logged by way of the "ad" flag. Satisfies: SRG-OS-000004-GPOS-00004,SRG-OS-000239-GPOS-00089,SRG-OS-000240-GPOS-00090,SRG-OS-000241-GPOS-00091,SRG-OS-000327-GPOS-00127,SRG-OS-000365-GPOS-00152,SRG-OS-000392-GPOS-00172,SRG-OS-000458-GPOS-00203,SRG-OS-000471-GPOS-00215,SRG-OS-000471-GPOS-00216,SRG-OS-000476-GPOS-00221

ID: SV-259452r1009583_rule
Version: APPL-14-001001
Severity: Medium
References: CCI-000018 CCI-000172 CCI-001403 CCI-001404 CCI-001405 CCI-001814 CCI-002234 CCI-002884 CCI-003938 CCI-004188
Updated: about 2 months ago

Remediation Templates

Configure the macOS system to audit privileged access with the following command:

/usr/bin/grep -qE "^flags.*[^-]ad" /etc/security/audit_control || /usr/bin/sed -i.bak '/^flags/ s/$/,ad/' /etc/security/audit_control; /usr/sbin/audit -s

A text editor may also be used to implement the required updates to the "/etc/security/audit_control" file.

The macOS system must be configured to audit all administrative action events.

Description

Remediation Templates

A Manual Procedure