The macOS system must configure sudo to log events.
An XCCDF Rule
Description
Sudo must be configured to log privilege escalation. Without logging privilege escalation, it is difficult to identify attempted attacks because no audit trail is available for forensic investigation.
- ID
- SV-268451r1034293_rule
- Version
- APPL-15-000190
- Severity
- Medium
- References
- Updated
Remediation Templates
A Manual Procedure
Configure the macOS system to log privilege escalation with the following command:
/usr/bin/find /etc/sudoers* -type f -exec sed -i '' '/Defaults \!log_allowed/d' '{}' \;
/bin/echo "Defaults log_allowed" >> /etc/sudoers.d/mscp