Enable audit Service
An XCCDF Rule
Description
The audit service is an essential userspace component of
the auditing system, as it is responsible for writing audit records to
disk.
Rationale
Without establishing what type of events occurred, when they
occurred, and by whom, it would be difficult to establish, correlate,
and investigate the events leading up to an outage or attack.
Audit record content that may be necessary to satisfy this requirement
includes, for example, time stamps, source and destination addresses,
user/process identifiers, event descriptions, success/fail indications,
filenames involved, and access control or flow control rules invoked.
Associating event types with detected events in the operating system
audit logs provides a means of investigating an attack, recognizing
resource utilization or capacity thresholds, or identifying an
improperly configured operating system.
- ID
- xccdf_org.ssgproject.content_rule_service_com_apple_auditd_enabled
- Severity
- High
- References
- SRG-OS-000037-GPOS-00015, SRG-OS-000038-GPOS-00016, SRG-OS-000039-GPOS-00017, SRG-OS-000040-GPOS-00018, SRG-OS-000041-GPOS-00019, SRG-OS-000042-GPOS-00020, SRG-OS-000042-GPOS-00021, SRG-OS-000055-GPOS-00026, SRG-OS-000254-GPOS-00095, SRG-OS-000255-GPOS-00096, SRG-OS-000303-GPOS-00120, SRG-OS-000337-GPOS-00129, SRG-OS-000358-GPOS-00145, SRG-OS-000359-GPOS-00146
- Updated
Remediation - Shell Script
launchctl load -w /System/Library/LaunchDaemons/com.apple.auditd.plist
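
A check to pair with the remediation, added here as an example and not part of the rule's own content: it parses `launchctl list` output (tab-separated PID, Status, Label columns) and reports whether the `com.apple.auditd` job is loaded. The function names and the sample listings are constructed for illustration.

```sh
#!/bin/sh
# Added example (not from the XCCDF rule): verify the state that the
# remediation command is meant to produce.
# On a real host, feed it the system-domain job list, as root:
#   launchctl list | check_auditd

AUDITD_LABEL="com.apple.auditd"

# auditd_state: read `launchctl list` output on stdin and print one of
#   running     job is loaded and currently has a PID
#   loaded      job is loaded, no process at the moment (PID column is "-")
#   not-loaded  no row carries exactly this label
auditd_state() {
    awk -v label="$AUDITD_LABEL" '
        # Exact match on the Label column, so a longer label that merely
        # starts with com.apple.auditd is not mistaken for the daemon.
        $3 == label { state = ($1 == "-") ? "loaded" : "running" }
        END { print (state == "" ? "not-loaded" : state) }
    '
}

# check_auditd: print the finding; exit status 0 = pass, 1 = fail.
check_auditd() {
    state=$(auditd_state)
    echo "$AUDITD_LABEL: $state"
    [ "$state" != "not-loaded" ]
}

# Constructed sample listings (not captured from a real machine).
SAMPLE_RUNNING=$(printf 'PID\tStatus\tLabel\n91\t0\tcom.apple.auditd\n-\t0\tcom.apple.example\n')
SAMPLE_IDLE=$(printf 'PID\tStatus\tLabel\n-\t0\tcom.apple.auditd\n')
SAMPLE_MISSING=$(printf 'PID\tStatus\tLabel\n-\t0\tcom.apple.example\n')

# Demonstration over the constructed samples.
for sample in "$SAMPLE_RUNNING" "$SAMPLE_IDLE" "$SAMPLE_MISSING"; do
    if printf '%s\n' "$sample" | check_auditd; then
        echo "  PASS"
    else
        echo "  FAIL: apply the remediation and re-check"
    fi
done
```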