
Shutdown System When Auditing Failures Occur

An XCCDF Rule

Description

The macOS system must shut down by default upon audit failure unless availability is an overriding concern.

Rationale

The audit service should shut down the computer if it is unable to audit system events. Once audit failure occurs, user and system activity is no longer recorded and malicious activity could go undetected. Audit processing failures include software/hardware errors, failures in the audit capturing mechanisms, and audit storage capacity being reached or exceeded. Responses to audit failure depend on the nature of the failure mode.

ID
xccdf_org.ssgproject.content_rule_audit_failure_halt
Severity
Medium
References
Updated



Remediation - Shell Script


# Add the ahlt (halt on audit failure) flag to the policy line only if it is not already present, then reload the audit configuration
/usr/bin/grep -q '^policy:.*ahlt' /etc/security/audit_control || sudo /usr/bin/sed -i.bak '/^policy/ s/$/,ahlt/' /etc/security/audit_control; sudo /usr/sbin/audit -s
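The one-line sed above appends ",ahlt" unconditionally, so running it twice yields a duplicated flag and an empty "policy:" line becomes "policy:,ahlt". As an added example (not part of the SSG rule content), the POSIX shell functions below check whether ahlt is set as a whole flag and add it exactly once; they take the file path as an argument, so the constructed sample in the demo stands in for /etc/security/audit_control.

```shell
#!/bin/sh
# Added example, not part of the SSG rule: check for and idempotently add the
# "ahlt" policy flag in an audit_control-format file. Takes the file path as an
# argument so it can be exercised on a constructed copy before being pointed at
# /etc/security/audit_control (which needs root to modify).

# Print the comma-separated flags of the first policy: line ("" if absent/empty).
audit_policy_flags() {
    sed -n 's/^policy:[[:space:]]*//p' "$1" | sed 's/[[:space:]]*$//' | head -n 1
}

# Exit 0 if ahlt is present as a whole flag (so "xahlt" does not count), else 1.
audit_policy_has_ahlt() {
    audit_policy_flags "$1" | tr ',' '\n' | grep -qx 'ahlt'
}

# Add ahlt exactly once. Handles three cases the one-line sed fix does not
# distinguish: flag already set, an empty "policy:" line, and no policy line.
audit_policy_add_ahlt() {
    file=$1
    if audit_policy_has_ahlt "$file"; then
        return 0
    fi
    if ! grep -q '^policy:' "$file"; then
        printf 'policy:ahlt\n' >> "$file"
        return 0
    fi
    flags=$(audit_policy_flags "$file")
    if [ -z "$flags" ]; then new=ahlt; else new="$flags,ahlt"; fi
    # Flags are [a-z,] only, so they are safe inside the sed replacement.
    tmp="$file.tmp.$$"
    sed "s/^policy:.*/policy:$new/" "$file" > "$tmp" && mv "$tmp" "$file"
}

# Demonstration on a constructed audit_control (sample values, not a real host).
demo=$(mktemp)
printf 'dir:/var/audit\nflags:lo,aa\npolicy:cnt,argv\nfilesz:2M\n' > "$demo"
audit_policy_has_ahlt "$demo" && echo "compliant" || echo "non-compliant: $(audit_policy_flags "$demo")"
audit_policy_add_ahlt "$demo"
audit_policy_has_ahlt "$demo" && echo "compliant: $(audit_policy_flags "$demo")"
rm -f "$demo"
```

Pointed at /etc/security/audit_control the add function must run as root, and the audit daemon still has to re-read the file afterwards (audit -s, as in the remediation above).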