The macOS system must be configured to audit all failed read actions on the system.

Description

<VulnDiscussion>The audit system must be configured to record enforcement actions of access restrictions, including failed file read (-fr) attempts. Enforcement actions are the methods or mechanisms used to prevent unauthorized access and/or changes to configuration settings. One common and effective enforcement action method is using access restrictions (e.g., denying access to a file by applying file permissions). This configuration ensures that audit lists include events in which enforcement actions prevent attempts to read a file. Without auditing the enforcement of access restrictions, it is difficult to identify attempted attacks, as there is no audit trail available for forensic investigation. Satisfies: SRG-OS-000463-GPOS-00207,SRG-OS-000057-GPOS-00027,SRG-OS-000465-GPOS-00209,SRG-OS-000474-GPOS-00219</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>