STIGQter STIGQter: STIG Summary: Apple OS X 10.14 (Mojave) Security Technical Implementation Guide Version: 2 Release: 3 Benchmark Date: 23 Apr 2021:

The macOS system must generate audit records for all account creations, modifications, disabling, and termination events; privileged activities or other system-level access; all kernel module load, unload, and restart actions; all program initiations; and organizationally defined events for all non-local maintenance and diagnostic sessions.

DISA Rule

SV-209549r610285_rule

Vulnerability Number

V-209549

Group Title

SRG-OS-000004-GPOS-00004

Rule Version

AOSX-14-001001

Severity

CAT II

CCI(s)

Weight

10

Fix Recommendation

To ensure the appropriate flags are enabled for auditing, run the following command:

/usr/bin/sudo /usr/bin/sed -i.bak '/^flags/ s/$/,ad/' /etc/security/audit_control; /usr/bin/sudo /usr/sbin/audit -s

A text editor may also be used to implement the required updates to the "/etc/security/audit_control" file.

Check Contents

To view the currently configured flags for the audit daemon, run the following command:

/usr/bin/sudo /usr/bin/grep ^flags /etc/security/audit_control

Administrative and Privileged access, including administrative use of the command line tools "kextload" and "kextunload" and changes to configuration settings are logged by way of the "ad" flag.

If "ad" is not listed in the result of the check, this is a finding.

Vulnerability Number

V-209549

Documentable

False

Rule Version

AOSX-14-001001

Severity Override Guidance

To view the currently configured flags for the audit daemon, run the following command:

/usr/bin/sudo /usr/bin/grep ^flags /etc/security/audit_control

Administrative and Privileged access, including administrative use of the command line tools "kextload" and "kextunload" and changes to configuration settings are logged by way of the "ad" flag.

If "ad" is not listed in the result of the check, this is a finding.

Check Content Reference

M

Target Key

2930

Comments