SV-225152r610901_rule
V-225152
SRG-OS-000064-GPOS-00033
AOSX-15-001020
CAT II
10
To set the audit flags to the recommended setting, run the following command to add the flags "fm", "-fr", "-fw", and "-fd" all at once:
/usr/bin/sudo /usr/bin/sed -i.bak '/^flags/ s/$/,fm,-fr,-fw,-fd/' /etc/security/audit_control; /usr/bin/sudo /usr/sbin/audit -s
A text editor may also be used to implement the required updates to the "/etc/security/audit_control" file.
To view the currently configured flags for the audit daemon, run the following command:
/usr/bin/sudo /usr/bin/grep ^flags /etc/security/audit_control
Enforcement actions are logged by way of the "fm" flag, which audits permission changes, and "-fr" and "-fw", which denote failed attempts to read or write to a file, and -fd, which audits failed file deletion.
If "fm", "-fr", "-fw", and "-fd" are not listed in the result of the check, this is a finding.
V-225152
False
AOSX-15-001020
To view the currently configured flags for the audit daemon, run the following command:
/usr/bin/sudo /usr/bin/grep ^flags /etc/security/audit_control
Enforcement actions are logged by way of the "fm" flag, which audits permission changes, and "-fr" and "-fw", which denote failed attempts to read or write to a file, and -fd, which audits failed file deletion.
If "fm", "-fr", "-fw", and "-fd" are not listed in the result of the check, this is a finding.
M
4212