STIGQter: STIG Summary: Apple macOS 11 (Big Sur) Security Technical Implementation Guide Version: 1 Release: 2 Benchmark Date: 23 Apr 2021:

The macOS system must provide an immediate real-time alert to the System Administrator (SA) and Information System Security Officer (ISSO), at a minimum, of all audit failure events requiring real-time alerts.

DISA Rule

SV-230783r599842_rule

Vulnerability Number

V-230783

Group Title

SRG-OS-000344-GPOS-00135

Rule Version

APPL-11-001031

Severity

CAT II

CCI(s)

• CCI-001858 - The information system provides a real-time alert in an organization-defined real-time period to organization-defined personnel, roles, and/or locations when organization-defined audit failure events requiring real-time alerts occur.

Weight

10

Fix Recommendation

To make "auditd" log errors to standard error as well as "syslogd", run the following command:

/usr/bin/sudo /usr/bin/sed -i.bak 's/logger -p/logger -s -p/' /etc/security/audit_warn; /usr/bin/sudo /usr/sbin/audit -s

Check Contents

By default, "auditd" only logs errors to "syslog". To see if audit has been configured to print error messages to the console, run the following command:

/usr/bin/sudo /usr/bin/grep logger /etc/security/audit_warn

If the argument "-s" is missing, or if "audit_warn" has not been otherwise modified to print errors to the console or send email alerts to the SA and ISSO, this is a finding.

Vulnerability Number

V-230783

Documentable

False

Rule Version

APPL-11-001031

Severity Override Guidance

By default, "auditd" only logs errors to "syslog". To see if audit has been configured to print error messages to the console, run the following command:

/usr/bin/sudo /usr/bin/grep logger /etc/security/audit_warn

If the argument "-s" is missing, or if "audit_warn" has not been otherwise modified to print errors to the console or send email alerts to the SA and ISSO, this is a finding.

Check Content Reference

M

Target Key

5246

Comments