ℹ️ The items you can view are limited because you do not have a subscription. Contact us at [email protected] to purchase one.
- Group Title
- SRG-OS-000004-GPOS-00004
- Group ID
- V-259452
- Rule Version
- APPL-14-001001
- Rule Title
- The macOS system must be configured to audit all administrative action events.
- Rule ID
- SV-259452r1009583_rule
- Rule Severity
- ● Medium
- Rule Weight
- 10.0
- Vuln Discussion
-
Administrative action events include changes made to the system (e.g., modifying authentication policies). If audit records do not include "ad" events, it is difficult to identify incidents and to correlate incidents to subsequent events. Audit records can be generated from various components within the information system (e.g., via a module or policy filter).
Administrative and privileged access, including administrative use of the command line tools "kextload" and "kextunload" and changes to configuration settings, are logged by way of the "ad" flag.
Satisfies: SRG-OS-000004-GPOS-00004,SRG-OS-000239-GPOS-00089,SRG-OS-000240-GPOS-00090,SRG-OS-000241-GPOS-00091,SRG-OS-000327-GPOS-00127,SRG-OS-000365-GPOS-00152,SRG-OS-000392-GPOS-00172,SRG-OS-000458-GPOS-00203,SRG-OS-000471-GPOS-00215,SRG-OS-000471-GPOS-00216,SRG-OS-000476-GPOS-00221
- Documentable
- False
- Check Content
-
Verify the macOS system is configured to audit privileged access with the following command:
/usr/bin/awk -F':' '/^flags/ { print $NF }' /etc/security/audit_control | /usr/bin/tr ',' '\n' | /usr/bin/grep -Ec 'ad'
If "ad" is not listed in the output, this is a finding.
- Check System
- C-63191r940976_chk
- Fix Reference
- F-63099r940977_fix
- Fix Text
-
Configure the macOS system to audit privileged access with the following command:
/usr/bin/grep -qE "^flags.*[^-]ad" /etc/security/audit_control || /usr/bin/sed -i.bak '/^flags/ s/$/,ad/' /etc/security/audit_control; /usr/sbin/audit -s
A text editor may also be used to implement the required updates to the "/etc/security/audit_control" file.
- Identities
-
CCI-000018
Automatically audit account creation actions.
- 800-53 :: AC-2 (4)
- 800-53 Rev. 4 :: AC-2 (4)
- 800-53 Rev. 5 :: AC-2 (4)
- 800-53A :: AC-2 (4).1 (i and ii)
CCI-000172Generate audit records for the event types defined in AU-2 c that include the audit record content defined in AU-3.
- 800-53 :: AU-12 c
- 800-53 Rev. 4 :: AU-12 c
- 800-53 Rev. 5 :: AU-12 c
- 800-53A :: AU-12.1 (iv)
CCI-001403Automatically audit account modification actions.
- 800-53 :: AC-2 (4)
- 800-53 Rev. 4 :: AC-2 (4)
- 800-53 Rev. 5 :: AC-2 (4)
- 800-53A :: AC-2 (4).1 (i and ii)
CCI-001404Automatically audit account disabling actions.
- 800-53 :: AC-2 (4)
- 800-53 Rev. 4 :: AC-2 (4)
- 800-53 Rev. 5 :: AC-2 (4)
- 800-53A :: AC-2 (4).1 (i and ii)
CCI-001405Automatically audit account removal actions.
- 800-53 :: AC-2 (4)
- 800-53 Rev. 4 :: AC-2 (4)
- 800-53 Rev. 5 :: AC-2 (4)
- 800-53A :: AC-2 (4).1 (i and ii)
CCI-001814The Information system supports auditing of the enforcement actions.
- 800-53 Rev. 4 :: CM-5 (1)
CCI-002234Log the execution of privileged functions.
- 800-53 Rev. 4 :: AC-6 (9)
- 800-53 Rev. 5 :: AC-6 (9)
CCI-002884Log organization-defined audit events for nonlocal maintenance and diagnostic sessions.
- 800-53 Rev. 4 :: MA-4 (1) (a)
- 800-53 Rev. 5 :: MA-4 (1) (a)
CCI-003938Automatically generate audit records of the enforcement actions.
- 800-53 Rev. 5 :: CM-5 (1) (b)
CCI-004188Monitor the use of maintenance tools that execute with increased privilege.
- 800-53 Rev. 5 :: MA-3 (5)