CCI-000018 in U Apple macOS 15 V1R1

ℹ️ The items you can view are limited because you do not have a subscription. Contact us at [email protected] to purchase one.

UNCLASSIFIED
Group Title
SRG-OS-000004-GPOS-00004
Group ID
V-268452
Rule Version
APPL-15-001001
Rule Title
The macOS system must be configured to audit all administrative action events.
Rule ID
SV-268452r1034296_rule
Rule Severity
Medium
Rule Weight
10.0
Vuln Discussion

The auditing system must be configured to flag administrative action (ad) events.

Administrative action events include changes made to the system (e.g., modifying authentication policies). If audit records do not include ad events, it is difficult to identify incidents and to correlate incidents to subsequent events.

Audit records can be generated from various components within the information system (e.g., via a module or policy filter).

The information system audits the execution of privileged functions.

NOTE: Changing the line "43127:AUE_MAC_SYSCALL:mac_syscall(2):ad" to "43127:AUE_MAC_SYSCALL:mac_syscall(2):zz" in the file /etc/security/audit_event is recommended. This will prevent sandbox violations from being audited by the ad flag.

Satisfies: SRG-OS-000004-GPOS-00004, SRG-OS-000239-GPOS-00089, SRG-OS-000240-GPOS-00090, SRG-OS-000241-GPOS-00091, SRG-OS-000303-GPOS-00120, SRG-OS-000327-GPOS-00127, SRG-OS-000365-GPOS-00152, SRG-OS-000392-GPOS-00172, SRG-OS-000458-GPOS-00203, SRG-OS-000471-GPOS-00215, SRG-OS-000471-GPOS-00216, SRG-OS-000476-GPOS-00221

Documentable
False
Check Content

Verify the macOS system is configured to audit privileged access with the following command:

/usr/bin/awk -F':' '/^flags/ { print $NF }' /etc/security/audit_control | /usr/bin/tr ',' '\n' | /usr/bin/grep -Ec 'ad'

If "ad" is not listed in the output, this is a finding.

Check System
C-72482r1034294_chk
Fix Reference
F-72383r1034295_fix
Fix Text

Configure the macOS system to audit privileged access with the following command:

/usr/bin/grep -qE "^flags.*[^-]ad" /etc/security/audit_control || /usr/bin/sed -i.bak '/^flags/ s/$/,ad/' /etc/security/audit_control; /usr/sbin/audit -s

A text editor may also be used to implement the required updates to the "/etc/security/audit_control" file.

Identities
CCI-000018

Automatically audit account creation actions.

  • 800-53 :: AC-2 (4)
  • 800-53 Rev. 4 :: AC-2 (4)
  • 800-53 Rev. 5 :: AC-2 (4)
  • 800-53A :: AC-2 (4).1 (i and ii)
CCI-000172

Generate audit records for the event types defined in AU-2 c that include the audit record content defined in AU-3.

  • 800-53 :: AU-12 c
  • 800-53 Rev. 4 :: AU-12 c
  • 800-53 Rev. 5 :: AU-12 c
  • 800-53A :: AU-12.1 (iv)
CCI-001403

Automatically audit account modification actions.

  • 800-53 :: AC-2 (4)
  • 800-53 Rev. 4 :: AC-2 (4)
  • 800-53 Rev. 5 :: AC-2 (4)
  • 800-53A :: AC-2 (4).1 (i and ii)
CCI-001404

Automatically audit account disabling actions.

  • 800-53 :: AC-2 (4)
  • 800-53 Rev. 4 :: AC-2 (4)
  • 800-53 Rev. 5 :: AC-2 (4)
  • 800-53A :: AC-2 (4).1 (i and ii)
CCI-001405

Automatically audit account removal actions.

  • 800-53 :: AC-2 (4)
  • 800-53 Rev. 4 :: AC-2 (4)
  • 800-53 Rev. 5 :: AC-2 (4)
  • 800-53A :: AC-2 (4).1 (i and ii)
CCI-002130

Automatically audit account enabling actions.

  • 800-53 Rev. 4 :: AC-2 (4)
  • 800-53 Rev. 5 :: AC-2 (4)
CCI-002234

Log the execution of privileged functions.

  • 800-53 Rev. 4 :: AC-6 (9)
  • 800-53 Rev. 5 :: AC-6 (9)
CCI-002884

Log organization-defined audit events for nonlocal maintenance and diagnostic sessions.

  • 800-53 Rev. 4 :: MA-4 (1) (a)
  • 800-53 Rev. 5 :: MA-4 (1) (a)
CCI-003938

Automatically generate audit records of the enforcement actions.

  • 800-53 Rev. 5 :: CM-5 (1) (b)
UNCLASSIFIED