CCI-000134 in U Apple macOS 15 V1R1

UNCLASSIFIED
Group Title
SRG-OS-000037-GPOS-00015
Group ID
V-268454
Rule Version
APPL-15-001003
Rule Title
The macOS system must enable security auditing.
Rule ID
SV-268454r1034302_rule
Rule Severity
Medium
Rule Weight
10.0
Vuln Discussion

The information system must be configured to generate audit records.

Audit records establish what types of events have occurred, when they occurred, and which users were involved. These records aid an organization in their efforts to establish, correlate, and investigate the events leading up to an outage or attack.

The content required to be captured in an audit record varies based on the impact level of an organization's system. Content that may be necessary to satisfy this requirement includes, for example, time stamps, source addresses, destination addresses, user identifiers, event descriptions, success/fail indications, filenames involved, and access or flow control rules invoked.

The information system initiates session audits at system startup.

NOTE: Security auditing is NOT enabled by default on macOS Sequoia.

Satisfies: SRG-OS-000037-GPOS-00015, SRG-OS-000038-GPOS-00016, SRG-OS-000039-GPOS-00017, SRG-OS-000040-GPOS-00018, SRG-OS-000041-GPOS-00019, SRG-OS-000042-GPOS-00020, SRG-OS-000042-GPOS-00021, SRG-OS-000055-GPOS-00026, SRG-OS-000254-GPOS-00095, SRG-OS-000255-GPOS-00096, SRG-OS-000257-GPOS-00098, SRG-OS-000258-GPOS-00099, SRG-OS-000337-GPOS-00129, SRG-OS-000358-GPOS-00145, SRG-OS-000359-GPOS-00146, SRG-OS-000365-GPOS-00152, SRG-OS-000392-GPOS-00172, SRG-OS-000458-GPOS-00203, SRG-OS-000461-GPOS-00205, SRG-OS-000462-GPOS-00206, SRG-OS-000463-GPOS-00207, SRG-OS-000465-GPOS-00209, SRG-OS-000466-GPOS-00210, SRG-OS-000467-GPOS-00211, SRG-OS-000468-GPOS-00212, SRG-OS-000470-GPOS-00214, SRG-OS-000471-GPOS-00215, SRG-OS-000471-GPOS-00216, SRG-OS-000472-GPOS-00217, SRG-OS-000473-GPOS-00218, SRG-OS-000474-GPOS-00219, SRG-OS-000475-GPOS-00220, SRG-OS-000476-GPOS-00221, SRG-OS-000477-GPOS-00222, SRG-OS-000755-GPOS-00220

Documentable
False
Check Content

Verify the macOS system is configured to enable the auditd service with the following command:

# 1 if the com.apple.auditd job is loaded in launchd, 0 otherwise
LAUNCHD_RUNNING=$(/bin/launchctl list | /usr/bin/grep -c com.apple.auditd)
# 1 if the kernel audit condition is AUC_AUDITING (auditing active), 0 otherwise
AUDITD_RUNNING=$(/usr/sbin/audit -c | /usr/bin/grep -c "AUC_AUDITING")
# All three must hold: job loaded, audit_control present, auditing active
if [[ $LAUNCHD_RUNNING == 1 ]] && [[ -e /etc/security/audit_control ]] && [[ $AUDITD_RUNNING == 1 ]]; then
    echo "pass"
else
    echo "fail"
fi

If the result is not "pass", this is a finding.
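The STIG check above prints only "pass" or "fail". The following script is an added example, not part of the STIG text, that applies the same three conditions (launchd job loaded, /etc/security/audit_control present, audit condition AUC_AUDITING) but names each condition that fails, which tells an administrator whether the Fix Text's `launchctl bootstrap` step or its `audit -i` step is the one still needed. The evaluator takes the observed values as arguments so it can be exercised on any POSIX shell with the constructed sample outputs embedded below; only `collect_and_evaluate`, which runs the real `launchctl` and `audit` commands from the check, assumes a macOS host. The function names, sample outputs and failure tokens are this example's own.

```shell
#!/bin/sh
# Added example, not part of the STIG text: a diagnostic version of the
# APPL-15-001003 check that reports which of the three conditions fails
# instead of a bare pass/fail. Only collect_and_evaluate runs the real macOS
# commands and is an assumption about that host.

# Constructed sample of `launchctl list` output with the auditd job loaded
# (columns are PID, last exit status, label).
SAMPLE_LAUNCHCTL_LOADED='PID Status Label
- 0 com.apple.auditd
123 0 com.apple.syslogd'

# Constructed sample with no auditd job loaded.
SAMPLE_LAUNCHCTL_MISSING='PID Status Label
123 0 com.apple.syslogd'

# Constructed samples of `audit -c` output: auditing on and auditing off.
SAMPLE_AUDIT_ON='AUC_AUDITING'
SAMPLE_AUDIT_OFF='AUC_NOAUDIT'

# evaluate_auditd LAUNCHCTL_OUTPUT CONTROL_PRESENT AUDIT_C_OUTPUT
#   LAUNCHCTL_OUTPUT  text of `launchctl list`
#   CONTROL_PRESENT   1 if /etc/security/audit_control exists, else 0
#   AUDIT_C_OUTPUT    text of `audit -c`
# Applies the same three tests as the STIG check. Prints "pass" and returns 0
# when all hold; otherwise prints "fail:" followed by one token per failed
# condition and returns 1.
evaluate_auditd() {
    launchctl_output=$1
    control_present=$2
    audit_c_output=$3
    # `|| true` keeps a zero count from tripping `set -e` (grep -c exits 1
    # when nothing matches).
    launchd_count=$(printf '%s\n' "$launchctl_output" | grep -c 'com.apple.auditd' || true)
    auditd_count=$(printf '%s\n' "$audit_c_output" | grep -c 'AUC_AUDITING' || true)
    reasons=""
    [ "$launchd_count" = "1" ] || reasons="$reasons launchd-job-not-loaded"
    [ "$control_present" = "1" ] || reasons="$reasons audit_control-missing"
    [ "$auditd_count" = "1" ] || reasons="$reasons auditing-not-active"
    if [ -z "$reasons" ]; then
        echo "pass"
        return 0
    fi
    echo "fail:$reasons"
    return 1
}

# collect_and_evaluate gathers the live values with the commands the STIG
# check uses (macOS only) and feeds them to evaluate_auditd.
collect_and_evaluate() {
    launchctl_output=$(/bin/launchctl list || true)
    if [ -e /etc/security/audit_control ]; then
        control_present=1
    else
        control_present=0
    fi
    audit_c_output=$(/usr/sbin/audit -c || true)
    evaluate_auditd "$launchctl_output" "$control_present" "$audit_c_output"
}

# Demonstration on the constructed samples; `|| true` so a failing sample
# does not abort a run under `set -e`.
evaluate_auditd "$SAMPLE_LAUNCHCTL_LOADED" 1 "$SAMPLE_AUDIT_ON" || true
evaluate_auditd "$SAMPLE_LAUNCHCTL_LOADED" 1 "$SAMPLE_AUDIT_OFF" || true
evaluate_auditd "$SAMPLE_LAUNCHCTL_MISSING" 0 "$SAMPLE_AUDIT_OFF" || true
```

On a macOS host, run `collect_and_evaluate` as root; a result of `fail: auditing-not-active` with the other two conditions holding is the state in which the job is loaded and audit_control exists but `audit -i` has not yet initialised auditing, which is why the Fix Text ends with that command.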

Check System
C-72484r1034300_chk
Fix Reference
F-72385r1034301_fix
Fix Text

Configure the macOS system to enable the auditd service with the following command:

# Seed the audit configuration from Apple's example file if none exists yet
if [[ ! -e /etc/security/audit_control ]] && [[ -e /etc/security/audit_control.example ]]; then
    /bin/cp /etc/security/audit_control.example /etc/security/audit_control
fi
# Enable the auditd job so it persists across reboots, then load it now
/bin/launchctl enable system/com.apple.auditd
/bin/launchctl bootstrap system /System/Library/LaunchDaemons/com.apple.auditd.plist
# Initialise auditing so the kernel audit condition becomes AUC_AUDITING
/usr/sbin/audit -i

Identities
CCI-000130

Ensure that audit records containing information that establishes what type of event occurred.

  • 800-53 :: AU-3
  • 800-53 Rev. 4 :: AU-3
  • 800-53 Rev. 5 :: AU-3 a
  • 800-53A :: AU-3.1
CCI-000131

Ensure that audit records containing information that establishes when the event occurred.

  • 800-53 :: AU-3
  • 800-53 Rev. 4 :: AU-3
  • 800-53 Rev. 5 :: AU-3 b
  • 800-53A :: AU-3.1
CCI-000132

Ensure that audit records containing information that establishes where the event occurred.

  • 800-53 :: AU-3
  • 800-53 Rev. 4 :: AU-3
  • 800-53 Rev. 5 :: AU-3 c
  • 800-53A :: AU-3.1
CCI-000133

Ensure that audit records containing information that establishes the source of the event.

  • 800-53 :: AU-3
  • 800-53 Rev. 4 :: AU-3
  • 800-53 Rev. 5 :: AU-3 d
  • 800-53A :: AU-3.1
CCI-000134

Ensure that audit records containing information that establishes the outcome of the event.

  • 800-53 :: AU-3
  • 800-53 Rev. 4 :: AU-3
  • 800-53 Rev. 5 :: AU-3 e
  • 800-53A :: AU-3.1
CCI-000135

Generate audit records containing the organization-defined additional information that is to be included in the audit records.

  • 800-53 :: AU-3 (1)
  • 800-53 Rev. 4 :: AU-3 (1)
  • 800-53 Rev. 5 :: AU-3 (1)
  • 800-53A :: AU-3 (1).1 (ii)
CCI-000159

Use internal system clocks to generate time stamps for audit records.

  • 800-53 :: AU-8
  • 800-53 Rev. 4 :: AU-8 a
  • 800-53 Rev. 5 :: AU-8 a
  • 800-53A :: AU-8.1
CCI-000172

Generate audit records for the event types defined in AU-2 c that include the audit record content defined in AU-3.

  • 800-53 :: AU-12 c
  • 800-53 Rev. 4 :: AU-12 c
  • 800-53 Rev. 5 :: AU-12 c
  • 800-53A :: AU-12.1 (iv)
CCI-001464

Initiates session audits automatically at system start-up.

  • 800-53 :: AU-14 (1)
  • 800-53 Rev. 4 :: AU-14 (1)
  • 800-53 Rev. 5 :: AU-14 (1)
  • 800-53A :: AU-14 (1).1
CCI-001487

Ensure that audit records containing information that establishes the identity of any individuals, subjects, or objects/entities associated with the event.

  • 800-53 :: AU-3
  • 800-53 Rev. 4 :: AU-3
  • 800-53 Rev. 5 :: AU-3 f
  • 800-53A :: AU-3.1
CCI-001494

Protect audit tools from unauthorized modification.

  • 800-53 :: AU-9
  • 800-53 Rev. 4 :: AU-9
  • 800-53 Rev. 5 :: AU-9
  • 800-53A :: AU-9.1
CCI-001495

Protect audit tools from unauthorized deletion.

  • 800-53 :: AU-9
  • 800-53 Rev. 4 :: AU-9
  • 800-53 Rev. 5 :: AU-9
  • 800-53A :: AU-9.1
CCI-001889

Record time stamps for audit records that meet organization-defined granularity of time measurement.

  • 800-53 Rev. 4 :: AU-8 b
  • 800-53 Rev. 5 :: AU-8 b
CCI-001890

Record time stamps for audit records that use Coordinated Universal Time, have a fixed local time offset from Coordinated Universal Time, or that include the local time offset as part of the time stamp.

  • 800-53 Rev. 4 :: AU-8 b
  • 800-53 Rev. 5 :: AU-8 b
CCI-001914

Provide the capability for organization-defined individuals or roles to change the logging to be performed on organization-defined system components based on organization-defined selectable event criteria within organization-defined time thresholds.

  • 800-53 Rev. 4 :: AU-12 (3)
  • 800-53 Rev. 5 :: AU-12 (3)
CCI-002884

Log organization-defined audit events for nonlocal maintenance and diagnostic sessions.

  • 800-53 Rev. 4 :: MA-4 (1) (a)
  • 800-53 Rev. 5 :: MA-4 (1) (a)
CCI-003938

Automatically generate audit records of the enforcement actions.

  • 800-53 Rev. 5 :: CM-5 (1) (b)
CCI-004188

Monitor the use of maintenance tools that execute with increased privilege.

  • 800-53 Rev. 5 :: MA-3 (5)