3.4 Control access to audit records - /var/audit

Warning! Audit Deprecated

This audit has been deprecated and will be removed in a future update.

Information

The audit subsystem on macOS records operational and security events to trail files in /var/audit, under the configuration in /etc/security/audit_control. Those records are valuable to an attacker twice over: as reconnaissance, and as the place to alter or remove evidence of the changes the system recorded. As part of defense in depth, /etc/security/audit_control and the files in /var/audit should be owned by root with group wheel, readable only by root and wheel, and with no access at all for other users. macOS ACLs should not be used on these files, since an ACL can grant access that the POSIX mode bits do not show.
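A check for the requirement above, added here as an example and not part of the benchmark text or of Tenable's audit: a POSIX shell script that evaluates the output of macOS `ls -le` for /etc/security/audit_control and the files in /var/audit against ownership (root:wheel), mode (read-only for owner and group, nothing for others) and the absence of an ACL. BSD ls marks an ACL with a trailing `+` on the mode field and prints the ACL entries on the following lines. The listing the script runs against is constructed sample data, not output captured from a real host, and the function names are the example's own.

```shell
#!/bin/sh
# Added example: evaluate `ls -le` output for the macOS audit files against
# the control. Compliant entry: owner root, group wheel, mode r--r-----
# (read-only for owner and group, no access for others), no ACL.

# check_audit_entry LINE: print one finding per violation; return 0 if clean.
check_audit_entry() {
    entry=$1
    set -f            # no globbing while splitting the ls line into fields
    set -- $entry     # $1 mode, $2 links, $3 owner, $4 group, ... name
    set +f
    mode=$1 owner=$3 group=$4
    rc=0
    case "$mode" in
        *+) echo "ACL present: $entry"; rc=1; mode=${mode%+} ;;
        *@) mode=${mode%@} ;;    # extended attributes alone are not a finding
    esac
    [ "$owner" = root ]  || { echo "owner is '$owner', not root: $entry"; rc=1; }
    [ "$group" = wheel ] || { echo "group is '$group', not wheel: $entry"; rc=1; }
    case "$mode" in                              # positions 8-10: other users
        ???????---) ;;
        *) echo "other users have access ($mode): $entry"; rc=1 ;;
    esac
    case "$mode" in                              # positions 2-7: owner, group
        ?r--r--???) ;;
        *) echo "owner/group not read-only ($mode): $entry"; rc=1 ;;
    esac
    return $rc
}

# audit_listing_check: read `ls -le` output on stdin, print findings, and
# return the number of non-compliant entries (0 = pass). Only regular-file
# entries are evaluated; the 'total' line, ACL detail lines (" 0: user:...")
# and the 'current' symlink in /var/audit are skipped. ACLs are caught from
# the '+' marker on the file's own line.
audit_listing_check() {
    bad=0
    while IFS= read -r line; do
        case "$line" in
            -*) check_audit_entry "$line" || bad=$((bad + 1)) ;;
        esac
    done
    return $bad
}

# Constructed sample listing (not from a real system). Three of the five
# entries violate the control: one is world-readable and owner-writable,
# one is owned by 'admin', and one carries an ACL.
sample_listing() {
    cat <<'EOF'
-r--r-----  1 root   wheel   512 Jan  1 00:00 /etc/security/audit_control
-r--r-----  1 root   wheel  8192 Jan  2 00:00 /var/audit/20200101000000.20200102000000
-rw-r--r--  1 root   wheel  8192 Jan  3 00:00 /var/audit/20200102000000.20200103000000
-r--r-----  1 admin  wheel  8192 Jan  4 00:00 /var/audit/20200103000000.20200104000000
-r--r-----+ 1 root   wheel  8192 Jan  5 00:00 /var/audit/20200104000000.not_terminated
 0: user:admin allow read
EOF
}

# Demo run against the sample. On a real host replace sample_listing with:
#   ls -le /etc/security/audit_control /var/audit/*
sample_listing | audit_listing_check || echo "non-compliant entries: $?"
```

The script reports, rather than fixes, because the Solution below treats an unexplained change in these permissions as an incident indicator: before restoring ownership or mode, record what was found and establish whether the change was approved.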

Rationale:

Audit records should never be modified except by the audit daemon as it posts events. Records may be read, and extracts of them may be processed freely, but the authoritative trail files must be protected from unauthorized changes.

Solution

If the audit logs carry access controls other than those described above and the change cannot be traced to an approved administrative action, a clean reinstall may be prudent, since the audit trail can no longer be trusted to show what happened. Check for signs of file tampering as well as unapproved OS changes.

See Also

https://workbench.cisecurity.org/files/2105

Item Details

Category: AUDIT AND ACCOUNTABILITY

References: 800-53|AU-9, CSCv6|3.1

Plugin: Unix

Control ID: e87c169476f24c6aac3f1767cfbad7c816973a0a3c3757a7310bbd714fa42550