3.2 Configure Security Auditing Flags per local organizational requirements - 'audit successful/failed file attribute modification events'

Information

Auditing is the capture and maintenance of information about security-related events. Auditable events often depend on differing organizational requirements.

Rationale:

Maintaining an audit trail of system activity logs can help identify configuration errors, troubleshoot service disruptions, and analyze compromises or attacks that have occurred, have begun, or are about to begin. Audit logs are necessary to provide a trail of evidence in case the system or network is compromised.

Depending on the governing authority organizations can have vastly different auditing requirements. In order to make a specific decision on which flags to check for a single standard on flags would have to exist for the uses of this Benchmark. At this point I don't see one. Some have suggested the use of an 'any' flag, which would have to be an alternate check. It appears that many or statements would have to be used to make this a successfully scored control, and even this some will be dissatisfied. URL references to audit flag discussions are under references. Please follow best practices and organizational compliance requirements.

Solution

Perform the following to set the require Security Auditing Flags:
Edit the /etc/security/audit_control file and add lo, ad, fd, fm, -all to flags.

Additional Information:

OpenBSM auditing on Mac OS X

Guide to Securing macOS 10.12 Systems for IT Professionals Section 6.4

Real-time auditing on macOS with OpenBSM

AUDIT IN A OS X SYSTEM

See Also

https://workbench.cisecurity.org/files/3013

Item Details

Category: AUDIT AND ACCOUNTABILITY

References: 800-53|AU-12c.

Plugin: Unix

Control ID: fc0ba222611d38ff9c78a1e9689091a7bbef07d598c316a1bdb0de31fb1a1156