3.2 Configure Security Auditing Flags per local organizational requirements - 'audit successful/failed file attribute modification events'

Warning! Audit Deprecated

This audit has been deprecated and will be removed in a future update.

Information

Auditing is the capture and maintenance of information about security-related events. Auditable events often depend on differing organizational requirements.

Rationale:

Maintaining an audit trail of system activity logs can help identify configuration errors, troubleshoot service disruptions, and analyze compromises or attacks that have occurred, have begun, or are about to begin. Audit logs are necessary to provide a trail of evidence in case the system or network is compromised.

Depending on the governing authority, organizations can have vastly different auditing requirements. In this control we have selected a minimal set of audit flags that should be a part of any organizational requirements. The flags selected below may not adequately meet organizational requirements for users of this benchmark. The auditing checks for the flags proposed here will not impact additional flags that are selected.

Solution

Perform the following to set the required Security Auditing Flags:
Edit the /etc/security/audit_control file and add the fm, ad, ex, aa, fr, lo, and fw flags to the flags: line, or add -all to flags.
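The following is an added compliance check for the step above; it is not part of the CIS benchmark or the Tenable audit. It reads the flags: line of an audit_control file given as its argument (so it can be run against /etc/security/audit_control or a constructed sample) and reports which of the required flags are missing; the check_audit_flags function name, the sample file and the fallback path are assumptions.

```shell
#!/bin/sh
# Added example, not the benchmark's own check: verify that the flags: line of an
# audit_control file carries every required audit class, or all/-all as the
# solution text allows. Usage: sh check_audit_flags.sh [/etc/security/audit_control]

REQUIRED_CLASSES="fm ad ex aa fr lo fw"

# check_audit_flags FILE
# Returns 0 when the flags line is compliant; otherwise prints the missing
# classes and returns 1.
check_audit_flags() {
    file="$1"
    # First flags: line, with the key and all whitespace stripped.
    line=$(grep '^flags:' "$file" | head -n 1 | sed 's/^flags://; s/[[:space:]]//g')
    case ",$line," in
        *,all,*|*,-all,*) return 0 ;;   # all/-all covers every class
    esac
    missing=""
    for class in $REQUIRED_CLASSES; do
        # Only a bare class name audits both successful and failed events; a +/-
        # prefix (audit_control(5)) narrows it to one outcome, so -fm alone does
        # not satisfy "successful/failed file attribute modification".
        case ",$line," in
            *,"$class",*) ;;
            *) missing="$missing $class" ;;
        esac
    done
    if [ -n "$missing" ]; then
        echo "missing audit classes:$missing"
        return 1
    fi
    return 0
}

# Constructed sample resembling a default macOS audit_control; used when no
# path is supplied so the script runs offline.
SAMPLE="${TMPDIR:-/tmp}/audit_control.sample.$$"
printf 'dir:/var/audit\nflags:lo,aa\nminfree:5\nnaflags:lo,aa\npolicy:cnt,argv\n' > "$SAMPLE"

if check_audit_flags "${1:-$SAMPLE}"; then
    echo "flags line is compliant"
fi
rm -f "$SAMPLE"
```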

Additional Information:

OpenBSM auditing on Mac OS X

Guide to Securing macOS 10.12 Systems for IT Professionals Section 6.4

Real-time auditing on macOS with OpenBSM

AUDIT IN A OS X SYSTEM

NIST Recommendations for flags based on Protecting Controlled Unclassified Information 3.1.12, 3.3.1, 3.3.2, 3.3.7, and 3.3.8

See Also

https://workbench.cisecurity.org/files/3421