3.1 Ensure Security Auditing Is Enabled

Information

macOS's audit facility, auditd receives notifications from the kernel when certain system calls, such as open fork and exit are made. These notifications are captured and written to an audit log.

Apple has deprecated auditd as of macOS 11.0 Big Sur. In macOS 14.0 Sonoma it is no longer enabled by default and it is suggested to use an application that integrates with the EndpointSecurity API. These applications are third party and not built into the macOS. Until auditd is removed from macOS completely, running the binary is the best way to collect logging in macOS and the only one that is part of the OS.

Logs generated by auditd may be useful when investigating a security incident as they may help reveal the vulnerable application and the actions taken by a malicious actor.

Solution

Terminal Method:

Perform the following to enable security auditing:

Run the following command to load auditd and create the audit_control file:

% /usr/bin/sudo /bin/launchctl load -w /System/Library/LaunchDaemons/com.apple.auditd.plist

% /usr/bin/sudo /bin/cp /etc/security/audit_control.example /etc/security/audit_control

See Also

https://workbench.cisecurity.org/benchmarks/18634