Information
The audit system must be configured to record enforcement actions of attempts to delete file attributes (fd).
***Enforcement actions are the methods or mechanisms used to prevent unauthorized changes to configuration settings. One common and effective enforcement action method is using access restrictions (i.e., denying modifications to a file by applying file permissions).
This configuration ensures that audit lists include events in which enforcement actions prevent attempts to delete a file.
Without auditing the enforcement of access restrictions, it is difficult to identify attempted attacks, as there is no audit trail available for forensic investigation.
Satisfies: SRG-OS-000057-GPOS-00027,SRG-OS-000058-GPOS-00028,SRG-OS-000059-GPOS-00029,SRG-OS-000064-GPOS-00033,SRG-OS-000256-GPOS-00097,SRG-OS-000257-GPOS-00098,SRG-OS-000258-GPOS-00099,SRG-OS-000365-GPOS-00152,SRG-OS-000392-GPOS-00172,SRG-OS-000458-GPOS-00203,SRG-OS-000463-GPOS-00207,SRG-OS-000465-GPOS-00209,SRG-OS-000466-GPOS-00210,SRG-OS-000467-GPOS-00211,SRG-OS-000468-GPOS-00212
Solution
Configure the macOS system to audit all deletions of object attributes with the following command:
/usr/bin/grep -qE "^flags.*-fd" /etc/security/audit_control || /usr/bin/sed -i.bak '/^flags/ s/$/,-fd/' /etc/security/audit_control;/usr/sbin/audit -s
Item Details
Category: AUDIT AND ACCOUNTABILITY, CONFIGURATION MANAGEMENT, MAINTENANCE
References: 800-53|AU-9, 800-53|AU-12c., 800-53|CM-5(1), 800-53|MA-4(1)(a), CAT|II, CCI|CCI-000162, CCI|CCI-000163, CCI|CCI-000164, CCI|CCI-000172, CCI|CCI-001493, CCI|CCI-001494, CCI|CCI-001495, CCI|CCI-001814, CCI|CCI-002884, CCI|CCI-003938, Rule-ID|SV-259462r1009585_rule, STIG-ID|APPL-14-001020, Vuln-ID|V-259462
Control ID: fd1d88ae444b90d2191d086dda02dfa8bde9e178bf833abad1653e7a003d75d1