APPL-14-001022 - The macOS system must be configured to audit all failed read actions on the system.

Information

The audit system must be configured to record enforcement actions of access restrictions, including failed file read (-fr) attempts.

Enforcement actions are the methods or mechanisms used to prevent unauthorized access and/or changes to configuration settings. One common and effective enforcement action method is using access restrictions (e.g., denying access to a file by applying file permissions).

This configuration ensures that audit lists include events in which enforcement actions prevent attempts to read a file.

Without auditing the enforcement of access restrictions, it is difficult to identify attempted attacks, as there is no audit trail available for forensic investigation.

Satisfies: SRG-OS-000463-GPOS-00207,SRG-OS-000057-GPOS-00027,SRG-OS-000465-GPOS-00209,SRG-OS-000474-GPOS-00219

Solution

Configure the macOS system to audit all failed read actions on the system with the following command:

/usr/bin/grep -qE "^flags.*-fr" /etc/security/audit_control || /usr/bin/sed -i.bak '/^flags/ s/$/,-fr/' /etc/security/audit_control;/usr/sbin/audit -s

See Also

https://dl.dod.cyber.mil/wp-content/uploads/stigs/zip/U_Apple_macOS_14_V2R2_STIG.zip

Item Details

Category: AUDIT AND ACCOUNTABILITY

References: 800-53|AU-9, 800-53|AU-12c., CAT|II, CCI|CCI-000162, CCI|CCI-000172, Rule-ID|SV-259464r991573_rule, STIG-ID|APPL-14-001022, Vuln-ID|V-259464

Plugin: Unix

Control ID: fb6e48eff18af04312d730ad61f08c410b49142bd6ec5b827c2c243cb2ea6a10