Detections
Analytics
APPL-15-001003 - The macOS system must enable security auditing.
Information
The information system must be configured to generate audit records.Audit records establish what types of events have occurred, when they occurred, and which users were involved. These records aid an organization in their efforts to establish, correlate, and investigate the events leading up to an outage or attack.
The content required to be captured in an audit record varies based on the impact level of an organization's system. Content that may be necessary to satisfy this requirement includes, for example, time stamps, source addresses, destination addresses, user identifiers, event descriptions, success/fail indications, filenames involved, and access or flow control rules invoked.
The information system initiates session audits at system startup.
NOTE: Security auditing is NOT enabled by default on macOS Sequoia.
Satisfies: SRG-OS-000037-GPOS-00015, SRG-OS-000038-GPOS-00016, SRG-OS-000039-GPOS-00017, SRG-OS-000040-GPOS-00018, SRG-OS-000041-GPOS-00019, SRG-OS-000042-GPOS-00020, SRG-OS-000042-GPOS-00021, SRG-OS-000055-GPOS-00026, SRG-OS-000254-GPOS-00095, SRG-OS-000255-GPOS-00096, SRG-OS-000257-GPOS-00098, SRG-OS-000258-GPOS-00099, SRG-OS-000337-GPOS-00129, SRG-OS-000358-GPOS-00145, SRG-OS-000359-GPOS-00146, SRG-OS-000365-GPOS-00152, SRG-OS-000392-GPOS-00172, SRG-OS-000458-GPOS-00203, SRG-OS-000461-GPOS-00205, SRG-OS-000462-GPOS-00206, SRG-OS-000463-GPOS-00207, SRG-OS-000465-GPOS-00209, SRG-OS-000466-GPOS-00210, SRG-OS-000467-GPOS-00211, SRG-OS-000468-GPOS-00212, SRG-OS-000470-GPOS-00214, SRG-OS-000471-GPOS-00215, SRG-OS-000471-GPOS-00216, SRG-OS-000472-GPOS-00217, SRG-OS-000473-GPOS-00218, SRG-OS-000474-GPOS-00219, SRG-OS-000475-GPOS-00220, SRG-OS-000476-GPOS-00221, SRG-OS-000477-GPOS-00222, SRG-OS-000755-GPOS-00220
Solution
Configure the macOS system to enable the auditd service with the following command:if [[ ! -e /etc/security/audit_control ]] && [[ -e /etc/security/audit_control.example ]];then
/bin/cp /etc/security/audit_control.example /etc/security/audit_control
fi
/bin/launchctl enable system/com.apple.auditd
/bin/launchctl bootstrap system /System/Library/LaunchDaemons/com.apple.auditd.plist
/usr/sbin/audit -i
See Also
https://dl.dod.cyber.mil/wp-content/uploads/stigs/zip/U_Apple_macOS_15_V1R1_STIG.zip
Item Details
Audit Name: DISA Apple macOS 15 (Sequoia) STIG v1r1
Category: AUDIT AND ACCOUNTABILITY, MAINTENANCE
References: 800-53|AU-3, 800-53|AU-3(1), 800-53|AU-8a., 800-53|AU-8b., 800-53|AU-9, 800-53|AU-12(3), 800-53|AU-12c., 800-53|AU-14(1), 800-53|MA-4(1)(a), CAT|II, CCI|CCI-000130, CCI|CCI-000131, CCI|CCI-000132, CCI|CCI-000133, CCI|CCI-000134, CCI|CCI-000135, CCI|CCI-000159, CCI|CCI-000172, CCI|CCI-001464, CCI|CCI-001487, CCI|CCI-001494, CCI|CCI-001495, CCI|CCI-001889, CCI|CCI-001890, CCI|CCI-001914, CCI|CCI-002884, CCI|CCI-003938, CCI|CCI-004188, Rule-ID|SV-268454r1034302_rule, STIG-ID|APPL-15-001003, Vuln-ID|V-268454
Plugin: Unix
Control ID: 75de01f3061c53ee03fe460c0fba24a11528da7c47899e4bf0f37121c36838bd