Information
The information system _MUST_ be configured to generate audit records.
Audit records establish what types of events have occurred, when they occurred, and which users were involved. These records aid an organization in their efforts to establish, correlate, and investigate the events leading up to an outage or attack.
The content required to be captured in an audit record varies based on the impact level of an organization's system. Content that may be necessary to satisfy this requirement includes, for example, time stamps, source addresses, destination addresses, user identifiers, event descriptions, success/fail indications, filenames involved, and access or flow control rules invoked.
The information system initiates session audits at system start-up.
NOTE: Security auditing is enabled by default on macOS.
Solution
[source,bash]
----
/bin/launchctl load -w /System/Library/LaunchDaemons/com.apple.auditd.plist
----
Item Details
Category: ACCESS CONTROL, AUDIT AND ACCOUNTABILITY, CONFIGURATION MANAGEMENT, MAINTENANCE
References: 800-53|AC-2(4), 800-53|AU-3, 800-53|AU-3(1), 800-53|AU-8, 800-53|AU-8a., 800-53|AU-8b., 800-53|AU-12, 800-53|AU-12(1), 800-53|AU-12(3), 800-53|AU-14(1), 800-53|CM-5(1), 800-53|MA-4(1), CCE|CCE-85254-1, CCI|CCI-000130, CCI|CCI-000131, CCI|CCI-000132, CCI|CCI-000133, CCI|CCI-000134, CCI|CCI-000135, CCI|CCI-000159, CCI|CCI-001464, CCI|CCI-001487, CCI|CCI-001889, CCI|CCI-001890, CCI|CCI-001914, CCI|CCI-002130, STIG-ID|APPL-11-001003
Control ID: cf14c88d41cd2f36aeae5f4753650e230489e21b36ef594d1ddc5aa6a4fb61f3