Catalina - Configure System to Audit All Authorization and Authentication Events

Information

The auditing system _MUST_ be configured to flag authorization and authentication (aa) events.

Authentication events contain information about the identity of a user, server, or client. Authorization events contain information about permissions, rights, and rules. If audit records do not include aa events, it is difficult to identify incidents and to correlate incidents to subsequent events.

Audit records can be generated from various components within the information system (e.g., via a module or policy filter).

Solution

[source,bash]
----
/usr/bin/grep -qE "^flags.*[^-]aa" /etc/security/audit_control || /usr/bin/sed -i.bak '/^flags/ s/$/,aa/' /etc/security/audit_control; /usr/sbin/audit -s
----

See Also

https://github.com/usnistgov/macos_security

Item Details

Category: ACCESS CONTROL, AUDIT AND ACCOUNTABILITY, CONFIGURATION MANAGEMENT, MAINTENANCE

References: 800-53|AC-2(12), 800-53|AU-2, 800-53|AU-12, 800-53|CM-5(1), 800-53|MA-4(1), CCE|CCE-84711-1, STIG-ID|AOSX-15-001044

Plugin: Unix

Control ID: 993f1d8ecf33ec9c31f9ff1c7ba5f3991d50a79351f2e58d24b542729898abae