Catalina - Configure the System to Notify upon Account Enabled Actions

Information

macOS should be configured to automatically notify system administrators and Information System Security Officers (ISSOs) when accounts are enabled.

Once an attacker establishes initial access to a system, the attacker often attempts to create a persistent method of reestablishing and maintaining access by enabling a new or previously disabled account. Configuring the information system to send a notification when a new or disabled account is enabled is one method for mitigating this risk. A comprehensive account management process should not only notify when accounts are enabled, but also maintain an audit record of these actions. Such a process greatly reduces the risk that accounts will be surreptitiously enabled and provides logging that can be used for forensic purposes.

To enable notifications and audit logging of enabled accounts, many operating systems can be integrated with enterprise-level auditing mechanisms that meet or exceed this requirement.

NOTE: Nessus has not performed this check. Please review the benchmark to ensure target compliance.

Solution

This requirement is a permanent finding and cannot be fixed. An appropriate mitigation for the system must be implemented, but this finding cannot be considered fixed.

See Also

https://github.com/usnistgov/macos_security

Item Details

Category: ACCESS CONTROL

References: 800-53|AC-2(4), CCE|CCE-84897-8, CCI|CCI-002132

Plugin: Unix

Control ID: 81f156e8d792505f06b3d4d8a1bb24400e095dd9a58a1ebaa013c327814fa200