Catalina - Configure System to Audit All Administrative Action Events

Information

The auditing system _MUST_ be configured to flag administrative action (ad) events.

Administrative action events include changes made to the system (e.g. modifying authentication policies). If audit records do not include ad events, it is difficult to identify incidents and to correlate incidents to subsequent events.

Audit records can be generated from various components within the information system (e.g., via a module or policy filter).

The information system audits the execution of privileged functions.

NOTE: We recommend changing the line "43127:AUE_MAC_SYSCALL:mac_syscall(2):ad" to "43127:AUE_MAC_SYSCALL:mac_syscall(2):zz" in the file /etc/security/audit_event. This will prevent sandbox violations from being audited by the ad flag.

Solution

[source,bash]
----
/usr/bin/grep -qE "^flags.*[^-]ad" /etc/security/audit_control || /usr/bin/sed -i.bak '/^flags/ s/$/,ad/' /etc/security/audit_control; /usr/sbin/audit -s
----

See Also

https://github.com/usnistgov/macos_security

Item Details

Category: ACCESS CONTROL, AUDIT AND ACCOUNTABILITY, CONFIGURATION MANAGEMENT, MAINTENANCE

References: 800-53|AC-2(4), 800-53|AC-2(12), 800-53|AC-6(9), 800-53|AU-2, 800-53|AU-12, 800-53|AU-12c., 800-53|CM-5(1), 800-53|MA-4(1), 800-53|MA-4(1)(a), CCE|CCE-84712-9, CCI|CCI-000018, CCI|CCI-000172, CCI|CCI-001403, CCI|CCI-001404, CCI|CCI-001405, CCI|CCI-002234, CCI|CCI-002884, STIG-ID|AOSX-15-001001

Plugin: Unix

Control ID: 252749cc6f7b6a20d2a3159e18552e24309b1d28460c1f2a61d641ba64c3b7ee