Information
The macOS system must configure the system to audit all authorization and authentication events.
GROUP ID: V-259470
RULE ID: SV-259470r1009588
The auditing system must be configured to flag authorization and authentication (aa) events.
Authentication events contain information about the identity of a user, server, or client. Authorization events contain information about permissions, rights, and rules. If audit records do not include aa events, it is difficult to identify incidents and to correlate incidents to subsequent events.
Audit records can be generated from various components within the information system (e.g., via a module or policy filter).
Satisfies: SRG-OS-000365-GPOS-00152, SRG-OS-000392-GPOS-00172, SRG-OS-000458-GPOS-00203, SRG-OS-000463-GPOS-00207, SRG-OS-000465-GPOS-00209, SRG-OS-000466-GPOS-00210, SRG-OS-000467-GPOS-00211, SRG-OS-000468-GPOS-00212, SRG-OS-000471-GPOS-00215, SRG-OS-000471-GPOS-00216, SRG-OS-000475-GPOS-00220, SRG-OS-000477-GPOS-00222
Solution
Configure the macOS system to audit logon events with the following command:
/usr/bin/grep -qE "^flags.*[^-]aa" /etc/security/audit_control || /usr/bin/sed -i.bak '/^flags/ s/$/,aa/' /etc/security/audit_control; /usr/sbin/audit -s
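A read-only check to pair with the command above, as an added example that is not part of the STIG or of this page's original text; the function name aa_flag_state and the sample file are hypothetical. It separates the prefixed forms (+aa, -aa, ^aa) that a single grep pattern lumps together, assuming the prefix meanings documented in audit_control(5) and left-to-right processing of the class list.

```shell
#!/bin/sh
# Added example (not part of the STIG text). Reports how the "aa" class is
# selected on the flags: line of an audit_control-style file.
# Assumptions: prefixes follow audit_control(5) and apply left to right;
# the catch-all class "all" is deliberately not considered here.

# Prints one of: both | success-only | failure-only | none
aa_flag_state() {
    file=$1
    s=0   # successful aa events selected
    f=0   # failed aa events selected
    # Use the last flags: line, strip blanks, split the class list on commas.
    classes=$(awk -F: '/^flags:/ { v = $2 } END { print v }' "$file" |
        tr -d ' \t\r' | tr ',' '\n')
    for c in $classes; do
        case $c in
            aa)     s=1; f=1 ;;
            +aa)    s=1 ;;
            -aa)    f=1 ;;
            '^aa')  s=0; f=0 ;;
            '^+aa') s=0 ;;
            '^-aa') f=0 ;;
        esac
    done
    case "$s$f" in
        11) echo both ;;
        10) echo success-only ;;
        01) echo failure-only ;;
        *)  echo none ;;
    esac
}

# Constructed sample content, not taken from a real host.
sample=$(mktemp)
printf 'dir:/var/audit\nflags:lo,ad,-aa\nminfree:5\n' > "$sample"
printf 'aa selection: %s\n' "$(aa_flag_state "$sample")"
rm -f "$sample"
```

On a managed Mac, call aa_flag_state /etc/security/audit_control; only the result "both" means successful and failed aa events are selected. A flags line containing ^aa matches the grep pattern in the command above, so the sed append is skipped even though the class is excluded.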
Item Details
Category: AUDIT AND ACCOUNTABILITY, CONFIGURATION MANAGEMENT, MAINTENANCE
References: 800-53|AU-12c., 800-53|CM-5(1), 800-53|MA-4(1), CAT|II, CCI|CCI-000172, CCI|CCI-001814, CCI|CCI-002884, CCI|CCI-003938, Rule-ID|SV-259470r1009588_rule, STIG-ID|APPL-14-001044, Vuln-ID|V-259470
Control ID: 32a613c9451c77d992c0a6a558d6bd7f62038590122ad50052ccc0c9aa070bc3