Detections
Analytics

APPL-26-001021 - The macOS system must be configured to audit all changes of object attributes.

Warning! Audit Deprecated

This audit has been deprecated and will be removed in a future update.

View Next Audit Version

Information

The audit system must be configured to record enforcement actions of attempts to modify file attributes (fm).

Enforcement actions are the methods or mechanisms used to prevent unauthorized changes to configuration settings. One common and effective enforcement action method is using access restrictions (i.e., modifications to a file by applying file permissions).

This configuration ensures that audit lists include events in which enforcement actions attempt to modify a file.

Without auditing the enforcement of access restrictions, it is difficult to identify attempted attacks because no audit trail is available for forensic investigation.

Satisfies: SRG-OS-000057-GPOS-00027, SRG-OS-000058-GPOS-00028, SRG-OS-000059-GPOS-00029, SRG-OS-000064-GPOS-00033, SRG-OS-000256-GPOS-00097, SRG-OS-000257-GPOS-00098, SRG-OS-000258-GPOS-00099, SRG-OS-000365-GPOS-00152, SRG-OS-000392-GPOS-00172, SRG-OS-000458-GPOS-00203, SRG-OS-000462-GPOS-00206, SRG-OS-000463-GPOS-00207, SRG-OS-000465-GPOS-00209, SRG-OS-000466-GPOS-00210, SRG-OS-000467-GPOS-00211, SRG-OS-000468-GPOS-00212

Solution

Configure the macOS system to audit all changes of object attributes with the following command:

/usr/bin/grep -qE "^flags.*fm" /etc/security/audit_control || /usr/bin/sed -i.bak '/^flags/ s/$/,fm/' /etc/security/audit_control;/usr/sbin/audit -s

See Also

https://dl.dod.cyber.mil/wp-content/uploads/stigs/zip/U_Apple_macOS_26_V1R1_STIG.zip

Item Details

References: CAT|II, CCI|CCI-000162, CCI|CCI-000163, CCI|CCI-000164, CCI|CCI-000172, CCI|CCI-001493, CCI|CCI-001494, CCI|CCI-001495, CCI|CCI-002884, CCI|CCI-003938, Rule-ID|SV-277070r1148662_rule, STIG-ID|APPL-26-001021, Vuln-ID|V-277070

Plugin: Unix

Control ID: e147fbff697ce88c9667c1f590866e91449fe78408bf0ac30fe9948ebd8ceb0c