APPL-26-001001 - The macOS system must be configured to audit all administrative action events.

Warning! Audit Deprecated

This audit has been deprecated and will be removed in a future update.

Information

The auditing system must be configured to flag administrative action (ad) events.

Administrative action events include changes made to the system (e.g., modifying authentication policies). If audit records do not include ad events, it is difficult to identify incidents and to correlate incidents to subsequent events.

Audit records can be generated from various components within the information system (e.g., via a module or policy filter).

The information system audits the execution of privileged functions.

Note: Changing the line "43127:AUE_MAC_SYSCALL:mac_syscall(2):ad" to "43127:AUE_MAC_SYSCALL:mac_syscall(2):zz" in the file /etc/security/audit_event is recommended. This will prevent sandbox violations from being audited by the ad flag.

Satisfies: SRG-OS-000004-GPOS-00004, SRG-OS-000239-GPOS-00089, SRG-OS-000240-GPOS-00090, SRG-OS-000241-GPOS-00091, SRG-OS-000303-GPOS-00120, SRG-OS-000327-GPOS-00127, SRG-OS-000365-GPOS-00152, SRG-OS-000392-GPOS-00172, SRG-OS-000458-GPOS-00203, SRG-OS-000471-GPOS-00215, SRG-OS-000471-GPOS-00216, SRG-OS-000476-GPOS-00221

Solution

Configure the macOS system to audit privileged access with the following command:

/usr/bin/grep -qE "^flags.*[^-]ad" /etc/security/audit_control || /usr/bin/sed -i.bak '/^flags/ s/$/,ad/' /etc/security/audit_control; /usr/sbin/audit -s

A text editor may also be used to implement the required updates to the "/etc/security/audit_control" file.

Item Details

Audit Name: DISA Apple macOS 26 Tahoe STIG v1r1

Plugin: Unix

Control ID: 3d8b264f9cba947f5d9e7f318167d614e461ce39d14e5a4d38a5d10b29eec7c8

Detections

Analytics

APPL-26-001001 - The macOS system must be configured to audit all administrative action events.

Warning! Audit Deprecated

Information

Solution

See Also

Item Details