Detections
Analytics
APPL-26-001020 - The macOS system must be configured to audit all deletions of object attributes.
Warning! Audit Deprecated
This audit has been deprecated and will be removed in a future update.
View Next Audit VersionInformation
The audit system must be configured to record enforcement actions of attempts to delete file attributes (fd).Enforcement actions are the methods or mechanisms used to prevent unauthorized changes to configuration settings. One common and effective enforcement action method is using access restrictions (i.e., denying modifications to a file by applying file permissions).
This configuration ensures that audit lists include events in which enforcement actions prevent attempts to delete a file.
Without auditing the enforcement of access restrictions, it is difficult to identify attempted attacks because no audit trail is available for forensic investigation.
Satisfies: SRG-OS-000057-GPOS-00027, SRG-OS-000058-GPOS-00028, SRG-OS-000059-GPOS-00029, SRG-OS-000064-GPOS-00033, SRG-OS-000256-GPOS-00097, SRG-OS-000257-GPOS-00098, SRG-OS-000258-GPOS-00099, SRG-OS-000365-GPOS-00152, SRG-OS-000392-GPOS-00172, SRG-OS-000458-GPOS-00203, SRG-OS-000463-GPOS-00207, SRG-OS-000465-GPOS-00209, SRG-OS-000466-GPOS-00210, SRG-OS-000467-GPOS-00211, SRG-OS-000468-GPOS-00212
Solution
Configure the macOS system to audit all deletions of object attributes with the following command:/usr/bin/grep -qE "^flags.*-fd" /etc/security/audit_control || /usr/bin/sed -i.bak '/^flags/ s/$/,-fd/' /etc/security/audit_control;/usr/sbin/audit -s
See Also
https://dl.dod.cyber.mil/wp-content/uploads/stigs/zip/U_Apple_macOS_26_V1R1_STIG.zip
Item Details
Audit Name: DISA Apple macOS 26 Tahoe STIG v1r1
References: CAT|II, CCI|CCI-000162, CCI|CCI-000163, CCI|CCI-000164, CCI|CCI-000172, CCI|CCI-001493, CCI|CCI-001494, CCI|CCI-001495, CCI|CCI-002884, CCI|CCI-003938, Rule-ID|SV-277069r1148659_rule, STIG-ID|APPL-26-001020, Vuln-ID|V-277069
Plugin: Unix
Control ID: 875637c4cb2d3bd0c1f01ce6ec0fd623c6c76865e7b193d927b603f8076f40ed