AOSX-10-000120 - The operating system must automatically audit account creation.


Once an attacker establishes initial access to a system, the attacker often attempts to create a persistent method of re-establishing access. One way to accomplish this is for the attacker to create a new account. Auditing of account creation mitigates this risk.

To address access requirements, many operating systems may be integrated with enterprise level authentication/access/auditing mechanisms that meet or exceed access control policy requirements


To make sure the appropriate flags are enabled for auditing, run the following command:

sudo sed -i.bak '/^flags/ s/$/,ad/' /etc/security/audit_control; sudo audit -s

A text editor may also be used to implement the required updates to the /etc/security/audit_control file.

See Also

Item Details


References: 800-53|AU-12, CAT|II, CCI|CCI-000018, Rule-ID|SV-73989r1_rule, STIG-ID|AOSX-10-000120, Vuln-ID|V-59559

Plugin: Unix

Control ID: db839df785b8b3a18cf9593192707b6b5fc1e3df3d136623f11258cc6e01dc6e