AOSX-09-000120 - The operating system must automatically audit account creation.


Once an attacker establishes initial access to a system, the attacker often attempts to create a persistent method of re-establishing access. One way to accomplish this is for the attacker to create a new account. Auditing of account creation mitigates this risk. To address access requirements, many operating systems may be integrated with enterprise level authentication/access/auditing mechanisms that meet or exceed access control policy requirements.


To make sure the appropriate flags are enabled for auditing, run the following command:

sudo sed -i.bak '/^flags/ s/$/,ad/' /etc/security/audit_control; sudo audit -s

A text editor may also be used to implement the required update to the /etc/security/audit_control file.

See Also

Item Details


References: 800-53|AU-12, CAT|II, CCI|CCI-000018, Group-ID|V-58287, Rule-ID|SV-72717r1_rule, STIG-ID|AOSX-09-000120

Plugin: Unix

Control ID: 58ea93fc7567651692eb513eb281a23c7618f69ce2f769767986ab4696104908