Big Sur - Configure System to Audit All Failed Read Actions on the System

Information

The audit system _MUST_ be configured to record enforcement actions of access restrictions, including failed file read (-fr) attempts.

Enforcement actions are the methods or mechanisms used to prevent unauthorized access and/or changes to configuration settings. One common and effective enforcement action method is using access restrictions (e.g., denying access to a file by applying file permissions).

This configuration ensures that audit lists include events in which enforcement actions prevent attempts to read a file.

Without auditing the enforcement of access restrictions, it is difficult to identify attempted attacks, as there is no audit trail available for forensic investigation.

Solution

[source,bash]
----
/usr/bin/grep -qE "^flags.*-fr" /etc/security/audit_control || /usr/bin/sed -i.bak '/^flags/ s/$/,-fr/' /etc/security/audit_control;/usr/sbin/audit -s
----

See Also

https://github.com/usnistgov/macos_security

Item Details

Category: ACCESS CONTROL, AUDIT AND ACCOUNTABILITY, CONFIGURATION MANAGEMENT, MAINTENANCE

References: 800-53|AC-2(12), 800-53|AU-2, 800-53|AU-9, 800-53|AU-12, 800-53|AU-12c., 800-53|CM-5(1), 800-53|MA-4(1), CCE|CCE-85265-7, CCI|CCI-000172, CCI|CCI-001814, STIG-ID|APPL-11-001020

Plugin: Unix

Control ID: 0dcd6f521c6ca66d6e8fb5e65356e70f66ce08a380eee206e36f554c1c9e5842