Catalina - Configure System to Audit All Failed Change of Object Attributes

Information

The audit system _MUST_ be configured to record enforcement actions of failed attempts to modify file attributes (fm).

Enforcement actions are the methods or mechanisms used to prevent unauthorized changes to configuration settings. One common and effective enforcement action method is using access restrictions (i.e., denying modifications to a file by applying file permissions).

This configuration ensures that audit lists include events in which enforcement actions prevent attempts to modify a file.

Without auditing the enforcement of access restrictions, it is difficult to identify attempted attacks, as there is no audit trail available for forensic investigation.

Solution

[source,bash]
----
/usr/bin/grep -qE "^flags.*-fm" /etc/security/audit_control || /usr/bin/sed -i.bak '/^flags/ s/$/,-fm/' /etc/security/audit_control;/usr/sbin/audit -s
----

See Also

https://github.com/usnistgov/macos_security

Item Details

Category: ACCESS CONTROL, AUDIT AND ACCOUNTABILITY, CONFIGURATION MANAGEMENT, MAINTENANCE

References: 800-53|AC-2(12), 800-53|AU-2, 800-53|AU-9, 800-53|AU-12, 800-53|AU-12c., 800-53|CM-5(1), 800-53|MA-4(1), CCE|CCE-84715-2, CCI|CCI-000172, CCI|CCI-001814, STIG-ID|AOSX-15-001020

Plugin: Unix

Control ID: 263c9646f04a448596c9e3e5ecd0460e4a43db59b8f25e113dddf514e24f5578