Catalina - Configure Audit Log Folders to Mode 700 or Less Permissive

Information

The audit log folder _MUST_ be configured to mode 700 or less permissive so that only the root user is able to read, write, and execute changes to folders.

Because audit logs contain sensitive data about the system and users, the audit service _MUST_ be configured to mode 700 or less permissive; thereby preventing normal users from reading, modifying or deleting audit logs.

Solution

[source,bash]
----
/bin/chmod 700 $(/usr/bin/grep '^dir' /etc/security/audit_control | /usr/bin/awk -F: '{print $2}')
----

See Also

https://github.com/usnistgov/macos_security

Item Details

Category: AUDIT AND ACCOUNTABILITY

References: 800-53|AU-9, CCE|CCE-84705-3, CCI|CCI-000162, CCI|CCI-000163, CCI|CCI-000164, STIG-ID|AOSX-15-001017

Plugin: Unix

Control ID: 7d59e2ec7769c1db2c6c1f9a54370e6e3cac4b79672db3726dfd955d74e9bdc2