Detections
Analytics
Catalina - Configure System to Audit All Deletions of Object Attributes
Information
The audit system _MUST_ be configured to record enforcement actions of attempts to delete file attributes (fd).***Enforcement actions are the methods or mechanisms used to prevent unauthorized changes to configuration settings. One common and effective enforcement action method is using access restrictions (i.e., denying modifications to a file by applying file permissions).
This configuration ensures that audit lists include events in which enforcement actions prevent attempts to delete a file.
Without auditing the enforcement of access restrictions, it is difficult to identify attempted attacks, as there is no audit trail available for forensic investigation.
Solution
[source,bash]----
/usr/bin/grep -qE "^flags.*-fd" /etc/security/audit_control || /usr/bin/sed -i.bak '/^flags/ s/$/,-fd/' /etc/security/audit_control;/usr/sbin/audit -s
----
See Also
Item Details
Audit Name: NIST macOS Catalina v1.5.0 - 800-53r5 Moderate
Category: ACCESS CONTROL, AUDIT AND ACCOUNTABILITY, CONFIGURATION MANAGEMENT, MAINTENANCE
References: 800-53|AC-2(12), 800-53|AU-2, 800-53|AU-9, 800-53|AU-12, 800-53|AU-12c., 800-53|CM-5(1), 800-53|MA-4(1), CCE|CCE-84922-4, CCI|CCI-000172, CCI|CCI-001814, STIG-ID|AOSX-15-001020
Plugin: Unix
Control ID: 008bbee49ec90d15890440987206a3e29cb8f2e0d00cad6ec92a1b6c3486a33b