Monterey - Configure the System to Notify upon Account Modified Actions

Information

macOS should be configured to automatically notify system administrators and Information System Security Officers (ISSOs) when accounts are modified.

Once an attacker establishes initial access to a system, the attacker often attempts to create a persistent method of reestablishing and maintaining access by modifying an existing account. Configuring the information system to send a notification when accounts are modified is one method for mitigating this risk. A comprehensive account management process should not only notify when accounts are modified, but also maintain an audit record of these actions. Such a process greatly reduces the risk that accounts will be surreptitiously created and provides logging that can be used for forensic purposes.

To enable notifications and audit logging of modified accounts, many operating systems can be integrated with enterprise-level auditing mechanisms that meet or exceed this requirement.

NOTE: Nessus has not performed this check. Please review the benchmark to ensure target compliance.

Solution

This requirement is a permanent finding and cannot be fixed. An appropriate mitigation for the system must be implemented, but this finding cannot be considered fixed.

See Also

https://github.com/usnistgov/macos_security

Item Details

Category: ACCESS CONTROL

References: 800-53|AC-2(4), CCE|CCE-90962-2, CCI|CCI-001684

Plugin: Unix

Control ID: e421ec0e881f91ce5b0eb3a71755ca01e80ed5f2d6b58f43f0e9774985e4b81a