The macOS system must enable security auditing.

Overview

Finding ID	Version	Rule ID	IA Controls	Severity
V-259454	APPL-14-001003	SV-259454r940984_rule		Medium

Description
Audit records establish what types of events have occurred, when they occurred, and which users were involved. These records aid an organization in their efforts to establish, correlate, and investigate the events leading up to an outage or attack. The content required to be captured in an audit record varies based on the impact level of an organization's system. Content that may be necessary to satisfy this requirement includes, for example, time stamps, source addresses, destination addresses, user identifiers, event descriptions, success/fail indications, filenames involved, and access or flow control rules invoked. The information system initiates session audits at system startup. Note: Security auditing is enabled by default on macOS. Satisfies: SRG-OS-000037-GPOS-00015,SRG-OS-000038-GPOS-00016,SRG-OS-000039-GPOS-00017,SRG-OS-000040-GPOS-00018,SRG-OS-000041-GPOS-00019,SRG-OS-000042-GPOS-00020,SRG-OS-000042-GPOS-00021,SRG-OS-000055-GPOS-00026,SRG-OS-000254-GPOS-00095,SRG-OS-000255-GPOS-00096,SRG-OS-000257-GPOS-00098,SRG-OS-000258-GPOS-00099,SRG-OS-000303-GPOS-00120,SRG-OS-000337-GPOS-00129,SRG-OS-000358-GPOS-00145,SRG-OS-000359-GPOS-00146,SRG-OS-000365-GPOS-00152,SRG-OS-000392-GPOS-00172,SRG-OS-000458-GPOS-00203,SRG-OS-000461-GPOS-00205,SRG-OS-000462-GPOS-00206,SRG-OS-000463-GPOS-00207,SRG-OS-000465-GPOS-00209,SRG-OS-000466-GPOS-00210,SRG-OS-000467-GPOS-00211,SRG-OS-000468-GPOS-00212,SRG-OS-000470-GPOS-00214,SRG-OS-000471-GPOS-00215,SRG-OS-000471-GPOS-00216,SRG-OS-000472-GPOS-00217,SRG-OS-000473-GPOS-00218,SRG-OS-000474-GPOS-00219,SRG-OS-000475-GPOS-00220,SRG-OS-000476-GPOS-00221,SRG-OS-000477-GPOS-00222

Description

Audit records establish what types of events have occurred, when they occurred, and which users were involved. These records aid an organization in their efforts to establish, correlate, and investigate the events leading up to an outage or attack. The content required to be captured in an audit record varies based on the impact level of an organization's system. Content that may be necessary to satisfy this requirement includes, for example, time stamps, source addresses, destination addresses, user identifiers, event descriptions, success/fail indications, filenames involved, and access or flow control rules invoked. The information system initiates session audits at system startup. Note: Security auditing is enabled by default on macOS. Satisfies: SRG-OS-000037-GPOS-00015,SRG-OS-000038-GPOS-00016,SRG-OS-000039-GPOS-00017,SRG-OS-000040-GPOS-00018,SRG-OS-000041-GPOS-00019,SRG-OS-000042-GPOS-00020,SRG-OS-000042-GPOS-00021,SRG-OS-000055-GPOS-00026,SRG-OS-000254-GPOS-00095,SRG-OS-000255-GPOS-00096,SRG-OS-000257-GPOS-00098,SRG-OS-000258-GPOS-00099,SRG-OS-000303-GPOS-00120,SRG-OS-000337-GPOS-00129,SRG-OS-000358-GPOS-00145,SRG-OS-000359-GPOS-00146,SRG-OS-000365-GPOS-00152,SRG-OS-000392-GPOS-00172,SRG-OS-000458-GPOS-00203,SRG-OS-000461-GPOS-00205,SRG-OS-000462-GPOS-00206,SRG-OS-000463-GPOS-00207,SRG-OS-000465-GPOS-00209,SRG-OS-000466-GPOS-00210,SRG-OS-000467-GPOS-00211,SRG-OS-000468-GPOS-00212,SRG-OS-000470-GPOS-00214,SRG-OS-000471-GPOS-00215,SRG-OS-000471-GPOS-00216,SRG-OS-000472-GPOS-00217,SRG-OS-000473-GPOS-00218,SRG-OS-000474-GPOS-00219,SRG-OS-000475-GPOS-00220,SRG-OS-000476-GPOS-00221,SRG-OS-000477-GPOS-00222

STIG	Date
Apple macOS 14 (Sonoma) Security Technical Implementation Guide	2024-01-10

Details

Check Text ( C-63193r940982_chk )
Verify the macOS system is configured to enable the auditd service with the following command: LAUNCHD_RUNNING=$(/bin/launchctl list \| /usr/bin/grep -c com.apple.auditd) if [[ $LAUNCHD_RUNNING == 1 ]] && [[ -e /etc/security/audit_control ]]; then echo "pass" else echo "fail" fi If the result is not "pass", this is a finding.

Fix Text (F-63101r940983_fix)
Configure the macOS system to enable the auditd service with the following command: LAUNCHD_RUNNING=$(/bin/launchctl list \| /usr/bin/grep -c com.apple.auditd) if [[ ! $LAUNCHD_RUNNING == 1 ]]; then /bin/launchctl load -w /System/Library/LaunchDaemons/com.apple.auditd.plist fi if [[ ! -e /etc/security/audit_control ]] && [[ -e /etc/security/audit_control.example ]];then /bin/cp /etc/security/audit_control.example /etc/security/audit_control else /usr/bin/touch /etc/security/audit_control fi

Fix Text (F-63101r940983_fix)

Configure the macOS system to enable the auditd service with the following command:

LAUNCHD_RUNNING=$(/bin/launchctl list | /usr/bin/grep -c com.apple.auditd)

if [[ ! $LAUNCHD_RUNNING == 1 ]]; then
/bin/launchctl load -w /System/Library/LaunchDaemons/com.apple.auditd.plist
fi

if [[ ! -e /etc/security/audit_control ]] && [[ -e /etc/security/audit_control.example ]];then
/bin/cp /etc/security/audit_control.example /etc/security/audit_control
else
/usr/bin/touch /etc/security/audit_control
fi