
The operating system must generate audit records when successful/unsuccessful attempts to access privileges occur.


Overview

Finding ID: V-59807
Version: AOSX-10-002100
Rule ID: SV-74237r1_rule
IA Controls: (blank)
Severity: Medium
Description
Frequently, an attacker that successfully gains access to a system has only gained access to an account with limited privileges, such as a guest account or a service account. The attacker must attempt to change to another user account with normal or elevated privileges in order to proceed. Auditing successful and unsuccessful attempts to elevate privileges mitigates this risk.
STIG: Apple OS X 10.10 (Yosemite) Workstation Security Technical Implementation Guide
Date: 2017-04-06

Details

Check Text (C-60563r1_chk)
The options to configure the audit daemon are located in the /etc/security/audit_control file. To view the current settings, run the following command:

sudo grep ^flags /etc/security/audit_control

If the 'lo', 'ad', and 'aa' options are not set, this is a finding.
Fix Text (F-65217r1_fix)
To set the audit flags to the recommended setting, run the following command to add the flags 'lo', 'ad', and 'aa' all at once:

sudo sed -i.bak '/^flags/ s/$/,lo,ad,aa/' /etc/security/audit_control; sudo audit -s

A text editor may also be used to implement the required updates to the /etc/security/audit_control file.
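
The sed command in the Fix Text appends ',lo,ad,aa' on every run, so repeating it duplicates flags. The following is an added example, not part of the STIG text, that performs the same check and adds only the flags that are missing. The function names and the sample file are constructed here, and treating prefixed flags such as '-aa' as not set is an assumption.

```shell
#!/bin/sh
# Added example (not STIG text): idempotent check and fix for the 'flags' line.
# The file path is an argument, so it can be tried on a copy of audit_control.
REQUIRED="lo ad aa"

# Echo the current value of the flags: line (whitespace stripped).
current_flags() {
    sed -n 's/^flags:[[:space:]]*//p' "$1" | head -n 1 | tr -d '[:space:]'
}

# Echo a comma-separated list of required flags that are not set.
# Assumption: only a bare class name counts. '+lo' (success only),
# '-lo' (failure only) and '^lo' (excluded) do not cover both outcomes.
missing_flags() {
    current=$(current_flags "$1")
    out=""
    for f in $REQUIRED; do
        case ",$current," in
            *",$f,"*) ;;
            *) out="${out:+$out,}$f" ;;
        esac
    done
    printf '%s' "$out"
}

# Add only the missing flags, keeping a .bak copy as the STIG fix does.
add_missing_flags() {
    miss=$(missing_flags "$1")
    [ -z "$miss" ] && return 0
    current=$(current_flags "$1")
    new="${current:+$current,}$miss"
    if grep -q '^flags:' "$1"; then
        sed -i.bak "s/^flags:.*/flags:$new/" "$1"
    else
        cp "$1" "$1.bak" && printf 'flags:%s\n' "$new" >> "$1"
    fi
}

# Constructed sample file, not taken from a real system.
sample=$(mktemp)
printf 'dir:/var/audit\nflags:lo,-aa\nminfree:5\nnaflags:lo,aa\n' > "$sample"
echo "missing before: $(missing_flags "$sample")"
add_missing_flags "$sample"
echo "flags after:    $(current_flags "$sample")"
add_missing_flags "$sample"   # second run changes nothing
echo "flags again:    $(current_flags "$sample")"
rm -f "$sample" "$sample.bak"
```

On a real system the functions would be run with sudo against /etc/security/audit_control, followed by 'sudo audit -s' as in the Fix Text.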