
The operating system must protect audit tools from unauthorized deletion.


Overview

Finding ID: V-51431
Version: OSX8-00-00390
Rule ID: SV-65641r1_rule
IA Controls:
Severity: Medium
Description
Protecting audit data also includes identifying and protecting the tools used to view and manipulate log data. Depending upon the log format and application, system and application log tools may provide the only means to manipulate and manage application and system log data. If the tools are deleted, it would affect the administrator's ability to access and review log data.
STIG: Apple OS X 10.8 (Mountain Lion) Workstation STIG
Date: 2015-02-10

Details

Check Text (C-53767r1_chk)
The audit tools (audit, auditd, auditreduce, praudit) are installed by the Essentials package of the OS X installer. To verify the permissions for the files installed as part of this package, run the following command:

sudo pkgutil --verify com.apple.pkg.Essentials

Any inconsistencies between the original install state and the current state will be displayed.

If there are any inconsistencies, this is a finding.
Fix Text (F-56229r1_fix)
To repair permissions on files that are inconsistent with the original install state, run the following command:

sudo pkgutil --repair com.apple.pkg.Essentials

If ACLs are found on any of the files, run the command:

sudo chmod -N [full path to file]
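
One way to find which audit tools carry ACLs before applying the last step, as an added example that is not part of the STIG text: it parses `ls -le` output and prints the matching `chmod -N` commands for review. The /usr/sbin paths, the function names and the sample listing are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example (not STIG text): list audit tools that carry ACL entries and
# print the `chmod -N` command from the Fix Text for each one.
# Assumption: the tools live in /usr/sbin; adjust AUDIT_TOOLS if they do not.
AUDIT_TOOLS="/usr/sbin/audit /usr/sbin/auditd /usr/sbin/auditreduce /usr/sbin/praudit"

# Read `ls -le` output on stdin and print each path that has ACL entries.
# ACL entries are the indented "N: principal allow|deny rights" lines that
# `ls -e` prints under a file. Keying on those lines avoids relying on the
# `+` suffix, which `ls` shows as `@` when the file also has extended
# attributes. Paths containing spaces are not handled.
files_with_acls() {
    awk '
        /^ *[0-9]+: / { if (path != "" && !seen[path]++) print path; next }
        /^[-dlbcps]/  { path = $NF }
    '
}

# Turn the flagged paths into remediation commands, printed for review.
remediation_commands() {
    files_with_acls | while IFS= read -r f; do
        printf 'sudo chmod -N %s\n' "$f"
    done
}

# Constructed sample of `ls -le` output (not captured from a real system).
sample_listing() {
    cat <<'EOF'
-rwxr-xr-x+ 1 root  wheel  18960 Jan  1  2013 /usr/sbin/audit
 0: group:everyone deny delete
-rwxr-xr-x  1 root  wheel  69936 Jan  1  2013 /usr/sbin/auditd
-r-xr-xr-x@ 1 root  wheel  40000 Jan  1  2013 /usr/sbin/praudit
 0: user:_guest allow write
 1: group:staff allow read
EOF
}

if [ "$(uname -s)" = "Darwin" ]; then
    # Word splitting of the path list is intended here.
    ls -le $AUDIT_TOOLS | remediation_commands
else
    sample_listing | remediation_commands   # demo on the constructed sample
fi
```

On the constructed sample this flags `audit` and `praudit` and leaves `auditd` alone; a tool missing from the listing shows up as an `ls` error on stderr.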