The operating system must generate audit records for all kernel module load, unload, and restart actions, and also for all program initiations.
Overview
| Finding ID | Version | Rule ID | IA Controls | Severity |
|---|---|---|---|---|
| V-58483 | AOSX-09-002065 | SV-72913r1_rule | Medium |
| Description |
|---|
| Kernel modules, called kernel extensions in Mac OS X, are compiled segments of code that are dynamically loaded into the kernel as required to support specific pieces of hardware or functionality. Privileged users are permitted to load or unload kernel extensions manually. An attacker might attempt to load a kernel extension that is known to be insecure to increase the attack surface of the system, or a user might plug in an unauthorized device that then triggers a kernel extension to be loaded. Auditing administrative actions, which include the loading or unloading of kernel extensions, mitigates this risk. |
| STIG | Date |
|---|---|
| Apple OS X 10.9 (Mavericks) Workstation Security Technical Implementation Guide | 2017-01-05 |
Details
| Check Text ( C-59333r1_chk ) |
|---|
| In order to view the currently configured flags for the audit daemon, run the following command: sudo grep ^flags /etc/security/audit_control Privileged access, including administrative use of the command line tools kextload and kextunload, is logged via the 'ad' flag. If 'ad' is not listed in the result of the check, this is a finding. |
| Fix Text (F-63821r1_fix) |
|---|
| To make sure the appropriate flags are enabled for auditing, run the following command: sudo sed -i.bak '/^flags/ s/$/,ad/' /etc/security/audit_control; sudo audit -s A text editor may also be used to implement the required update to the /etc/security/audit_control file. |