AOSX-15-001030 – The macOS system must provide an immediate warning to the System Administrator (SA) and Information System Security Officer (ISSO) (at a minimum) when allocated audit record storage volume reaches 75 percent of repository maximum audit record storage capacity.

Details

The audit service must be configured to require a minimum percentage of free disk space in order to run. This ensures that audit will notify the administrator that action is required to free up more disk space for audit logs.

When ‘minfree’ is set to 25 percent, security personnel are notified immediately when the storage volume is 75 percent full and are able to plan for audit record storage capacity expansion.

Solution

Edit the ‘/etc/security/audit_control’ file and change the value for ‘minfree’ to ’25’ using the following command:

/usr/bin/sudo /usr/bin/sed -i.bak ‘s/.*minfree.*/minfree:25/’ /etc/security/audit_control; /usr/bin/sudo /usr/sbin/audit -s

A text editor may also be used to implement the required updates to the ‘/etc/security/audit_control file’.

Supportive Information

The following resource is also helpful.

https://dl.dod.cyber.mil/wp-content/uploads/stigs/zip/U_Apple_OS_X_10-15_V1R7_STIG.zip

This security hardening control applies to the following category of controls within NIST 800-53: Audit and Accountability.This control applies to the following type of system Unix.

References

800-53|AU-5(1)
CAT|II
CCI|CCI-001855
Rule-ID|SV-225154r610901_rule
STIG-ID|AOSX-15-001030
STIG-Legacy|SV-111687
STIG-Legacy|V-102725
Vuln-ID|V-225154

Source

Tenable.com/audits

Updated on July 16, 2022

Was this article helpful?

Yes No

Details

Solution

Supportive Information

References

Source

Related Articles