AOSX-15-001031 – The macOS system must provide an immediate real-time alert to the System Administrator (SA) and Information System Security Officer (ISSO), at a minimum, of all audit failure events requiring real-time alerts.

Details

The audit service should be configured to immediately print messages to the console or email administrator users when an auditing failure occurs. It is critical for the appropriate personnel to be aware if a system is at risk of failing to process audit logs as required. Without a real-time alert, security personnel may be unaware of an impending failure of the audit capability and system operation may be adversely affected.

Solution

To make ‘auditd’ log errors to standard error as well as ‘syslogd’, run the following command:

/usr/bin/sudo /usr/bin/sed -i.bak ‘s/logger -p/logger -s -p/’ /etc/security/audit_warn; /usr/bin/sudo /usr/sbin/audit -s

Supportive Information

The following resource is also helpful.

https://dl.dod.cyber.mil/wp-content/uploads/stigs/zip/U_Apple_OS_X_10-15_V1R7_STIG.zip

This security hardening control applies to the following category of controls within NIST 800-53: Audit and Accountability.This control applies to the following type of system Unix.

References

800-53|AU-5(2)
CAT|II
CCI|CCI-001858
Rule-ID|SV-225155r610901_rule
STIG-ID|AOSX-15-001031
STIG-Legacy|SV-111691
STIG-Legacy|V-102729
Vuln-ID|V-225155

Source

Tenable.com/audits

Updated on July 16, 2022

Was this article helpful?

Yes No

Details

Solution

Supportive Information

References

Source

Related Articles