CIS Apple MacOS 11 V1.2.0 L2

Configure Security Auditing Flags per local organizational requirements – ‘audit all authorization and authentication events’

Details

Auditing is the capture and maintenance of information about security-related events. Auditable events often depend on differing organizational requirements.

Rationale:

Maintaining an audit trail of system activity logs can help identify configuration errors, troubleshoot service disruptions, and analyze compromises or attacks that have occurred, have begun, or are about to begin. Audit logs are necessary to provide a trail of evidence in case the system or network is compromised.

Depending on the governing authority, organizations can have vastly different auditing requirements. In this control we have selected a minimal set of audit flags that should be a part of any organizational requirements. The flags selected below may not adequately meet organizational requirements for users of this benchmark. The auditing checks for the flags proposed here will not impact additional flags that are selected.

Solution

Perform the following to set the required Security Auditing Flags:
Edit the /etc/security/audit_control file and add the fm, ad, ex, aa, fr, lo, and fw flags to the flags: line, or add -all to flags.
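The following script is an added example, not tooling from CIS or Apple: it parses the flags: line of an audit_control file and reports which of the classes listed above are missing, treating -all as satisfying the control as the solution text does. It takes the file path as its first argument so it can be run against the constructed samples it creates as well as against /etc/security/audit_control.

```shell
#!/bin/sh
# Check an audit_control file for the audit classes this control requires.
# Added example (not CIS-supplied); $1 is the path of the file to inspect.

REQUIRED_FLAGS="fm ad ex aa fr lo fw"

# Print the value of the first "flags:" line with whitespace and CR removed.
get_flags() {
  sed -n 's/^flags:[[:space:]]*//p' "$1" | head -n 1 | tr -d ' \t\r'
}

# Print the space-separated required classes the flags line lacks.
# A class counts as present when it appears bare or with a + (success-only)
# or - (failure-only) prefix; a ^-prefixed token removes the class, so it
# does not count.
missing_flags() {
  flags=$(get_flags "$1")
  missing=""
  for req in $REQUIRED_FLAGS; do
    case ",$flags," in
      *",$req,"*|*",+$req,"*|*",-$req,"*) ;;
      *) missing="$missing $req" ;;
    esac
  done
  printf '%s\n' "${missing# }"
}

# Return 0 when the file passes: -all is set (the page's alternative) or
# no required class is missing.
check_audit_flags() {
  flags=$(get_flags "$1")
  case ",$flags," in
    *",-all,"*|*",all,"*) return 0 ;;
  esac
  [ -z "$(missing_flags "$1")" ]
}

# Constructed sample files for a stand-alone run (not real system files).
SAMPLE_DIR=$(mktemp -d)
printf 'dir:/var/audit\nflags:lo,aa\nminfree:5\n' > "$SAMPLE_DIR/weak"
printf 'dir:/var/audit\nflags:fm,ad,ex,aa,fr,lo,fw\nminfree:5\n' > "$SAMPLE_DIR/ok"

for f in weak ok; do
  if check_audit_flags "$SAMPLE_DIR/$f"; then echo "$f: pass"
  else echo "$f: FAIL, missing: $(missing_flags "$SAMPLE_DIR/$f")"; fi
done
```

To audit a live system, run the check against /etc/security/audit_control; a non-zero exit from check_audit_flags means the flags line does not meet this control.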

Additional Information:

OpenBSM auditing on Mac OS X

Guide to Securing macOS 10.12 Systems for IT Professionals Section 6.4

Real-time auditing on macOS with OpenBSM

AUDIT IN A OS X SYSTEM

NIST Recommendations for flags based on Protecting Controlled Unclassified Information 3.1.12, 3.3.1, 3.3.2, 3.3.7, and 3.3.8

Supportive Information

The following resource is also helpful.

This security hardening control applies to the following categories of controls within NIST 800-53: Audit and Accountability, and System and Information Integrity. This control applies to the following type of system: Unix.

Updated on July 16, 2022