Details
macOS’s audit facility, auditd, receives notifications from the kernel when certain system calls, such as open, fork, and exit, are made. These notifications are captured and written to an audit log.
Rationale:
Logs generated by auditd may be useful when investigating a security incident as they may help reveal the vulnerable application and the actions taken by a malicious actor.
Solution
Perform the following to implement the prescribed state:
Run the following command in Terminal:
sudo launchctl load -w /System/Library/LaunchDaemons/com.apple.auditd.plist
Supportive Information
The following resource is also helpful.
This security hardening control applies to the following category of controls within NIST 800-53: Audit and Accountability.This control applies to the following type of system Unix.