Check: APPL-14-001031
Apple macOS 14 (Sonoma) STIG:
APPL-14-001031
(in versions v1 r2 through v1 r1)
Title
The macOS system must configure audit failure notification. (Cat II impact)
Discussion
The audit service must be configured to immediately print messages to the console or email administrator users when an auditing failure occurs. It is critical for the appropriate personnel to be made aware immediately if a system is at risk of failing to process audit logs as required. Without a real-time alert, security personnel may be unaware of a potentially harmful failure in the auditing system's capability, and system operation may be adversely affected. Satisfies: SRG-OS-000047-GPOS-00023,SRG-OS-000344-GPOS-00135
Check Content
Verify the macOS system is configured to produce audit failure notification with the following command: /usr/bin/grep -c "logger -s -p" /etc/security/audit_warn If the result is not "1", this is a finding.
Fix Text
Configure the macOS system to produce audit failure notification with the following command: /usr/bin/sed -i.bak 's/logger -p/logger -s -p/' /etc/security/audit_warn; /usr/sbin/audit -s
Additional Identifiers
Rule ID: SV-259469r941029_rule
Vulnerability ID: V-259469
Group Title: SRG-OS-000047-GPOS-00023
Expert Comments
CCIs
| Number | Definition |
|---|---|
| CCI-000140 |
The information system takes organization-defined actions upon audit failure (e.g., shut down information system, overwrite oldest audit records, stop generating audit records). |
| CCI-001858 |
The information system provides a real-time alert in an organization-defined real-time period to organization-defined personnel, roles, and/or locations when organization-defined audit failure events requiring real-time alerts occur. |