Check: APPL-14-001031
Apple macOS 14 (Sonoma) STIG:
APPL-14-001031
(in versions v2 r2 through v1 r1)
Title
The macOS system must configure audit failure notification. (Cat II impact)
Discussion
The audit service must be configured to immediately print messages to the console or email administrator users when an auditing failure occurs. It is critical for the appropriate personnel to be made aware immediately if a system is at risk of failing to process audit logs as required. Without a real-time alert, security personnel may be unaware of a potentially harmful failure in the auditing system's capability, and system operation may be adversely affected. Satisfies: SRG-OS-000047-GPOS-00023,SRG-OS-000344-GPOS-00135
Check Content
Verify the macOS system is configured to produce audit failure notification with the following command: /usr/bin/grep -c "logger -s -p" /etc/security/audit_warn If the result is not "1", this is a finding.
Fix Text
Configure the macOS system to produce audit failure notification with the following command: /usr/bin/sed -i.bak 's/logger -p/logger -s -p/' /etc/security/audit_warn; /usr/sbin/audit -s
Additional Identifiers
Rule ID: SV-259469r958426_rule
Vulnerability ID: V-259469
Group Title: SRG-OS-000047-GPOS-00023
Expert Comments
CCIs
| Number | Definition |
|---|---|
| CCI-000140 |
Take organization-defined actions upon audit failure include, shutting down the system, overwriting oldest audit records, and stopping the generation of audit records. |
| CCI-001858 |
Provide an alert in an organization-defined real-time-period to organization-defined personnel, roles, and/or locations when organization-defined audit failure events requiring real-time alerts occur. |