Check: APPL-14-001003
Apple macOS 14 (Sonoma) STIG:
APPL-14-001003
(in versions v2 r2 through v1 r1)
Title
The macOS system must enable security auditing. (Cat II impact)
Discussion
Audit records establish what types of events have occurred, when they occurred, and which users were involved. These records aid an organization in their efforts to establish, correlate, and investigate the events leading up to an outage or attack. The content required to be captured in an audit record varies based on the impact level of an organization's system. Content that may be necessary to satisfy this requirement includes, for example, time stamps, source addresses, destination addresses, user identifiers, event descriptions, success/fail indications, filenames involved, and access or flow control rules invoked. The information system initiates session audits at system startup. Note: Security auditing is enabled by default on macOS. Satisfies: SRG-OS-000037-GPOS-00015,SRG-OS-000038-GPOS-00016,SRG-OS-000039-GPOS-00017,SRG-OS-000040-GPOS-00018,SRG-OS-000041-GPOS-00019,SRG-OS-000042-GPOS-00020,SRG-OS-000042-GPOS-00021,SRG-OS-000055-GPOS-00026,SRG-OS-000254-GPOS-00095,SRG-OS-000255-GPOS-00096,SRG-OS-000257-GPOS-00098,SRG-OS-000258-GPOS-00099,SRG-OS-000303-GPOS-00120,SRG-OS-000337-GPOS-00129,SRG-OS-000358-GPOS-00145,SRG-OS-000359-GPOS-00146,SRG-OS-000365-GPOS-00152,SRG-OS-000392-GPOS-00172,SRG-OS-000458-GPOS-00203,SRG-OS-000461-GPOS-00205,SRG-OS-000462-GPOS-00206,SRG-OS-000463-GPOS-00207,SRG-OS-000465-GPOS-00209,SRG-OS-000466-GPOS-00210,SRG-OS-000467-GPOS-00211,SRG-OS-000468-GPOS-00212,SRG-OS-000470-GPOS-00214,SRG-OS-000471-GPOS-00215,SRG-OS-000471-GPOS-00216,SRG-OS-000472-GPOS-00217,SRG-OS-000473-GPOS-00218,SRG-OS-000474-GPOS-00219,SRG-OS-000475-GPOS-00220,SRG-OS-000476-GPOS-00221,SRG-OS-000477-GPOS-00222
Check Content
Verify the macOS system is configured to enable the auditd service with the following command: LAUNCHD_RUNNING=$(/bin/launchctl list | /usr/bin/grep -c com.apple.auditd) if [[ $LAUNCHD_RUNNING == 1 ]] && [[ -e /etc/security/audit_control ]]; then echo "pass" else echo "fail" fi If the result is not "pass", this is a finding.
Fix Text
Configure the macOS system to enable the auditd service with the following command: LAUNCHD_RUNNING=$(/bin/launchctl list | /usr/bin/grep -c com.apple.auditd) if [[ ! $LAUNCHD_RUNNING == 1 ]]; then /bin/launchctl load -w /System/Library/LaunchDaemons/com.apple.auditd.plist fi if [[ ! -e /etc/security/audit_control ]] && [[ -e /etc/security/audit_control.example ]];then /bin/cp /etc/security/audit_control.example /etc/security/audit_control else /usr/bin/touch /etc/security/audit_control fi
Additional Identifiers
Rule ID: SV-259454r1009584_rule
Vulnerability ID: V-259454
Group Title: SRG-OS-000037-GPOS-00015
Expert Comments
CCIs
| Number | Definition |
|---|---|
| CCI-000130 |
Ensure that audit records contain information that establishes what type of event occurred. |
| CCI-000131 |
Ensure that audit records containing information that establishes when the event occurred. |
| CCI-000132 |
Ensure that audit records containing information that establishes where the event occurred. |
| CCI-000133 |
Ensure that audit records containing information that establishes the source of the event. |
| CCI-000134 |
Ensure that audit records containing information that establishes the outcome of the event. |
| CCI-000135 |
Generate audit records containing the organization-defined additional information that is to be included in the audit records. |
| CCI-000159 |
Use internal system clocks to generate time stamps for audit records. |
| CCI-000172 |
Generate audit records for the event types defined in AU-2 c that include the audit record content defined in AU-3. |
| CCI-001464 |
Initiates session audits automatically at system start-up. |
| CCI-001487 |
Ensure that audit records containing information that establishes the identity of any individuals, subjects, or objects/entities associated with the event. |
| CCI-001494 |
Protect audit tools from unauthorized modification. |
| CCI-001495 |
Protect audit tools from unauthorized deletion. |
| CCI-001814 |
The Information system supports auditing of the enforcement actions. |
| CCI-001889 |
Record time stamps for audit records that meet organization-defined granularity of time measurement. |
| CCI-001890 |
Record time stamps for audit records that use Coordinated Universal Time, have a fixed local time offset from Coordinated Universal Time, or that include the local time offset as part of the time stamp. |
| CCI-001914 |
Provide the capability for organization-defined individuals or roles to change the logging to be performed on organization-defined system components based on organization-defined selectable event criteria within organization-defined time thresholds. |
| CCI-002130 |
Automatically audit account enabling actions. |
| CCI-002884 |
Log organization-defined audit events for nonlocal maintenance and diagnostic sessions. |
| CCI-003938 |
Automatically generate audit records of the enforcement actions. |
| CCI-004188 |
Monitor the use of maintenance tools that execute with increased privilege. |
Controls
| Number | Title |
|---|---|
| AC-2(4) |
Automated Audit Actions |
| AU-3 |
Content of Audit Records |
| AU-3(1) |
Additional Audit Information |
| AU-8 |
Time Stamps |
| AU-9 |
Protection of Audit Information |
| AU-12 |
Audit Generation |
| AU-12(3) |
Changes by Authorized Individuals |
| AU-14(1) |
System Start-up |
| CM-5(1) |
Automated Access Enforcement / Auditing |
| MA-4(1) |
Auditing and Review |