An error occurred:

Check: APPL-15-000190

Apple macOS 15 (Sequoia) STIG: APPL-15-000190 (in versions v1 r3 through v1 r1)

Title

The macOS system must configure sudo to log events. (Cat II impact)

Discussion

Sudo must be configured to log privilege escalation. Without logging privilege escalation, it is difficult to identify attempted attacks because no audit trail is available for forensic investigation.

Check Content

Verify the macOS system is configured to log privilege escalation with the following command: /usr/bin/sudo /usr/bin/sudo -V | /usr/bin/grep -c "Log when a command is allowed by sudoers" If the result is not "1", this is a finding.

Fix Text

Configure the macOS system to log privilege escalation with the following command: /usr/bin/find /etc/sudoers* -type f -exec sed -i '' '/Defaults \!log_allowed/d' '{}' \; /bin/echo "Defaults log_allowed" >> /etc/sudoers.d/mscp

Additional Identifiers

Rule ID: SV-268451r1034293_rule

Vulnerability ID: V-268451

Group Title: SRG-OS-000064-GPOS-00033

Expert Comments

Expert comments are only available to logged-in users.

CCIs

CCIs tied to check.
Number Definition
CCI-000172

Generate audit records for the event types defined in AU-2 c that include the audit record content defined in AU-3.

Controls

Controls tied to check. These are derived from the CCIs shown above.
Number Title
AU-12

Audit Generation