Title

The macOS system must be configured to audit all failed program execution on the system. (Cat II impact)

Discussion

The audit system must be configured to record enforcement actions of access restrictions, including failed program execute (-ex) attempts. Enforcement actions are the methods or mechanisms used to prevent unauthorized access and/or changes to configuration settings. One common and effective enforcement action method is using program execution restrictions (e.g., denying users access to execute certain processes). This configuration ensures that audit lists include events in which program execution has failed. Without auditing the enforcement of program execution, it is difficult to identify attempted attacks because no audit trail is available for forensic investigation. Satisfies: SRG-OS-000365-GPOS-00152, SRG-OS-000458-GPOS-00203, SRG-OS-000463-GPOS-00207, SRG-OS-000465-GPOS-00209

Check Content

Verify the macOS system is configured to audit all failed program execution on the system with the following command: /usr/bin/awk -F':' '/^flags/ { print $NF }' /etc/security/audit_control | /usr/bin/tr ',' '\n' | /usr/bin/grep -Ec '\-ex' If the result is not "1", this is a finding.

Fix Text

Configure the macOS system to audit all failed program execution on the system with the following command: /usr/bin/grep -qE "^flags.*-ex" /etc/security/audit_control || /usr/bin/sed -i.bak '/^flags/ s/$/,-ex/' /etc/security/audit_control; /usr/sbin/audit -s

Additional Identifiers

Rule ID: SV-269094r1034757_rule

Vulnerability ID: V-269094

Group Title: SRG-OS-000365-GPOS-00152

Expert Comments

CCIs tied to check.

Controls tied to check. These are derived from the CCIs shown above.