Check: APPL-15-001110
Apple macOS 15 (Sequoia) STIG:
APPL-15-001110
(in versions v1 r3 through v1 r1)
Title
The macOS system must configure audit_control group to wheel. (Cat II impact)
Discussion
/etc/security/audit_control must have the group set to wheel. The audit service must be configured with the correct group ownership to prevent normal users from manipulating audit log configurations. Satisfies: SRG-OS-000057-GPOS-00027, SRG-OS-000058-GPOS-00028, SRG-OS-000059-GPOS-00029, SRG-OS-000063-GPOS-00032, SRG-OS-000256-GPOS-00097, SRG-OS-000257-GPOS-00098, SRG-OS-000258-GPOS-00099
Check Content
Verify the macOS system is configured with the audit_control group to wheel with the following command: /bin/ls -dn /etc/security/audit_control | /usr/bin/awk '{print $4}' If the result is not "0", this is a finding.
Fix Text
Configure the macOS system with the audit_control group to wheel with the following command: /usr/bin/chgrp wheel /etc/security/audit_control
Additional Identifiers
Rule ID: SV-268473r1034359_rule
Vulnerability ID: V-268473
Group Title: SRG-OS-000057-GPOS-00027
Expert Comments
CCIs
| Number | Definition |
|---|---|
| CCI-000162 |
Protect audit information from unauthorized access. |
| CCI-000163 |
Protect audit information from unauthorized modification. |
| CCI-000164 |
Protect audit information from unauthorized deletion. |
| CCI-000171 |
Allow organization-defined personnel or roles to select the event types that are to be logged by specific components of the system. |
| CCI-001493 |
Protect audit tools from unauthorized access. |
| CCI-001494 |
Protect audit tools from unauthorized modification. |
| CCI-001495 |
Protect audit tools from unauthorized deletion. |