Check: AOSX-10-000125
Apple OS X 10-10 Workstation STIG:
AOSX-10-000125
(in versions v1 r5 through v1 r4)
Title
The operating system must automatically audit account modification. (Cat II impact)
Discussion
Once an attacker establishes initial access to a system, the attacker often attempts to create a persistent method of re-establishing access. One way to accomplish this is for the attacker to create a new account or modify an existing one. Auditing of account creation and modification is one method for mitigating this risk. To address access requirements, many operating systems can be integrated with enterprise-level authentication/access/auditing mechanisms that meet or exceed access control policy requirements.
Check Content
In order to view the currently configured flags for the audit daemon, run the following command: sudo grep ^flags /etc/security/audit_control The account creation events are logged by way of the 'ad' flag. If 'ad' is not listed in the result of the check, this is a finding.
Fix Text
To make sure the appropriate flags are enabled for auditing, run the following command: sudo sed -i.bak '/^flags/ s/$/,ad/' /etc/security/audit_control; sudo audit -s A text editor may also be used to implement the required updates to the /etc/security/audit_control file.
Additional Identifiers
Rule ID: SV-73991r1_rule
Vulnerability ID: V-59561
Group Title:
Expert Comments
CCIs
Number | Definition |
---|---|
CCI-001403 |
The information system automatically audits account modification actions. |
Controls
Number | Title |
---|---|
AC-2 (4) |
Automated Audit Actions |