Check: AOSX-10-000230
Apple OS X 10-10 Workstation STIG:
AOSX-10-000230
(in versions v1 r5 through v1 r4)
Title
The operating system must initiate session audits at system startup. (Cat II impact)
Discussion
If auditing is enabled late in the startup process, the actions of some start-up processes may not be audited. Some audit systems also maintain state information only available if auditing is enabled before a given process is created.
Check Content
To check if the audit service is running, use the following command: sudo launchctl list | grep com.apple.auditd If nothing is returned, the audit service is not running and this is a finding.
Fix Text
To enable the audit service, run the following command: sudo launchctl load -w /System/Library/LaunchDaemons/com.apple.auditd.plist
Additional Identifiers
Rule ID: SV-74021r1_rule
Vulnerability ID: V-59591
Group Title:
Expert Comments
CCIs
Number | Definition |
---|---|
CCI-001464 |
The information system initiates session audits at system start-up. |
Controls
Number | Title |
---|---|
AU-14 (1) |
System Start-Up |