Check: AOSX-12-000030
Apple OS X 10.12 STIG:
AOSX-12-000030
(in versions v1 r6 through v1 r1)
Title
The OS X system must monitor remote access methods and generate audit records when successful/unsuccessful attempts to access/modify privileges occur. (Cat II impact)
Discussion
Frequently, an attacker that successfully gains access to a system has only gained access to an account with limited privileges, such as a guest account or a service account. The attacker must attempt to change to another user account with normal or elevated privileges in order to proceed. Auditing successful and unsuccessful attempts to switch to another user account and the escalation of privileges mitigates this risk. Satisfies: SRG-OS-000032-GPOS-00013, SRG-OS-000064-GPOS-00033, SRG-OS-000462-GPOS-00206
Check Content
To view the currently configured flags for the audit daemon, run the following command: /usr/bin/sudo /usr/bin/grep ^flags /etc/security/audit_control Attempts to log in as another user are logged by way of the "lo" flag. If "lo" is not listed in the result of the check, this is a finding.
Fix Text
To ensure the appropriate flags are enabled for auditing, run the following command: /usr/bin/sudo sed -i.bak '/^flags/ s/$/,lo/' /etc/security/audit_control; /usr/bin/sudo /usr/sbin/audit -s A text editor may also be used to implement the required updates to the "/etc/security/audit_control" file.
Additional Identifiers
Rule ID: SV-90645r1_rule
Vulnerability ID: V-75957
Group Title: SRG-OS-000032-GPOS-00013
Expert Comments
CCIs
Number | Definition |
---|---|
CCI-000067 |
The information system monitors remote access methods. |
CCI-000172 |
The information system generates audit records for the events defined in AU-2 d. with the content defined in AU-3. |