Check: AOSX-09-000120
Apple OS X 10.9 Workstation STIG:
AOSX-09-000120
(in version v1 r2)
Title
The operating system must automatically audit account creation. (Cat II impact)
Discussion
Once an attacker establishes initial access to a system, the attacker often attempts to create a persistent method of re-establishing access. One way to accomplish this is for the attacker to create a new account. Auditing of account creation mitigates this risk. To address access requirements, many operating systems may be integrated with enterprise level authentication/access/auditing mechanisms that meet or exceed access control policy requirements.
Check Content
In order to view the currently configured flags for the audit daemon, run the following command: sudo grep ^flags /etc/security/audit_control The account creation events are logged by way of the 'ad' flag. If 'ad' is not listed in the result of the check, this is a finding.
Fix Text
To make sure the appropriate flags are enabled for auditing, run the following command: sudo sed -i.bak '/^flags/ s/$/,ad/' /etc/security/audit_control; sudo audit -s A text editor may also be used to implement the required update to the /etc/security/audit_control file.
Additional Identifiers
Rule ID: SV-72717r1_rule
Vulnerability ID: V-58287
Group Title:
Expert Comments
CCIs
Number | Definition |
---|---|
CCI-000018 |
The information system automatically audits account creation actions. |
Controls
Number | Title |
---|---|
AC-2 (4) |
Automated Audit Actions |