Check: OSX8-00-00230
Apple OSX 10.8 STIG:
OSX8-00-00230
(in version v1 r2)
Title
The operating system must support the capability to compile audit records from multiple components within the system into a system-wide (logical or physical) audit trail that is time-correlated to within organization-defined level of tolerance. (Cat II impact)
Discussion
Audit generation and audit records can be generated from various components within the information system. The list of audited events is the set of events for which audits are to be generated. This set of events is typically a subset of the list of all events for which the system is capable of generating audit records (i.e., auditable events). The events that occur must be time-correlated in order to conduct accurate forensic analysis. In addition, the correlation must meet a certain tolerance criteria. The operating system must be able to have audit events correlated to the level of tolerance determined by the organization.
Check Content
To see if the audit daemon is loaded, run the following command: sudo launchctl list | grep -i com.apple.auditd The result returned should be " - 0 com.apple.auditd". If this is not running, this is a finding.
Fix Text
Configuration of startup processes is done via configuration files for each process or daemon. Make sure the file /System/Library/LaunchDaemons/com.apple.auditd.plist exists. If not, you may need to obtain a copy from the original installation media.
Additional Identifiers
Rule ID: SV-65889r1_rule
Vulnerability ID: V-51679
Group Title:
Expert Comments
CCIs
Number | Definition |
---|---|
CCI-000174 |
The information system compiles audit records from organization-defined information system components into a system-wide (logical or physical) audit trail that is time-correlated to within an organization-defined level of tolerance for relationship between time stamps of individual records in the audit trail. |
Controls
Number | Title |
---|---|
AU-12 (1) |
System-Wide / Time-Correlated Audit Trail |