Check: OSX8-00-00385
Apple OSX 10.8 STIG: OSX8-00-00385 (in version v1 r2)
Title
The operating system must protect audit tools from unauthorized modification. (Cat II impact)
Discussion
Protecting audit data also includes identifying and protecting the tools used to view and manipulate log data. Depending upon the log format and application, system and application log tools may provide the only means to manipulate and manage application and system log data. If the tools are compromised, attackers could gain the capability to manipulate log data. It is imperative that audit tools be controlled and protected from unauthorized modification.
Check Content
The audit tools (audit, auditd, auditreduce, praudit) are installed by the Essentials package of the OS X installer. To verify the permissions for the files installed as part of this package, run the following command:

sudo pkgutil --verify com.apple.pkg.Essentials

Any inconsistencies between the original install and the current state will be displayed. If there are any inconsistencies, this is a finding.
Fix Text
To repair permissions on files that are inconsistent with the original install state, run the following command:

sudo pkgutil --repair com.apple.pkg.Essentials

If ACLs are found on any of the files, run the command:

sudo chmod -N [full path to file]
Additional Identifiers
Rule ID: SV-65639r1_rule
Vulnerability ID: V-51429
Group Title:
CCIs
Number | Definition |
---|---|
CCI-001494 | The information system protects audit tools from unauthorized modification. |
Controls
Number | Title |
---|---|
AU-9 | Protection Of Audit Information |