The macOS system must configure audit log folders to not contain access control lists.

STIG ID: APPL-14-000031  |  SRG: SRG-OS-000057-GPOS-00027 |  Severity: medium |  CCI: CCI-000162,CCI-000163,CCI-000164,CCI-001493,CCI-001494,CCI-001495 |  Vulnerability Id: V-259433

Vulnerability Discussion

The audit log folder must not contain access control lists (ACLs).

Audit logs contain sensitive data about the system and users. This rule ensures that the audit service
is configured to create log folders that are readable and writable only by system administrators in
order to prevent normal users from reading audit logs.

Satisfies:
SRG-OS-000057-GPOS-00027,SRG-OS-000058-GPOS-00028,SRG-OS-000059-GPOS-00029,SRG-OS-000256-GPOS-00097,SRG-OS-000257-GPOS-00098,SRG-OS-000258-GPOS-00099

Check

Verify the macOS system is configured without ACLs applied to log folders with the
following command:

/bin/ls -lde /var/audit | /usr/bin/awk '{print $1}' | /usr/bin/grep -c ":"

If the result is not "0", this is a finding.

Fix

Configure the macOS system without ACLs applied to log folders with the
following command:

/bin/chmod -N /var/audit
This website is not created by, run, approved, or endorsed by the U.S. Department of Defense. Use at your own risk. This website is created by open-source software.