The macOS system must configure system to audit all authorization and authentication events.

STIG ID: APPL-14-001044  |  SRG: SRG-OS-000365-GPOS-00152  |  Severity: medium  |  CCI: CCI-000172,CCI-001814,CCI-002884  |  Vulnerability Id: V-259470

Vulnerability Discussion

The auditing system must be configured to flag authorization and
authentication (aa) events.

Authentication events contain information about the identity of a user, server, or client. Authorization
events contain information about permissions, rights, and rules. If audit records do not include aa
events, it is difficult to identify incidents and to correlate incidents to subsequent events.

Audit records can be generated from various components within the information system (e.g., via a module
or policy filter).

Satisfies:
SRG-OS-000365-GPOS-00152,SRG-OS-000392-GPOS-00172,SRG-OS-000458-GPOS-00203,SRG-OS-000463-GPOS-00207,SRG-OS-000465-GPOS-00209,SRG-OS-000466-GPOS-00210,SRG-OS-000467-GPOS-00211,SRG-OS-000468-GPOS-00212,SRG-OS-000471-GPOS-00215,SRG-OS-000471-GPOS-00216,SRG-OS-000475-GPOS-00220,SRG-OS-000477-GPOS-00222

Check

Verify the macOS system is configured to audit authorization and authentication (aa) events with the following command:

/usr/bin/awk -F':' '/^flags/ { print $NF }' /etc/security/audit_control | /usr/bin/tr ',' '\n' | /usr/bin/grep -Ec 'aa'

If the result is not "1", this is a finding.

Note that the count matches any token containing "aa", so a failure-only "-aa" or success-only "+aa" flag also returns "1" even though not all aa events are being audited; inspect the flags line itself to confirm the bare "aa" class is present. Conversely, a flags line using the catch-all "all" class audits aa events but returns "0" with this command.

Fix

Configure the macOS system to audit authorization and authentication (aa) events with the following command:

/usr/bin/grep -qE "^flags.*[^-]aa" /etc/security/audit_control || /usr/bin/sed -i.bak '/^flags/ s/$/,aa/' /etc/security/audit_control; /usr/sbin/audit -s
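The following script is an added example, not part of the STIG text or of any DISA or Apple tooling. It implements the check and fix above as reusable shell functions that run against a constructed copy of audit_control rather than the live /etc/security/audit_control, so it can be exercised offline. It is stricter than the STIG check in two places: it requires the bare "aa" token (or the catch-all "all" class), so a failure-only "-aa" flag is reported as a finding, and the remediation is idempotent and handles an empty flags line. The file layout and flag values are constructed samples.

```shell
#!/bin/sh
# Added example: check and remediate the 'aa' audit class in a BSM audit_control file.
# Assumptions (not from the STIG): the file path is passed in, and the caller runs
# '/usr/sbin/audit -s' on a real host after a successful change.

# Print the comma-separated tokens of the first 'flags:' line, one per line,
# with surrounding whitespace stripped. 'naflags:' does not match '^flags:'.
audit_flag_tokens() {
    awk -F: '/^flags:/ { print $2; exit }' "$1" |
        tr ',' '\n' |
        sed 's/^[[:space:]]*//; s/[[:space:]]*$//'
}

# Return 0 when aa events are audited for both success and failure:
# either a bare "aa" token or the catch-all "all" class.
# "+aa" (success only) and "-aa" (failure only) do not satisfy the rule.
audit_has_aa() {
    audit_flag_tokens "$1" | grep -Eqx 'aa|all'
}

# Append ",aa" to the first flags line only when the check fails, so repeated
# runs do not keep appending. An empty "flags:" line becomes "flags:aa".
# Returns 0 if the file is compliant afterwards.
audit_add_aa() {
    f="$1"
    if audit_has_aa "$f"; then
        return 0
    fi
    tmp="$f.tmp.$$"
    awk '
        /^flags:/ && !done {
            sub(/[[:space:]]*$/, "")
            if ($0 ~ /^flags:[[:space:]]*$/) $0 = "flags:aa"; else $0 = $0 ",aa"
            done = 1
        }
        { print }
    ' "$f" > "$tmp" && mv "$tmp" "$f"
    audit_has_aa "$f"
}

# Write a constructed sample audit_control (not copied from a real host).
# $1 = output path, $2 = value for the flags line.
make_sample() {
    printf 'dir:/var/audit\nflags:%s\nminfree:5\nnaflags:lo,aa\npolicy:cnt,argv\nfilesz:2M\nexpire-after:60d OR 1G\n' "$2" > "$1"
}

# Stand-alone demonstration on constructed files.
demo() {
    d=$(mktemp -d)
    make_sample "$d/bad" "lo,-aa,ad"
    make_sample "$d/good" "lo,aa,ad"
    if audit_has_aa "$d/bad"; then echo "bad: compliant"; else echo "bad: finding (only -aa present)"; fi
    if audit_has_aa "$d/good"; then echo "good: compliant"; else echo "good: finding"; fi
    audit_add_aa "$d/bad" && echo "bad remediated -> $(awk '/^flags:/' "$d/bad")"
    rm -rf "$d"
}

demo
```

On a managed host the same functions would be pointed at /etc/security/audit_control and followed by /usr/sbin/audit -s so auditd re-reads the policy; the STIG fix above does exactly that in one line, this version only separates the check from the change so each can be tested on its own.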