The macOS system must configure audit log folders to not contain access control lists.

STIG ID: APPL-14-000031  |  SRG: SRG-OS-000057-GPOS-00027 | Severity: medium |  CCI: CCI-000162,CCI-000163,CCI-000164,CCI-001493,CCI-001494,CCI-001495

Vulnerability Discussion

The audit log folder must not contain access control lists (ACLs).

Audit logs contain sensitive data about the system and users. This rule ensures that the audit service is configured to create log folders that are readable and writable only by system administrators in order to prevent normal users from reading audit logs.

Satisfies: SRG-OS-000057-GPOS-00027,SRG-OS-000058-GPOS-00028,SRG-OS-000059-GPOS-00029,SRG-OS-000256-GPOS-00097,SRG-OS-000257-GPOS-00098,SRG-OS-000258-GPOS-00099

Check

Verify the macOS system is configured without ACLs applied to log folders with the following command:

/bin/ls -lde /var/audit | /usr/bin/awk '{print $1}' | /usr/bin/grep -c ":"

If the result is not "0", this is a finding.

Fix

Configure the macOS system without ACLs applied to log folders with the following command:

/bin/chmod -N /var/audit
This website is not created by, run, approved, or endorsed by the U.S. Department of Defense. Use at your own risk. This website is created by open-source software.