The macOS system must be configured to audit all failed write actions on the system.

STIG ID: APPL-14-001023  |  SRG: SRG-OS-000463-GPOS-00207 |  Severity: medium |  CCI: CCI-000162,CCI-000172 |  Vulnerability Id: V-259465 | 

Vulnerability Discussion

The audit system must be configured to record enforcement actions of access restrictions, including failed file write (-fw) attempts.

Enforcement actions are the methods or mechanisms used to prevent unauthorized access and/or changes to configuration settings. One common and effective enforcement action method is using access restrictions (e.g., denying users access to edit a file by applying file permissions).

This configuration ensures that audit lists include events in which enforcement actions prevent attempts to change a file.

Without auditing the enforcement of access restrictions, it is difficult to identify attempted attacks, as there is no audit trail available for forensic investigation.

Satisfies: SRG-OS-000463-GPOS-00207,SRG-OS-000057-GPOS-00027,SRG-OS-000465-GPOS-00209,SRG-OS-000466-GPOS-00210,SRG-OS-000467-GPOS-00211,SRG-OS-000468-GPOS-00212

Check

Verify the macOS system is configured to audit all failed write actions on the system with the following command:

/usr/bin/awk -F':' '/^flags/ { print $NF }' /etc/security/audit_control | /usr/bin/tr ',' '\n' | /usr/bin/grep -Ec '\-fw'

If the result is not "1", this is a finding.

Fix

Configure the macOS system to audit all failed write actions on the system with the following command:

/usr/bin/grep -qE "^flags.*-fw" /etc/security/audit_control || /usr/bin/sed -i.bak '/^flags/ s/$/,-fw/' /etc/security/audit_control;/usr/sbin/audit -s