The macOS system must configure sudo to log events.

STIG ID: APPL-15-000190  |  SRG: SRG-OS-000064-GPOS-00033 |  Severity: medium |  CCI: CCI-000172 |  Vulnerability Id: V-268451

Vulnerability Discussion

Sudo must be configured to log privilege escalation.

Without logging privilege escalation, it is difficult to identify attempted attacks because no audit trail is available for forensic investigation.

Check

Verify the macOS system is configured to log privilege escalation with the following command:

/usr/bin/sudo /usr/bin/sudo -V | /usr/bin/grep -c "Log when a command is allowed by sudoers"

If the result is not "1", this is a finding.

Fix

Configure the macOS system to log privilege escalation with the following command:

/usr/bin/find /etc/sudoers* -type f -exec sed -i '' '/Defaults \!log_allowed/d' '{}' \;
/bin/echo "Defaults log_allowed" >> /etc/sudoers.d/mscp
This website is not created by, run, approved, or endorsed by the U.S. Department of Defense. Use at your own risk. This website is created by open-source software.