usnistgov/macos_security
1
0
Fork 0
mirror of https://github.com/usnistgov/macos_security.git synced 2026-02-03 14:03:24 +00:00
Code Issues 21 Actions Packages Projects Releases Wiki Activity
Files
main
macos_security/rules/audit/audit_flags_ex_configure.yaml
Bob Gendler 8305331b37 refactor[rules] CCEs added
2025-08-18 14:28:42 -04:00

77 lines
2.0 KiB
YAML
Raw Permalink Blame History

id: audit_flags_ex_configure
title: Configure System to Audit All Failed Program Execution on the System
discussion: |
The audit system _MUST_ be configured to record enforcement actions of access restrictions, including failed program execute (-ex) attempts.
Enforcement actions are the methods or mechanisms used to prevent unauthorized access and/or changes to configuration settings. One common and effective enforcement action method is using program execution restrictions (e.g., denying users access to execute certain processes).
This configuration ensures that audit lists include events in which program execution has failed.
Without auditing the enforcement of program execution, it is difficult to identify attempted attacks, as there is no audit trail available for forensic investigation.
check: |
/usr/bin/awk -F':' '/^flags/ { print $NF }' /etc/security/audit_control | /usr/bin/tr ',' '\n' | /usr/bin/grep -Ec '\-ex'
result:
integer: 1
fix: |
[source,bash]
----
/usr/bin/grep -qE "^flags.*-ex" /etc/security/audit_control || /usr/bin/sed -i.bak '/^flags/ s/$/,-ex/' /etc/security/audit_control; /usr/sbin/audit -s
----
references:
cce:
- CCE-95117-8
cci:
- CCI-000172
- CCI-001814
- CCI-003938
800-53r5:
- AC-2(12)
- AU-12
- AU-2
- CM-5(1)
800-53r4:
- AU-2
- AU-12
- CM-5(1)
srg:
- SRG-OS-000365-GPOS-00152
- SRG-OS-000465-GPOS-00209
- SRG-OS-000458-GPOS-00203
- SRG-OS-000463-GPOS-00207
disa_stig:
- APPL-26-001024
800-171r3:
- 03.03.01
- 03.03.03
cis:
benchmark:
- 3.2 (level 2)
controls v8:
- 3.14
- 8.2
- 8.5
cmmc:
- AU.L2-3.3.3
- AU.L2-3.3.6
- SI.L2-3.14.3
macOS:
- '26.0'
tags:
- 800-53r5_privacy
- 800-53r4_low
- 800-53r4_moderate
- 800-53r4_high
- 800-53r5_low
- 800-53r5_moderate
- 800-53r5_high
- 800-171
- cis_lvl2
- cisv8
- cnssi-1253_low
- cnssi-1253_high
- cmmc_lvl2
- stig
- cnssi-1253_moderate
severity: medium
mobileconfig: false
mobileconfig_info:
Reference in New Issue View Git Blame Copy Permalink