mirror of
https://github.com/usnistgov/macos_security.git
synced 2026-02-03 14:03:24 +00:00
86 lines
2.3 KiB
YAML
86 lines
2.3 KiB
YAML
id: audit_flags_fm_configure
|
|
title: Configure System to Audit All Changes of Object Attributes
|
|
discussion: |
|
|
The audit system _MUST_ be configured to record enforcement actions of attempts to modify file attributes (fm).
|
|
|
|
Enforcement actions are the methods or mechanisms used to prevent unauthorized changes to configuration settings. One common and effective enforcement action method is using access restrictions (i.e., modifications to a file by applying file permissions).
|
|
|
|
This configuration ensures that audit lists include events in which enforcement actions attempts to modify a file.
|
|
|
|
Without auditing the enforcement of access restrictions, it is difficult to identify attempted attacks, as there is no audit trail available for forensic investigation.
|
|
check: |
|
|
/usr/bin/awk -F':' '/^flags/ { print $NF }' /etc/security/audit_control | /usr/bin/tr ',' '\n' | /usr/bin/grep -Ec '^fm'
|
|
result:
|
|
integer: 1
|
|
fix: |
|
|
[source,bash]
|
|
----
|
|
/usr/bin/grep -qE "^flags.*fm" /etc/security/audit_control || /usr/bin/sed -i.bak '/^flags/ s/$/,fm/' /etc/security/audit_control;/usr/sbin/audit -s
|
|
----
|
|
references:
|
|
cce:
|
|
- CCE-95119-4
|
|
cci:
|
|
- CCI-000162
|
|
- CCI-000163
|
|
- CCI-000164
|
|
- CCI-000172
|
|
- CCI-001493
|
|
- CCI-001494
|
|
- CCI-001495
|
|
- CCI-001814
|
|
- CCI-002884
|
|
- CCI-003938
|
|
800-53r5:
|
|
- AC-2(12)
|
|
- AU-12
|
|
- AU-2
|
|
- AU-9
|
|
- CM-5(1)
|
|
- MA-4(1)
|
|
800-53r4:
|
|
- AU-2
|
|
- AU-12
|
|
- AU-9
|
|
- CM-5(1)
|
|
- MA-4(1)
|
|
srg:
|
|
- SRG-OS-000392-GPOS-00172
|
|
- SRG-OS-000256-GPOS-00097
|
|
- SRG-OS-000365-GPOS-00152
|
|
- SRG-OS-000057-GPOS-00027
|
|
- SRG-OS-000064-GPOS-00033
|
|
- SRG-OS-000463-GPOS-00207
|
|
- SRG-OS-000467-GPOS-00211
|
|
- SRG-OS-000465-GPOS-00209
|
|
- SRG-OS-000468-GPOS-00212
|
|
- SRG-OS-000466-GPOS-00210
|
|
- SRG-OS-000059-GPOS-00029
|
|
- SRG-OS-000462-GPOS-00206
|
|
- SRG-OS-000257-GPOS-00098
|
|
- SRG-OS-000258-GPOS-00099
|
|
- SRG-OS-000458-GPOS-00203
|
|
- SRG-OS-000058-GPOS-00028
|
|
disa_stig:
|
|
- APPL-26-001021
|
|
800-171r3:
|
|
- 03.03.01
|
|
- 03.03.03
|
|
- 03.03.08
|
|
cmmc:
|
|
- AU.L2-3.3.3
|
|
- AU.L2-3.3.6
|
|
- AU.L2-3.3.8
|
|
- SI.L2-3.14.3
|
|
macOS:
|
|
- '26.0'
|
|
tags:
|
|
- cnssi-1253_low
|
|
- cnssi-1253_high
|
|
- cmmc_lvl2
|
|
- stig
|
|
- cnssi-1253_moderate
|
|
severity: medium
|
|
mobileconfig: false
|
|
mobileconfig_info:
|