macos_security/rules/audit/audit_files_mode_configure.yaml
2023-09-14 14:21:06 -04:00

id: audit_files_mode_configure
title: "Configure Audit Log Files to Mode 440 or Less Permissive"
discussion: |
  The audit service _MUST_ be configured to create log files that are readable only by the root user and group wheel. To achieve this, audit log files _MUST_ be configured to mode 440 or less permissive; thereby preventing normal users from reading, modifying or deleting audit logs.
check: |
  /bin/ls -l $(/usr/bin/grep '^dir' /etc/security/audit_control | /usr/bin/awk -F: '{print $2}') | /usr/bin/awk '!/-r--r-----|current|total/{print $1}' | /usr/bin/wc -l | /usr/bin/tr -d ' '
result:
  integer: 0
fix: |
  [source,bash]
  ----
  /bin/chmod 440 /var/audit/*
  ----
references:
  cce:
    - CCE-92713-7
  cci:
    - CCI-000162
  800-53r5:
    - AU-9
  800-53r4:
    - AU-9
  srg:
    - SRG-OS-000057-GPOS-00027
  disa_stig:
    - N/A
  800-171r2:
    - 3.3.8
  cis:
    benchmark:
      - 3.5 (level 1)
    controls v8:
      - 3.3
  cmmc:
    - AU.L2-3.3.8
macOS:
  - "14.0"
tags:
  - 800-53r5_low
  - 800-53r5_moderate
  - 800-53r5_high
  - 800-53r4_low
  - 800-53r4_moderate
  - 800-53r4_high
  - 800-171
  - cis_lvl1
  - cis_lvl2
  - cisv8
  - cnssi-1253_moderate
  - cnssi-1253_low
  - cnssi-1253_high
  - cmmc_lvl2
severity: "medium"
mobileconfig: false
mobileconfig_info:
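
A mask-based version of the check, as an added example that is not part of this rule file or the project's code: the rule's awk pattern accepts only the exact string `-r--r-----`, so a file at mode 400 is counted as a finding even though the title allows "less permissive". The function names and the sample directory below are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example, not project code. All function names are hypothetical.

# Octal permission bits of a file: GNU stat first, then BSD/macOS stat.
file_mode() {
    stat -c '%a' "$1" 2>/dev/null || stat -f '%Mp%Lp' "$1"
}

# Succeed when octal mode $1 grants nothing outside r--r----- (0440).
# 07337 is every permission and special bit except the two read bits in 0440.
mode_ok() {
    [ $(( 0$1 & 07337 )) -eq 0 ]
}

# Print "mode path" for each noncompliant regular file in directory $1.
# Symlinks are skipped, matching the rule's exclusion of "current".
audit_mode_findings() {
    dir=$1
    for f in "$dir"/*; do
        [ -f "$f" ] && [ ! -L "$f" ] || continue
        m=$(file_mode "$f") || continue
        mode_ok "$m" || printf '%s %s\n' "$m" "$f"
    done
}

# Number of findings; 0 corresponds to the rule's expected result.
audit_mode_count() {
    audit_mode_findings "$1" | wc -l | tr -d ' '
}

# Constructed sample directory: 440 and 400 comply, 640 and 444 do not,
# and "current" is a symlink that must be ignored.
demo_count() {
    d=$(mktemp -d) || return 1
    for spec in 440:a 400:b 640:c 444:d; do
        : > "$d/${spec#*:}" && chmod "${spec%%:*}" "$d/${spec#*:}"
    done
    ln -s a "$d/current"
    audit_mode_count "$d"
    rm -rf "$d"
}

echo "findings in constructed sample directory: $(demo_count)"
```

To run it against a real system, pass the directory named on the `dir` line of `/etc/security/audit_control` to `audit_mode_findings`.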