macos_security/rules/audit/audit_flags_aa_configure.yaml

id: audit_flags_aa_configure
title: "Configure System to Audit All Authorization and Authentication Events"
discussion: |
  The auditing system _MUST_ be configured to flag authorization and authentication (aa) events.

  Authentication events contain information about the identity of a user, server, or client. Authorization events contain information about permissions, rights, and rules. If audit records do not include aa events, it is difficult to identify incidents and to correlate incidents to subsequent events.

  Audit records can be generated from various components within the information system (e.g., via a module or policy filter).
check: |
  /usr/bin/awk -F':' '/^flags/ { print $NF }' /etc/security/audit_control | /usr/bin/tr ',' '\n' | /usr/bin/grep -Ec 'aa'
result:
  integer: 1
fix: |
  [source,bash]
  ----
  /usr/bin/grep -qE "^flags.*[^-]aa" /etc/security/audit_control || /usr/bin/sed -i.bak '/^flags/ s/$/,aa/' /etc/security/audit_control; /usr/sbin/audit -s
  ----
references:
  cce:
    - CCE-92715-2
  cci:
    - CCI-000172
  800-53r5:
    - AC-2(12)
    - AU-12
    - AU-2
    - MA-4(1)
    - CM-5(1)
  800-53r4:
    - AU-2
    - AU-12
    - MA-4(1)
  srg:
    - SRG-OS-000470-GPOS-00214
    - SRG-OS-000472-GPOS-00217
    - SRG-OS-000473-GPOS-00218
    - SRG-OS-000475-GPOS-00220
  disa_stig:
    - N/A
  800-171r2:
    - 3.3.1
    - 3.3.2
  cis:
    benchmark:
      - 3.2 (level 2)
    controls v8:
      - 3.14
      - 8.2
      - 8.5
  cmmc:
    - AU.L2-3.3.3
    - AU.L2-3.3.6
    - SI.L2-3.14.3
macOS:
  - "14.0"
tags:
  - 800-53r5_privacy
  - 800-53r4_low
  - 800-53r4_moderate
  - 800-53r4_high
  - 800-53r5_low
  - 800-53r5_moderate
  - 800-53r5_high
  - 800-171
  - cis_lvl2
  - cisv8
  - cnssi-1253_moderate
  - cnssi-1253_low
  - cnssi-1253_high
  - cmmc_lvl2
severity: "medium"
mobileconfig: false
mobileconfig_info: