The macOS system must configure sudo to log events.

Overview

Finding ID	Version	Rule ID	IA Controls	Severity
V-268451	APPL-15-000190	SV-268451r1034293_rule		Medium

Description

Sudo must be configured to log privilege escalation. Without logging privilege escalation, it is difficult to identify attempted attacks because no audit trail is available for forensic investigation.

STIG	Date
Apple macOS 15 (Sequoia) Security Technical Implementation Guide	2025-05-05

Details

Check Text (C-72481r1034291_chk)

Verify the macOS system is configured to log privilege escalation with the following command:

/usr/bin/sudo /usr/bin/sudo -V | /usr/bin/grep -c "Log when a command is allowed by sudoers"

If the result is not "1", this is a finding.

Fix Text (F-72382r1034292_fix)

Configure the macOS system to log privilege escalation with the following command:

/usr/bin/find /etc/sudoers* -type f -exec sed -i '' '/Defaults \!log_allowed/d' '{}' \;
/bin/echo "Defaults log_allowed" >> /etc/sudoers.d/mscp