DISA STIGS Viewer

Finding ID	Version	Rule ID	IA Controls	Severity
V-268452	APPL-15-001001	SV-268452r1034296_rule		Medium

Description

The auditing system must be configured to flag administrative action (ad) events. Administrative action events include changes made to the system (e.g., modifying authentication policies). If audit records do not include ad events, it is difficult to identify incidents and to correlate incidents to subsequent events. Audit records can be generated from various components within the information system (e.g., via a module or policy filter). The information system audits the execution of privileged functions. NOTE: Changing the line "43127:AUE_MAC_SYSCALL:mac_syscall(2):ad" to "43127:AUE_MAC_SYSCALL:mac_syscall(2):zz" in the file /etc/security/audit_event is recommended. This will prevent sandbox violations from being audited by the ad flag. Satisfies: SRG-OS-000004-GPOS-00004, SRG-OS-000239-GPOS-00089, SRG-OS-000240-GPOS-00090, SRG-OS-000241-GPOS-00091, SRG-OS-000303-GPOS-00120, SRG-OS-000327-GPOS-00127, SRG-OS-000365-GPOS-00152, SRG-OS-000392-GPOS-00172, SRG-OS-000458-GPOS-00203, SRG-OS-000471-GPOS-00215, SRG-OS-000471-GPOS-00216, SRG-OS-000476-GPOS-00221

STIG	Date
Apple macOS 15 (Sequoia) Security Technical Implementation Guide	2025-05-05

Check Text (C-72482r1034294_chk)

Verify the macOS system is configured to audit privileged access with the following command: /usr/bin/awk -F':' '/^flags/ { print $NF }' /etc/security/audit_control | /usr/bin/tr ',' '\n' | /usr/bin/grep -Ec 'ad' If "ad" is not listed in the output, this is a finding.

Fix Text (F-72383r1034295_fix)

Configure the macOS system to audit privileged access with the following command: /usr/bin/grep -qE "^flags.*[^-]ad" /etc/security/audit_control || /usr/bin/sed -i.bak '/^flags/ s/$/,ad/' /etc/security/audit_control; /usr/sbin/audit -s A text editor may also be used to implement the required updates to the "/etc/security/audit_control" file.