The macOS system must be configured to audit all deletions of object attributes.

Overview

Finding ID	Version	Rule ID	IA Controls	Severity
V-268462	APPL-15-001020	SV-268462r1034326_rule		Medium

Description

The audit system must be configured to record enforcement actions of attempts to delete file attributes (fd). ***Enforcement actions are the methods or mechanisms used to prevent unauthorized changes to configuration settings. One common and effective enforcement action method is using access restrictions (i.e., denying modifications to a file by applying file permissions). This configuration ensures that audit lists include events in which enforcement actions prevent attempts to delete a file. Without auditing the enforcement of access restrictions, it is difficult to identify attempted attacks because no audit trail is available for forensic investigation. Satisfies: SRG-OS-000057-GPOS-00027, SRG-OS-000058-GPOS-00028, SRG-OS-000059-GPOS-00029, SRG-OS-000064-GPOS-00033, SRG-OS-000256-GPOS-00097, SRG-OS-000257-GPOS-00098, SRG-OS-000258-GPOS-00099, SRG-OS-000365-GPOS-00152, SRG-OS-000392-GPOS-00172, SRG-OS-000458-GPOS-00203, SRG-OS-000463-GPOS-00207, SRG-OS-000465-GPOS-00209, SRG-OS-000466-GPOS-00210, SRG-OS-000467-GPOS-00211, SRG-OS-000468-GPOS-00212

STIG	Date
Apple macOS 15 (Sequoia) Security Technical Implementation Guide	2025-05-05

Details

Check Text (C-72492r1034324_chk)

Verify the macOS system is configured to audit all deletions of object attributes with the following command:

/usr/bin/awk -F':' '/^flags/ { print $NF }' /etc/security/audit_control | /usr/bin/tr ',' '\n' | /usr/bin/grep -Ec '\-fd'

If the result is not "1", this is a finding.

Fix Text (F-72393r1034325_fix)

Configure the macOS system to audit all deletions of object attributes with the following command:

/usr/bin/grep -qE "^flags.*-fd" /etc/security/audit_control || /usr/bin/sed -i.bak '/^flags/ s/$/,-fd/' /etc/security/audit_control;/usr/sbin/audit -s