This is not the latest version of the STIG. This is provided for archival purposes. See the latest STIG.

The macOS system must be configured to audit all failed read actions on the system.

STIG ID: APPL-14-001022  |  SRG: SRG-OS-000463-GPOS-00207 |  Severity: medium (CAT II)  |  CCI: CCI-000162,CCI-000172 |  Vulnerability Id: V-259464

Vulnerability Discussion

The audit system must be configured to record enforcement actions of
access restrictions, including failed file read (-fr) attempts.

Enforcement actions are the methods or mechanisms used to prevent unauthorized access and/or changes to
configuration settings. One common and effective enforcement action method is using access restrictions
(e.g., denying access to a file by applying file permissions).

This configuration ensures that audit lists include events in which enforcement actions prevent attempts
to read a file.

Without auditing the enforcement of access restrictions, it is difficult to identify attempted attacks,
as there is no audit trail available for forensic investigation.

Satisfies:
SRG-OS-000463-GPOS-00207,SRG-OS-000057-GPOS-00027,SRG-OS-000465-GPOS-00209,SRG-OS-000474-GPOS-00219

Check

Verify the macOS system is configured to audit all failed read actions on the system with
the following command:

/usr/bin/awk -F':' '/^flags/ { print $NF }' /etc/security/audit_control | /usr/bin/tr ',' '\n' |
/usr/bin/grep -Ec '\-fr'

If the result is not "1", this is a finding.

Fix

Configure the macOS system to audit all failed read actions on the
system with the following command:

/usr/bin/grep -qE "^flags.*-fr" /etc/security/audit_control || /usr/bin/sed -i.bak '/^flags/ s/$/,-fr/'
/etc/security/audit_control;/usr/sbin/audit -s
This website is not created by, run, approved, or endorsed by the U.S. Department of Defense. Use at your own risk. This website is created by open-source software.