CCE-50407-6Platform: cpe:/o:apple:mac_os_14 | Date: (C)2024-04-23 (M)2024-04-23 |
/etc/security/audit_control must not contain Access Control Lists (ACLs). /etc/security/audit_control contains sensitive configuration data about the audit service. This rule ensures that the audit service is configured to be readable and writable only by system administrators in order to prevent normal users from manipulating audit logs.
Audit:
Verify the macOS system is configured without ACLs applied to audit_control with the following command:
/bin/ls -le /etc/security/audit_control | /usr/bin/awk '{print $1}' | /usr/bin/grep -c ":"
If the result is not "0", this is a finding.
Remediation:
Configure the macOS system without ACLs applied to audit_control with the following command:
/bin/chmod -N /etc/security/audit_control
NOTE:/etc/security/audit_control is deprecated and disabled in Mac OS 14, the files are not present in the system by default. If remediated in this particular case (File not present) rollback will not behave as expected.
Parameter:
[Yes/No]
Technical Mechanism:
Configure the macOS system without ACLs applied to audit_control with the following command:
/bin/chmod -N /etc/security/audit_control
CCSS Severity: | CCSS Metrics: |
CCSS Score : 7.8 | Attack Vector: LOCAL |
Exploit Score: 1.8 | Attack Complexity: LOW |
Impact Score: 5.9 | Privileges Required: LOW |
Severity: HIGH | User Interaction: NONE |
Vector: AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H | Scope: UNCHANGED |
| Confidentiality: HIGH |
| Integrity: HIGH |
| Availability: HIGH |
| |
References: Resource Id | Reference |
---|
SCAP Repo OVAL Definition | oval:org.secpod.oval:def:99406 |