CCE-50311-0| Platform: cpe:/o:apple:mac_os_14 | Date: (C)2023-11-28 (M)2023-11-28 |
Audit records should never be changed except by the system daemon posting events. Records may be viewed or extracts manipulated but the authoritative files should be protected from unauthorized changes. This control is only checking the default configuration to ensure that unwanted access to audit records is not available.
Fix:
$ sudo chown -R root:wheel /etc/security/audit_control
$ sudo chmod -R -o-rw /etc/security/audit_control
$ sudo chown -R root:wheel /var/audit/
$ sudo chmod -R -o-rw /var/audit/
Parameter:
[640, root, root]
Technical Mechanism:
$ sudo chown -R root:wheel /etc/security/audit_control
$ sudo chmod -R -o-rw /etc/security/audit_control
$ sudo chown -R root:wheel /var/audit/
$ sudo chmod -R -o-rw /var/audit/
| CCSS Severity: | CCSS Metrics: |
| CCSS Score : 5.3 | Attack Vector: LOCAL |
| Exploit Score: 1.8 | Attack Complexity: LOW |
| Impact Score: 3.4 | Privileges Required: LOW |
| Severity: MEDIUM | User Interaction: NONE |
| Vector: AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L | Scope: UNCHANGED |
| | Confidentiality: LOW |
| | Integrity: LOW |
| | Availability: LOW |
| | |
References: | Resource Id | Reference |
|---|
| SCAP Repo OVAL Definition | oval:org.secpod.oval:def:94876 |
