The macOS system must configure audit failure notification.
Overview
| Finding ID | Version | Rule ID | IA Controls | Severity |
| V-268469 | APPL-15-001031 | SV-268469r1038966_rule | CCI-000140 | medium |
| Description | ||||
| The audit service must be configured to immediately print messages to the console or email administrator users when an auditing failure occurs. It is critical for the appropriate personnel to be made aware immediately if a system is at risk of failing to process audit logs as required. Without a real-time alert, security personnel may be unaware of a potentially harmful failure in the auditing system's capability, and system operation may be adversely affected. Satisfies: SRG-OS-000047-GPOS-00023, SRG-OS-000344-GPOS-00135 | ||||
| STIG | Date | |||
| Apple macOS 15 (Sequoia) Security Technical Implementation Guide | 2025-05-05 | |||
Related Frameworks
3 paths across 3 frameworks
Related Frameworks
NIST 800-531 mapping
AU-5
1.00
- DISA · 1 · disa_xccdf · related
- DISA · 2025-01-23 · disa_cci_list · equivalent
NIST 800-1711 mapping
3.3.4
1.00
- DISA · 1 · disa_xccdf · related
- DISA · 2025-01-23 · disa_cci_list · equivalent
- NIST · Rev 2 (Feb 2020, errata Jan 2021) · nist_800_171_app_d · equivalent
CCI1 mapping
CCI-000140
1.00
- DISA · 1 · disa_xccdf · related
Details
Check Text (C-268469r1038966_chk)
Verify the macOS system is configured to produce audit failure notification with the following command:
/usr/bin/grep -c "logger -s -p" /etc/security/audit_warn
If the result is not "1", this is a finding.
Fix Text (F-72400r1034346_fix)
Configure the macOS system to produce audit failure notification with the following command:
/usr/bin/sed -i.bak 's/logger -p/logger -s -p/' /etc/security/audit_warn; /usr/sbin/audit -s