File: rule.yml

scap-security-guide 0.1.76-1
documentation_complete: true

title: "Shutdown System When Auditing Failures Occur"

description: |-
    The macOS system must shut down by default upon audit
    failure unless availability is an overriding concern.

rationale: |-
    The audit service should shut down the computer if it
    is unable to audit system events. Once audit failure
    occurs, user and system activity is no longer recorded
    and malicious activity could go undetected. Audit
    processing failures include software/hardware errors,
    failures in the audit capturing mechanisms, and audit
    storage capacity being reached or exceeded. Responses
    to audit failure depend on the nature of the failure
    mode.

severity: medium

#identifiers:
#    cce: 27058-7
#    -- or --
#    cce@macos1015: 27058-7

references:
    disa: CCI-000140
    nist: AU-5(b)
    srg: SRG-OS-000047-GPOS-00023
    stigid: AOSX-14-001010

ocil_clause: 'auditing is not configured to shut down on audit failure'

ocil: |-
    To verify that the audit service is configured to halt the
    system on audit failure, run the following command:
    <pre>$ sudo grep -E "^policy.*ahlt" /etc/security/audit_control</pre>
    The output should contain <tt>ahlt</tt>.

#check:
#  /usr/bin/grep -Ec "^policy.*ahlt" /etc/security/audit_control
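The grep in the OCIL and commented check above matches `ahlt` anywhere after `policy`, so a line such as `policy:cnt,ahlt` (where `cnt` tells the audit service to continue on failure) would still pass. The following is an added example, not part of the SCAP Security Guide rule: a POSIX shell function (hypothetical name `audit_policy_ok`) that splits the policy flag list on commas, ignores commented-out lines, and only passes when `ahlt` is present and `cnt` is not. The sample file it creates is constructed for the stand-alone run.

```sh
#!/bin/sh
# audit_policy_ok FILE
# Exit 0 when the uncommented "policy:" line in FILE lists the "ahlt" flag
# and does not also list "cnt"; exit 1 otherwise.
audit_policy_ok() {
    file="$1"
    # Keep only uncommented policy lines, drop the "policy:" prefix and all
    # whitespace. The file is expected to hold a single policy line; if several
    # are present this takes the last one (an assumption of this example).
    policy=$(grep -E '^[[:space:]]*policy:' "$file" \
        | tail -n 1 | sed 's/^[^:]*://' | tr -d '[:space:]')
    [ -n "$policy" ] || return 1
    has_ahlt=0
    has_cnt=0
    # Split the comma-separated flag list and compare whole flags, so
    # substrings such as "noahlt" are not mistaken for "ahlt".
    oldifs="$IFS"
    IFS=','
    for flag in $policy; do
        case "$flag" in
            ahlt) has_ahlt=1 ;;
            cnt)  has_cnt=1 ;;
        esac
    done
    IFS="$oldifs"
    [ "$has_ahlt" -eq 1 ] && [ "$has_cnt" -eq 0 ]
}

# Constructed sample audit_control (not taken from a real host) for a demo run.
sample=$(mktemp)
printf 'dir:/var/audit\nflags:lo,aa\nminfree:5\npolicy:cnt,argv\n' > "$sample"
if audit_policy_ok "$sample"; then
    echo "PASS: audit service halts the system on audit failure"
else
    echo "FAIL: policy does not set ahlt (or also sets cnt)"
fi
rm -f "$sample"
```

Run it against a copy of `/etc/security/audit_control` by calling `audit_policy_ok /path/to/copy`; the demo file at the bottom reports FAIL because its policy line uses `cnt`.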