CCE-50152-8Platform: cpe:/o:apple:mac_os_13 | Date: (C)2024-04-17 (M)2024-04-17 |
MacOS's audit facility, auditd, receives notifications from the kernel when certain system calls, such as open, fork, and exit, are made. These notifications are captured and written to an audit log.
Rationale:Logs generated by auditd may be useful when investigating a security incident as they may help reveal the vulnerable application and the actions taken by a malicious actor.
Remediation:
Terminal Method:
Perform the following to enable security auditing:
Run the following command to load auditd:
$ /usr/bin/sudo /bin/launchctl load -w /System/Library/LaunchDaemons/com.apple.auditd.plist
Parameter:
[Yes/No]
Technical Mechanism:
Remediation:
Terminal Method:
Perform the following to enable security auditing:
Run the following command to load auditd:
$ /usr/bin/sudo /bin/launchctl load -w /System/Library/LaunchDaemons/com.apple.auditd.plist
CCSS Severity: | CCSS Metrics: |
CCSS Score : 4.4 | Attack Vector: LOCAL |
Exploit Score: 1.8 | Attack Complexity: LOW |
Impact Score: 2.5 | Privileges Required: LOW |
Severity: MEDIUM | User Interaction: NONE |
Vector: AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:L | Scope: UNCHANGED |
| Confidentiality: LOW |
| Integrity: NONE |
| Availability: LOW |
| |
References: Resource Id | Reference |
---|
SCAP Repo OVAL Definition | oval:org.secpod.oval:def:99051 |