[Forgot Password]
Login  Register Subscribe

24003

 
 

131573

 
 

108530

 
 

909

 
 

85343

 
 

134

Paid content will be excluded from the download.


Download | Alert*
CCE
view XML

CCE-90006-8

Platform: macosx10.9Date: (C)2015-06-11   (M)2018-03-17



Audit Kernel Module Loading and Unloading Kernel modules, called kernel extensions in Mac OS X, are compiled segments of code that are dynamically loaded into the kernel as required to support specific pieces of hardware or functionality. Privileged users are permitted to load or unload kernel extensions manually. An attacker might attempt to load a kernel extension that is known to be insecure to increase the attack surface of the system, or a user might plug in an unauthorized device that then triggers a kernel extension to be loaded. Auditing administrative actions, which include the loading or unloading of kernel extensions, mitigates this risk.


Parameter: EXISTS/DOES NOT EXIST


Technical Mechanism: In order to view the currently configured flags for the audit daemon, run the following command: sudo grep ^flags /etc/security/audit_control Privileged access, including administrative use of the command line tools kextload and kextunload, is logged via the 'ad' flag. If 'ad' is not listed in the result of the check, this is a finding.

References:

Resource IdReference
NISTAU-12 c
SCAP Repo OVAL Definitionoval:org.secpod.oval:def:24640


OVAL    1
oval:org.secpod.oval:def:24640
XCCDF    1
xccdf_org.secpod_benchmark_general_Mac_OS_X_10_9

© SecPod Technologies