|Platform: macosx10.10||Date: (C)2015-06-23 (M)2017-11-21|
Audit Kernel Module Loading and Unloading
Kernel modules, called kernel extensions in Mac OS X, are compiled segments of code that are dynamically loaded into the kernel as required to support specific pieces of hardware or functionality. Privileged users are permitted to load or unload kernel extensions manually. An attacker might attempt to load a kernel extension that is known to be insecure to increase the attack surface of the system, or a user might plug in an unauthorized device that then triggers a kernel extension to be loaded. Auditing administrative actions, which include the loading or unloading of kernel extensions, mitigates this risk.
EXISTS/DOES NOT EXIST
In order to view the currently configured flags for the audit daemon, run the following command:
sudo grep ^flags /etc/security/audit_control
Privileged access, including administrative use of the command line tools kextload and kextunload, is logged via the 'ad' flag. If 'ad' is not listed in the result of the check, this is a finding.
|SCAP Repo OVAL Definition||oval:org.secpod.oval:def:25048|