STIG V-277040 | The macOS system must configure audit...

macOS 26 - Tahoe

The macOS system must configure audit log files to not contain access control lists (ACLs)

STIG ID: APPL-26-000030 | SRG: SRG-OS-000057-GPOS-00027 | Severity: Medium | CCI: CCI-000162 | Vulnerability ID: V-277040

Description

The audit log files must not contain ACLs.

This rule ensures that audit information and audit files are configured to be readable and writable only by system administrators, thereby preventing unauthorized access, modification, and deletion of files.

Satisfies: SRG-OS-000057-GPOS-00027, SRG-OS-000058-GPOS-00028, SRG-OS-000059-GPOS-00029, SRG-OS-000256-GPOS-00097, SRG-OS-000257-GPOS-00098, SRG-OS-000258-GPOS-00099

Check

C-81195r1148570_chk

Verify the macOS system is configured without ACLs applied to log files with the following command:

/bin/ls -le $(/usr/bin/grep '^dir' /etc/security/audit_control | /usr/bin/awk -F: '{print $2}') | /usr/bin/awk '{print $1}' | /usr/bin/grep -c ":"

If the result is not "0", this is a finding.

Fix

F-81100r1148571_fix

Configure the macOS system without ACLs applied to log files with the following command:

/bin/chmod -RN /var/audit