The operating system must monitor remote access methods.

From Apple OS X 10.11 Security Technical Implementation Guide

Part of SRG-OS-000032-GPOS-00013

Associated with: CCI-000067

SV-81957r1_rule The operating system must monitor remote access methods.

Vulnerability discussion

Remote access services, such as those providing remote access to network devices and information systems, increase risk and expose those systems to possible cyber attacks, so all remote access should be closely monitored and audited. Only authorized users should be permitted to remotely access DoD non-public information systems. An attacker might attempt to log in as an authorized user, through stolen credentials, unpatched exploits of the remote access service, or brute force attempts to guess a valid username and password. If a user is attempting to log in to a system from an unusual location or at an unusual time, or if there are many failed attempts, there is a possibility that the system is the target of a cyber attack. Auditing logon events mitigates this risk by recording all logon attempts, successful and unsuccessful, to the system.

Check content

To check to make sure the audit daemon is configured to log all logon events, both local and remote, run the following command: /usr/bin/sudo /usr/bin/grep ^flags /etc/security/audit_control The flag "lo" should be included in the list of flags set. If it is not, this is a finding.

Fix text

To make sure the appropriate flags are enabled for auditing, run the following command: /usr/bin/sudo /usr/bin/sed -i.bak '/^flags/ s/$/,lo/' /etc/security/audit_control; /usr/bin/sudo /usr/sbin/audit -s A text editor may also be used to implement the required updates to the /etc/security/audit_control file.

Pro Tips

Lavender hyperlinks in small type off to the right (of CSS class id, if you view the page source) point to globally unique URIs for each document and item. Copy the link location and paste anywhere you need to talk unambiguously about these things.

You can obtain data about documents and items in other formats. Simply provide an HTTP header Accept: text/turtle or Accept: application/rdf+xml.

Powered by sagemincer