Rules with NIST-800-53 Reference in Guide to the Secure Configuration of Apple macOS 10.15


| Mapping | Rule Title | Description | Rationale |
|---|---|---|---|
| AU-3, AU-3(1), AU-8(a), AU-8(b), AU-12(3), AU-14(1) | Enable audit Service | The audit service is an essential userspace component of the auditing system, as it is responsible for writing audit records to disk. | Without establishing what type of events occurred, when they occurred, and by whom, it would be difficult to establish, correlate, and investigate the events leading up to an outage or attack. Audit record content that may be necessary to satisfy this requirement includes, for example, time stamps, source and destination addresses, user/process identifiers, event descriptions, success/fail indications, filenames involved, and access control or flow control rules invoked. Associating event types with detected events in the operating system audit logs provides a means of investigating an attack, recognizing resource utilization or capacity thresholds, or identifying an improperly configured operating system. |
| AU-5(b) | Shutdown System When Auditing Failures Occur | The macOS system must shut down by default upon audit failure unless availability is an overriding concern. | The audit service should shut down the computer if it is unable to audit system events. Once audit failure occurs, user and system activity is no longer recorded and malicious activity could go undetected. Audit processing failures include software/hardware errors, failures in the audit capturing mechanisms, and audit storage capacity being reached or exceeded. Responses to audit failure depend on the nature of the failure mode. |