Ensure Security Auditing Is Enabled

Enable Auditing
$ /usr/bin/sudo /bin/launchctl load -w /System/Library/LaunchDaemons/com.apple.auditd.plist

Read Auditing Setting
LAUNCHD_RUNNING=$(/bin/launchctl list | /usr/bin/grep -c com.apple.auditd)
AUDITD_RUNNING=$(/usr/sbin/audit -c | /usr/bin/grep -c "AUC_AUDITING")
if [[ $LAUNCHD_RUNNING == 1 ]] && [[ -e /etc/security/audit_control ]] && [[ $AUDITD_RUNNING == 1 ]]; then
echo "pass"
else
echo "fail"
fi

Link:
https://www.tenable.com/audits/items/CIS_Apple_macOS_13.0_Ventura_v1.0.0_L1.audit:8d4aa7b5be6a9746844fd9d58e97825b

Splunk
index=* host=myMacOSMachine | eval eventSize=len(_raw) | stats sum(eventSize) as totalBytes by sourcetype | eval totalKB=round(totalBytes/1024, 2) | eval totalMB=round(totalKB/1024, 2) | eval totalGB=round(totalMB/1024, 2) | fields sourcetype, totalBytes, totalKB, totalMB, totalGB

Leave a Comment

Your email address will not be published. Required fields are marked *

Scroll to Top
Share via
Copy link