The macOS system must configure sudo to log events.
Severity | Group ID | Group Title | Version | Rule ID | Date | STIG Version |
|---|---|---|---|---|---|---|
| medium | V-268451 | SRG-OS-000064-GPOS-00033 | APPL-15-000190 | SV-268451r1131208_rule | 2026-02-06 | 1 |
Description
Sudo must be configured to log privilege escalation.
Without logging privilege escalation, it is difficult to identify attempted attacks because no audit trail is available for forensic investigation.
ℹ️ Check
Verify the macOS system is configured to log privilege escalation with the following command:
/usr/bin/sudo /usr/bin/sudo -V | /usr/bin/grep -c "Log when a command is allowed by sudoers"
If the result is not "1", this is a finding.
✔️ Fix
Configure the macOS system to log privilege escalation with the following command:
/usr/bin/find /etc/sudoers* -type f -exec sed -i '' '/^Defaults[[:blank:]]*\!log_allowed/s/^/# /' '{}' \;
/bin/echo "Defaults log_allowed" >> /etc/sudoers.d/mscp