The macOS system must allocate audit record storage capacity to store at least seven days of audit records when audit records are not immediately sent to a central audit record storage facility.
Overview
| Finding ID | Version | Rule ID | IA Controls | Severity |
|---|---|---|---|---|
| V-257179 | APPL-13-001029 | SV-257179r905170_rule | Low |
| Description |
|---|
| The audit service must be configured to require that records are kept for seven days or longer before deletion when there is no central audit record storage facility. When "expire-after" is set to "7d", the audit service will not delete audit logs until the log data is at least seven days old. |
| STIG | Date |
|---|---|
| Apple macOS 13 (Ventura) Security Technical Implementation Guide | 2023-08-28 |
Details
| Check Text ( C-60864r905168_chk ) |
|---|
| Verify the macOS system is configured to store at least seven days of audit records with the following command: /usr/bin/sudo /usr/bin/grep ^expire-after /etc/security/audit_control expire-after:7d If "expire-after" is not set to "7d" or greater, this is a finding. |
| Fix Text (F-60805r905169_fix) |
|---|
| Configure the macOS system to store seven days of audit records with the following command: /usr/bin/sudo /usr/bin/sed -i.bak 's/.*expire-after.*/expire-after:7d/' /etc/security/audit_control; /usr/bin/sudo /usr/sbin/audit -s Alternatively, use a text editor to update the "/etc/security/audit_control" file. |