The macOS system must configure audit retention to seven days.
Overview
| Finding ID | Version | Rule ID | IA Controls | Severity |
| V-268467 | APPL-15-001029 | SV-268467r1034341_rule | CCI-001849 | low |
| Description | ||||
| The audit service must be configured to require that records be kept for an organizational-defined value before deletion unless the system uses a central audit record storage facility. When "expire-after" is set to "7d", the audit service will not delete audit logs until the log data criteria is met. | ||||
| STIG | Date | |||
| Apple macOS 15 (Sequoia) Security Technical Implementation Guide | 2025-05-05 | |||
Related Frameworks
2 paths across 2 frameworks
Related Frameworks
NIST 800-531 mapping
AU-4
1.00
- DISA · 1 · disa_xccdf · related
- DISA · 2025-01-23 · disa_cci_list · equivalent
CCI1 mapping
CCI-001849
1.00
- DISA · 1 · disa_xccdf · related
Details
Check Text (C-268467r1034341_chk)
Verify the macOS system is configured to set audit retention to seven days with the following command:
/usr/bin/awk -F: '/expire-after/{print $2}' /etc/security/audit_control
If the result is not "7d", this is a finding.
Fix Text (F-72398r1034340_fix)
Configure the macOS system to set audit retention to seven days with the following command:
/usr/bin/sed -i.bak 's/^expire-after.*/expire-after:7d/' /etc/security/audit_control; /usr/sbin/audit -s