Finding ID | Version | Rule ID | IA Controls | Severity |
---|---|---|---|---|
V-257179 | APPL-13-001029 | SV-257179r905170_rule | | Low |
Description |
---|
The audit service must be configured to require that records are kept for seven days or longer before deletion when there is no central audit record storage facility. When "expire-after" is set to "7d", the audit service will not delete audit logs until the log data is at least seven days old. |
STIG | Date |
---|---|
Apple macOS 13 (Ventura) Security Technical Implementation Guide | 2023-08-28 |
Check Text ( C-60864r905168_chk ) |
---|
Verify the macOS system is configured to store at least seven days of audit records with the following command: `/usr/bin/sudo /usr/bin/grep ^expire-after /etc/security/audit_control` Expected output: `expire-after:7d` If "expire-after" is not set to "7d" or greater, this is a finding. |
Fix Text (F-60805r905169_fix) |
---|
Configure the macOS system to store seven days of audit records with the following command: `/usr/bin/sudo /usr/bin/sed -i.bak 's/.*expire-after.*/expire-after:7d/' /etc/security/audit_control; /usr/bin/sudo /usr/sbin/audit -s` Alternatively, use a text editor to update the "/etc/security/audit_control" file. |
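
The check text's grep only prints the setting; deciding whether it is "7d or greater" is left to the reviewer. The following added example (not part of the STIG) automates that comparison. The function name `check_expire_after`, its exit codes, and the handling of the time suffixes s/h/d/y and the size or AND/OR forms described in audit_control(5) are assumptions of this example.

```shell
#!/bin/sh
# Added example, not STIG content. Hypothetical helper.
# check_expire_after FILE
#   0 = time-based retention of at least seven days
#   1 = finding (setting missing, commented out, or shorter than seven days)
#   2 = manual review (size-based, combined with AND/OR, or unparsable)
check_expire_after() {
    file=$1
    # Same anchor as the STIG grep: only uncommented lines; last one wins.
    value=$(grep '^expire-after' "$file" 2>/dev/null | tail -n 1 |
        sed 's/^expire-after:[[:space:]]*//; s/[[:space:]]*$//')
    [ -n "$value" ] || return 1

    # Size limits (B/K/M/G) and AND/OR combinations cannot be compared to
    # a seven-day minimum mechanically, so flag them for a human.
    case $value in
        *AND*|*OR*|*[BKMG]) return 2 ;;
    esac

    num=${value%[shdy]}      # numeric part
    unit=${value#"$num"}     # single-letter time suffix
    case $num in
        ''|*[!0-9]*|0?*) return 2 ;;
    esac
    case $unit in
        s) secs=$num ;;
        h) secs=$((num * 3600)) ;;
        d) secs=$((num * 86400)) ;;
        y) secs=$((num * 31536000)) ;;
        *) return 2 ;;
    esac
    [ "$secs" -ge 604800 ]   # 7 days in seconds
}

# Constructed sample values, not taken from a real system.
demo() {
    tmp=$(mktemp)
    for v in 7d 168h 6d 10M '60d AND 5G'; do
        printf 'expire-after:%s\n' "$v" > "$tmp"
        rc=0
        check_expire_after "$tmp" || rc=$?
        printf '%-12s -> %s\n' "$v" "$rc"
    done
    rm -f "$tmp"
}
demo
```

On a real system, run it as `check_expire_after /etc/security/audit_control` with sufficient privileges to read the file.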