U Apple macOS 14 V2R2


UNCLASSIFIED
Group Title
SRG-OS-000341-GPOS-00132
Group ID
V-259467
Rule Version
APPL-14-001029
Rule Title
The macOS system must configure audit retention to seven days.
Rule ID
SV-259467r958752_rule
Rule Severity
Low
Rule Weight
10.0
Vuln Discussion

The audit service must be configured to require that records be kept for an organization-defined period before deletion, unless the system uses a central audit record storage facility.

When "expire-after" is set to "7d", the audit service will not delete audit logs until that retention criterion is met.

Documentable
False
Check Content

Verify the macOS system is configured with an audit retention of seven days with the following command:

/usr/bin/awk -F: '/expire-after/{print $2}' /etc/security/audit_control

If the result is not "7d", this is a finding.

Check System
C-63206r941021_chk
Fix Reference
F-63114r941022_fix
Fix Text

Configure the macOS system to set audit retention to seven days with the following command:

/usr/bin/sed -i.bak 's/^expire-after.*/expire-after:7d/' /etc/security/audit_control; /usr/sbin/audit -s

Identities
CCI-001849

Allocate audit log storage capacity to accommodate organization-defined audit record retention requirements.

  • 800-53 Rev. 4 :: AU-4
  • 800-53 Rev. 5 :: AU-4
Group Title
SRG-OS-000341-GPOS-00132
Group ID
V-259558
Rule Version
APPL-14-004050
Rule Title
The macOS system must configure install.log retention to 365.
Rule ID
SV-259558r958752_rule
Rule Severity
Low
Rule Weight
10.0
Vuln Discussion

The install.log must be configured to require that records be kept for an organization-defined period before deletion, unless the system uses a central audit record storage facility.

Documentable
False
Check Content

Verify the macOS system is configured with an install.log retention of 365 days with the following command:

/usr/sbin/aslmanager -dd 2>&1 | /usr/bin/awk '/\/var\/log\/install.log/ {count++} /Processing module com.apple.install/,/Finished/ { for (i=1;i<=NF;i++) { if ($i == "TTL" && $(i+2) >= 365) { ttl="True" }; if ($i == "MAX") {max="True"}}} END{if (count > 1) { print "Multiple config files for /var/log/install, manually remove"} else if (ttl != "True") { print "TTL not configured" } else if (max == "True") { print "Max Size is configured, must be removed" } else { print "Yes" }}'

If the result is not "Yes", this is a finding.

Check System
C-63297r941294_chk
Fix Reference
F-63205r941295_fix
Fix Text

Configure the macOS system with an install.log retention of 365 days with the following command:

/usr/bin/sed -i '' "s/\* file \/var\/log\/install.log.*/\* file \/var\/log\/install.log format='\$\(\(Time\)\(JZ\)\) \$Host \$\(Sender\)\[\$\(PID\\)\]: \$Message' rotate=utc compress file_max=50M size_only ttl=365/g" /etc/asl/com.apple.install

Note: If there are multiple configuration files in /etc/asl that are set to process the file /var/log/install.log, these files will have to be manually removed.

Identities
CCI-001849

Allocate audit log storage capacity to accommodate organization-defined audit record retention requirements.

  • 800-53 Rev. 4 :: AU-4
  • 800-53 Rev. 5 :: AU-4
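The two retention checks above (audit_control "expire-after" and the install.log ttl) as an added, self-contained example that is not part of the STIG. It works on copies of the configuration files rather than the live /etc files, so it never runs audit -s; the function names, the constructed sample contents and the choice to read the /etc/asl config text instead of aslmanager -dd output are assumptions of this example.

```shell
# Added example, not STIG text: evaluates both retention settings on working
# copies (never the live /etc files). Function names, sample contents and
# reading /etc/asl config text instead of aslmanager output are assumptions.

# Print the active expire-after value. Anchoring on ^expire-after: keeps a
# commented-out "#expire-after:" line from being mistaken for the setting.
audit_expire_after() {
    awk -F: '/^expire-after:/ {print $2}' "$1"
}

# 0 when the file meets APPL-14-001029 (value exactly "7d"), 1 otherwise.
check_audit_retention() {
    [ "$(audit_expire_after "$1")" = "7d" ]
}

# Same rewrite as the STIG fix, applied to a copy ($1 -> $2). On a real host
# the edited file must be followed by "audit -s" to be reread.
fix_audit_retention() {
    sed 's/^expire-after.*/expire-after:7d/' "$1" > "$2"
}

# For each ASL line that writes /var/log/install.log, print its ttl= value
# (empty if the line sets no ttl). One output line per config line.
install_log_ttl() {
    awk '/file \/var\/log\/install\.log/ {
        ttl = ""
        for (i = 1; i <= NF; i++) if ($i ~ /^ttl=/) { split($i, kv, "="); ttl = kv[2] }
        print ttl
    }' "$1"
}

# 0 when exactly one install.log line exists and ttl >= 365; 1 otherwise
# (a second line is the "multiple config" case the STIG says to fix by hand).
check_install_log_ttl() {
    n=$(install_log_ttl "$1" | awk 'END {print NR}')
    [ "$n" -eq 1 ] || return 1
    ttl=$(install_log_ttl "$1")
    case "$ttl" in ''|*[!0-9]*) return 1 ;; esac
    [ "$ttl" -ge 365 ]
}

# Constructed sample files (not real system files) written into directory $1:
# a non-compliant audit_control and a compliant com.apple.install.
write_samples() {
    printf '%s\n' 'dir:/var/audit' 'flags:lo,aa' 'minfree:5' \
        'expire-after:10M' 'policy:cnt' > "$1/audit_control"
    printf '%s\n' '# constructed ASL config' \
        "* file /var/log/install.log format='\$((Time)(JZ)) \$Host \$(Sender)[\$(PID)]: \$Message' rotate=utc compress ttl=365" \
        > "$1/com.apple.install"
}
```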