ℹ️ The items you can view are limited because you do not have a subscription. Contact us at [email protected] to purchase one.
- Group Title
- SRG-OS-000341-GPOS-00132
- Group ID
- V-268467
- Rule Version
- APPL-15-001029
- Rule Title
- The macOS system must configure audit retention to seven days.
- Rule ID
- SV-268467r1034341_rule
- Rule Severity
- ● Low
- Rule Weight
- 10.0
- Vuln Discussion
-
The audit service must be configured to require that records be kept for an organizational-defined value before deletion unless the system uses a central audit record storage facility.
When "expire-after" is set to "7d", the audit service will not delete audit logs until the log data criteria is met.
- Documentable
- False
- Check Content
-
Verify the macOS system is configured to set audit retention to seven days with the following command:
/usr/bin/awk -F: '/expire-after/{print $2}' /etc/security/audit_control
If the result is not "7d", this is a finding.
- Check System
- C-72497r1034339_chk
- Fix Reference
- F-72398r1034340_fix
- Fix Text
-
Configure the macOS system to set audit retention to seven days with the following command:
/usr/bin/sed -i.bak 's/^expire-after.*/expire-after:7d/' /etc/security/audit_control; /usr/sbin/audit -s
- Identities
-
CCI-001849
Allocate audit log storage capacity to accommodate organization-defined audit record retention requirements.
- 800-53 Rev. 4 :: AU-4
- 800-53 Rev. 5 :: AU-4
- Group Title
- SRG-OS-000341-GPOS-00132
- Group ID
- V-268554
- Rule Version
- APPL-15-004050
- Rule Title
- The macOS system must configure install.log retention to 365.
- Rule ID
- SV-268554r1034602_rule
- Rule Severity
- ● Low
- Rule Weight
- 10.0
- Vuln Discussion
-
The install.log must be configured to require that records be kept for an organizational-defined value before deletion, unless the system uses a central audit record storage facility.
Proper audit storage capacity is crucial to ensuring the ongoing logging of critical events.
- Documentable
- False
- Check Content
-
Verify the macOS system is configured with install.log retention to 365 with the following command:
/usr/sbin/aslmanager -dd 2>&1 | /usr/bin/awk '/\/var\/log\/install.log$/ {count++} /Processing module com.apple.install/,/Finished/ { for (i=1;i<=NR;i++) { if ($i == "TTL" && $(i+2) >= 365) { ttl="True" }; if ($i == "MAX") {max="True"}}} END{if (count > 1) { print "Multiple config files for /var/log/install, manually remove the extra files"} else if (max == "True") { print "all_max setting is configured, must be removed" } if (ttl != "True") { print "TTL not configured" } else { print "Yes" }}'
If the result is not "yes", this is a finding.
- Check System
- C-72584r1034600_chk
- Fix Reference
- F-72485r1034601_fix
- Fix Text
-
Configure the macOS system with install.log retention to 365 with the following command:
/usr/bin/sed -i '' "s/\* file \/var\/log\/install.log.*/\* file \/var\/log\/install.log format='\$\(\(Time\)\(JZ\)\) \$Host \$\(Sender\)\[\$\(PID\\)\]: \$Message' rotate=utc compress file_max=50M size_only ttl=365/g" /etc/asl/com.apple.install
NOTE: If multiple configuration files in /etc/asl are set to process the file /var/log/install.log, these files must be manually removed.
- Identities
-
CCI-001849
Allocate audit log storage capacity to accommodate organization-defined audit record retention requirements.
- 800-53 Rev. 4 :: AU-4
- 800-53 Rev. 5 :: AU-4