U Apple macOS 15 V1R1


UNCLASSIFIED
Group Title
SRG-OS-000341-GPOS-00132
Group ID
V-268467
Rule Version
APPL-15-001029
Rule Title
The macOS system must configure audit retention to seven days.
Rule ID
SV-268467r1034341_rule
Rule Severity
Low
Rule Weight
10.0
Vuln Discussion

The audit service must be configured to require that records be kept for an organizational-defined value before deletion unless the system uses a central audit record storage facility.

When "expire-after" is set to "7d", the audit service will not delete audit logs until the log data criteria are met.

Documentable
False
Check Content

Verify the macOS system is configured to set audit retention to seven days with the following command:

/usr/bin/awk -F: '/expire-after/{print $2}' /etc/security/audit_control

If the result is not "7d", this is a finding.

Check System
C-72497r1034339_chk
Fix Reference
F-72398r1034340_fix
Fix Text

Configure the macOS system to set audit retention to seven days with the following command:

/usr/bin/sed -i.bak 's/^expire-after.*/expire-after:7d/' /etc/security/audit_control; /usr/sbin/audit -s

Identities
CCI-001849

Allocate audit log storage capacity to accommodate organization-defined audit record retention requirements.

  • 800-53 Rev. 4 :: AU-4
  • 800-53 Rev. 5 :: AU-4
Group Title
SRG-OS-000341-GPOS-00132
Group ID
V-268554
Rule Version
APPL-15-004050
Rule Title
The macOS system must configure install.log retention to 365.
Rule ID
SV-268554r1034602_rule
Rule Severity
Low
Rule Weight
10.0
Vuln Discussion

The install.log must be configured to require that records be kept for an organizational-defined value before deletion, unless the system uses a central audit record storage facility.

Proper audit storage capacity is crucial to ensuring the ongoing logging of critical events.

Documentable
False
Check Content

Verify the macOS system is configured with install.log retention to 365 with the following command:

/usr/sbin/aslmanager -dd 2>&1 | /usr/bin/awk '/\/var\/log\/install.log$/ {count++} /Processing module com.apple.install/,/Finished/ { for (i=1;i<=NR;i++) { if ($i == "TTL" && $(i+2) >= 365) { ttl="True" }; if ($i == "MAX") {max="True"}}} END{if (count > 1) { print "Multiple config files for /var/log/install, manually remove the extra files"} else if (max == "True") { print "all_max setting is configured, must be removed" } if (ttl != "True") { print "TTL not configured" } else { print "Yes" }}'

If the result is not "Yes", this is a finding.

Check System
C-72584r1034600_chk
Fix Reference
F-72485r1034601_fix
Fix Text

Configure the macOS system with install.log retention to 365 with the following command:

/usr/bin/sed -i '' "s/\* file \/var\/log\/install.log.*/\* file \/var\/log\/install.log format='\$\(\(Time\)\(JZ\)\) \$Host \$\(Sender\)\[\$\(PID\\)\]: \$Message' rotate=utc compress file_max=50M size_only ttl=365/g" /etc/asl/com.apple.install

NOTE: If multiple configuration files in /etc/asl are set to process the file /var/log/install.log, these files must be manually removed.
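The following script is an added example, not part of the STIG or of Apple's tooling. It applies the logic of both checks above (APPL-15-001029 expire-after and APPL-15-004050 install.log ttl) to constructed copies of /etc/security/audit_control and /etc/asl/com.apple.install, so the parsing can be tested offline without root or aslmanager; the sample paths and file contents are assumptions, and the ASL check reads the ttl= and all_max= keywords from the configuration file rather than from aslmanager -dd output.

```shell
#!/bin/sh
# Added example, not STIG text. Paths below are assumptions for the constructed samples.
AUDIT_CONTROL="${AUDIT_CONTROL:-/tmp/audit_control.sample}"
ASL_DIR="${ASL_DIR:-/tmp/asl.sample}"

# Write constructed samples of /etc/security/audit_control and /etc/asl/com.apple.install.
setup_samples() {
  cat > "$AUDIT_CONTROL" <<'EOF'
dir:/var/audit
flags:lo,aa
minfree:5
filesz:2M
expire-after:7d
EOF
  mkdir -p "$ASL_DIR"
  cat > "$ASL_DIR/com.apple.install" <<'EOF'
* file /var/log/install.log format='$((Time)(JZ)) $Host $(Sender)[$(PID)]: $Message' rotate=utc compress file_max=50M size_only ttl=365
EOF
}

# APPL-15-001029: print the expire-after value; the STIG requires exactly "7d".
audit_expire_after() {
  awk -F: '/^expire-after/ {print $2}' "$1"
}

# APPL-15-004050: inspect every file in the ASL directory that writes
# /var/log/install.log. Prints "Yes" when exactly one file sets ttl >= 365 and
# no all_max; otherwise prints the reason ("multiple", "missing", "all_max", "ttl").
asl_install_log_status() {
  dir=$1
  count=$(grep -l 'file /var/log/install.log' "$dir"/* 2>/dev/null | wc -l | tr -d ' ')
  [ "$count" -gt 1 ] && { echo "multiple"; return 1; }   # the NOTE case in the fix text
  [ "$count" -eq 0 ] && { echo "missing"; return 1; }
  line=$(grep -h 'file /var/log/install.log' "$dir"/*)
  case $line in *all_max=*) echo "all_max"; return 1 ;; esac
  ttl=$(printf '%s\n' "$line" | sed -n 's/.*ttl=\([0-9][0-9]*\).*/\1/p')
  if [ -n "$ttl" ] && [ "$ttl" -ge 365 ]; then echo "Yes"; return 0; fi
  echo "ttl"; return 1
}

setup_samples
echo "expire-after: $(audit_expire_after "$AUDIT_CONTROL")"
echo "install.log:  $(asl_install_log_status "$ASL_DIR")"
```

Point AUDIT_CONTROL and ASL_DIR at the real files (and skip setup_samples) to run the same logic against a live system.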

Identities
CCI-001849

Allocate audit log storage capacity to accommodate organization-defined audit record retention requirements.

  • 800-53 Rev. 4 :: AU-4
  • 800-53 Rev. 5 :: AU-4