Information
OSX writes information pertaining to system-related events to the file /var/log/ appfirewall . log and has a configurable retention policy for this file. The default logging setting limits the file size of the logs and the maximum size for all logs with it's own rule in asl.conf. The default allows for an errant application to fill the log files and does not enforce sufficient log retention. The Benchmark recommends a value based on standard use cases. The value should align with local requirements within the organization. The default value has an "all_max" file limitation, no reference to a minimum retention and a less precise rotation argument. The maximum file size limitation string should be removed "all_max=" An organization appropriate retention should be added "ttl=" The rotation should be set with time stamps "rotate=utc" or "rotate=local" Archiving and retaining appfirewall.log for 90 or more days is beneficial in the event of an incident as it will allow the user to view the various changes to the system along with the date and time they occurred.
Solution
Perform the following to implement the prescribed state: Run the following command in Terminal: sudo vim /etc/asl.conf Replace or edit the current setting with a compliant setting > appfirewall.log mode=0640 format=bsd rotate=utc compress file_max=5M ttl=90 Impact: Without log files system maintenance and security forensics cannot be properly performed.