3.5 Retain install.log for 365 or more days

Information

macOS writes information pertaining to system-related events to the file /var/log/install.log and has a configurable retention policy for this file. The default logging setting limits the size of each log file and the maximum combined size of all logs. Because retention is driven by size rather than by age, the default allows an errant application to fill the log files and does not enforce sufficient log retention. The Benchmark recommends a value based on standard use cases; the value should align with local requirements within the organization.

The default value has an 'all_max' total-size limitation, no minimum retention ('ttl') and a less precise rotation argument.

The total log size limitation string 'all_max=' should be removed.

An organization-appropriate retention, in days, should be added with 'ttl='.

The rotation should be set by timestamp with 'rotate=utc' or 'rotate=local'.

Rationale:

Archiving and retaining install.log for at least a year is beneficial in the event of an incident, as it allows the user to view the various changes made to the system along with the date and time they occurred.

Impact:

Without log files, system maintenance and security forensics cannot be properly performed.

Solution

Perform the following to implement the prescribed state:

Run the following command in Terminal:

sudo vim /etc/asl/com.apple.install

Replace or edit the current setting with a compliant setting:

* file /var/log/install.log mode=0640 format=bsd rotate=utc compress file_max=5M ttl=365
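The following read-only audit script is an added example and is not part of the CIS Benchmark or the Tenable plugin. It checks an ASL module file (by default /etc/asl/com.apple.install) for the three conditions described above: no 'all_max=' token, a 'ttl=' value of at least 365, and timestamp rotation with 'rotate=utc' or 'rotate=local'. The sample lines it exercises when run without arguments are constructed for illustration, and the function names are this example's own.

```shell
#!/bin/sh
# Added example, not from the CIS Benchmark or the Tenable plugin.
# Audits the install.log directive in an ASL module file against the three
# criteria: no 'all_max=', a 'ttl=' of at least 365, and timestamp rotation
# ('rotate=utc' or 'rotate=local'). Read-only; nothing on disk is modified.

# check_install_log_line LINE
# Prints the reason and returns 0 when LINE is compliant, 1 otherwise.
check_install_log_line() {
    line=$1

    # Only the install.log file directive is in scope.
    case " $line " in
        *" file /var/log/install.log "*) ;;
        *) echo "not an install.log directive"; return 1 ;;
    esac

    # A total-size cap lets log volume, not age, decide what is kept.
    case " $line " in
        *" all_max="*) echo "non-compliant: all_max= present"; return 1 ;;
    esac

    # Rotation must be by timestamp so a retention in days is meaningful.
    case " $line " in
        *" rotate=utc "*|*" rotate=local "*) ;;
        *) echo "non-compliant: rotate= must be utc or local"; return 1 ;;
    esac

    # Extract the value after 'ttl=' with parameter expansion rather than
    # word-splitting (the leading '*' would otherwise be pathname-expanded).
    case " $line " in
        *" ttl="*) ;;
        *) echo "non-compliant: ttl= missing"; return 1 ;;
    esac
    ttl=${line##* ttl=}
    ttl=${ttl%% *}
    case "$ttl" in
        ''|*[!0-9]*) echo "non-compliant: ttl= is not a number ($ttl)"; return 1 ;;
    esac
    [ "$ttl" -ge 365 ] || { echo "non-compliant: ttl=$ttl is below 365 days"; return 1; }

    echo "compliant: ttl=$ttl"
    return 0
}

# audit_install_log_config [FILE]
# Checks every install.log directive in FILE (default: the live ASL module).
# Returns 0 if all are compliant, 1 if any is not, 2 if FILE is unreadable.
audit_install_log_config() {
    cfg=${1:-/etc/asl/com.apple.install}
    [ -r "$cfg" ] || { echo "cannot read $cfg"; return 2; }
    status=0
    while IFS= read -r l; do
        case "$l" in
            "* file /var/log/install.log"*) check_install_log_line "$l" || status=1 ;;
        esac
    done < "$cfg"
    return $status
}

# Usage: sh check_install_log.sh /etc/asl/com.apple.install
if [ $# -gt 0 ]; then
    audit_install_log_config "$1"
else
    # No argument: demonstrate on two constructed sample lines (status ignored).
    sample='* file /var/log/install.log mode=0640 format=bsd rotate=utc compress file_max=5M all_max=50M'
    check_install_log_line "$sample" || :
    sample='* file /var/log/install.log mode=0640 format=bsd rotate=utc compress file_max=5M ttl=365'
    check_install_log_line "$sample" || :
fi
```

The exit status of audit_install_log_config makes the script usable from a configuration-management or scheduled job: non-zero means the host has drifted from the recommended setting and should be flagged for review.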

See Also

https://workbench.cisecurity.org/files/3092

Item Details

Category: AUDIT AND ACCOUNTABILITY

References: 800-53|AU-11

Plugin: Unix

Control ID: 44ce8920a4e14bd1b9243c109dc7b7f4a9d1b7a08f1a6a371ba9740195b6a3d7