3.4 Ensure security auditing retention

Information

The macOS audit capability contains important information to investigate security or operational issues. This resource is only completely useful if it is retained long enough to allow technical staff to find the root cause of anomalies in the records.

Retention can be set to respect both size and longevity. To retain as much as possible under a certain size the recommendation is to use:

expire-after:60d OR 1G

More info in the man page man audit_control

Rationale:

The audit records need to be retained long enough to be reviewed as necessary.

Impact:

The recommendation is that at least 60 days or 1 gigabyte of audit records are retained. Systems that very little remaining disk space may have issues retaining sufficient data.

Solution

Perform the following to set the audit retention length:
Edit the /etc/security/audit_control file so that expire-after: is at least 60d OR 1G

See Also

https://workbench.cisecurity.org/files/3013

Item Details

Category: AUDIT AND ACCOUNTABILITY

References: 800-53|AU-11, CSCv6|6.3

Plugin: Unix

Control ID: 47c7fdcbb2ba10870bd7e675f70c39f4b14ae08a514fa8da2ff937ef059a2884