Information
The macOS audit capability contains important information to investigate security or operational issues. This resource is only completely useful if it is retained long enough to allow technical staff to find the root cause of anomalies in the records.
Retention can be set to respect both size and longevity. To retain as much as possible under a certain size, the recommendation is to use the following:
expire-after:60d OR 5G
This recomendation is based on minimum storage for review and investigation. When a third party tool is in use to allow remote logging or the store and forwarding of logs, this local storage requirement is not required.
Rationale:
The audit records need to be retained long enough to be reviewed as necessary.
Impact:
The recommendation is that at least 60 days or 5 gigabytes of audit records are retained. Systems that have very little remaining disk space may have issues retaining sufficient data.
Solution
Perform the following to set the audit retention length:
Edit the /etc/security/audit_control file so that expire-after: is at least 60d OR 5G
Default Value:
More info in the man page. To reference the man page use the command $ man audit_control