Detections
Analytics
7.2.2 Audit History and Remove History Items
Information
Organizational management of user web browsing history is a challenge affected by multiple facets. Organizations should decide whether to manage browser history and how much history should be maintained.Rationale:
There are conflicting concerns in the retention of browser history. Unlimited retention:
Consumes disk space
Preferred by on disk forensics teams
User searchable for old visited pages
User privacy concerns
Security concerns to retain old links that may be stale or lead to compromised pages or pages with changes or inappropriate content
Old browser history becomes stale and the use or misuse of the data can lead to unwanted outcomes. Search engine results are maintained and often provide much more relevant current information than old website visit information.
Impact:
If old browsing history is not available, it will not be available to authorized or unauthorized users. Some users may find old and even stale information useful.
NOTE: Nessus has provided the target output to assist in reviewing the benchmark to ensure target compliance.
Solution
Profile Method:Create or edit a configuration profile with the following information:
The PayloadType string is com.apple.Safari
The key to include is HistoryAgeInDaysLimit
The key must be set to: <integer><1,7,14,31,365,36500></integer>
Note: Setting the plist key to a value that is not represented by the GUI could cause issues.
Note: Since the profile method sets a system-wide setting and not a user-level one, the profile method is the preferred method. It is always better to set system-wide than per user.
Additional Information:
To verify individual users:
Audit:
Graphical Method:
Perform the following steps to verify how long the history in Safari is kept:
Open Safari
Select Safari from the menu bar
Select Preferences
Select General
Verify that Remove history items is set to your organization's requirements
or
Open System Preferences
Select Profiles
Verify that an installed profile has HistoryAgeInDaysLimit set to your organization's requirements
Terminal Method:
Run the following command to verify how long Safari keeps history:
$ /usr/bin/sudo -u <username> /usr/bin/defaults read /Users/<username>/Library/Containers/com.apple.Safari/Data/Library/Preferences/com.apple.Safari HistoryAgeInDaysLimit
The output will be:
1 - After one day 7 - After one week 14 - After two weeks 31 - After one month 365 - After one year 36500 - Manually
Note: Setting the plist key to a value that is not represented by the GUI could cause issues.
example:
$ /usr/bin/sudo -u firstuser /usr/bin/defaults read /Users/firstuser/Library/Containers/com.apple.Safari/Data/Library/Preferences/com.apple.Safari HistoryAgeInDaysLimit
1
$ /usr/bin/sudo -u seconduser /usr/bin/defaults read /Users/seconduser/Library/Containers/com.apple.Safari/Data/Library/Preferences/com.apple.Safari HistoryAgeInDaysLimit
7
$ /usr/bin/sudo -u thirduser /usr/bin/defaults read /Users/thirduser/Library/Containers/com.apple.Safari/Data/Library/Preferences/com.apple.Safari HistoryAgeInDaysLimit
14
$ /usr/bin/sudo -u fourthuser /usr/bin/defaults read /Users/fourthuser/Library/Containers/com.apple.Safari/Data/Library/Preferences/com.apple.Safari HistoryAgeInDaysLimit
31
$ /usr/bin/sudo -u fifthuser /usr/bin/defaults read /Users/fifthuser/Library/Containers/com.apple.Safari/Data/Library/Preferences/com.apple.Safari HistoryAgeInDaysLimit
365
$ /usr/bin/sudo -u sixthuser /usr/bin/defaults read /Users/sixthuser/Library/Containers/com.apple.Safari/Data/Library/Preferences/com.apple.Safari HistoryAgeInDaysLimit
36500
Note: To run the Terminal commands, Terminal must be granted Full Disk Access in the Security & Privacy pane in System Preferences.
Remediation:
Graphical Method:
Perform the following steps to set Safari to remove history after a set amount of days:
Open Safari
Select Safari from the menu bar
Select Preferences
Select General
Set Remove history items to your organization's requirements
Terminal Method:
Run the following command to set when Safari will remove history items:
$ /usr/bin/sudo -u <username> /usr/bin/defaults write /Users/<username>/Library/Containers/com.apple.Safari/Data/Library/Preferences/com.apple.Safari HistoryAgeInDaysLimit -int <1,7,14,31,365,36500>
example:
$ /usr/bin/sudo -u firstuser /usr/bin/defaults write /Users/firstuser/Library/Containers/com.apple.Safari/Data/Library/Preferences/com.apple.Safari HistoryAgeInDaysLimit -int 36500
$ /usr/bin/sudo -u seconduser /usr/bin/defaults write /Users/seconduser/Library/Containers/com.apple.Safari/Data/Library/Preferences/com.apple.Safari HistoryAgeInDaysLimit -int 365
$ /usr/bin/sudo -u thirduser /usr/bin/defaults write /Users/thirduser/Library/Containers/com.apple.Safari/Data/Library/Preferences/com.apple.Safari HistoryAgeInDaysLimit -int 31
$ /usr/bin/sudo -u fourthuser /usr/bin/defaults write /Users/fourthuser/Library/Containers/com.apple.Safari/Data/Library/Preferences/com.apple.Safari HistoryAgeInDaysLimit -int 14
$ /usr/bin/sudo -u fifthuser /usr/bin/defaults write /Users/fifthuser/Library/Containers/com.apple.Safari/Data/Library/Preferences/com.apple.Safari HistoryAgeInDaysLimit -int 7
$ /usr/bin/sudo -u sixthuser /usr/bin/defaults write /Users/sixthuser/Library/Containers/com.apple.Safari/Data/Library/Preferences/com.apple.Safari HistoryAgeInDaysLimit -int 1
Note: Setting the plist key to a value that is not represented by the GUI could cause issues.
Note: To run the Terminal commands, Terminal must be granted Full Disk Access in the Security & Privacy pane in System Preferences.
See Also
Item Details
Audit Name: CIS Apple macOS 11.0 Big Sur v4.0.0 L2
Category: CONFIGURATION MANAGEMENT, SYSTEM AND COMMUNICATIONS PROTECTION
References: 800-53|CM-10, 800-53|SC-18, CSCv7|7.1
Plugin: Unix
Control ID: 329968426dbbcda2a5a15c69d392b621d8a95b5863b9524c192408d8ee8bc684