7.2.2 Audit History and Remove History Items

Information

Organizational management of user web browsing history is a challenge affected by multiple facets. Organizations should decide whether to manage browser history and how much history should be maintained.

Rationale:

There are conflicting concerns in the retention of browser history. Unlimited retention:

Consumes disk space

Preferred by on disk forensics teams

User searchable for old visited pages

User privacy concerns

Security concerns to retain old links that may be stale or lead to compromised pages or pages with changes or inappropriate content

Old browser history becomes stale and the use or misuse of the data can lead to unwanted outcomes. Search engine results are maintained and often provide much more relevant current information than old website visit information.

Impact:

If old browsing history is not available, it will not be available to authorized or unauthorized users. Some users may find old and even stale information useful.

NOTE: Nessus has provided the target output to assist in reviewing the benchmark to ensure target compliance.

Solution

Profile Method:
Create or edit a configuration profile with the following information:

The PayloadType string is com.apple.Safari

The key to include is HistoryAgeInDaysLimit

The key must be set to: <integer><1,7,14,31,365,36500></integer>

Note: Setting the plist key to a value that is not represented by the GUI could cause issues.
Note: Since the profile method sets a system-wide setting and not a user-level one, the profile method is the preferred method. It is always better to set system-wide than per user.

Additional Information:

To verify individual users:

Audit:

Graphical Method:

Perform the following steps to verify how long the history in Safari is kept:

Open Safari

Select Safari from the menu bar

Select Preferences

Select General

Verify that Remove history items is set to your organization's requirements

or

Open System Preferences

Select Profiles

Verify that an installed profile has HistoryAgeInDaysLimit set to your organization's requirements

Terminal Method:

Run the following command to verify how long Safari keeps history:

$ /usr/bin/sudo -u <username> /usr/bin/defaults read /Users/<username>/Library/Containers/com.apple.Safari/Data/Library/Preferences/com.apple.Safari HistoryAgeInDaysLimit

The output will be:

1 - After one day 7 - After one week 14 - After two weeks 31 - After one month 365 - After one year 36500 - Manually

Note: Setting the plist key to a value that is not represented by the GUI could cause issues.

example:

$ /usr/bin/sudo -u firstuser /usr/bin/defaults read /Users/firstuser/Library/Containers/com.apple.Safari/Data/Library/Preferences/com.apple.Safari HistoryAgeInDaysLimit

1

$ /usr/bin/sudo -u seconduser /usr/bin/defaults read /Users/seconduser/Library/Containers/com.apple.Safari/Data/Library/Preferences/com.apple.Safari HistoryAgeInDaysLimit

7

$ /usr/bin/sudo -u thirduser /usr/bin/defaults read /Users/thirduser/Library/Containers/com.apple.Safari/Data/Library/Preferences/com.apple.Safari HistoryAgeInDaysLimit

14

$ /usr/bin/sudo -u fourthuser /usr/bin/defaults read /Users/fourthuser/Library/Containers/com.apple.Safari/Data/Library/Preferences/com.apple.Safari HistoryAgeInDaysLimit

31

$ /usr/bin/sudo -u fifthuser /usr/bin/defaults read /Users/fifthuser/Library/Containers/com.apple.Safari/Data/Library/Preferences/com.apple.Safari HistoryAgeInDaysLimit

365

$ /usr/bin/sudo -u sixthuser /usr/bin/defaults read /Users/sixthuser/Library/Containers/com.apple.Safari/Data/Library/Preferences/com.apple.Safari HistoryAgeInDaysLimit

36500

Note: To run the Terminal commands, Terminal must be granted Full Disk Access in the Security & Privacy pane in System Preferences.

Remediation:

Graphical Method:

Perform the following steps to set Safari to remove history after a set amount of days:

Open Safari

Select Safari from the menu bar

Select Preferences

Select General

Set Remove history items to your organization's requirements

Terminal Method:

Run the following command to set when Safari will remove history items:

$ /usr/bin/sudo -u <username> /usr/bin/defaults write /Users/<username>/Library/Containers/com.apple.Safari/Data/Library/Preferences/com.apple.Safari HistoryAgeInDaysLimit -int <1,7,14,31,365,36500>

example:

$ /usr/bin/sudo -u firstuser /usr/bin/defaults write /Users/firstuser/Library/Containers/com.apple.Safari/Data/Library/Preferences/com.apple.Safari HistoryAgeInDaysLimit -int 36500

$ /usr/bin/sudo -u seconduser /usr/bin/defaults write /Users/seconduser/Library/Containers/com.apple.Safari/Data/Library/Preferences/com.apple.Safari HistoryAgeInDaysLimit -int 365

$ /usr/bin/sudo -u thirduser /usr/bin/defaults write /Users/thirduser/Library/Containers/com.apple.Safari/Data/Library/Preferences/com.apple.Safari HistoryAgeInDaysLimit -int 31

$ /usr/bin/sudo -u fourthuser /usr/bin/defaults write /Users/fourthuser/Library/Containers/com.apple.Safari/Data/Library/Preferences/com.apple.Safari HistoryAgeInDaysLimit -int 14

$ /usr/bin/sudo -u fifthuser /usr/bin/defaults write /Users/fifthuser/Library/Containers/com.apple.Safari/Data/Library/Preferences/com.apple.Safari HistoryAgeInDaysLimit -int 7

$ /usr/bin/sudo -u sixthuser /usr/bin/defaults write /Users/sixthuser/Library/Containers/com.apple.Safari/Data/Library/Preferences/com.apple.Safari HistoryAgeInDaysLimit -int 1

Note: Setting the plist key to a value that is not represented by the GUI could cause issues.

Note: To run the Terminal commands, Terminal must be granted Full Disk Access in the Security & Privacy pane in System Preferences.

See Also

https://workbench.cisecurity.org/benchmarks/14563

Item Details

Category: CONFIGURATION MANAGEMENT, SYSTEM AND COMMUNICATIONS PROTECTION

References: 800-53|CM-10, 800-53|SC-18, CSCv7|7.1

Plugin: Unix

Control ID: 329968426dbbcda2a5a15c69d392b621d8a95b5863b9524c192408d8ee8bc684