APPL-13-001030 - The macOS system must provide an immediate warning to the System Administrator (SA) and Information System Security Officer (ISSO) (at a minimum) when allocated audit record storage volume reaches 75 percent of repository maximum audit record storage capacity.

Information

The audit service must be configured to require a minimum percentage of free disk space to run. This ensures that audit will notify the administrator that action is required to free up more disk space for audit logs.

When 'minfree' is set to 25 percent, security personnel are notified immediately when the storage volume is 75 percent full and are able to plan for audit record storage capacity expansion.

Solution

Configure the macOS system to require 25 percent free disk space for audit record storage with the following command:

/usr/bin/sudo /usr/bin/sed -i.bak 's/.*minfree.*/minfree:25/' /etc/security/audit_control; /usr/bin/sudo /usr/sbin/audit -s

Alternatively, use a text editor to update the '/etc/security/audit_control' file.

See Also

https://dl.dod.cyber.mil/wp-content/uploads/stigs/zip/U_Apple_macOS_13_V1R4_STIG.zip

Item Details

Category: AUDIT AND ACCOUNTABILITY

References: 800-53|AU-5(1), CAT|III, CCI|CCI-001855, Rule-ID|SV-257180r905173_rule, STIG-ID|APPL-13-001030, Vuln-ID|V-257180

Plugin: Unix

Control ID: 2efbfdaece27fcd7810c0f1a910fc7cdbc6aa87c37ae6b36d865eb5c38d7cf98