Catalina - Configure Audit Retention to a Minimum of Seven Days

Information

The audit service _MUST_ be configured to require records be kept for seven days or longer before deletion, unless the system uses a central audit record storage facility.

When "expire-after" is set to "7d", the audit service will not delete audit logs until the log data is at least seven days old.

Solution

[source,bash]
----
/usr/bin/sed -i.bak 's/^expire-after.*/expire-after:7d/' /etc/security/audit_control; /usr/sbin/audit -s
----

See Also

https://github.com/usnistgov/macos_security

Item Details

Category: AUDIT AND ACCOUNTABILITY

References: 800-53|AU-4, 800-53|AU-11, CCE|CCE-84719-4, CCI|CCI-001849, STIG-ID|AOSX-15-001029

Plugin: Unix

Control ID: 7c5ebff0a6ad43101498330233a2cbf0882c8a18adfd1dfc1f7f61a91a870460