The macOS system must configure audit retention to seven days.
Severity | Group ID | Group Title | Version | Rule ID | Date | STIG Version |
|---|---|---|---|---|---|---|
| low | V-268467 | SRG-OS-000341-GPOS-00132 | APPL-15-001029 | SV-268467r1034341_rule | 2025-02-20 | 1 |
| Description |
|---|
| The audit service must be configured to require that records be kept for an organizational-defined value before deletion unless the system uses a central audit record storage facility. When "expire-after" is set to "7d", the audit service will not delete audit logs until the log data criteria is met. |
| ℹ️ Check |
|---|
| Verify the macOS system is configured to set audit retention to seven days with the following command: /usr/bin/awk -F: '/expire-after/{print $2}' /etc/security/audit_control If the result is not "7d", this is a finding. |
| ✔️ Fix |
|---|
| Configure the macOS system to set audit retention to seven days with the following command: /usr/bin/sed -i.bak 's/^expire-after.*/expire-after:7d/' /etc/security/audit_control; /usr/sbin/audit -s |