macOS 26 - Tahoe
The macOS system must configure audit retention to seven days
STIG ID:
APPL-26-001029
|
SRG:
SRG-OS-000341-GPOS-00132
|
Severity:
Low
|
CCI:
CCI-001849
|
Vulnerability ID:
V-277074
Description
The audit service must be configured to require that records be kept for an organizational-defined value before deletion unless the system uses a central audit record storage facility.
When "expire-after" is set to "7d", the audit service will not delete audit logs until the log data criteria is met.
Check
C-81229r1148672_chk
Verify the macOS system is configured to set audit retention to seven days with the following command:
/usr/bin/awk -F: '/expire-after/{print $2}' /etc/security/audit_control
If the result is not "7d", this is a finding.
Fix
F-81134r1148673_fix
Configure the macOS system to set audit retention to seven days with the following command:
/usr/bin/sed -i.bak 's/^expire-after.*/expire-after:7d/' /etc/security/audit_control; /usr/sbin/audit -s