Big Sur - Configure Audit Retention to a Minimum of Seven Days

Information

The audit service _MUST_ be configured to require that records be kept for seven days or longer before deletion, unless the system uses a central audit record storage facility.

When "expire-after" is set to "7d", the audit service will not delete audit logs until the log data is at least seven days old.

Solution

[source,bash]
----
/usr/bin/sed -i.bak 's/^expire-after.*/expire-after:7d/' /etc/security/audit_control; /usr/sbin/audit -s
----
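As an added check, not part of this audit item or the macos_security project, the following POSIX shell script parses the expire-after value from an audit_control file and reports whether it guarantees at least seven days of retention. The sample file is constructed; the unit handling assumes the audit_control(5) convention that lowercase s/m/h/d/y are time units while uppercase B/K/M/G are sizes, so a size-only value such as 10M gives no time guarantee and is treated as non-compliant.

```shell
#!/bin/sh
# Added example: verify that expire-after in an audit_control file keeps
# audit logs for at least seven days. Exit status of retention_ok is 0 when
# compliant, 1 otherwise.

# Constructed sample config (a size-only limit, the shape of the stock
# macOS default). A live check would read /etc/security/audit_control.
SAMPLE_CONF=${TMPDIR:-/tmp}/audit_control.sample
cat >"$SAMPLE_CONF" <<'EOF'
dir:/var/audit
flags:lo,aa
minfree:5
naflags:lo,aa
policy:cnt,argv
filesz:2M
expire-after:10M
EOF

# expire_after_days FILE -> prints the time-based retention in whole days,
# or 0 when the setting is missing or contains no time unit (size-only).
expire_after_days() {
    value=$(sed -n 's/^expire-after:[[:space:]]*//p' "$1" | head -n 1)
    for tok in $value; do            # tokens may be joined by AND / OR
        case $tok in
            *[smhdy]) ;;             # candidate time token (lowercase unit)
            *) continue ;;           # size token (10M) or keyword (AND/OR)
        esac
        num=${tok%?}
        unit=${tok#"$num"}
        case $num in
            ''|*[!0-9]*) continue ;; # not a plain integer, skip
        esac
        case $unit in
            s) echo $((num / 86400)) ;;
            m) echo $((num / 1440)) ;;
            h) echo $((num / 24)) ;;
            d) echo "$num" ;;
            y) echo $((num * 365)) ;;
        esac
        return 0
    done
    echo 0
}

# retention_ok FILE -> 0 when retention is >= 7 days, 1 otherwise
retention_ok() {
    days=$(expire_after_days "$1")
    [ "$days" -ge 7 ]
}

if retention_ok "$SAMPLE_CONF"; then
    echo "PASS: expire-after keeps audit logs for at least 7 days"
else
    echo "FAIL: expire-after gives no 7-day guarantee: $(sed -n 's/^expire-after://p' "$SAMPLE_CONF")"
fi
```

Note that the sed one-liner in the Solution only rewrites an existing expire-after line; a file that lacks the line is left unchanged, and this check reports it as non-compliant.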

See Also

https://github.com/usnistgov/macos_security

Item Details

Category: AUDIT AND ACCOUNTABILITY

References: 800-53|AU-4, 800-53|AU-11, CCE|CCE-85272-3, CCI|CCI-001849, STIG-ID|APPL-11-001029

Plugin: Unix

Control ID: 104ea39edd30853420fcdafb012c8af53313d4d9170ad27a23dc3801accc16ae