Monterey - Configure Audit Retention to a Minimum of Seven Days

Information

The audit service _MUST_ be configured to require records be kept for seven days or longer before deletion, unless the system uses a central audit record storage facility.

When "expire-after" is set to "7d", the audit service will not delete audit logs until the log data is at least seven days old.

Solution

[source,bash]
----
/usr/bin/sed -i.bak 's/^expire-after.*/expire-after:7d/' /etc/security/audit_control; /usr/sbin/audit -s
----

See Also

https://github.com/usnistgov/macos_security

Item Details

Category: AUDIT AND ACCOUNTABILITY

References: 800-53|AU-4, 800-53|AU-11, CCE|CCE-90875-6, CCI|CCI-001849

Plugin: Unix

Control ID: c8cc9618a64f43600861de5901131386d37ff068e95b516b1b9d573ed7e306be