The operating system must allocate audit record storage capacity to store at least one weeks worth of audit records, when audit records are not immediately sent to a central audit record storage facility.

From Apple OS X 10.10 (Yosemite) Workstation Security Technical Implementation Guide

Associated with: CCI-001849

SV-74027r1_rule The operating system must allocate audit record storage capacity to store at least one weeks worth of audit records, when audit records are not immediately sent to a central audit record storage facility.

Vulnerability discussion

The audit service must be configured to require that records are kept for 7 days or longer before deletion when there is no central audit record storage facility. When expire-after is set to 7d, the audit service will not delete audit logs until the log data is at least 7 days old.

Check content

The check displays the amount of time the audit system is configured to retain audit log files. The audit system will not delete logs until the specified condition has been met. To view the current setting, run the following command: sudo grep ^expire-after /etc/security/audit_control If this returns no results, or does not contain 7d or a larger value, this is a finding.

Fix text

Edit the /etc/security/audit_control file, and change the value for 'expire-after' to the amount of time audit logs should be kept for the system. Use the following command to set the 'expire-after' value to '7d': sudo sed -i.bak 's/.*expire-after.*/expire-after:7d/' /etc/security/audit_control; sudo audit -s

Pro Tips

Lavender hyperlinks in small type off to the right (of CSS class id, if you view the page source) point to globally unique URIs for each document and item. Copy the link location and paste anywhere you need to talk unambiguously about these things.

You can obtain data about documents and items in other formats. Simply provide an HTTP header Accept: text/turtle or Accept: application/rdf+xml.