Details
The audit service _MUST_ be configured to require records be kept for seven days or longer before deletion, unless the system uses a central audit record storage facility.
When “expire-after” is set to “7d”, the audit service will not delete audit logs until the log data is at least seven days old.
Solution
Run the following bash command:
/usr/bin/sed -i.bak 's/^expire-after.*/expire-after:7d/' /etc/security/audit_control; /usr/sbin/audit -s
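The sed command above changes nothing when audit_control has no expire-after line, and it resets a longer retention period to 7d. The following added example (not part of the original control text) checks the current value first and handles both cases. The function names, and the choice to treat size-based or combined AND/OR values as non-compliant, are assumptions of this example.

```sh
#!/bin/sh
# Added example, not part of the original control text.
# The file path is an argument so the functions can be tried on a copy first.

# Print the expire-after value (last occurrence; empty if the line is absent).
get_expire_after() {
  sed -n -e 's/[[:space:]]*$//' -e 's/^expire-after:[[:space:]]*//p' "$1" | tail -n 1
}

# Succeed only for a plain time value of at least seven days.
# Suffixes s/h/d/y follow audit_control(5); size-based or AND/OR values
# are treated as non-compliant (assumption made for this example).
is_compliant() {
  value=$(get_expire_after "$1")
  num=${value%[shdy]}
  unit=${value#"$num"}
  case "$num" in ''|*[!0-9]*) return 1 ;; esac
  case "$unit" in
    s) mult=1 ;; h) mult=3600 ;; d) mult=86400 ;; y) mult=31536000 ;;
    *) return 1 ;;
  esac
  num=$(echo "$num" | sed 's/^0*//')       # avoid octal parsing of e.g. 07
  [ $(( ${num:-0} * $mult )) -ge 604800 ]  # 604800 s = 7 days
}

# Set expire-after:7d only when needed: a longer retention is left alone,
# and a missing line is appended (the sed one-liner above skips that case).
enforce_expire_after() {
  is_compliant "$1" && return 0
  cp -p "$1" "$1.bak"
  if grep -q '^expire-after' "$1"; then
    sed 's/^expire-after.*/expire-after:7d/' "$1.bak" > "$1"
  else
    [ -z "$(tail -c 1 "$1")" ] || echo >> "$1"   # ensure trailing newline
    echo 'expire-after:7d' >> "$1"
  fi
}

# Constructed sample file (not taken from a real system).
sample=$(mktemp)
printf 'dir:/var/audit\nflags:lo,aa\nexpire-after:10M\n' > "$sample"
is_compliant "$sample" || echo "non-compliant: $(get_expire_after "$sample")"
enforce_expire_after "$sample" && echo "now: $(get_expire_after "$sample")"
rm -f "$sample" "$sample.bak"
```

When the functions are pointed at /etc/security/audit_control itself, reload the configuration afterwards with /usr/sbin/audit -s, as in the command above.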
----
Supportive Information
The following resource is also helpful.
This security hardening control applies to the following category of controls within NIST 800-53: Audit and Accountability. This control applies to the following type of system: Unix.
References
- 800-53|AU-4
- 800-53|AU-11
- CCE|CCE-90875-6
- CCI|CCI-001849