|Platform: macosx10.10||Date: (C)2015-06-23 (M)2018-03-17|
Ensure Audit Logs are Kept for 1 Week or Longer
The audit service must be configured to require that records are kept for 7 days or longer before deletion when there is no central audit record storage facility. When expire-after is set to 7d, the audit service will not delete audit logs until the log data is at least 7 days old.
Number of days
The check displays the amount of time the audit system is configured to retain audit log files. The audit system will not delete logs until the specified condition has been met. To view the current setting, run the following command:
sudo grep ^expire-after /etc/security/audit_control
If this returns no results, or does not contain 7d or a larger value, this is a finding.
|SCAP Repo OVAL Definition||oval:org.secpod.oval:def:25098|