mirror of
https://github.com/usnistgov/macos_security.git
synced 2026-02-03 05:53:24 +00:00
57 lines
1.8 KiB
YAML
57 lines
1.8 KiB
YAML
id: os_install_log_retention_configure
|
|
title: "Configure Install.log Retention to $ODV"
|
|
discussion: |
|
|
The install.log _MUST_ be configured to require records be kept for a organizational defined value before deletion, unless the system uses a central audit record storage facility.
|
|
check: |
|
|
/usr/sbin/aslmanager -dd 2>&1 | /usr/bin/awk '/\/var\/log\/install.log/ {count++} /Processing module com.apple.install/,/Finished/ { for (i=1;i<=NR;i++) { if ($i == "TTL" && $(i+2) >= $ODV) { ttl="True" }; if ($i == "MAX") {max="True"}}} END{if (count > 1) { print "Multiple config files for /var/log/install, manually remove"} else if (ttl != "True") { print "TTL not configured" } else if (max == "True") { print "Max Size is configured, must be removed" } else { print "Yes" }}'
|
|
result:
|
|
string: "Yes"
|
|
fix: |
|
|
[source,bash]
|
|
----
|
|
/usr/bin/sed -i '' "s/\* file \/var\/log\/install.log.*/\* file \/var\/log\/install.log format='\$\(\(Time\)\(JZ\)\) \$Host \$\(Sender\)\[\$\(PID\\)\]: \$Message' rotate=utc compress file_max=50M size_only ttl=$ODV/g" /etc/asl/com.apple.install
|
|
----
|
|
|
|
NOTE: If there are multiple configuration files in /etc/asl that are set to process the file /var/log/install.log, these files will have to be manually removed.
|
|
references:
|
|
cce:
|
|
- CCE-92811-9
|
|
cci:
|
|
- N/A
|
|
800-53r5:
|
|
- AU-11
|
|
- AU-4
|
|
800-53r4:
|
|
- AU-11
|
|
- AU-4
|
|
srg:
|
|
- N/A
|
|
disa_stig:
|
|
- N/A
|
|
800-171r2:
|
|
- N/A
|
|
cis:
|
|
benchmark:
|
|
- 3.3 (level 1)
|
|
controls v8:
|
|
- 8.1
|
|
- 8.3
|
|
cmmc:
|
|
- AU.L2-3.3.1
|
|
macOS:
|
|
- "14.0"
|
|
odv:
|
|
hint: "Number of days."
|
|
recommended: 365
|
|
cis_lvl1: 365
|
|
cis_lvl2: 365
|
|
tags:
|
|
- cis_lvl1
|
|
- cis_lvl2
|
|
- cisv8
|
|
- cnssi-1253_moderate
|
|
- cnssi-1253_low
|
|
- cnssi-1253_high
|
|
- cmmc_lvl2
|
|
mobileconfig: false
|
|
mobileconfig_info: |