Check: APPL-15-004050
Apple macOS 15 (Sequoia) STIG:
APPL-15-004050
(in versions v1 r1 through v1 r3)
Title
The macOS system must configure install.log retention to 365. (Cat III impact)
Discussion
The install.log must be configured to require that records be kept for an organization-defined value before deletion, unless the system uses a central audit record storage facility. Proper audit storage capacity is crucial to ensuring the ongoing logging of critical events.
Check Content
Verify the macOS system is configured with an install.log retention of 365 days with the following command:

```shell
/usr/sbin/aslmanager -dd 2>&1 | /usr/bin/awk '/\/var\/log\/install.log$/ {count++} /Processing module com.apple.install/,/Finished/ { for (i=1;i<=NR;i++) { if ($i == "TTL" && $(i+2) >= 365) { ttl="True" }; if ($i == "MAX") {max="True"}}} END{if (count > 1) { print "Multiple config files for /var/log/install, manually remove the extra files"} else if (max == "True") { print "all_max setting is configured, must be removed" } if (ttl != "True") { print "TTL not configured" } else { print "Yes" }}'
```

If the result is not "Yes", this is a finding. Note that the awk END block prints its "TTL not configured" or "Yes" line independently of the two earlier warnings, so the command can print "Multiple config files for /var/log/install, manually remove the extra files" or "all_max setting is configured, must be removed" followed by "Yes"; treat any output other than the single line "Yes" as a finding.
Fix Text
Configure the macOS system with an install.log retention of 365 days with the following command (the `sed -i ''` form is the BSD sed syntax that ships with macOS):

```shell
/usr/bin/sed -i '' "s/\* file \/var\/log\/install.log.*/\* file \/var\/log\/install.log format='\$\(\(Time\)\(JZ\)\) \$Host \$\(Sender\)\[\$\(PID\\)\]: \$Message' rotate=utc compress file_max=50M size_only ttl=365/g" /etc/asl/com.apple.install
```

The substitution replaces the whole rule line for /var/log/install.log, so the resulting line carries no all_max cap (which the check flags as a finding) and sets ttl=365. NOTE: If multiple configuration files in /etc/asl are set to process the file /var/log/install.log, these files must be manually removed.
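The following POSIX sh script is an added worked example of the check and fix described above; it is not the STIG's own check or fix text and not part of macOS. It reads the ASL rule files directly rather than parsing `aslmanager -dd` output, reproduces the three failure modes the check looks for (more than one configuration file feeding /var/log/install.log, an all_max cap present, ttl missing or below the required days), and applies the fix portably. Assumptions: the ASL directory is passed as an argument so the functions can be run against a constructed copy instead of the live /etc/asl; the sample com.apple.install file is constructed for this example and is not a verbatim copy of Apple's shipped file; and the fix edits only the all_max= and ttl= tokens of the rule line instead of rewriting the whole line as the STIG's sed command does.

```shell
#!/bin/sh
# Added example for the APPL-15-004050 check and fix; not the STIG's own text.
# Assumption: the ASL configuration directory is passed as $1 so the functions
# can be exercised against a constructed copy instead of /etc/asl.

# Evaluate the /var/log/install.log rule in every ASL config file under $1.
# Prints one verdict line and returns 0 only when compliant. The failure modes
# mirror the STIG check: more than one config file feeds install.log, an
# all_max cap is present, or ttl is missing / below $2 days (default 365).
check_install_log_retention() {
    asl_dir=$1
    min_ttl=${2:-365}
    files=0
    max_seen=0
    ttl_ok=0
    ttl_val=""
    for cfg in "$asl_dir"/*; do
        [ -f "$cfg" ] || continue
        rules=$(grep -E '^\* file /var/log/install\.log( |$)' "$cfg") || continue
        files=$((files + 1))
        set -f    # rule lines begin with '*'; keep the shell from globbing it
        for tok in $rules; do
            case $tok in
                all_max=*) max_seen=1 ;;
                ttl=*)
                    ttl_val=${tok#ttl=}
                    [ "$ttl_val" -ge "$min_ttl" ] 2>/dev/null && ttl_ok=1
                    ;;
            esac
        done
        set +f
    done
    if [ "$files" -eq 0 ]; then
        echo "No rule for /var/log/install.log found in $asl_dir"
        return 1
    elif [ "$files" -gt 1 ]; then
        echo "Multiple config files for /var/log/install.log, manually remove the extra files"
        return 1
    elif [ "$max_seen" -eq 1 ]; then
        echo "all_max setting is configured, must be removed"
        return 1
    elif [ "$ttl_ok" -eq 0 ]; then
        echo "TTL not configured (ttl=${ttl_val:-unset}, need >= $min_ttl)"
        return 1
    fi
    echo "Yes"
}

# Apply the fix portably (the STIG's "sed -i ''" form is BSD-only): on the
# install.log rule line in file $1, drop any existing all_max= and ttl= tokens
# and append ttl=$2 (default 365). Unlike the STIG's command this leaves the
# rest of the rule (format, rotate, file_max ...) untouched. The result is
# written back through the original file so its owner and mode are kept.
fix_install_log_retention() {
    cfg=$1
    days=${2:-365}
    tmp="$cfg.tmp.$$"
    sed -e '/^\* file \/var\/log\/install\.log/{' \
        -e 's/ all_max=[^ ]*//g' \
        -e 's/ ttl=[^ ]*//g' \
        -e "s/\$/ ttl=$days/" \
        -e '}' "$cfg" > "$tmp" && cat "$tmp" > "$cfg" && rm -f "$tmp"
}

# Constructed stand-in for /etc/asl/com.apple.install in its shipped shape
# (rule line capped by all_max, no ttl). NOT a verbatim copy of Apple's file;
# only the rule line matters, and it matches the pattern the STIG's sed targets.
make_sample_asl_dir() {
    d=$(mktemp -d)
    cat > "$d/com.apple.install" <<'EOF'
# install.log rule (constructed sample for this example, not Apple's file)
* file /var/log/install.log format='$((Time)(JZ)) $Host $(Sender)[$(PID)]: $Message' rotate=utc compress file_max=50M size_only all_max=500M
EOF
    echo "$d"
}

# On a real host run as root: check_install_log_retention /etc/asl
#                             fix_install_log_retention /etc/asl/com.apple.install
```

Because the verdict strings match the STIG check's wording, the function can stand in for the aslmanager pipeline in a compliance scan; the constructed sample lets you see the all_max finding, the fix, and the "Yes" result without touching /etc/asl.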
Additional Identifiers
Rule ID: SV-268554r1034602_rule
Vulnerability ID: V-268554
Group Title: SRG-OS-000341-GPOS-00132
Expert Comments
CCIs
Number | Definition
---|---
CCI-001849 | Allocate audit log storage capacity to accommodate organization-defined audit log retention requirements.
Controls
Number | Title
---|---
AU-4 | Audit Storage Capacity