The macOS system must configure audit retention to seven days.

Overview

Finding ID	Version	Rule ID	IA Controls	Severity
V-268467	APPL-15-001029	SV-268467r1034341_rule		Low

Description

The audit service must be configured to require that records be kept for an organizational-defined value before deletion unless the system uses a central audit record storage facility. When "expire-after" is set to "7d", the audit service will not delete audit logs until the log data criteria is met.

STIG	Date
Apple macOS 15 (Sequoia) Security Technical Implementation Guide	2025-05-05

Details

Check Text (C-72497r1034339_chk)

Verify the macOS system is configured to set audit retention to seven days with the following command:

/usr/bin/awk -F: '/expire-after/{print $2}' /etc/security/audit_control

If the result is not "7d", this is a finding.

Fix Text (F-72398r1034340_fix)

Configure the macOS system to set audit retention to seven days with the following command:

/usr/bin/sed -i.bak 's/^expire-after.*/expire-after:7d/' /etc/security/audit_control; /usr/sbin/audit -s