The macOS system must configure install.log retention to 365.

Overview

Finding ID: V-268554
Version: APPL-15-004050
Rule ID: SV-268554r1034602_rule
IA Controls: (none listed)
Severity: Low
Description
The install.log must be configured so that records are retained for an organization-defined period before deletion, unless the system forwards its audit records to a central audit record storage facility. Adequate audit storage capacity is crucial to ensuring that critical events continue to be logged rather than aged out of the log prematurely.
STIG: Apple macOS 15 (Sequoia) Security Technical Implementation Guide
Date: 2025-05-05

Details

Check Text (C-72584r1034600_chk)
Verify the macOS system is configured to retain install.log for at least 365 days with the following command:

/usr/sbin/aslmanager -dd 2>&1 | /usr/bin/awk '/\/var\/log\/install.log$/ {count++} /Processing module com.apple.install/,/Finished/ { for (i=1;i<=NF;i++) { if ($i == "TTL" && $(i+2) >= 365) { ttl="True" }; if ($i == "MAX") {max="True"}}} END{if (count > 1) { print "Multiple config files for /var/log/install, manually remove the extra files"} else if (max == "True") { print "all_max setting is configured, must be removed" } if (ttl != "True") { print "TTL not configured" } else { print "Yes" }}'

The command dumps the aslmanager module configuration, counts how many module rules write to /var/log/install.log, and, within the com.apple.install module, walks the fields of each line looking for a TTL of at least 365 and for any MAX (all_max) setting. More than one rule file, an all_max setting, or a missing or too-short TTL each produce a message instead of "Yes".

If the result is not "Yes", this is a finding.
Fix Text (F-72485r1034601_fix)
Configure the macOS system to retain install.log for 365 days with the following command:

/usr/bin/sed -i '' "s/\* file \/var\/log\/install.log.*/\* file \/var\/log\/install.log format='\$\(\(Time\)\(JZ\)\) \$Host \$\(Sender\)\[\$\(PID\\)\]: \$Message' rotate=utc compress file_max=50M size_only ttl=365/g" /etc/asl/com.apple.install

The substitution replaces the entire install.log rule line in /etc/asl/com.apple.install with the default format and file_max=50M plus ttl=365, so any local customization of those options on that line is overwritten.

NOTE: If more than one configuration file in /etc/asl is set to process the file /var/log/install.log, the extra files must be removed manually; the check reports a finding as long as multiple rule files exist. The check also fails if an all_max (MAX) setting applies to the com.apple.install module, and that setting must be removed as well.
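The check text depends on a live aslmanager -dd dump, so it cannot be exercised off a macOS host. The script below is an added example, not part of the STIG, of the Fix Text, or of any Apple tooling: it reproduces the check's three verdicts (multiple rule files, TTL not configured, Yes) from the module files in an /etc/asl-style directory, and sets ttl= on the install.log rule in a way that keeps the line's existing format= and file_max= options and also runs on GNU sed. The directory layout, the sample com.apple.install contents and all function names are constructed for the demonstration; the only assumption carried over from the page is that the rule line has the shape quoted in the Fix Text.

```shell
#!/bin/sh
# Added example; not part of the STIG text or its Fix Text.
# File-level check of install.log retention against asl module files, plus a
# portable way to set ttl=. Assumptions (not from the STIG): the rule line
# looks like the one quoted in the Fix Text ("* file /var/log/install.log ...
# ttl=N"); the directory and sample module files below are constructed.

# install_log_ttl FILE
#   Print the ttl= value (days) on the install.log rule line; 0 if the rule
#   exists without a ttl; -1 if FILE has no install.log rule at all.
install_log_ttl() {
  awk '
    /^\* file \/var\/log\/install\.log/ {
      seen = 1
      for (i = 1; i <= NF; i++)             # walk the fields of this line
        if ($i ~ /^ttl=[0-9]+$/) { sub(/^ttl=/, "", $i); ttl = $i }
    }
    END { if (!seen) print "-1"; else if (ttl == "") print 0; else print ttl }
  ' "$1"
}

# install_log_rule_files DIR
#   Count module files in DIR that route output to /var/log/install.log.
#   The STIG wants exactly one; any extra file must be removed by hand.
install_log_rule_files() {
  grep -l 'file /var/log/install\.log' "$1"/* 2>/dev/null | wc -l | tr -d ' '
}

# set_install_log_ttl FILE DAYS
#   Drop any existing ttl= token from the install.log rule line and append
#   ttl=DAYS. Unlike the Fix Text's sed, this keeps the line's current
#   format= and file_max= options and avoids the BSD-only "sed -i ''".
set_install_log_ttl() {
  tmp="$1.tmp.$$"
  sed -e "/^\* file \/var\/log\/install\.log/{s/ ttl=[0-9]*//;s/\$/ ttl=$2/;}" "$1" > "$tmp" \
    && mv "$tmp" "$1"
}

# check_install_log_retention DIR [MIN_DAYS]
#   Reproduce the STIG check's verdicts from module files instead of
#   aslmanager output. Prints the verdict; exit status 0 only for "Yes".
check_install_log_retention() {
  dir="$1"; min="${2:-365}"
  n="$(install_log_rule_files "$dir")"
  if [ "$n" -gt 1 ]; then
    echo "Multiple config files for /var/log/install.log, manually remove the extra files"
    return 1
  fi
  if [ ! -f "$dir/com.apple.install" ]; then
    echo "com.apple.install module not found"
    return 1
  fi
  ttl="$(install_log_ttl "$dir/com.apple.install")"
  if [ "$ttl" -ge "$min" ]; then
    echo "Yes"
    return 0
  fi
  echo "TTL not configured"
  return 1
}

# make_sample_asl_dir
#   Build a constructed stand-in for /etc/asl in a temp directory holding one
#   com.apple.install module whose rule line has no ttl (the state the Fix
#   Text's sed rewrites). Prints the directory path.
make_sample_asl_dir() {
  d="$(mktemp -d)"
  cat > "$d/com.apple.install" <<'EOF'
# constructed sample; rule line modelled on the one quoted in the Fix Text
* file /var/log/install.log format='$((Time)(JZ)) $Host $(Sender)[$(PID)]: $Message' rotate=utc compress file_max=50M size_only
EOF
  echo "$d"
}

# Walk the sample through the finding, the fix and the re-check.
demo() {
  d="$(make_sample_asl_dir)"
  echo "before: $(check_install_log_retention "$d" || :)"
  set_install_log_ttl "$d/com.apple.install" 365
  echo "after:  $(check_install_log_retention "$d" || :)"
  cat "$d/com.apple.install"
  rm -rf "$d"
}
demo
```

Point check_install_log_retention at /etc/asl on a real host to compare its verdict with the aslmanager-based check; the two should agree, since aslmanager reads the same module files. The awk loop is bounded by NF so it only ever examines fields that exist on the current line, and the setter edits via a temp file and mv rather than in place, which keeps it portable between BSD and GNU sed.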