Help

Is there a way to enable reasonable security audit log retention via script to comply with CIS Level

Go to solution
deep786
New Contributor II

Posted on ‎05-02-2023 05:20 AM

Is there a way to enable reasonable security audit log retention via script to comply with CIS Level 1 requirements? Thank in advance

0 Kudos
1 ACCEPTED SOLUTION

Go to solution
YanW
Contributor III
In response to deep786

Posted on ‎05-02-2023 06:08 AM

For Ventura, try this

chflags nouchg /etc/security/audit_control; sleep 2; /usr/bin/sed -i.bak 's/^expire-after.*/expire-after:60d OR 1G/' /etc/security/audit_control; /usr/sbin/audit -s

 

View solution in original post

4 REPLIES 4

Go to solution
ThijsX
Valued Contributor
Valued Contributor

Posted on ‎05-02-2023 05:32 AM

Hey @deep786 

Yes this can be achieve with the following where $ODV is the organisational defined value.

/usr/bin/sed -i.bak 's/^expire-after.*/expire-after:$ODV/' /etc/security/audit_control; /usr/sbin/audit -s

 

To check the current set value

 

/usr/bin/awk -F: '/expire-after/{print $2}' /etc/security/audit_control

 

Hopefully this is helpful!

 

Cheers,

Thijs

 

0 Kudos

Go to solution
deep786
New Contributor II
In response to ThijsX

Posted on ‎05-02-2023 05:53 AM

not able to edit "audit_control" file , Error permission denied

0 Kudos

Go to solution
deep786
New Contributor II

Posted on ‎05-02-2023 06:02 AM

I am login as a root user but still not able to edit.

image (11).png

0 Kudos

Go to solution
YanW
Contributor III
In response to deep786

Posted on ‎05-02-2023 06:08 AM

For Ventura, try this

chflags nouchg /etc/security/audit_control; sleep 2; /usr/bin/sed -i.bak 's/^expire-after.*/expire-after:60d OR 1G/' /etc/security/audit_control; /usr/sbin/audit -s