Is there a way to enable reasonable security audit log retention via script to comply with CIS Level

deep786
New Contributor II

Is there a way to enable reasonable security audit log retention via script to comply with CIS Level 1 requirements? Thanks in advance.

1 ACCEPTED SOLUTION

YanW
Contributor III

For Ventura, try this:

chflags nouchg /etc/security/audit_control; sleep 2; /usr/bin/sed -i.bak 's/^expire-after.*/expire-after:60d OR 1G/' /etc/security/audit_control; /usr/sbin/audit -s
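The same three steps as the accepted answer (clear the uchg flag, rewrite the expire-after line, re-read the configuration), wrapped in a shell function as an added example that is not from the thread. It assumes the file path and the retention value are passed as arguments, validates the value before touching the file, appends the key if it is missing instead of silently doing nothing, and only restarts the audit daemon when the live /etc/security/audit_control was edited.

```shell
#!/bin/sh
# Added example, not from the thread: set expire-after in an audit_control file.
# Arguments: path to the audit_control file, and the retention value
# (for example "60d OR 1G", the value used in the accepted answer).
set -eu

# Print the current expire-after value, or nothing if the key is absent.
get_expire_after() {
    awk -F: '/^expire-after:/ { print $2; exit }' "$1"
}

set_expire_after() {
    file=$1
    value=$2

    # Accept "<n><unit>" optionally combined with AND/OR, e.g. "60d OR 1G";
    # reject anything else before modifying the file.
    if ! printf '%s\n' "$value" | grep -Eq '^[0-9]+[A-Za-z]( (AND|OR) [0-9]+[A-Za-z])?$'; then
        echo "set_expire_after: invalid value '$value'" >&2
        return 1
    fi

    # First step of the accepted answer: clear the user-immutable flag.
    # chflags is macOS/BSD only, so skip it where it does not exist.
    if command -v chflags >/dev/null 2>&1; then
        chflags nouchg "$file"
    fi

    if grep -q '^expire-after:' "$file"; then
        # Key present: replace the whole line, keeping a .bak copy
        # (the -i.bak form works with both BSD and GNU sed).
        sed -i.bak "s/^expire-after:.*/expire-after:$value/" "$file"
    else
        # Key absent: back the file up and append the key.
        cp "$file" "$file.bak"
        printf 'expire-after:%s\n' "$value" >> "$file"
    fi

    # Only ask auditd to re-read its configuration for the live file.
    if [ "$file" = /etc/security/audit_control ] && command -v audit >/dev/null 2>&1; then
        /usr/sbin/audit -s
    fi

    # Verify the change actually landed in the file.
    [ "$(get_expire_after "$file")" = "$value" ]
}
```

Running it against a copy of audit_control first shows exactly what will be written before the live file is touched.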

4 REPLIES

ThijsX
Valued Contributor

Hey @deep786 

Yes, this can be achieved with the following, where $ODV is the organisation-defined value.

# ODV must be set in the shell first (e.g. ODV="60d OR 1G"); double quotes let sed see its value
/usr/bin/sed -i.bak "s/^expire-after.*/expire-after:$ODV/" /etc/security/audit_control; /usr/sbin/audit -s

To check the currently set value:

/usr/bin/awk -F: '/expire-after/{print $2}' /etc/security/audit_control

Hopefully this is helpful!

Cheers,

Thijs

deep786
New Contributor II

Not able to edit the "audit_control" file, error: permission denied.

deep786
New Contributor II

I am logged in as the root user but still not able to edit.
