Vulnerability Discussion
The install.log must be configured to require that records be kept for an
organization-defined period before deletion, unless the system uses a central audit record storage
facility.
Check
Verify that the macOS system is configured with an install.log retention (ttl) of 365 days with the
following command:
/usr/sbin/aslmanager -dd 2>&1 | /usr/bin/awk '/\/var\/log\/install.log/ {count++} /Processing module com.apple.install/,/Finished/ { for (i=1;i<=NF;i++) { if ($i == "TTL" && $(i+2) >= 365) { ttl="True" }; if ($i == "MAX") {max="True"}}} END{if (count > 1) { print "Multiple config files for /var/log/install, manually remove"} else if (ttl != "True") { print "TTL not configured" } else if (max == "True") { print "Max Size is configured, must be removed" } else { print "Yes" }}'
If the result is not "Yes", this is a finding.
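The check above has to be run on the macOS host it evaluates, which makes its awk logic hard to review or regression-test. The script below is an added example, not part of the STIG text: it wraps the same awk logic in a function that reads `aslmanager -dd` style output on stdin, and feeds it constructed samples (the layout of the sample lines is approximated, not captured from a real host) covering each verdict the check can return. The minimum TTL is a parameter so the same function can check other organization-defined values.

```shell
#!/bin/sh
# Added example, not part of the STIG text: the retention check as a function
# that reads `aslmanager -dd` style output on stdin. Verdict strings match
# the ones the STIG check command prints.

check_install_log_retention() {
    awk -v min_ttl="${1:-365}" '
        # Count every reference to the log path: more than one means more
        # than one ASL config file writes install.log and must be cleaned up.
        /\/var\/log\/install.log/ { count++ }
        # Inside the com.apple.install module block, look for a TTL of at
        # least min_ttl days and for any MAX (size-based) rotation setting.
        /Processing module com.apple.install/,/Finished/ {
            for (i = 1; i <= NF; i++) {
                if ($i == "TTL" && $(i + 2) + 0 >= min_ttl + 0) ttl = "True"
                if ($i == "MAX") max = "True"
            }
        }
        END {
            if (count > 1)          print "Multiple config files for /var/log/install, manually remove"
            else if (ttl != "True") print "TTL not configured"
            else if (max == "True") print "Max Size is configured, must be removed"
            else                    print "Yes"
        }'
}

# Constructed samples (layout approximated, not captured from a host).
# One config file, one-year TTL, no size cap: compliant.
compliant_output() {
cat <<'EOF'
Processing module com.apple.install
  file /var/log/install.log
    TTL = 365
    SIZE_ONLY
Finished module com.apple.install
EOF
}

# TTL shorter than required.
short_ttl_output() {
cat <<'EOF'
Processing module com.apple.install
  file /var/log/install.log
    TTL = 30
Finished module com.apple.install
EOF
}

# TTL is fine, but a MAX size cap is set, which the rule forbids.
max_size_output() {
cat <<'EOF'
Processing module com.apple.install
  file /var/log/install.log
    TTL = 365
    MAX = 50M
Finished module com.apple.install
EOF
}

# Two modules both writing the same log path.
duplicate_output() {
cat <<'EOF'
Processing module com.apple.install
  file /var/log/install.log
    TTL = 365
Finished module com.apple.install
Processing module com.example.extra
  file /var/log/install.log
Finished module com.example.extra
EOF
}

# On a macOS host run the real command; elsewhere exercise the samples.
if [ -x /usr/sbin/aslmanager ]; then
    /usr/sbin/aslmanager -dd 2>&1 | check_install_log_retention
else
    for sample in compliant_output short_ttl_output max_size_output duplicate_output; do
        printf '%s: ' "$sample"
        "$sample" | check_install_log_retention
    done
fi
```

Only the compliant sample yields "Yes"; the duplicate-file case is reported before the TTL is even considered, which matches the order of the original END block. Passing a different minimum (for example `check_install_log_retention 30`) makes the short-TTL sample pass, so the function can be reused for other retention baselines.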
Fix
Configure the macOS system with an install.log retention (ttl) of 365 days with the
following command:
/usr/bin/sed -i '' "s/\* file \/var\/log\/install.log.*/\* file \/var\/log\/install.log format='\$\(\(Time\)\(JZ\)\) \$Host \$\(Sender\)\[\$\(PID\\)\]: \$Message' rotate=utc compress file_max=50M size_only ttl=365/g" /etc/asl/com.apple.install
Note: If there are multiple configuration files in /etc/asl that are set to process the file
/var/log/install.log, these files will have to be manually removed.
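The fix edits /etc/asl/com.apple.install in place, so it is worth seeing the substitution applied to a copy first and confirming that exactly one rule writes install.log afterwards. The script below is an added example, not part of the STIG text: it installs the same rule the fix writes (UTC-dated rotation, compression, size_only, ttl=365, file_max=50M), but through a stdin-to-stdout function with `|` as the sed delimiter, against a constructed sample config that stands in for the real file. The sample's contents and its short ttl=30 are assumptions for the demonstration.

```shell
#!/bin/sh
# Added example, not part of the STIG text: apply the fix's substitution to a
# copy of the ASL config and diff it, so the change is reviewed before the
# in-place `sed -i ''` run on the real /etc/asl/com.apple.install.

# The rule the fix installs. The format string is the one from the STIG fix;
# ttl=365 is the retention the rule enforces.
NEW_RULE="* file /var/log/install.log format='\$((Time)(JZ)) \$Host \$(Sender)[\$(PID)]: \$Message' rotate=utc compress file_max=50M size_only ttl=365"

# render_fixed_config rewrites the install.log rule read on stdin and writes
# the result to stdout; nothing is modified in place. '|' is the sed
# delimiter so the slashes in the path need no escaping.
render_fixed_config() {
    sed "s|^\* file /var/log/install\.log.*|$NEW_RULE|"
}

# install_log_ttl prints the ttl= value of the install.log rule on stdin.
install_log_ttl() {
    sed -n 's/^\* file \/var\/log\/install\.log.*ttl=\([0-9]*\).*/\1/p'
}

# count_install_log_rules prints how many non-comment rules on stdin write
# install.log; the STIG note says more than one must be resolved by hand.
count_install_log_rules() {
    grep -c '^[^#].*file /var/log/install\.log' || true
}

# Constructed sample of /etc/asl/com.apple.install (not a copy of the
# shipped file) with a short default TTL and no size_only flag.
sample_config() {
cat <<'EOF'
# constructed sample, not a copy of the shipped file
> com.apple.install
* file /var/log/install.log format='$((Time)(JZ)) $Host $(Sender)[$(PID)]: $Message' rotate=utc compress file_max=5M ttl=30
EOF
}

# Dry run: write the sample to a temp file, render the fixed copy, diff them.
tmp=$(mktemp)
sample_config > "$tmp"
render_fixed_config < "$tmp" > "$tmp.fixed"
diff -u "$tmp" "$tmp.fixed" || true   # diff exits 1 when the files differ
echo "ttl before: $(install_log_ttl < "$tmp"), after: $(install_log_ttl < "$tmp.fixed")"
echo "install.log rules after fix: $(count_install_log_rules < "$tmp.fixed")"
rm -f "$tmp" "$tmp.fixed"
```

Running it prints a unified diff of the single changed line and reports the ttl going from 30 to 365 with one install.log rule remaining. On the real host, redirect `render_fixed_config` from /etc/asl/com.apple.install to a scratch file and review that diff; the count helper run over every file in /etc/asl is a quick way to spot the duplicate configuration files the note above says must be removed manually.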