audit_flags_fm_configure fails in dev_sonoma because of the ^fm #152

Closed
opened 2026-01-19 18:29:25 +00:00 by michael · 7 comments

Originally created by @cipineda on GitHub.

Summary

I did find a similar issue (#73) but it is way too old.
audit_flags_fm_configure fails all the time even if the -fm flag is in the file and I think it is because of the '^fm' code.

Steps to reproduce

In Sonoma 14.0 Beta 7 (23A5337a), when running the following code it always returns 0.
Run: /usr/bin/awk -F':' '/^flags/ { print $NF }' /etc/security/audit_control | /usr/bin/tr ',' '\n' | /usr/bin/grep -Ec '^fm'

Operating System version

Sonoma 14.0 Beta 7 (23A5337a)

Intel or Apple Silicon

Silicon and Intel

What is the current bug behavior?

validation script returns 0 even if the audit file does have the -fm flag

What is the expected correct behavior?

Validation script should return 1

Relevant logs and/or screenshots

Output of checks

/usr/bin/awk -F':' '/^flags/ { print $NF }' /etc/security/audit_control | /usr/bin/tr ',' '\n' | /usr/bin/grep -Ec '^fm'
0

Possible fixes

/usr/bin/awk -F':' '/^flags/ { print $NF }' /etc/security/audit_control | /usr/bin/tr ',' '\n' | /usr/bin/grep -Ec 'fm'
OR
/usr/bin/awk -F':' '/^flags/ { print $NF }' /etc/security/audit_control | /usr/bin/tr ',' '\n' | /usr/bin/grep -Ec '-fm'


@cipineda commented on GitHub:

Here it is.

#
# $P4: //depot/projects/trustedbsd/openbsm/etc/audit_control#8 $
#
dir:/var/audit
flags:lo,aa,ad,-ex,-fd,-fm,-fr,-fw
minfree:25
naflags:lo,aa
policy: ahlt,argv
filesz:2M
expire-after:7d
superuser-set-sflags-mask:has_authenticated,has_console_access
superuser-clear-sflags-mask:has_authenticated,has_console_access
member-set-sflags-mask:
member-clear-sflags-mask:has_authenticated


@cipineda commented on GitHub:

The rule I'm using and reporting in this issue is audit_flags_fm_configure, and it failed as coded until I modified the proposed code above; then it marked the finding as passed.


@brodjieski commented on GitHub:

Can you share your configuration in /etc/security/audit_control?


@brodjieski commented on GitHub:

That configuration does not contain the fm flag, and will fail the check for audit_flags_fm_configure.

I see you have -fm, which will pass the check for audit_flags_fm_failed_configure but will not pass the other. With audit flags, fm is not the same as -fm.


@brodjieski commented on GitHub:

There are 2 different rules that touch upon the fm flag for auditing. One is audit_flags_fm_configure and the other is audit_flags_fm_failed_configure.

The rule referenced in this issue is audit_flags_fm_configure which is looking for fm in the flags, and will fail if only -fm exists in the flags.

The other rule audit_flags_fm_failed_configure is checking for -fm.

Depending on which rule you are including in your baseline, it should pass if configured correctly as written.


@cipineda commented on GitHub:

Are you saying that the flags: should not have a dash at all?


@brodjieski commented on GitHub:

Flags can include a dash, along with other modifiers, according to the audit_control man page. Flags with a - indicate it will only log failed events. We have 2 rules in the project that cover the file modification (fm) events. One is to capture all audit events, and the other is to capture failed.

The rule audit_flags_fm_configure is to capture them all... fm
The rule audit_flags_fm_failed_configure is to capture the failed... -fm

Depending on which rule you want to include in your baseline, that will result in which configuration you need to pass the check.

If you want to pass the audit_flags_fm_configure rule, your configuration needs to include fm in the flags.
If you want to pass the audit_flags_fm_failed_configure rule, your configuration needs to include -fm in the flags.

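The point made in the replies above (fm and -fm are different audit class entries, and each of the two rules looks for exactly one of them) and the reason the one-liner in the issue description prints 0 on the posted configuration, shown as an added example. This script is not the macos_security project's code; the function names are the example's own, and the audit_control contents are constructed inline from the configuration posted in this thread so it runs without touching /etc/security/audit_control. It also shows why the second "possible fix" (grep -Ec '-fm') cannot work as written: grep parses -fm as the options -f and -m unless the pattern is preceded by --.

```shell
#!/bin/sh
# Added example, not part of the macos_security project.
# Compares three ways of testing an audit_control flags: value for the
# file-modification class: the project's prefix match, the substring match
# proposed in the issue, and an exact whole-entry match.

# Constructed sample: the flags line matches the configuration posted above.
SAMPLE_AUDIT_CONTROL='dir:/var/audit
flags:lo,aa,ad,-ex,-fd,-fm,-fr,-fw
minfree:25
naflags:lo,aa'

# Print the value of the flags: line from audit_control text on stdin.
# Same awk as the project's check; $NF is the last colon-separated field.
flags_value() {
    awk -F':' '/^flags:/ { print $NF }'
}

# Project-style check (grep -Ec '^fm'): counts entries that START with the
# pattern, so "-fm" is correctly not counted as "fm".
prefix_count() {   # $1 = flags value, $2 = pattern
    printf '%s\n' "$1" | tr ',' '\n' | grep -Ec -- "^$2" || :
}

# The issue's first proposed fix (grep -Ec 'fm'): a substring match, so
# "-fm" and "+fm" would both be counted as "fm", which is the wrong answer
# for audit_flags_fm_configure.
substring_count() {   # $1 = flags value, $2 = pattern
    printf '%s\n' "$1" | tr ',' '\n' | grep -Ec -- "$2" || :
}

# Exact whole-entry match (-F fixed string, -x whole line). The "--" is
# required: without it, grep would parse "-fm" as the options -f and -m.
exact_count() {   # $1 = flags value, $2 = exact entry (fm, -fm, +fm, ...)
    printf '%s\n' "$1" | tr ',' '\n' | grep -Fxc -- "$2" || :
}

# Evaluate one of the two project rules against a flags value; prints
# "pass" or "fail". audit_flags_fm_configure wants "fm" (all fm events),
# audit_flags_fm_failed_configure wants "-fm" (failed fm events only).
rule_result() {   # $1 = flags value, $2 = rule name
    case "$2" in
        audit_flags_fm_configure)        want=fm ;;
        audit_flags_fm_failed_configure) want=-fm ;;
        *) printf 'unknown rule: %s\n' "$2" >&2; return 2 ;;
    esac
    if [ "$(exact_count "$1" "$want")" -ge 1 ]; then echo pass; else echo fail; fi
}

flags=$(printf '%s\n' "$SAMPLE_AUDIT_CONTROL" | flags_value)
printf 'flags value: %s\n' "$flags"
printf '%-10s prefix=%s substring=%s exact=%s\n' fm \
    "$(prefix_count "$flags" fm)" "$(substring_count "$flags" fm)" "$(exact_count "$flags" fm)"
printf '%-10s exact=%s\n' -fm "$(exact_count "$flags" -fm)"
printf 'audit_flags_fm_configure:        %s\n' "$(rule_result "$flags" audit_flags_fm_configure)"
printf 'audit_flags_fm_failed_configure: %s\n' "$(rule_result "$flags" audit_flags_fm_failed_configure)"
```

On the posted configuration the prefix and exact counts for fm are both 0 and only the substring count is 1, so the substring "fix" would make audit_flags_fm_configure pass on a system that only audits failed file-modification events. To pass that rule the flags value needs a bare fm entry; to pass audit_flags_fm_failed_configure it needs -fm.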
Reference: usnistgov/macos_security#152