usnistgov/macos_security
1
0
Fork 0
mirror of https://github.com/usnistgov/macos_security.git synced 2026-02-03 14:03:24 +00:00
Code Issues 21 Actions Packages Projects Releases Wiki Activity

os_install_log_retention_configure - remediation does not match check #154

New Issue
Closed
opened 2026-01-19 18:29:26 +00:00 by michael · 5 comments
michael commented 2026-01-19 18:29:26 +00:00
Owner
Copy Link

Originally created by @Honestpuck on GitHub.

Summary

os_install_log_retention_configure has a test that fails if it sees "MAX" but the remediation sets 'file_max=50M" which seems to fail the test

Steps to reproduce

run the test:-

sudo /usr/sbin/aslmanager -dd 2>&1 | /usr/bin/awk '/\/var\/log\/install.log/ {count++} /Processing module com.apple.install/,/Finished/ { for (i=1;i<=NR;i++) { if ($i == "TTL" && $(i+2) >= 365) { ttl="True" }; if ($i == "MAX") {max="True"}}} END{if (count > 1) { print "Multiple config files for /var/log/install, manually remove"} else if (ttl != "True") { print "TTL not configured" } else if (max == "True") { print "Max Size is configured, must be removed" } else { print "Yes" }}'

and you will see that it prints "Max size is configured, must be removed"

Run the remediation

sudo /usr/bin/sed -i '' "s/\* file \/var\/log\/install.log.*/\* file \/var\/log \/install.log format='\$\(\(Time\)\(JZ\)\) \$Host \$\(Sender\)\[\$\(PID\\)\]: \$Message' rotate=utc compress file_max=50M size_only ttl=365/g" /etc/asl/com.apple.install

then run the test again and it will still fail

Operating System version

Ventura 13.5.1

Intel or Apple Silicon

Apple Silicon

Project branch

Current Ventura branch.

Output of checks

"Max Size is configured, must be removed"

Possible fixes

change the remediation to :-

/usr/bin/sed -i '' "s/\* file \/var\/log\/install.log.*/\* file \/var\/log \/install.log format='\$\(\(Time\)\(JZ\)\) \$Host \$\(Sender\)\[\$\(PID\\)\]: \$Message' rotate=utc compress ttl=365/g" /etc/asl/com.apple.install

so that it doesn't insert the culprit text.

BTW that line would look neater if you didn't use / as the substitution separator, instead :-

/usr/bin/sed -i '' "s#\* file /var/log/install.log.*#\* file /var/log/install.log format='\$\(\(Time\)\(JZ\)\) \$Host \$\(Sender\)\[\$\(PID\\)\]: \$Message' rotate=utc compress ttl=365#g" /etc/asl/com.apple.install
Originally created by @Honestpuck on GitHub. ### Summary `os_install_log_retention_configure` has a test that fails if it sees "MAX" but the remediation sets 'file_max=50M" which seems to fail the test ### Steps to reproduce run the test:- ``` sudo /usr/sbin/aslmanager -dd 2>&1 | /usr/bin/awk '/\/var\/log\/install.log/ {count++} /Processing module com.apple.install/,/Finished/ { for (i=1;i<=NR;i++) { if ($i == "TTL" && $(i+2) >= 365) { ttl="True" }; if ($i == "MAX") {max="True"}}} END{if (count > 1) { print "Multiple config files for /var/log/install, manually remove"} else if (ttl != "True") { print "TTL not configured" } else if (max == "True") { print "Max Size is configured, must be removed" } else { print "Yes" }}' ``` and you will see that it prints "Max size is configured, must be removed" Run the remediation ``` sudo /usr/bin/sed -i '' "s/\* file \/var\/log\/install.log.*/\* file \/var\/log \/install.log format='\$\(\(Time\)\(JZ\)\) \$Host \$\(Sender\)\[\$\(PID\\)\]: \$Message' rotate=utc compress file_max=50M size_only ttl=365/g" /etc/asl/com.apple.install ``` then run the test again and it will still fail ### Operating System version Ventura 13.5.1 ### Intel or Apple Silicon Apple Silicon ### Project branch Current Ventura branch. ### Output of checks "Max Size is configured, must be removed" ### Possible fixes change the remediation to :- ``` /usr/bin/sed -i '' "s/\* file \/var\/log\/install.log.*/\* file \/var\/log \/install.log format='\$\(\(Time\)\(JZ\)\) \$Host \$\(Sender\)\[\$\(PID\\)\]: \$Message' rotate=utc compress ttl=365/g" /etc/asl/com.apple.install ``` so that it doesn't insert the culprit text. BTW that line would look neater if you didn't use `/` as the substitution separator, instead :- ``` /usr/bin/sed -i '' "s#\* file /var/log/install.log.*#\* file /var/log/install.log format='\$\(\(Time\)\(JZ\)\) \$Host \$\(Sender\)\[\$\(PID\\)\]: \$Message' rotate=utc compress ttl=365#g" /etc/asl/com.apple.install ```
michael commented 2026-01-19 18:29:26 +00:00
Author
Owner
Copy Link

@robertgendler commented on GitHub:

Merged into the os branches

@robertgendler commented on GitHub: Merged into the os branches
michael commented 2026-01-19 18:29:26 +00:00
Author
Owner
Copy Link

@brodjieski commented on GitHub:

For this control, there needs to be a couple of conditions met. First, and primarily, the TTL needs to be defined, since we are trying to retain the logs for X amount of time. This is not part of the default configuration from Apple. The issue becomes then, if there is a value defined for all_max in the configuration (which is default from Apple), TTL is not honored and the asl manager will only rotate based on the all_max value.

To determine if all_max is set, the output of aslmanager -dd will report "Check total storage used - MAX = 157286400"... this is the MAX that the check is looking for and reporting if found. If this is there, then the TTL cannot be used. Setting the file_max parameter won't have an effect on what the check is looking for, as this parameter will dictate how often the log files are rotated based on size.

When testing this after reviewing this issue, I did see that we can probably rewrite the check to better show what is happening.

sudo /usr/sbin/aslmanager -dd 2>&1 | /usr/bin/awk '/\/var\/log\/install.log/ {count++} /Processing module com.apple.install/,/Finished/ { for (i=1;i<=NR;i++) { if ($i == "TTL" && $(i+2) >= 365) { ttl="True" }; if ($i == "MAX") {max="True"}}} END{if (count > 1) { print "Multiple config files for /var/log/install, manually remove"} else if (max == "True") { print "all_max is configured, must be removed" } if (ttl != "True") { print "TTL not configured" } else { print "Yes" }}'

As for the fix... in my testing, it does seem to be working as expected. If the above check still reports a finding, then let's dig deeper into what might be happening. If you can share what you have configured in /etc/asl as well as the output of sudo /usr/sbin/aslmanager -dd that will help narrow down what we are seeing.

Thanks!

@brodjieski commented on GitHub: For this control, there needs to be a couple of conditions met. First, and primarily, the TTL needs to be defined, since we are trying to retain the logs for X amount of time. This is not part of the default configuration from Apple. The issue becomes then, if there is a value defined for `all_max` in the configuration (which is default from Apple), TTL is not honored and the asl manager will only rotate based on the `all_max` value. To determine if `all_max` is set, the output of `aslmanager -dd` will report "Check total storage used - MAX = 157286400"... this is the `MAX` that the check is looking for and reporting if found. If this is there, then the TTL cannot be used. Setting the `file_max` parameter won't have an effect on what the check is looking for, as this parameter will dictate how often the log files are rotated based on size. When testing this after reviewing this issue, I did see that we can probably rewrite the check to better show what is happening. ``` sudo /usr/sbin/aslmanager -dd 2>&1 | /usr/bin/awk '/\/var\/log\/install.log/ {count++} /Processing module com.apple.install/,/Finished/ { for (i=1;i<=NR;i++) { if ($i == "TTL" && $(i+2) >= 365) { ttl="True" }; if ($i == "MAX") {max="True"}}} END{if (count > 1) { print "Multiple config files for /var/log/install, manually remove"} else if (max == "True") { print "all_max is configured, must be removed" } if (ttl != "True") { print "TTL not configured" } else { print "Yes" }}' ``` As for the fix... in my testing, it does seem to be working as expected. If the above check still reports a finding, then let's dig deeper into what might be happening. If you can share what you have configured in `/etc/asl` as well as the output of `sudo /usr/sbin/aslmanager -dd` that will help narrow down what we are seeing. Thanks!
michael commented 2026-01-19 18:29:26 +00:00
Author
Owner
Copy Link

@Honestpuck commented on GitHub:

Mine seems to have resolved itself, now I have a problem where multiple files are setting things for installer.log so I will need to build something to remove one.

Check your logs to see what the fail message is, when I check I saw it mentioning multiple files.

@Honestpuck commented on GitHub: Mine seems to have resolved itself, now I have a problem where multiple files are setting things for installer.log so I will need to build something to remove one. Check your logs to see what the fail message is, when I check I saw it mentioning multiple files.
michael commented 2026-01-19 18:29:26 +00:00
Author
Owner
Copy Link

@Acting-IT commented on GitHub:

I'm also seeing this in our environment. Was there any resolution? The fix shown above is not resolving this for us.

@Acting-IT commented on GitHub: I'm also seeing this in our environment. Was there any resolution? The fix shown above is not resolving this for us.
michael commented 2026-01-19 18:29:26 +00:00
Author
Owner
Copy Link

@Acting-IT commented on GitHub:

it did turn out to be the multiple copies of com.apple.install. I added a line to remove /etc/asl/com.apple.install.old. That did the trick.

@Acting-IT commented on GitHub: it did turn out to be the multiple copies of com.apple.install. I added a line to remove /etc/asl/com.apple.install.old. That did the trick.
Sign in to join this conversation.
No Branch/Tag Specified
Branches Tags
Labels
No items
No Label
Milestone
No items
No Milestone
Projects
Clear projects
No project
Assignees
Clear assignees
michael
No Assignees
1 Participants
Notifications
Due Date
No due date set.
Dependencies

No dependencies set.

Reference: usnistgov/macos_security#154
Delete Branch "%!s()"

Deleting a branch is permanent. Although the deleted branch may continue to exist for a short time before it actually gets removed, it CANNOT be undone in most cases. Continue?