mirror of
https://github.com/usnistgov/macos_security.git
synced 2026-02-03 05:53:24 +00:00
os_install_log_retention_configure #208
Originally created by @cipineda on GitHub.
Summary
When running the aslmanager binary, the code used to detect whether ttl = 365 returns "TTL not configured" when in fact it is configured.
Steps to reproduce
Run the command
```
/usr/sbin/aslmanager -dd 2>&1 | /usr/bin/awk '/\/var\/log\/install.log/ {count++} /Processing module com.apple.install/,/Finished/'
```
This returns the following on my test machine:
```
Dec 1 08:14:49: Processing module com.apple.install
Dec 1 08:14:49: Checking file /var/log/install.log
Dec 1 08:14:49: - Rename, move to destination directory, and compress as required
Dec 1 08:14:49: ignore src file install.log since it is internal and syslogd will checkpoint it when it needs to be renamed
Dec 1 08:14:49: no src files
Dec 1 08:14:49: - Check for expired files - TTL = 365 days
Dec 1 08:14:49: no dst files
Dec 1 08:14:49: Finished processing module com.apple.install
```
As you can see, the TTL is set to 365 (which means that it is remediated).
Looking at the contents of the file /etc/asl/com.apple.install returns the following:
```
# install messages get saved only in /var/log/install.log
? [= Facility install] claim only
```
Running your existing code returns "TTL not configured":
```shell
result_value=$(/usr/sbin/aslmanager -dd 2>&1 | /usr/bin/awk '/\/var\/log\/install.log/ {count++} /Processing module com.apple.install/,/Finished/ { for (i=1;i<=NR;i++) { if ($i == "TTL" && $(i+2) >= 365) { ttl="True" }; if ($i == "MAX") {max="True"}} } END{if (count > 1) { print "Multiple config files for /var/log/install, manually remove"} else if (ttl != "True") { print "TTL not configured"} else if (max == "True") { print "Max Size is configured, must be removed" } else { print "Yes" }}')
# The test condition was lost in extraction; it is reconstructed here from the awk END block,
# which prints "Yes" only when the retention check passes.
if [ "$result_value" != "Yes" ]; then
echo "$(date -u)" " Compliance os_install_log_retention_configure: FAILED"
fi
echo "$result_value"
```
Operating System version
ProductName: macOS
ProductVersion: 13.0.1
BuildVersion: 22A400
Tested also on
ProductName: macOS
ProductVersion: 13.1
BuildVersion: 22C5050e
Intel or Apple Silicon
Intel and Silicon
What is the current bug behavior?
(What actually happens)
The validation script returns "TTL not configured"
(What you should see instead)
The validation script should return a "Yes"
Output of checks
shown above in steps to reproduce section
Possible fixes
@jmahlman commented on GitHub:
Are you running the command with sudo?
@cipineda commented on GitHub:
My bad, it works with root. I guess I got confused, as I thought I had seen this as well in the EA in JAMF.
Closing this ticket.
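A reworked version of this check, added here as an example and not the macOS Security Compliance Project's own code: the awk parser is split out into a function that can be fed captured aslmanager output, and the live wrapper refuses to run unless it is root, which is the condition this thread ended on (an unprivileged run does not produce the module's TTL line, so the parser reads it as "TTL not configured"). The sample lines are constructed from the output quoted above; the function names, the --self-test flag and the exit code 2 are assumptions.

```shell
#!/bin/bash
# Added example, not code from the macos_security baseline.

# Parse aslmanager -dd output read from stdin and print exactly one of
# the result strings the baseline uses. Only the lines between
# "Processing module com.apple.install" and "Finished" are inspected, so
# other modules cannot set ttl/max. The count of /var/log/install.log
# mentions across the whole output is kept for the "multiple config
# files" case, as in the original check.
parse_install_log_retention() {
  awk '
    /\/var\/log\/install.log/ { count++ }
    /Processing module com.apple.install/,/Finished/ {
      # iterate over the fields of the current line (NF, not NR)
      for (i = 1; i <= NF; i++) {
        if ($i == "TTL" && $(i+2) >= 365) ttl = "True"
        if ($i == "MAX") max = "True"
      }
    }
    END {
      if (count > 1) print "Multiple config files for /var/log/install, manually remove"
      else if (ttl != "True") print "TTL not configured"
      else if (max == "True") print "Max Size is configured, must be removed"
      else print "Yes"
    }'
}

# Live check. Refuses to run unprivileged (assumed exit code 2), because
# aslmanager -dd only reports the module processing, and therefore the
# TTL line, when run as root; running it as a normal user would silently
# report the false "TTL not configured" seen in this issue.
check_install_log_retention() {
  if [ "$(id -u)" -ne 0 ]; then
    echo "os_install_log_retention_configure: must be run as root (aslmanager -dd)" >&2
    return 2
  fi
  /usr/sbin/aslmanager -dd 2>&1 | parse_install_log_retention
}

# Constructed sample, trimmed from the root output quoted in the issue.
SAMPLE_OK='Dec 1 08:14:49: Processing module com.apple.install
Dec 1 08:14:49: Checking file /var/log/install.log
Dec 1 08:14:49: - Check for expired files - TTL = 365 days
Dec 1 08:14:49: no dst files
Dec 1 08:14:49: Finished processing module com.apple.install'

# Constructed negative sample: retention shorter than the required 365 days.
SAMPLE_SHORT='Dec 1 08:14:49: Processing module com.apple.install
Dec 1 08:14:49: Checking file /var/log/install.log
Dec 1 08:14:49: - Check for expired files - TTL = 30 days
Dec 1 08:14:49: Finished processing module com.apple.install'

# Exercise the parser offline (no root needed):  ./check.sh --self-test
if [ "${1:-}" = "--self-test" ]; then
  printf '%s\n' "$SAMPLE_OK" | parse_install_log_retention
  printf '%s\n' "$SAMPLE_SHORT" | parse_install_log_retention
else
  check_install_log_retention
fi
```

Keeping the parser separate from the privileged call is what makes the root requirement visible: the parser can be unit-tested against captured text by anyone, while the wrapper fails loudly instead of returning a plausible-looking non-compliance result when it is launched from an unprivileged context such as a management-agent extension attribute.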