audit_control policy cnt vs ahlt #282

New Issue

michael · 2026-01-19T18:29:55Z

michael commented

2026-01-19 18:29:55 +00:00

Originally created by @robertgendler on GitHub.

audit_failure_halt recommends adding the ahlt to the audit_control policy section which will halt the system if it runs out of space and not able to write the audit logs to disk.

We are not removing cnt which allows things to continuing running even though events are not being audited.

https://www.freebsd.org/cgi/man.cgi?query=audit_control&sektion=5&n=1

We should be checking for cnt and replacing it with ahlt.

Originally created by @robertgendler on GitHub. audit_failure_halt recommends adding the ahlt to the audit_control policy section which will halt the system if it runs out of space and not able to write the audit logs to disk. We are not removing cnt which allows things to continuing running even though events are not being audited. https://www.freebsd.org/cgi/man.cgi?query=audit_control&sektion=5&n=1 We should be checking for cnt and replacing it with ahlt.

michael closed this issue

2026-01-19 18:29:55 +00:00

michael commented

2026-01-19 18:29:55 +00:00

@golbiga commented on GitHub:

New Check: /usr/bin/awk -F':' '/^policy/ {print $NF}' /etc/security/audit_control | /usr/bin/tr ',' '\n' | /usr/bin/grep -Ec 'ahlt'

New Fix: /usr/bin/sed -i.bak 's/^policy.*/policy: ahlt,argv/' /etc/security/audit_control; /usr/sbin/audit -s

@golbiga commented on GitHub: New Check: `/usr/bin/awk -F':' '/^policy/ {print $NF}' /etc/security/audit_control | /usr/bin/tr ',' '\n' | /usr/bin/grep -Ec 'ahlt'` New Fix: `/usr/bin/sed -i.bak 's/^policy.*/policy: ahlt,argv/' /etc/security/audit_control; /usr/sbin/audit -s`

Sign in to join this conversation.

1 Participants

Notifications

Due Date

No due date set.

Dependencies

No dependencies set.

Reference: usnistgov/macos_security#282