os_install_log_retention_configure - TTL will be removed after update #69

New Issue

michael · 2026-01-19T18:29:07Z

michael commented

2026-01-19 18:29:07 +00:00

Originally created by @iamflaurian on GitHub.

os_install_log_retention_configure - TTL will be removed after update

Steps to reproduce

Update macOS 14 or 15 minor updates
open /etc/asl/com.apple.install
or
check it via terminal
usr/sbin/aslmanager -dd 2>&1 | /usr/bin/awk '/\/var\/log\/install.log$/ {count++} /Processing module com.apple.install/,/Finished/ { for (i=1;i<=NR;i++) { if ($i == "TTL" && $(i+2) >= $ODV) { ttl="True" }; if ($i == "MAX") {max="True"}}} END{if (count > 1) { print "Multiple config files for /var/log/install, manually remove the extra files"} else if (max == "True") { print "all_max setting is configured, must be removed" } if (ttl != "True") { print "TTL not configured" } else { print "Yes" }}'

Operating System version

tested with macOS 14.7.1 update to 14.7.2 and 15.1.1 to 15.2

Intel or Apple Silicon

Apple Silicon Mac

What is the current bug behavior?

The setting will be removed which means, you have to set it for each update again.

What is the expected correct behavior?

If its configured its should not be removed after updating the macOS system.

Originally created by @iamflaurian on GitHub. **os_install_log_retention_configure - TTL will be removed after update** ### Steps to reproduce 1. Update macOS 14 or 15 minor updates 2. open /etc/asl/com.apple.install or check it via terminal `usr/sbin/aslmanager -dd 2>&1 | /usr/bin/awk '/\/var\/log\/install.log$/ {count++} /Processing module com.apple.install/,/Finished/ { for (i=1;i<=NR;i++) { if ($i == "TTL" && $(i+2) >= $ODV) { ttl="True" }; if ($i == "MAX") {max="True"}}} END{if (count > 1) { print "Multiple config files for /var/log/install, manually remove the extra files"} else if (max == "True") { print "all_max setting is configured, must be removed" } if (ttl != "True") { print "TTL not configured" } else { print "Yes" }}' ` ### Operating System version tested with macOS 14.7.1 update to 14.7.2 and 15.1.1 to 15.2 ### Intel or Apple Silicon Apple Silicon Mac ### What is the current *bug* behavior? The setting will be removed which means, you have to set it for each update again. ### What is the expected *correct* behavior? If its configured its should not be removed after updating the macOS system.

michael closed this issue

2026-01-19 18:29:07 +00:00

michael commented

2026-01-19 18:29:07 +00:00

@iamflaurian commented on GitHub:

Hey @robertgendler
thank you for your quick response. I think it would be great to see these kind of information as a "note" to get hint about it

@iamflaurian commented on GitHub: Hey @robertgendler thank you for your quick response. I think it would be great to see these kind of information as a "note" to get hint about it

michael commented

2026-01-19 18:29:07 +00:00

@robertgendler commented on GitHub:

Unfortunately there's nothing that can be done by us. This is an Apple thing. The best solution is to do a check and fix on regular rotation so that when files such as this are modified, they are remediated.

@robertgendler commented on GitHub: Unfortunately there's nothing that can be done by us. This is an Apple thing. The best solution is to do a check and fix on regular rotation so that when files such as this are modified, they are remediated.

Sign in to join this conversation.

1 Participants

Notifications

Due Date

No due date set.

Dependencies

No dependencies set.

Reference: usnistgov/macos_security#69