usnistgov/macos_security
1
0
Fork 0
mirror of https://github.com/usnistgov/macos_security.git synced 2026-02-03 14:03:24 +00:00
Code Issues 21 Actions Packages Projects Releases Wiki Activity

audit_flags_fm_configure fix script no longer working #9

New Issue
Closed
opened 2026-01-19 18:28:55 +00:00 by michael · 2 comments
michael commented 2026-01-19 18:28:55 +00:00
Owner
Copy Link

Originally created by @rs1278 on GitHub.

Summary

fix script for audit_flags_fm_configure does not work in macOS 15 or macOS 26

Steps to reproduce

running
/usr/bin/grep -qE "^flags.*-fd" /etc/security/audit_control || /usr/bin/sed -i.bak '/^flags/ s/$/,-fd/' /etc/security/audit_control;/usr/sbin/audit -s

does not add ,fd to the file /etc/security/audit_control

Operating System version

macOS 15.7.3
macOS 26.2

Intel or Apple Silicon

Apple Silicon

What is the current bug behavior?

/usr/bin/grep -qE "^flags.*-fd" /etc/security/audit_control
does not add ,fd to the file /etc/security/audit_control, but still returns 0 making the || operator pass without trying the backup command

What is the expected correct behavior?

,fd should be added tr to the file /etc/security/audit_control

Relevant logs and/or screenshots

n/a

Output of checks

audit_flags_fm_configure failed (Result: 0, Expected: "{'integer': 1}")

Running the command to configure the settings for: audit_flags_fm_configure ...
Trigger sent.

Possible fixes

use this command instead (omit the part before the ||)
/usr/bin/sed -i.bak '/^flags/ s/$/,-fd/' /etc/security/audit_control;/usr/sbin/audit -s

Originally created by @rs1278 on GitHub. <!--- Please read this! Before opening a new issue, make sure to search for keywords in the issues filtered by the "regression" or "bug" label and verify the issue you're about to submit isn't a duplicate. ---> ### Summary fix script for audit_flags_fm_configure does not work in macOS 15 or macOS 26 ### Steps to reproduce running `/usr/bin/grep -qE "^flags.*-fd" /etc/security/audit_control || /usr/bin/sed -i.bak '/^flags/ s/$/,-fd/' /etc/security/audit_control;/usr/sbin/audit -s` does not add _,fd_ to the file `/etc/security/audit_control` ### Operating System version macOS 15.7.3 macOS 26.2 ### Intel or Apple Silicon Apple Silicon ### What is the current *bug* behavior? `/usr/bin/grep -qE "^flags.*-fd" /etc/security/audit_control` does not add _,fd_ to the file `/etc/security/audit_control`, but still returns 0 making the `||` operator pass without trying the backup command ### What is the expected *correct* behavior? _,fd_ should be added tr to the file `/etc/security/audit_control` ### Relevant logs and/or screenshots n/a ### Output of checks audit_flags_fm_configure failed (Result: 0, Expected: "{'integer': 1}") Running the command to configure the settings for: audit_flags_fm_configure ... Trigger sent. ### Possible fixes use this command instead (omit the part before the ||) `/usr/bin/sed -i.bak '/^flags/ s/$/,-fd/' /etc/security/audit_control;/usr/sbin/audit -s`
michael commented 2026-01-19 18:28:55 +00:00
Author
Owner
Copy Link

@brodjieski commented on GitHub:

With any of the audit related controls, they require that the auditd daemon be configured and enabled. Running the fix for any of the audit flag rules on a system that does not have auditd running will result in both failed checks and the inability to run the remediation script.

With auditd configured and running as outlined in audit_auditd_enabled, I am unable to recreate the issue, and the commands work as expected.

Verify the content in the /etc/security/audit_control file along with the following to see that auditd is running as expected:

❯ sudo audit -c
audit condition: 1 (AUC_AUDITING)
@brodjieski commented on GitHub: With any of the `audit` related controls, they require that the `auditd` daemon be configured and enabled. Running the fix for any of the audit flag rules on a system that does not have `auditd` running will result in both failed checks and the inability to run the remediation script. With `auditd` configured and running as outlined in `audit_auditd_enabled`, I am unable to recreate the issue, and the commands work as expected. Verify the content in the `/etc/security/audit_control` file along with the following to see that `auditd` is running as expected: ``` ❯ sudo audit -c audit condition: 1 (AUC_AUDITING) ```
michael commented 2026-01-19 18:28:55 +00:00
Author
Owner
Copy Link

@rs1278 commented on GitHub:

Thank you for confirming the integrity of this code!

Despite auditd running properly, it seems that this issue did resolve its self in our environment after our remediation script ran the fix command two or three times.

@rs1278 commented on GitHub: Thank you for confirming the integrity of this code! Despite `auditd` running properly, it seems that this issue did resolve its self in our environment after our remediation script ran the fix command two or three times.
Sign in to join this conversation.
No Branch/Tag Specified
Branches Tags
Labels
No items
No Label
Milestone
No items
No Milestone
Projects
Clear projects
No project
Assignees
Clear assignees
michael
No Assignees
1 Participants
Notifications
Due Date
No due date set.
Dependencies

No dependencies set.

Reference: usnistgov/macos_security#9
Delete Branch "%!s()"

Deleting a branch is permanent. Although the deleted branch may continue to exist for a short time before it actually gets removed, it CANNOT be undone in most cases. Continue?