macos_security icon indicating copy to clipboard operation
macos_security copied to clipboard

Published 20 hours ago verified publisher icon usnistgov

os_install_log_retention_configure - remediation does not match check

Open Honestpuck opened this issue 2 years ago • 4 comments
trafficstars

Summary

os_install_log_retention_configure has a test that fails if it sees "MAX" but the remediation sets 'file_max=50M" which seems to fail the test

Steps to reproduce

run the test:-

sudo /usr/sbin/aslmanager -dd 2>&1 | /usr/bin/awk '/\/var\/log\/install.log/ {count++} /Processing module com.apple.install/,/Finished/ { for (i=1;i<=NR;i++) { if ($i == "TTL" && $(i+2) >= 365) { ttl="True" }; if ($i == "MAX") {max="True"}}} END{if (count > 1) { print "Multiple config files for /var/log/install, manually remove"} else if (ttl != "True") { print "TTL not configured" } else if (max == "True") { print "Max Size is configured, must be removed" } else { print "Yes" }}'

and you will see that it prints "Max size is configured, must be removed"

Run the remediation

sudo /usr/bin/sed -i '' "s/\* file \/var\/log\/install.log.*/\* file \/var\/log \/install.log format='\$\(\(Time\)\(JZ\)\) \$Host \$\(Sender\)\[\$\(PID\\)\]: \$Message' rotate=utc compress file_max=50M size_only ttl=365/g" /etc/asl/com.apple.install

then run the test again and it will still fail

Operating System version

Ventura 13.5.1

Intel or Apple Silicon

Apple Silicon

Project branch

Current Ventura branch.

Output of checks

"Max Size is configured, must be removed"

Possible fixes

change the remediation to :-

/usr/bin/sed -i '' "s/\* file \/var\/log\/install.log.*/\* file \/var\/log \/install.log format='\$\(\(Time\)\(JZ\)\) \$Host \$\(Sender\)\[\$\(PID\\)\]: \$Message' rotate=utc compress ttl=365/g" /etc/asl/com.apple.install

so that it doesn't insert the culprit text.

BTW that line would look neater if you didn't use / as the substitution separator, instead :-

/usr/bin/sed -i '' "s#\* file /var/log/install.log.*#\* file /var/log/install.log format='\$\(\(Time\)\(JZ\)\) \$Host \$\(Sender\)\[\$\(PID\\)\]: \$Message' rotate=utc compress ttl=365#g" /etc/asl/com.apple.install

Honestpuck avatar Aug 28 '23 01:08 Honestpuck

For this control, there needs to be a couple of conditions met. First, and primarily, the TTL needs to be defined, since we are trying to retain the logs for X amount of time. This is not part of the default configuration from Apple. The issue becomes then, if there is a value defined for all_max in the configuration (which is default from Apple), TTL is not honored and the asl manager will only rotate based on the all_max value.

To determine if all_max is set, the output of aslmanager -dd will report "Check total storage used - MAX = 157286400"... this is the MAX that the check is looking for and reporting if found. If this is there, then the TTL cannot be used. Setting the file_max parameter won't have an effect on what the check is looking for, as this parameter will dictate how often the log files are rotated based on size.

When testing this after reviewing this issue, I did see that we can probably rewrite the check to better show what is happening.

sudo /usr/sbin/aslmanager -dd 2>&1 | /usr/bin/awk '/\/var\/log\/install.log/ {count++} /Processing module com.apple.install/,/Finished/ { for (i=1;i<=NR;i++) { if ($i == "TTL" && $(i+2) >= 365) { ttl="True" }; if ($i == "MAX") {max="True"}}} END{if (count > 1) { print "Multiple config files for /var/log/install, manually remove"} else if (max == "True") { print "all_max is configured, must be removed" } if (ttl != "True") { print "TTL not configured" } else { print "Yes" }}'

As for the fix... in my testing, it does seem to be working as expected. If the above check still reports a finding, then let's dig deeper into what might be happening. If you can share what you have configured in /etc/asl as well as the output of sudo /usr/sbin/aslmanager -dd that will help narrow down what we are seeing.

Thanks!

brodjieski avatar Aug 29 '23 15:08 brodjieski

I'm also seeing this in our environment. Was there any resolution? The fix shown above is not resolving this for us.

Acting-IT avatar Oct 25 '23 14:10 Acting-IT

Mine seems to have resolved itself, now I have a problem where multiple files are setting things for installer.log so I will need to build something to remove one.

Check your logs to see what the fail message is, when I check I saw it mentioning multiple files.

Honestpuck avatar Oct 26 '23 02:10 Honestpuck

it did turn out to be the multiple copies of com.apple.install. I added a line to remove /etc/asl/com.apple.install.old. That did the trick.

Acting-IT avatar Oct 26 '23 18:10 Acting-IT

Merged into the os branches

robertgendler avatar Mar 25 '24 15:03 robertgendler