audit_flags_fm_configure fix script no longer working

[rs1278]

Summary

fix script for audit_flags_fm_configure does not work in macOS 15 or macOS 26

Steps to reproduce

running
/usr/bin/grep -qE "^flags.*-fd" /etc/security/audit_control || /usr/bin/sed -i.bak '/^flags/ s/$/,-fd/' /etc/security/audit_control;/usr/sbin/audit -s

does not add ,fd to the file /etc/security/audit_control

Operating System version

macOS 15.7.3
macOS 26.2

Intel or Apple Silicon

Apple Silicon

What is the current bug behavior?

/usr/bin/grep -qE "^flags.*-fd" /etc/security/audit_control
does not add ,fd to the file /etc/security/audit_control, but still returns 0 making the || operator pass without trying the backup command

What is the expected correct behavior?

,fd should be added tr to the file /etc/security/audit_control

Relevant logs and/or screenshots

n/a

Output of checks

audit_flags_fm_configure failed (Result: 0, Expected: "{'integer': 1}")

Running the command to configure the settings for: audit_flags_fm_configure ...
Trigger sent.

Possible fixes

use this command instead (omit the part before the ||)
/usr/bin/sed -i.bak '/^flags/ s/$/,-fd/' /etc/security/audit_control;/usr/sbin/audit -s

[brodjieski]

With any of the audit related controls, they require that the auditd daemon be configured and enabled. Running the fix for any of the audit flag rules on a system that does not have auditd running will result in both failed checks and the inability to run the remediation script.

With auditd configured and running as outlined in audit_auditd_enabled, I am unable to recreate the issue, and the commands work as expected.

Verify the content in the /etc/security/audit_control file along with the following to see that auditd is running as expected:

❯ sudo audit -c
audit condition: 1 (AUC_AUDITING)

[rs1278]

Thank you for confirming the integrity of this code!

Despite auditd running properly, it seems that this issue did resolve its self in our environment after our remediation script ran the fix command two or three times.

[rs1278]

I believed this to be resolved in my testing environment, but upon deploying across my fleet, most systems are failing audit_flags_fm_configure

Running an extension attribute to check sudo audit -c gives us the output on these systems we would hope to see: audit condition: 1 (AUC_AUDITING)

These systems did have a previous configuration applied with the following /etc/security/audit_control configuration, we had -fm set without fm:

#
# DEPRECATION NOTICE
#
# The audit(4) subsystem has been deprecated since macOS 11.0, disabled since
# macOS 14.0, and WILL BE REMOVED in a future version of macOS. Applications
# that require a security event stream should use the EndpointSecurity(7) API
# instead.
#
# On this version of macOS, you can re-enable audit(4) by renaming or copying
# /etc/security/audit_control.example to /etc/security/audit_control,
# re-enabling the system/com.apple.auditd service by running `launchctl enable
# system/com.apple.auditd` as root, and rebooting.
#
# $P4: //depot/projects/trustedbsd/openbsm/etc/audit_control#8 $
#
dir:/var/audit
flags:lo,aa,ad,-ex,-fd,-fm,-fr,-fw
minfree:5
naflags:lo,aa
policy:cnt,argv
filesz:2M
expire-after:7d

Our issue, it seems, is the fix script is unable to add fm in this circumstance--even though it runs every day with a valid sudo audit -c return