Exempting Rules
Exemptions let you mark rules as approved exceptions. When a rule is exempt, the compliance script reports it as an exemption rather than a failure, and skips remediation for that rule.
How Exemptions Work
Exemptions are stored in the audit plist file at:

```
/Library/Preferences/org.{baseline_name}.audit.plist
```

Each exempted rule has two keys:
| Key | Type | Description |
|---|---|---|
| exempt | Boolean | true to mark as exempt |
| exempt_reason | String | Why the exemption is approved |
Set an Exemption Locally
1. Set the exempt flag:

```shell
sudo /usr/libexec/PlistBuddy -c "Add :RULE_ID:exempt bool true" /Library/Preferences/org.BASELINE.audit.plist
```

2. Add the reason:

```shell
sudo /usr/libexec/PlistBuddy -c "Add :RULE_ID:exempt_reason string 'Your reason'" /Library/Preferences/org.BASELINE.audit.plist
```

3. Verify the exemption:

```shell
/usr/libexec/PlistBuddy -c "Print :RULE_ID" /Library/Preferences/org.BASELINE.audit.plist
```

Output:

```
Dict {
    finding = true
    exempt = true
    exempt_reason = Your reason
}
```
Example: Exempt auth_smartcard_enforce from the 800-53r5_moderate baseline:

```shell
sudo /usr/libexec/PlistBuddy -c "Add :auth_smartcard_enforce:exempt bool true" /Library/Preferences/org.800-53r5_moderate.audit.plist
sudo /usr/libexec/PlistBuddy -c "Add :auth_smartcard_enforce:exempt_reason string 'Hardware reader not available'" /Library/Preferences/org.800-53r5_moderate.audit.plist
```

Deploy Exemptions via MDM
For enterprise deployments, deploy exemptions as a managed preference profile targeting the org.{baseline_name}.audit preference domain.

The compliance script checks for managed preferences and respects exemptions set through MDM.
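To make the exemption semantics concrete, here is an added example (not code from the project or from this page) that reads an audit plist with the key layout described above and classifies each rule as PASS, FAIL or EXEMPT, the way the text says the compliance script treats exempt rules. It also flags exemptions that carry no exempt_reason, which is the check a reviewer of a fleet's audit files would want. The rule identifiers other than auth_smartcard_enforce, the sample plist and the helper names are constructed for the example.

```python
"""Added example: classify rules in an mSCP-style audit plist.

Not part of the mSCP project. Uses only the Python standard library so it can
run on any host; on a Mac you would pass the bytes of
/Library/Preferences/org.{baseline_name}.audit.plist to load_audit().
"""
import plistlib
from io import BytesIO

# Constructed sample audit data, matching the per-rule keys shown on the page:
# `finding` (Boolean), plus optional `exempt` (Boolean) and `exempt_reason`.
SAMPLE_AUDIT_PLIST = {
    "auth_smartcard_enforce": {          # finding, but an approved exemption
        "finding": True,
        "exempt": True,
        "exempt_reason": "Hardware reader not available",
    },
    "os_firewall_enable": {"finding": True},       # constructed id: real failure
    "os_gatekeeper_enable": {"finding": False},    # constructed id: compliant
    "os_sip_enable": {"finding": True, "exempt": True},  # constructed id: exempt, no reason
}


def load_audit(data: bytes) -> dict:
    """Parse audit plist bytes (XML or binary) into {rule_id: rule_dict}."""
    return plistlib.load(BytesIO(data))


def classify_rule(rule: dict) -> str:
    """Return 'PASS', 'FAIL' or 'EXEMPT' for one rule entry.

    A finding on a rule whose `exempt` key is the Boolean true is reported as
    an exemption rather than a failure (remediation is skipped for it). A
    string value such as "true" does not count, which is why the page's
    PlistBuddy command uses `bool true`, not `string true`.
    """
    if not rule.get("finding"):
        return "PASS"
    return "EXEMPT" if rule.get("exempt") is True else "FAIL"


def summarize(audit: dict) -> dict:
    """Group rule ids by status and list exemptions lacking an exempt_reason."""
    summary = {"PASS": [], "FAIL": [], "EXEMPT": [], "missing_reason": []}
    for rule_id, rule in sorted(audit.items()):
        status = classify_rule(rule)
        summary[status].append(rule_id)
        if status == "EXEMPT" and not rule.get("exempt_reason"):
            summary["missing_reason"].append(rule_id)
    return summary


def set_exemption(audit: dict, rule_id: str, reason: str) -> dict:
    """In-memory equivalent of the two PlistBuddy Add commands on the page."""
    entry = audit.setdefault(rule_id, {})
    entry["exempt"] = True
    entry["exempt_reason"] = reason
    return audit


def demo_summary() -> dict:
    """Round-trip the sample through plist serialization, then classify it."""
    audit = load_audit(plistlib.dumps(SAMPLE_AUDIT_PLIST))
    return summarize(audit)


if __name__ == "__main__":
    for status, ids in demo_summary().items():
        print(f"{status}: {', '.join(ids) or '-'}")
```

Two practical notes: PlistBuddy's `Add` fails with "Entry Already Exists" if the key is already present, so use `Set` when changing an existing exemption; and an exemption without a reason (os_sip_enable above) is worth treating as a review finding in its own right, since the reason is what documents the approval.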
Next Steps
- Tailoring Rules: select rules and set ODV values
- Customize Rules: modify rule behavior beyond ODVs