Exemptions

Exemptions allow you to mark certain rules as “approved exceptions” for your organization. Systems with exemptions are reported as compliant, even if the setting differs from the rule’s expected result.

Note: The check will still be logged as a finding, but marking it as exempt allows reporting tools to exclude it from non-compliance.

---

How Exemptions Work

Exemptions are set in the org.{baseline}.audit.plist file, which can be placed in /Library/Preferences/org.{baseline}.audit.plist or applied via a custom configuration profile.

---

Setting an Exemption

1. Set exempt to true for the rule.
2. Add an exempt_reason describing why the exemption is needed.

Example: Exempting auth_smartcard_enforce

sudo /usr/libexec/PlistBuddy -c "Add :auth_smartcard_enforce:exempt bool true" /Library/Preferences/org.800-53r5_moderate.audit.plist
sudo /usr/libexec/PlistBuddy -c "Add :auth_smartcard_enforce:exempt_reason string 'Reader Issues'" /Library/Preferences/org.800-53r5_moderate.audit.plist

/usr/libexec/PlistBuddy -c "Print auth_smartcard_enforce" /Library/Preferences/org.800-53r5_moderate.audit.plist

Result:

Dict {
    finding = true
    exempt = true
    exempt_reason = Reader Issues
}

---

Note

If org.{baseline}.audit.plist is not set, the script will default exempt to false.

Exemptions help you document and manage approved exceptions in your compliance reporting.