
Audit

Run compliance checks directly on your Mac and see results in real time.

Instantly identify what's compliant, what's not, and what needs manual review.


What Does Audit Do?

When you click Audit, MACE runs every enabled rule's check command directly on your Mac and tells you whether each setting is compliant. Think of it as a compliance health check: MACE examines your system and reports what passes, what fails, and what needs attention.

Audit vs Build: What's the Difference?

Build generates files (scripts, profiles, DDM) that you deploy to other Macs via MDM.

Audit runs those same checks right now, on this Mac, and shows you the results immediately. It's how you verify compliance on a specific machine.

Audit Status Types

Each rule receives one of these statuses after checking:

  • Pass: The setting matches the expected value. This Mac is compliant for this rule.
  • Fail: The setting does not match the expected value. This Mac needs remediation.
  • Error: The check couldn't run or returned unexpected output. Investigate manually.
  • Manual Review: No automated check exists. You must verify this rule manually and set the status yourself.
  • N/A: This rule doesn't apply to this system. Excluded from the pass rate calculation.
  • Pending: The rule hasn't been checked yet. Waiting for the audit to reach this rule.
  • Running: The check is currently executing. You'll see this briefly as MACE works through each rule.

How Auditing Works

When you run an audit, MACE goes through each enabled rule and executes its check command:

  1. Load your rules: MACE reads all enabled rules from your baseline, including any customizations you've made.
  2. Verify helper is ready: Some checks need admin access. MACE confirms the helper tool is installed.
  3. Run each check: For each rule, MACE runs the check command to see what your Mac's current setting is.
  4. Compare actual vs expected: The output is compared against the expected value defined in the rule.
  5. Report results: Each rule gets a status (Pass/Fail/Error/etc.) and the results are displayed with details.

Example: What Happens During a Check

For a rule like "Enable Firewall Logging":

  1. Check command runs: /usr/libexec/ApplicationFirewall/socketfilterfw --getloggingmode
  2. Output received: Log mode is on
  3. Expected value: Output should contain "Log mode is on"
  4. Comparison: Output matches expected value
  5. Result: Pass

If the output was "Log mode is off", the result would be Fail.

Privileged Helper

Some compliance checks need administrator access to read protected system settings. MACE includes a helper tool that runs these checks securely.

🔐 Why Admin Access?

Certain security settings can only be read with admin privileges, for example checking FileVault status or reading protected system preferences.

📦 Install Permanently

Installs the helper so it's always available for future audits. You'll still see a warning before each audit runs, but you won't need to enter your password again.

⏱️ Install for This Session

Installs the helper temporarily. It automatically removes itself when MACE closes. Good if you only need to run a one-time audit.

Safety First

The helper runs commands from your rules with admin privileges. Before running an audit, make sure you trust the baseline you're using. If you've added custom rules or are using an unfamiliar baseline, review them first.

Running an Audit

  1. Open your project: Load a compliance project with your selected baseline and enabled rules
  2. Click Audit: Use the toolbar button to open the Audit window
  3. Select audit engine: Choose M.A.C.E. engine (recommended)
  4. Configure options: Enable or disable Watch Live mode
  5. Click Run Audit: Review the code execution warning and acknowledge to proceed
  6. Watch progress: See pass/fail status for each rule as it completes

Code Execution Warning

Before the audit starts, MACE shows a warning explaining that it will run commands to check your Mac's settings. This is normal and expected. Review the warning and acknowledge to proceed.

Audit Options

Watch Live

👁️ Watch Live (Default: ON)

Shows results updating in real time as each rule is checked. You can see pass/fail results appear immediately as the audit progresses.

When to disable: On slower Macs, live updates can slow down the audit. Disable this to let the audit complete faster, then view all results at once.

Audit Engines

M.A.C.E. Audit Engine

The recommended engine. Fast, full-featured, and built into MACE.

  • Real-time results with Watch Live
  • Export to PDF, HTML, CSV, CKL
  • Override results and add comments
  • Supports all customizations

mSCP Audit Engine

Uses the original mSCP Python scripts. For organizations already using mSCP command-line tools.

  • (Planned for future release)

Understanding the Results

After the audit completes, you'll see:

Summary Statistics

📊 Pass Rate

The percentage of rules that passed. N/A and Manual Review rules don't count toward this number since they aren't automated checks.

📈 Status Counts

Badges showing how many rules are in each status: Total, Passed, Failed, Manual Review, Errors, N/A.
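
The check-and-compare flow from "Example: What Happens During a Check" and the pass-rate rule above, as an added example that is not MACE's own code. The `Rule` shape, the rule id, treating empty output as Error, and counting Error against the pass rate are assumptions; the sample outputs are constructed.

```python
import subprocess
from dataclasses import dataclass
from typing import Callable, List, Optional

@dataclass
class Rule:                        # hypothetical shape, not MACE's rule format
    rule_id: str
    check: Optional[str]           # shell command; None = no automated check
    expected: str = ""             # substring the output should contain
    applicable: bool = True

def run_shell(cmd: str, timeout: int = 30) -> str:
    """Run one check command and return its stdout."""
    done = subprocess.run(["/bin/sh", "-c", cmd], capture_output=True,
                          text=True, timeout=timeout)
    return done.stdout

def evaluate(rule: Rule, run: Callable[[str], str] = run_shell) -> str:
    """Map one rule to a status name from the Audit Status Types list."""
    if not rule.applicable:
        return "N/A"
    if rule.check is None:
        return "Manual Review"
    try:
        output = run(rule.check).strip()
    except (subprocess.SubprocessError, OSError):
        return "Error"             # the check could not run (timeout, missing shell)
    if not output:
        return "Error"             # assumption: empty output is "unexpected output"
    return "Pass" if rule.expected in output else "Fail"

def pass_rate(statuses: List[str]) -> float:
    """Percentage of passes, leaving out N/A and Manual Review rules."""
    # Assumption: Fail and Error both stay in the denominator.
    counted = [s for s in statuses if s not in ("N/A", "Manual Review")]
    return 100.0 * counted.count("Pass") / len(counted) if counted else 0.0

FIREWALL = Rule("firewall_logging",  # rule id is a made-up label
                "/usr/libexec/ApplicationFirewall/socketfilterfw --getloggingmode",
                "Log mode is on")

if __name__ == "__main__":
    # Constructed outputs stand in for a real Mac so this runs anywhere.
    for sample in ("Log mode is on", "Log mode is off", ""):
        print(repr(sample), "->", evaluate(FIREWALL, run=lambda _cmd: sample))
    print(pass_rate(["Pass", "Fail", "Error", "Manual Review", "N/A"]))
```

Passing `run` explicitly keeps the comparison logic testable without admin rights; on a Mac, calling `evaluate(FIREWALL)` runs the real command through `run_shell`.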

Results Table

Each row shows one rule with its:

  • Status: Color-coded badge (Pass/Fail/Error/etc.)
  • Rule ID: Unique identifier (or STIG ID for STIG compliance)
  • Title: Human-readable rule name
  • Section: Category the rule belongs to
  • Expected Output: What the check should return
  • Actual Output: What was actually found
  • Execution Time: How long the check took

What You Can Do With Results

🔍 Filter and Search

Filter by status (show only failures) or search by Rule ID, title, or section.

✏️ Override Status

Manually change a rule's status if needed. Overrides are tracked and appear in exports.

💬 Add Comments

Add notes to any rule explaining exceptions, compensating controls, or remediation plans.

🔄 Re-run Individual Rules

Re-check a single rule without running the entire audit again.

📤 Export Reports

Export results to PDF, HTML, CSV, or DISA STIG CKL format for documentation and auditors.

Manual Review Rules

Some rules don't have automated checks. These are marked as "Manual Review" and require you to:

  1. Read the rule's discussion to understand what needs to be verified
  2. Manually check the setting on your Mac
  3. Set the status to Pass, Fail, or N/A based on your findings
  4. Add a comment explaining your verification

Why Some Rules Need Manual Review

Not every security setting can be checked automatically. Some require visual inspection (like checking a physical cable), reviewing policies, or judgment calls that can't be automated.

System Information Collection

MACE can collect device information to include in reports:

  • 💻 Serial Number: Your Mac's unique identifier
  • 📱 Model Name: e.g., "MacBook Pro" or "Mac mini"
  • 🖥️ Hostname: Your computer's network name
  • 🍎 macOS Version: e.g., 15.0.1

This information is optional and can be included in exported reports to identify which Mac was audited.

What's Next?

  • 📊 Audit Results: Deep dive into working with results, overrides, and comments
  • 📄 Exporting Reports: Export to PDF, HTML, CSV, and STIG CKL formats