modified firewall rules

2026-03-05 01:23:18 +00:00 · 2021-08-20 17:20:03 -04:00
parent 3021b5d791
commit 4c16c655a7
3 changed files with 17 additions and 20 deletions
--- a/rules/os/os_firewall_log_enable.yaml
+++ b/rules/os/os_firewall_log_enable.yaml
@@ -7,14 +7,11 @@ discussion: |

  NOTE: The firewall data is logged to Apple's Unified Logging with the subsystem com.apple.alf and the data is marked as private.
 check: |
-  /usr/libexec/ApplicationFirewall/socketfilterfw --getloggingmode | /usr/bin/grep -c "Log mode is on"
+  /usr/bin/profiles -P -o stdout | /usr/bin/grep -c 'EnableLogging = 1'
 result:
  integer: 1
 fix: |
-  [source,bash]
-  ----
-  /usr/libexec/ApplicationFirewall/socketfilterfw --setloggingmode on
-  ----
+  This is implemented by a Configuration Profile.
 references:
  cce:
    - N/A
@@ -47,5 +44,7 @@ tags:
  - 800-53r4_high
  - 800-171
  - cnssi-1253
-mobileconfig: false
-mobileconfig_info:
+mobileconfig: true
+mobileconfig_info:
+  com.apple.security.firewall:
+    EnableLogging: true
--- a/rules/sysprefs/sysprefs_firewall_enable.yaml
+++ b/rules/sysprefs/sysprefs_firewall_enable.yaml
@@ -5,14 +5,11 @@ discussion: |

  When the macOS Application Firewall is enabled, the flow of information within the information system and between interconnected systems will be controlled by approved authorizations.
 check: |
-  /usr/libexec/ApplicationFirewall/socketfilterfw --getglobalstate | /usr/bin/grep -c "Firewall is enabled"
+  /usr/bin/profiles -P -o stdout | /usr/bin/grep -c 'EnableFirewall = 1'
 result:
  integer: 1
 fix: |
-  [source,bash]
-  ----
-  /usr/libexec/ApplicationFirewall/socketfilterfw --setglobalstate on
-  ----
+  This is implemented by a Configuration Profile.
 references:
  cce:
    - N/A
@@ -57,5 +54,7 @@ tags:
  - cnssi-1253
  - stig
 severity: "medium"
-mobileconfig: false
-mobileconfig_info:
+mobileconfig: true
+mobileconfig_info:
+  com.apple.security.firewall:
+    EnableFirewall: true
--- a/rules/sysprefs/sysprefs_firewall_stealth_mode_enable.yaml
+++ b/rules/sysprefs/sysprefs_firewall_stealth_mode_enable.yaml
@@ -10,14 +10,11 @@ discussion: |
  Enabling firewall stealth mode may prevent certain remote mechanisms used for maintenance and compliance scanning from properly functioning. Information System Security Officers (ISSOs) are advised to first fully weigh the potential risks posed to their organization before opting not to enable stealth mode.
  ====
 check: |
-  /usr/libexec/ApplicationFirewall/socketfilterfw --getstealthmode | /usr/bin/grep -c "Stealth mode enabled"
+  /usr/bin/profiles -P -o stdout | /usr/bin/grep -c 'EnableStealthMode = 1'
 result:
  integer: 1
 fix: |
-  [source,bash]
-  ----
-  /usr/libexec/ApplicationFirewall/socketfilterfw --setstealthmode on 
-  ----
+  This is implemented by a Configuration Profile.
 references:
  cce:
    - N/A
@@ -55,5 +52,7 @@ tags:
  - cnssi-1253
  - stig
 severity: "medium"
-mobileconfig: false
+mobileconfig: true
 mobileconfig_info:
+  com.apple.security.firewall:
+    EnableStealthMode: true