From 4c16c655a79fc17eb198c0fc6bb9ce58ae55d53c Mon Sep 17 00:00:00 2001 From: Allen Golbig Date: Fri, 20 Aug 2021 17:20:03 -0400 Subject: [PATCH] modified firewall rules --- rules/os/os_firewall_log_enable.yaml | 13 ++++++------- rules/sysprefs/sysprefs_firewall_enable.yaml | 13 ++++++------- .../sysprefs_firewall_stealth_mode_enable.yaml | 11 +++++------ 3 files changed, 17 insertions(+), 20 deletions(-) diff --git a/rules/os/os_firewall_log_enable.yaml b/rules/os/os_firewall_log_enable.yaml index c4ea8a52..65f16c9c 100644 --- a/rules/os/os_firewall_log_enable.yaml +++ b/rules/os/os_firewall_log_enable.yaml @@ -7,14 +7,11 @@ discussion: | NOTE: The firewall data is logged to Apple's Unified Logging with the subsystem com.apple.alf and the data is marked as private. check: | - /usr/libexec/ApplicationFirewall/socketfilterfw --getloggingmode | /usr/bin/grep -c "Log mode is on" + /usr/bin/profiles -P -o stdout | /usr/bin/grep -c 'EnableLogging = 1' result: integer: 1 fix: | - [source,bash] - ---- - /usr/libexec/ApplicationFirewall/socketfilterfw --setloggingmode on - ---- + This is implemented by a Configuration Profile. references: cce: - N/A @@ -47,5 +44,7 @@ tags: - 800-53r4_high - 800-171 - cnssi-1253 -mobileconfig: false -mobileconfig_info: \ No newline at end of file +mobileconfig: true +mobileconfig_info: + com.apple.security.firewall: + EnableLogging: true \ No newline at end of file diff --git a/rules/sysprefs/sysprefs_firewall_enable.yaml b/rules/sysprefs/sysprefs_firewall_enable.yaml index fb7747fe..f6f39eb4 100644 --- a/rules/sysprefs/sysprefs_firewall_enable.yaml +++ b/rules/sysprefs/sysprefs_firewall_enable.yaml 
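Review bot: The new check on the `+` line only proves that some installed profile contains the text `EnableLogging = 1`, not that firewall logging is actually on: the grep is not scoped to the `com.apple.security.firewall` payload, so the same line in any other payload also counts, and because the expected result is exactly `integer: 1`, two profiles carrying the key make the check fail while a later profile that sets `EnableLogging = 0` is not matched at all and goes unnoticed. Consider keeping the removed `/usr/libexec/ApplicationFirewall/socketfilterfw --getloggingmode | /usr/bin/grep -c "Log mode is on"` as the effective-state check, alone or in addition to the profile check, so the rule validates runtime state rather than configuration intent. The replacement `fix:` text `This is implemented by a Configuration Profile.` also drops the only manual remediation; if that is deliberate, it should at least name the payload and key the profile must carry, e.g. `This is implemented by a Configuration Profile (com.apple.security.firewall, EnableLogging).` The first hunks of sysprefs_firewall_enable.yaml (`EnableFirewall = 1`) and sysprefs_firewall_stealth_mode_enable.yaml (`EnableStealthMode = 1`) have the same two issues.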
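Review bot: The new side still ends without a trailing newline — `\ No newline at end of file` follows `+    EnableLogging: true` — so the next change to this file will show a spurious diff on that line; end the file with a newline. The nesting of `com.apple.security.firewall:` under `mobileconfig_info:` and of `EnableLogging: true` under the payload type cannot be verified from the collapsed hunk; if either is at the wrong indent the generator receives a flat mapping rather than a payload, so worth a yamllint pass before merge. sysprefs_firewall_enable.yaml carries the same missing-newline marker after `EnableFirewall: true`; sysprefs_firewall_stealth_mode_enable.yaml does not.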
@@ -5,14 +5,11 @@ discussion: | When the macOS Application Firewall is enabled, the flow of information within the information system and between interconnected systems will be controlled by approved authorizations. check: | - /usr/libexec/ApplicationFirewall/socketfilterfw --getglobalstate | /usr/bin/grep -c "Firewall is enabled" + /usr/bin/profiles -P -o stdout | /usr/bin/grep -c 'EnableFirewall = 1' result: integer: 1 fix: | - [source,bash] - ---- - /usr/libexec/ApplicationFirewall/socketfilterfw --setglobalstate on - ---- + This is implemented by a Configuration Profile. references: cce: - N/A @@ -57,5 +54,7 @@ tags: - cnssi-1253 - stig severity: "medium" -mobileconfig: false -mobileconfig_info: \ No newline at end of file +mobileconfig: true +mobileconfig_info: + com.apple.security.firewall: + EnableFirewall: true \ No newline at end of file diff --git a/rules/sysprefs/sysprefs_firewall_stealth_mode_enable.yaml b/rules/sysprefs/sysprefs_firewall_stealth_mode_enable.yaml index b7ceb929..9be39cfc 100644 --- a/rules/sysprefs/sysprefs_firewall_stealth_mode_enable.yaml +++ b/rules/sysprefs/sysprefs_firewall_stealth_mode_enable.yaml @@ -10,14 +10,11 @@ discussion: | Enabling firewall stealth mode may prevent certain remote mechanisms used for maintenance and compliance scanning from properly functioning. Information System Security Officers (ISSOs) are advised to first fully weigh the potential risks posed to their organization before opting not to enable stealth mode. ==== check: | - /usr/libexec/ApplicationFirewall/socketfilterfw --getstealthmode | /usr/bin/grep -c "Stealth mode enabled" + /usr/bin/profiles -P -o stdout | /usr/bin/grep -c 'EnableStealthMode = 1' result: integer: 1 fix: | - [source,bash] - ---- - /usr/libexec/ApplicationFirewall/socketfilterfw --setstealthmode on - ---- + This is implemented by a Configuration Profile. references: cce: - N/A 
@@ -55,5 +52,7 @@ tags:
 - cnssi-1253
 - stig
 severity: "medium"
-mobileconfig: false
+mobileconfig: true
 mobileconfig_info:
+ com.apple.security.firewall:
+ EnableStealthMode: true
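Review bot: With this hunk a third rule declares its own `com.apple.security.firewall` payload (`EnableStealthMode` here, `EnableFirewall` and `EnableLogging` in the other two files); whether the profile generator merges same-type payloads from several rules into one payload or emits three separate payloads of that type is not visible in this patch and is the thing to confirm before merge. If they are emitted separately, verify that the resulting profile installs and that all three keys are effective together, since the per-rule checks only grep for each key in isolation. A one-line comment above `mobileconfig_info:` naming the other two rules that share this payload type would make the dependency visible to the next editor.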