refactor[rules] firewall rules

Firewall is now fully enforced by a configuration profile.
This commit is contained in:
Bob Gendler
2024-07-15 20:58:41 -04:00
parent d7db6e4c3d
commit 514d451ff6
2 changed files with 4 additions and 28 deletions


@@ -5,26 +5,14 @@ discussion: |
When the macOS Application Firewall is enabled, the flow of information within the information system and between interconnected systems will be controlled by approved authorizations.
check: |
profile="$(/usr/bin/osascript -l JavaScript << EOS
/usr/bin/osascript -l JavaScript << EOS
$.NSUserDefaults.alloc.initWithSuiteName('com.apple.security.firewall')\
.objectForKey('EnableFirewall').js
EOS
)"
plist="$(/usr/bin/defaults read /Library/Preferences/com.apple.alf globalstate 2>/dev/null)"
if [[ "$profile" == "true" ]] && [[ "$plist" =~ [1,2] ]]; then
echo "true"
else
echo "false"
fi
result:
string: 'true'
fix: |
[source,bash]
----
/usr/bin/defaults write /Library/Preferences/com.apple.alf globalstate -int 1
----
This is implemented by a Configuration Profile.
references:
cce:
- N/A
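Review bot: With the `plist="$(/usr/bin/defaults read /Library/Preferences/com.apple.alf globalstate ...)"` comparison and the `defaults write ... globalstate -int 1` fix removed from this hunk, the rule's check reduces to reading `EnableFirewall` from the `com.apple.security.firewall` suite through NSUserDefaults, which shows that a managed preference delivers the key but not that the application firewall is actually running in that state. Consider keeping an effective-state confirmation next to the profile read (for example `/usr/libexec/ApplicationFirewall/socketfilterfw --getglobalstate`, which reports the live state) so that a profile that is installed but not applied, or a stale alf state, still fails the rule rather than returning the expected `'true'`.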


@@ -10,26 +10,14 @@ discussion: |
Enabling firewall stealth mode may prevent certain remote mechanisms used for maintenance and compliance scanning from properly functioning. Information System Security Officers (ISSOs) are advised to first fully weigh the potential risks posed to their organization before opting not to enable stealth mode.
====
check: |
profile="$(/usr/bin/osascript -l JavaScript << EOS
/usr/bin/osascript -l JavaScript << EOS
$.NSUserDefaults.alloc.initWithSuiteName('com.apple.security.firewall')\
.objectForKey('EnableStealthMode').js
EOS
)"
plist=$(/usr/bin/defaults read /Library/Preferences/com.apple.alf stealthenabled 2>/dev/null)
if [[ "$profile" == "true" ]] && [[ $plist == 1 ]]; then
echo "true"
else
echo "false"
fi
result:
string: 'true'
fix: |
[source,bash]
----
/usr/bin/defaults write /Library/Preferences/com.apple.alf stealthenabled -int 1
----
This is implemented by a Configuration Profile.
references:
cce:
- N/A
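Review bot: The replacement `fix` text "This is implemented by a Configuration Profile." in this hunk gives no payload detail, while the check it sits next to reads `EnableStealthMode` from the `com.apple.security.firewall` suite; the fix should at least name that payload domain, the key, and the boolean value the check expects (`true`), so that anyone building the profile by hand rather than from the project's generated mobileconfig knows exactly what to deploy. Since the discussion above warns that stealth mode can break remote maintenance and compliance scanning, it is also worth stating that an organization which weighs the risk and opts out will see this rule fail, and should exempt it deliberately rather than expect the removed `stealthenabled` plist check to pick up a local setting.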