diff --git a/rules/system_settings/system_settings_firewall_enable.yaml b/rules/system_settings/system_settings_firewall_enable.yaml index 63a9606f..4020011e 100644 --- a/rules/system_settings/system_settings_firewall_enable.yaml +++ b/rules/system_settings/system_settings_firewall_enable.yaml @@ -5,26 +5,14 @@ discussion: | When the macOS Application Firewall is enabled, the flow of information within the information system and between interconnected systems will be controlled by approved authorizations. check: | - profile="$(/usr/bin/osascript -l JavaScript << EOS + /usr/bin/osascript -l JavaScript << EOS $.NSUserDefaults.alloc.initWithSuiteName('com.apple.security.firewall')\ .objectForKey('EnableFirewall').js EOS - )" - - plist="$(/usr/bin/defaults read /Library/Preferences/com.apple.alf globalstate 2>/dev/null)" - - if [[ "$profile" == "true" ]] && [[ "$plist" =~ [1,2] ]]; then - echo "true" - else - echo "false" - fi result: string: 'true' fix: | - [source,bash] - ---- - /usr/bin/defaults write /Library/Preferences/com.apple.alf globalstate -int 1 - ---- + This is implemented by a Configuration Profile. references: cce: - N/A diff --git a/rules/system_settings/system_settings_firewall_stealth_mode_enable.yaml b/rules/system_settings/system_settings_firewall_stealth_mode_enable.yaml index 1ba190f4..2b241f74 100644 --- a/rules/system_settings/system_settings_firewall_stealth_mode_enable.yaml +++ b/rules/system_settings/system_settings_firewall_stealth_mode_enable.yaml 
@@ -10,26 +10,14 @@ discussion: | Enabling firewall stealth mode may prevent certain remote mechanisms used for maintenance and compliance scanning from properly functioning. Information System Security Officers (ISSOs) are advised to first fully weigh the potential risks posed to their organization before opting not to enable stealth mode. ==== check: | - profile="$(/usr/bin/osascript -l JavaScript << EOS + /usr/bin/osascript -l JavaScript << EOS $.NSUserDefaults.alloc.initWithSuiteName('com.apple.security.firewall')\ .objectForKey('EnableStealthMode').js EOS - )" - - plist=$(/usr/bin/defaults read /Library/Preferences/com.apple.alf stealthenabled 2>/dev/null) - - if [[ "$profile" == "true" ]] && [[ $plist == 1 ]]; then - echo "true" - else - echo "false" - fi result: string: 'true' fix: | - [source,bash] - ---- - /usr/bin/defaults write /Library/Preferences/com.apple.alf stealthenabled -int 1 - ---- + This is implemented by a Configuration Profile. references: cce: - N/A
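Review bot: Both rewritten `check` blocks (`EnableFirewall` in system_settings_firewall_enable.yaml and `EnableStealthMode` in system_settings_firewall_stealth_mode_enable.yaml) now pass on the value stored under `com.apple.security.firewall` alone. With the `com.apple.alf` read removed, nothing confirms the effective firewall state, and the lookup does not distinguish a profile-forced value from one set some other way. If the rule is meant to audit profile enforcement, consider also testing `.objectIsForcedForKey('EnableFirewall')` (and `'EnableStealthMode'`) in the same JXA snippet. If the running state still matters, `/usr/libexec/ApplicationFirewall/socketfilterfw --getglobalstate` and `--getstealthmode` could stand in for the removed plist reads. At minimum, each rule's `discussion` should say that the check verifies the managed preference only.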