From 514d451ff620e88fd2d5656a8d106b50ba62da1a Mon Sep 17 00:00:00 2001
From: Bob Gendler
Date: Mon, 15 Jul 2024 20:58:41 -0400
Subject: [PATCH] refactor[rules] firewall rules

Firewall is now fully enforced by a configuration profile.
---
 .../system_settings_firewall_enable.yaml | 16 ++--------------
 ...em_settings_firewall_stealth_mode_enable.yaml | 16 ++--------------
 2 files changed, 4 insertions(+), 28 deletions(-)

diff --git a/rules/system_settings/system_settings_firewall_enable.yaml b/rules/system_settings/system_settings_firewall_enable.yaml
index 63a9606f..4020011e 100644
--- a/rules/system_settings/system_settings_firewall_enable.yaml
+++ b/rules/system_settings/system_settings_firewall_enable.yaml
@@ -5,26 +5,14 @@ discussion: |
 When the macOS Application Firewall is enabled, the flow of information within the information system and between interconnected systems will be controlled by approved authorizations.
 check: |
- profile="$(/usr/bin/osascript -l JavaScript << EOS
+ /usr/bin/osascript -l JavaScript << EOS
 $.NSUserDefaults.alloc.initWithSuiteName('com.apple.security.firewall')\
 .objectForKey('EnableFirewall').js
 EOS
- )"
-
- plist="$(/usr/bin/defaults read /Library/Preferences/com.apple.alf globalstate 2>/dev/null)"
-
- if [[ "$profile" == "true" ]] && [[ "$plist" =~ [1,2] ]]; then
- echo "true"
- else
- echo "false"
- fi
 result:
 string: 'true'
 fix: |
- [source,bash]
- ----
- /usr/bin/defaults write /Library/Preferences/com.apple.alf globalstate -int 1
- ----
+ This is implemented by a Configuration Profile.
 references:
 cce:
 - N/A
diff --git a/rules/system_settings/system_settings_firewall_stealth_mode_enable.yaml b/rules/system_settings/system_settings_firewall_stealth_mode_enable.yaml
index 1ba190f4..2b241f74 100644
--- a/rules/system_settings/system_settings_firewall_stealth_mode_enable.yaml
+++ b/rules/system_settings/system_settings_firewall_stealth_mode_enable.yaml
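Review bot: The new `check:` in this hunk (and the same edit in the stealth-mode hunk) reports only whether the managed key is present in the `com.apple.security.firewall` preference suite, not whether the firewall is actually in that state, so a profile that is installed but not yet honored by the firewall, or a payload carrying a mistyped key, still yields `'true'`. The removed `defaults read` of `com.apple.alf` was the only part that consulted effective state; if corroboration is wanted without returning to the plist, the check could pair the managed-preference read with the effective-state query `/usr/libexec/ApplicationFirewall/socketfilterfw --getglobalstate` (and `--getstealthmode` for the second rule). If the intent really is to assess configuration only, the `discussion:` should say so, e.g. `  This rule evaluates the managed preference delivered by the Configuration Profile; it does not inspect the running firewall's state.` The new `fix:` text points to a Configuration Profile, but the hunk does not show a `mobileconfig:` payload carrying `EnableFirewall` / `EnableStealthMode`; worth confirming both files already define it, since the rule otherwise has no remediation path.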
@@ -10,26 +10,14 @@ discussion: |
 Enabling firewall stealth mode may prevent certain remote mechanisms used for maintenance and compliance scanning from properly functioning. Information System Security Officers (ISSOs) are advised to first fully weigh the potential risks posed to their organization before opting not to enable stealth mode.
 ====
 check: |
- profile="$(/usr/bin/osascript -l JavaScript << EOS
+ /usr/bin/osascript -l JavaScript << EOS
 $.NSUserDefaults.alloc.initWithSuiteName('com.apple.security.firewall')\
 .objectForKey('EnableStealthMode').js
 EOS
- )"
-
- plist=$(/usr/bin/defaults read /Library/Preferences/com.apple.alf stealthenabled 2>/dev/null)
-
- if [[ "$profile" == "true" ]] && [[ $plist == 1 ]]; then
- echo "true"
- else
- echo "false"
- fi
 result:
 string: 'true'
 fix: |
- [source,bash]
- ----
- /usr/bin/defaults write /Library/Preferences/com.apple.alf stealthenabled -int 1
- ----
+ This is implemented by a Configuration Profile.
 references:
 cce:
 - N/A