usnistgov/macos_security
1
0
Fork 0
mirror of https://github.com/usnistgov/macos_security.git synced 2026-03-15 13:32:44 +00:00
Code Issues 21 Actions Packages Projects Releases Wiki Activity

Merge branch 'dev_ventura_issue268' into ventura

Browse Source
This commit is contained in:
Bob Gendler
2023-06-20 11:44:14 -04:00
parent 1c0cb40cff be424f5d74
commit b7ecd573f2
2 changed files with 28 additions and 4 deletions
Download Patch File Download Diff File Expand all files Collapse all files

16
rules/system_settings/system_settings_firewall_enable.yaml
View File

@@ -5,14 +5,26 @@ discussion: |
When the macOS Application Firewall is enabled, the flow of information within the information system and between interconnected systems will be controlled by approved authorizations.
check: |
/usr/bin/osascript -l JavaScript << EOS
profile="$(/usr/bin/osascript -l JavaScript << EOS
$.NSUserDefaults.alloc.initWithSuiteName('com.apple.security.firewall')\
.objectForKey('EnableFirewall').js
EOS
)"
plist="$(/usr/bin/defaults read /Library/Preferences/com.apple.alf globalstate 2>/dev/null)"
if [[ "$profile" == "true" ]] && [[ "$plist" =~ [1,2] ]]; then
echo "true"
else
echo "false"
fi
result:
string: "true"
fix: |
This is implemented by a Configuration Profile.
[source,bash]
----
/usr/bin/defaults write /Library/Preferences/com.apple.alf globalstate -int 1
----
references:
cce:
- CCE-91948-0

16
rules/system_settings/system_settings_firewall_stealth_mode_enable.yaml
View File

@@ -10,14 +10,26 @@ discussion: |
Enabling firewall stealth mode may prevent certain remote mechanisms used for maintenance and compliance scanning from properly functioning. Information System Security Officers (ISSOs) are advised to first fully weigh the potential risks posed to their organization before opting not to enable stealth mode.
====
check: |
/usr/bin/osascript -l JavaScript << EOS
profile="$(/usr/bin/osascript -l JavaScript << EOS
$.NSUserDefaults.alloc.initWithSuiteName('com.apple.security.firewall')\
.objectForKey('EnableStealthMode').js
EOS
)"
plist=$(/usr/bin/defaults read /Library/Preferences/com.apple.alf stealthenabled 2>/dev/null)
if [[ "$profile" == "true" ]] && [[ $plist == 1 ]]; then
echo "true"
else
echo "false"
fi
result:
string: "true"
fix: |
This is implemented by a Configuration Profile.
[source,bash]
----
/usr/bin/defaults write /Library/Preferences/com.apple.alf stealthenabled -int 1
----
references:
cce:
- CCE-91949-8