From be424f5d74f4586b0901e6f1a6699dc15ce6737a Mon Sep 17 00:00:00 2001
From: Bob Gendler
Date: Tue, 20 Jun 2023 11:33:26 -0400
Subject: [PATCH] refactor[rules] New firewall check/fix

Added new check/fix for ALF due to discovery of being able to override the config profile Issue #268
---
 .../system_settings_firewall_enable.yaml | 16 ++++++++++++++--
 ...em_settings_firewall_stealth_mode_enable.yaml | 16 ++++++++++++++--
 2 files changed, 28 insertions(+), 4 deletions(-)

diff --git a/rules/system_settings/system_settings_firewall_enable.yaml b/rules/system_settings/system_settings_firewall_enable.yaml
index cdbc1183..8253b5a8 100644
--- a/rules/system_settings/system_settings_firewall_enable.yaml
+++ b/rules/system_settings/system_settings_firewall_enable.yaml
@@ -5,14 +5,26 @@ discussion: |
 When the macOS Application Firewall is enabled, the flow of information within the information system and between interconnected systems will be controlled by approved authorizations.
 check: |
- /usr/bin/osascript -l JavaScript << EOS
+ profile="$(/usr/bin/osascript -l JavaScript << EOS
 $.NSUserDefaults.alloc.initWithSuiteName('com.apple.security.firewall')\
 .objectForKey('EnableFirewall').js
 EOS
+ )"
+
+ plist="$(/usr/bin/defaults read /Library/Preferences/com.apple.alf globalstate 2>/dev/null)"
+
+ if [[ "$profile" == "true" ]] && [[ "$plist" =~ [1,2] ]]; then
+ echo "true"
+ else
+ echo "false"
+ fi
 result:
 string: "true"
 fix: |
- This is implemented by a Configuration Profile.
+ [source,bash]
+ ----
+ /usr/bin/defaults write /Library/Preferences/com.apple.alf globalstate -int 1
+ ----
 references:
 cce:
 - CCE-91948-0
diff --git a/rules/system_settings/system_settings_firewall_stealth_mode_enable.yaml b/rules/system_settings/system_settings_firewall_stealth_mode_enable.yaml
index c91e2ae0..a9e76364 100644
--- a/rules/system_settings/system_settings_firewall_stealth_mode_enable.yaml
+++ b/rules/system_settings/system_settings_firewall_stealth_mode_enable.yaml
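Review bot: The plist test in the new check, `[[ "$plist" =~ [1,2] ]]`, is an unanchored bracket expression, so it passes for any output that contains a single `1`, `,` or `2` anywhere (an unexpected `12` or `21` would satisfy it), and the comma is a literal member of the class rather than an alternation. An exact comparison states the intent and also matches the form used in the stealth-mode hunk, which tests `[[ $plist == 1 ]]` (unquoted there; quoting it in both rules keeps them consistent): `if [[ "$profile" == "true" ]] && [[ "$plist" == 1 || "$plist" == 2 ]]; then`. The fix block writes `globalstate` straight into the preference file; the firewall may not re-read that file until its daemon is restarted, so the check can still report `false` immediately after remediation, which is worth stating in the fix text or avoiding by applying the setting through `/usr/libexec/ApplicationFirewall/socketfilterfw --setglobalstate on`.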
@@ -10,14 +10,26 @@ discussion: |
 Enabling firewall stealth mode may prevent certain remote mechanisms used for maintenance and compliance scanning from properly functioning. Information System Security Officers (ISSOs) are advised to first fully weigh the potential risks posed to their organization before opting not to enable stealth mode.
 ====
 check: |
- /usr/bin/osascript -l JavaScript << EOS
+ profile="$(/usr/bin/osascript -l JavaScript << EOS
 $.NSUserDefaults.alloc.initWithSuiteName('com.apple.security.firewall')\
 .objectForKey('EnableStealthMode').js
 EOS
+ )"
+
+ plist=$(/usr/bin/defaults read /Library/Preferences/com.apple.alf stealthenabled 2>/dev/null)
+
+ if [[ "$profile" == "true" ]] && [[ $plist == 1 ]]; then
+ echo "true"
+ else
+ echo "false"
+ fi
 result:
 string: "true"
 fix: |
- This is implemented by a Configuration Profile.
+ [source,bash]
+ ----
+ /usr/bin/defaults write /Library/Preferences/com.apple.alf stealthenabled -int 1
+ ----
 references:
 cce:
 - CCE-91949-8
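Review bot: The stealth-mode check reports `true` whenever the profile key and `stealthenabled` are set, even if the firewall itself is off (`globalstate` 0), a state in which stealth mode presumably has no effect; consider either requiring an enabled `globalstate` here as well or adding a sentence to the discussion block that this rule depends on system_settings_firewall_enable. As in the enable hunk, the fix writes `stealthenabled` directly into the preference file, which may not take effect until the firewall daemon re-reads it; `/usr/libexec/ApplicationFirewall/socketfilterfw --setstealthmode on` would apply it through the firewall and keep the check and fix in agreement right after remediation.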