Rules having both the fix and the profile #126

Closed
opened 2026-01-19 18:29:19 +00:00 by michael · 1 comment

Originally created by @nihil-admirari on GitHub.

[os_gatekeeper_enable](https://github.com/usnistgov/macos_security/blob/main/rules/os/os_gatekeeper_enable.yaml) and [system_settings_gatekeeper_identified_developers_allowed](https://github.com/usnistgov/macos_security/blob/main/rules/system_settings/system_settings_gatekeeper_identified_developers_allowed.yaml) have both a configuration profile and a shell script. Firewall rules [system_settings_firewall_enable](https://github.com/usnistgov/macos_security/blob/main/rules/system_settings/system_settings_firewall_enable.yaml) and [system_settings_firewall_stealth_mode_enable](https://github.com/usnistgov/macos_security/blob/main/rules/system_settings/system_settings_firewall_stealth_mode_enable.yaml) do the same.

CIS “2.2.1 Ensure Firewall Is Enabled (Automated)” (counterpart of `system_settings_firewall_enable`) warns that

> Note: After some testing, it was discovered that setting globalstate to 0 in the plist /Library/Preferences/com.apple.alf **disables the firewall even if the profile is installed**. We are now auditing for '0' in that plist even if the profile is installed to give as much information as possible to administrators.

No such warning is given for any of the other three rules. Is duplication of fixes for other rules really necessary?


@robertgendler commented on GitHub:

@nihil-admirari
This is intentional.

The profile locks the GUI but the binary or defaults can override the profile. So both methods are required.

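The "check both sources" logic behind the maintainer's answer, as an added example that is not part of this issue or of the project's own check scripts: it parses a constructed copy of the com.apple.alf plist with Python's plistlib and reports each of the two firewall rules as passing only when the profile is present and the on-disk value agrees. The `profile_installed` flag is an assumed input from a separate profile check, and treating a missing key as 0 is an assumption about the macOS default.

```python
import plistlib
import os

# Plist named in the CIS note quoted above; on disk the file has a ".plist" suffix.
ALF_PLIST_PATH = "/Library/Preferences/com.apple.alf.plist"

# Constructed sample of that file, mirroring the case the CIS note describes:
# globalstate written to 0 while the firewall profile is still installed.
SAMPLE_ALF_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>globalstate</key><integer>0</integer>
  <key>stealthenabled</key><integer>0</integer>
</dict></plist>"""


def audit_firewall(profile_installed, alf_plist_bytes):
    """Audit the two firewall rules from the issue against both evidence sources.

    profile_installed -- assumed to come from a separate check that the managing
                         configuration profile is present (e.g. via `profiles show`)
    alf_plist_bytes   -- raw contents of com.apple.alf.plist
    A rule passes only when the profile is present AND the on-disk value agrees,
    because globalstate 0 disables the firewall even with the profile installed.
    A missing key is treated as 0 (assumption: the macOS default is off).
    """
    prefs = plistlib.loads(alf_plist_bytes)
    globalstate = int(prefs.get("globalstate", 0))   # 0 off, 1 on, 2 block all incoming
    stealth = int(prefs.get("stealthenabled", 0))    # 1 = stealth mode on
    on_disk_ok = {
        "system_settings_firewall_enable": globalstate in (1, 2),
        "system_settings_firewall_stealth_mode_enable": stealth == 1,
    }
    results = {}
    for rule, disk_ok in on_disk_ok.items():
        if profile_installed and disk_ok:
            results[rule] = "pass"
        elif profile_installed:
            results[rule] = "fail: profile installed but plist value overrides it"
        elif disk_ok:
            results[rule] = "fail: enabled on disk but not enforced by a profile"
        else:
            results[rule] = "fail: not enabled"
    return results


if __name__ == "__main__":
    # On a Mac, read the real file; elsewhere fall back to the constructed sample.
    data = open(ALF_PLIST_PATH, "rb").read() if os.path.exists(ALF_PLIST_PATH) else SAMPLE_ALF_PLIST
    for rule, status in audit_firewall(True, data).items():
        print(f"{rule}: {status}")
```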
Reference: usnistgov/macos_security#126