This artifact provides information around the configuration of the application firewall for a macOS host.
This can be useful for auditing to ensure compliance, overall safety, or to identify tampering with allowed application connections or firewall-related restrictions.
name: MacOS.Network.ApplicationLayerFirewall
description: |
This artifact provides information around the configuration of the application firewall for a macOS host.
This can be useful for auditing to ensure compliance, overall safety, or to identify tampering with allowed application connections or firewall-related restrictions.
type: CLIENT
author: Wes Lambert - @therealwlambert
precondition: SELECT OS FROM info() WHERE OS =~ 'darwin'
parameters:
- name: ALFGlob
default: /Library/Preferences/com.apple.alf.plist
sources:
- query: |
SELECT
if(condition=globalstate, then="Enabled", else="Disabled") AS GlobalState,
if(condition=allowsignedenabled, then="Yes", else="No") AS AllowSigned,
if(condition=allowdownloadsignedenabled, then="Yes", else="No") AS AllowDLSigned,
if(condition=loggingenabled, then="Yes", else="No") AS LoggingEnabled,
if(condition=stealthenabled, then="Yes", else="No") AS StealthEnabled,
version AS Version,
explicitauths.id AS ExplicitAuths,
firewall AS Applications
FROM plist(file=ALFGlob)