CCE-50344-1Platform: cpe:/o:apple:mac_os_14 | Date: (C)2024-01-24 (M)2024-01-24 |
The socketfilter Firewall is what is used when the Firewall is turned on in the Security and Privacy Preference Pane. In order to appropriately monitor what access is allowed and denied, logging must be enabled.The logging level must be set to "detailed" to be useful in monitoring connection attempts that the firewall detects. Throttled login is not sufficient for examining Firewall connection attempts.In-depth log monitoring on macOS may require changes to the "Enable-Private-Data" key in SystemLogging.System to ensure more complete logging.
Rationale:In order to troubleshoot the successes and failures of a Firewall, detailed logging should be enabled.
Impact:Detailed logging may result in excessive storage.
Remediation:
Terminal Method:
Run the following command to enable logging of the firewall:
$ /usr/bin/sudo /usr/libexec/ApplicationFirewall/socketfilterfw --setloggingmode on
Turning on log mode
$ /usr/bin/sudo /usr/libexec/ApplicationFirewall/socketfilterfw --setloggingopt detail
Setting detail log option
Note:If the Firewall settings are set through a configuration profile, then modifications cannot be done through the command line. If attempted, you will receive the messageFirewall settings cannot be modified from command line on managed Mac computers.
Profile Method:
Create or edit a configuration profile with the following information:
1. The PayloadType string is com.apple.security.firewall
2. The key to include is EnableFirewall
3. The key must be set to <true>
4. The key to also include is EnableLogging
5. The key must be set to <true>
6. The key to also include is LoggingOption
7. The key must be set to <string>detail</string>
Parameter:
[Yes/No]
Technical Mechanism:
Remediation:
Terminal Method:
Run the following command to enable logging of the firewall:
$ /usr/bin/sudo /usr/libexec/ApplicationFirewall/socketfilterfw --setloggingmode on
Turning on log mode
$ /usr/bin/sudo /usr/libexec/ApplicationFirewall/socketfilterfw --setloggingopt detail
Setting detail log option
Note: If the Firewall settings are set through a configuration profile, then modifications cannot be done through the command line. If attempted, you will receive the message Firewall settings cannot be modified from command line on managed Mac computers.
Profile Method:
Create or edit a configuration profile with the following information:
1. The PayloadType string is com.apple.security.firewall
2. The key to include is EnableFirewall
3. The key must be set to true
4. The key to also include is EnableLogging
5. The key must be set to true
6. The key to also include is LoggingOption
7. The key must be set to string detail /string
CCSS Severity: | CCSS Metrics: |
CCSS Score : 5.6 | Attack Vector: NETWORK |
Exploit Score: 2.2 | Attack Complexity: HIGH |
Impact Score: 3.4 | Privileges Required: NONE |
Severity: MEDIUM | User Interaction: NONE |
Vector: AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L | Scope: UNCHANGED |
| Confidentiality: LOW |
| Integrity: LOW |
| Availability: LOW |
| |
References: Resource Id | Reference |
---|
SCAP Repo OVAL Definition | oval:org.secpod.oval:def:97013 |