Merge pull request #1240 from remotephone/oscdt1016
[OSCD] Test for T1016 - macOS firewall enumeration
@@ -122,4 +122,19 @@ atomic_tests:
|
||||
cleanup_command: |
|
||||
Remove-Item -ErrorAction ignore "#{output_file}"
|
||||
name: powershell
|
||||
|
||||
- name: List macOS Firewall Rules
|
||||
description: |
|
||||
"This will test if the macOS firewall is enabled and/or show what rules are configured. Must be run with elevated privileges. Upon successful execution, these commands will output various information about the firewall configuration, including status and specific port/protocol blocks or allows.
|
||||
|
||||
Using `defaults`, additional arguments can be added to see filtered details, such as `globalstate` for global configuration (\"Is it on or off?\"), `firewall` for common application allow rules, and `explicitauths` for specific rules configured by the user.
|
||||
|
||||
Using `socketfilterfw`, flags such as --getglobalstate or --listapps can be used for similar filtering. At least one flag is required to send parseable output to standard out.
|
||||
supported_platforms:
|
||||
- macos
|
||||
executor:
|
||||
command: |
|
||||
sudo defaults read /Library/Preferences/com.apple.alf
|
||||
sudo /usr/libexec/ApplicationFirewall/socketfilterfw --getglobalstate
|
||||
name: bash
|
||||
elevation_required: true
|
||||
|
||||
|
||||
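Review bot: The new test's description sits under `description: |`, a YAML literal block scalar, so the leading `"` before "This will test" and the backslashes in `\"Is it on or off?\"` are kept verbatim and will show up in the rendered text; drop the opening quote and write the inner quotes unescaped. The description also names `--getglobalstate` and `--listapps` without the backticks used for `defaults`, `globalstate`, `firewall` and `explicitauths`, which is worth making consistent. Finally, the test is named "List macOS Firewall Rules" but the `socketfilterfw` call only passes `--getglobalstate`; adding the `--listapps` call the description already mentions would make the output match the name.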