Posted on 10-25-2024 08:21 AM
Hi,
We would like to create custom analyses for firewall monitoring. When users turn off the firewall (System Preferences → Network → Firewall), Jamf Protect should trigger an alert. We have already built a custom analysis for the firewall:
$event.type IN {0, 3, 4} AND $event.path == "/Library/Preferences/com.apple.alf.plist" AND $event.file.contentsAsDict.globalstate != "1"
After the update to macOS 15 Sequoia, the plist file no longer exists, which is why we are trying to create a new custom analysis:
$event.type IN {0, 3, 4} AND$event.path == "/Library/Preferences/com.apple.networkextension.plist"
$event.file.contentsAsDict.com.apple.ALF.ApplicationFirewall.Enabled != "1"
I searched on GitHub https://github.com/jamf/jamfprotect but couldn’t find any relevant information.
The plist file contains several dictionaries, but we are only interested in the firewall section. Unfortunately, the analysis does not work. We suspect that the issue lies in the syntax. Could you please help us build this custom analysis correctly or provide tips on how we can check it via the terminal?
Thank you in advance!
Posted on 10-25-2024 08:34 AM
Hey @Grisha
Thanks for posting this question!
Indeed there's a space and an operator missing in the syntax.
$event.type IN {0, 3, 4} AND
$event.path == "/Library/Preferences/com.apple.networkextension.plist" AND
$event.file.contentsAsDict.com.apple.ALF.ApplicationFirewall.Enabled != "1"
You could try the following?
$event.type IN {0, 3, 4} AND
$event.path == "/Library/Preferences/com.apple.networkextension.plist" AND
$event.file.contentsAsDict.com.apple.ALF.ApplicationFirewall[0].Enabled != "1"
Posted on 10-25-2024 09:47 AM
Thank you very much for your help. Unfortunately, it doesn’t work. I believe the problem is that the plist file contains a total of 4 or 5 keys named "Enabled," which makes it difficult to match properly. I look forward to your response.
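An added example (not from this thread, Jamf, or Apple) that addresses the "several keys named Enabled" problem: a small Python script that lists every key path in a plist that ends in Enabled, written in the same dot / [index] notation the predicates above use, together with the value's type, so you can see which path the firewall entry really has and whether it is a bool, integer or string before comparing it with "1". The embedded plist is constructed and only modelled on the key path quoted in the thread; the real layout of /Library/Preferences/com.apple.networkextension.plist may differ, so run the script against the real file.

```python
import plistlib
import sys
from typing import Any, Dict, Iterator, Tuple

# Constructed sample, modelled on the key path quoted in the thread
# (com.apple.ALF.ApplicationFirewall ... Enabled). It is NOT the real
# layout of com.apple.networkextension.plist; pass the real file as argv[1].
SAMPLE_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
  <key>com.apple.ALF.ApplicationFirewall</key>
  <array>
    <dict>
      <key>Enabled</key><true/>
      <key>Identifier</key><string>com.apple.alf</string>
    </dict>
  </array>
  <key>com.example.vpn</key>
  <dict>
    <key>Enabled</key><false/>
  </dict>
</dict>
</plist>
"""


def walk(node: Any, path: str = "") -> Iterator[Tuple[str, Any]]:
    """Yield (dotted_path, value) for every leaf of the parsed plist.
    Dict keys are joined with '.', array elements get '[i]'. Note that a
    key whose own name contains dots (com.apple.ALF...) is indistinguishable
    from nesting in this notation, which is why a predicate key path for
    such a key needs care."""
    if isinstance(node, dict):
        for key, value in node.items():
            yield from walk(value, f"{path}.{key}" if path else key)
    elif isinstance(node, list):
        for index, value in enumerate(node):
            yield from walk(value, f"{path}[{index}]")
    else:
        yield path, node


def enabled_keys(raw: bytes = SAMPLE_PLIST, name: str = "Enabled") -> Dict[str, Any]:
    """Return {path: value} for every leaf whose last component is `name`."""
    data = plistlib.loads(raw)
    return {p: v for p, v in walk(data) if p.rsplit(".", 1)[-1] == name}


if __name__ == "__main__":
    raw = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE_PLIST
    for path, value in enabled_keys(raw).items():
        print(f"{path} = {value!r} ({type(value).__name__})")
```

Run it as `python3 find_enabled.py /Library/Preferences/com.apple.networkextension.plist` on a Sequoia host; the printed type also tells you whether `!= "1"` is comparing against a string at all.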
Posted on 10-26-2024 09:55 AM
On macOS Sequoia, a modification has been implemented in the Firewall management system. To ascertain the current Firewall status, kindly utilize the following command:
/usr/libexec/ApplicationFirewall/socketfilterfw --getglobalstate | awk '{print $3}' | sed 's/\.$//'
Posted on 10-26-2024 10:51 AM
Thank you very much! Unfortunately, I cannot use the command in Custom Analytics. In Custom Analytics, I can only use predicates (https://learn.jamf.com/en-US/bundle/jamf-protect-documentation/page/Creating_Analytics.html). We want to monitor the firewall through Jamf Protect.
a month ago
Here is the document I got from Mac admin. This should help you capture and write the needed custom analytic.
https://trusted.jamf.com/docs/tailored-event-monitoring-on-macos