
`alf` table returns no results on macOS 15 Sequoia

Open zayhanlon opened this issue 5 months ago • 32 comments

Problem

Application Firewall settings are no longer contained in a plist, so Firewall is reported as not activated on Sequoia devices (incorrectly).

Related to: https://github.com/osquery/osquery/issues/8395

From Apple docs (https://developer.apple.com/documentation/macos-release-notes/macos-15-release-notes#Deprecations): "Application Firewall settings are no longer contained in a property list. If your app or workflow relies on changing Application Firewall settings by modifying /Library/Preferences/com.apple.alf.plist, then you need to make changes to use the socketfilterfw command line tool instead. (124405935)"

What have you tried?

No workarounds available at the moment via Fleet or osquery

Potential solutions

Another way to obtain the data could be to add a new fleetd table to allow this. The new fleetd table can execute the socketfilterfw command and return the data.

What is the expected workflow as a result of your proposal?

A new table (or other proposed solution) would allow me to pull the application firewall settings for my macOS 15 device.

QA notes

5.14.1 has been released to edge. Build fleetd with fleetctl package [...] --osqueryd-channel edge.

Following tests should be executed on macOS 14 and 15. The tables we want to test are:

  • alf: Should return global_state, stealth_enabled, logging_enabled, and version (other columns will be empty for now). Test enabling/disabling each setting. PS: There's no way to enable firewall "logging" on macOS 15, so it will currently always be 0 (AFAICS macOS exposes the value of the setting but it's not configurable anymore).
  • alf_exceptions: On macOS 14 this table returns file paths, in macOS 15 this table returns bundle identifiers instead. Exceptions on executables without bundle identifier are not included in the returned list for macOS 15.
  • alf_explicit_auths: Returns no results on macOS 15 (you should only see a verbose log that says I1008 09:47:54.161409 213143552 firewall.mm:239] alf_explicit_auths is currently not supported on macOS 15).

zayhanlon, Sep 04 '24 13:09
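The following is an added example, not fleetd or osquery code, of the approach the issue proposes: invoke socketfilterfw and map its text output onto the alf columns the QA notes say are populated (global_state, stealth_enabled, logging_enabled). The path of the tool is the usual /usr/libexec/ApplicationFirewall location, and the exact phrasing of its output ("Firewall is enabled. (State = 1)", "Stealth mode enabled", "Log mode is off") is an assumption, so the parsers match loosely on "State = N" and on enabled/disabled or on/off rather than on a fixed string. The version column is left out because socketfilterfw is not known to report it. When the tool is absent (a non-macOS host) the script falls back to constructed sample output so it can be run offline.

```shell
#!/bin/sh
# Added example (not fleetd/osquery code): derive the osquery alf columns
# global_state, stealth_enabled and logging_enabled from socketfilterfw output
# instead of /Library/Preferences/com.apple.alf.plist, which macOS 15 no
# longer uses for these settings.

# Assumed location of the Apple CLI tool.
SFW=/usr/libexec/ApplicationFirewall/socketfilterfw

# Extract N from text like "Firewall is enabled. (State = 1)" (assumed format).
# State 0 = off, 1 = on, 2 = block all incoming connections.
parse_global_state() {
  printf '%s\n' "$1" | sed -n 's/.*State *= *\([0-9]*\).*/\1/p' | head -n 1
}

# Map a toggle line such as "Stealth mode enabled" or "Log mode is off"
# (assumed formats) to 1/0. "disabled"/" off" are tested first so that
# "disabled" can never be mistaken for "enabled".
parse_toggle() {
  case "$(printf '%s' "$1" | tr 'A-Z' 'a-z')" in
    *disabled*|*" off"*) echo 0 ;;
    *enabled*|*" on"*)   echo 1 ;;
    *)                   echo "" ;;   # unknown phrasing: leave the column empty
  esac
}

# alf_row GLOBAL_TEXT STEALTH_TEXT LOGGING_TEXT
# Prints one tab-separated row: global_state, stealth_enabled, logging_enabled.
alf_row() {
  printf '%s\t%s\t%s\n' \
    "$(parse_global_state "$1")" "$(parse_toggle "$2")" "$(parse_toggle "$3")"
}

# Live query on macOS; constructed sample output (not captured from a real
# host) anywhere the tool is missing, so the script still runs for review.
collect_alf() {
  if [ -x "$SFW" ]; then
    alf_row "$("$SFW" --getglobalstate)" \
            "$("$SFW" --getstealthmode)" \
            "$("$SFW" --getloggingmode)"
  else
    alf_row "Firewall is enabled. (State = 1)" \
            "Stealth mode disabled" \
            "Log mode is off"
  fi
}

printf 'global_state\tstealth_enabled\tlogging_enabled\n'
collect_alf
```

Because logging cannot be turned on in macOS 15 (per the QA notes), a real host on Sequoia should always produce 0 in the third column even with the firewall enabled; on macOS 14 toggling each setting via `socketfilterfw --setglobalstate`, `--setstealthmode` and `--setloggingmode` and re-running the script is the check described in the QA notes.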