Information
The socketfilter firewall is the firewall that is used when the Firewall is turned on in the Security & Privacy Preference Pane. To monitor what access is allowed and denied, logging must be enabled. The logging level must be set to 'detailed' to be useful in monitoring the connection attempts that the firewall detects. Throttled logging is not sufficient for examining Firewall connection attempts.
In-depth log monitoring on macOS may require changes to the 'Enable-Private-Data' key in SystemLogging.System to ensure more complete logging.
Reviewing macOS Unified Logs
Rationale:
In order to troubleshoot the successes and failures of a Firewall, detailed logging should be enabled.
Impact:
Detailed logging may result in excessive storage.
Solution
Terminal Method:
Run the following command to enable logging of the firewall:
$ /usr/bin/sudo /usr/libexec/ApplicationFirewall/socketfilterfw --setloggingmode on
Turning on log mode
$ /usr/bin/sudo /usr/libexec/ApplicationFirewall/socketfilterfw --setloggingopt detail
Setting detail log option
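An audit check to confirm that both settings took effect, added here as an example and not part of the original benchmark text. It assumes the `--getloggingmode` and `--getloggingopt` queries print lines of the form `Log mode is on` and `Log option is detail` (matched case-insensitively); the function names are hypothetical.

```shell
#!/bin/sh
# Added example: audit that socketfilterfw logging is on AND set to detail.
# Assumption: the query flags print "Log mode is on" / "Log option is detail".
SFW="${SFW:-/usr/libexec/ApplicationFirewall/socketfilterfw}"

# classify_fw_logging MODE_OUTPUT OPT_OUTPUT
# Prints PASS or a FAIL reason; returns 0 only when both settings comply.
classify_fw_logging() {
    mode=$(printf '%s' "$1" | tr '[:upper:]' '[:lower:]')
    opt=$(printf '%s' "$2" | tr '[:upper:]' '[:lower:]')
    case "$mode" in
        *"log mode is on"*) ;;
        *) echo "FAIL: firewall logging mode is not on"; return 1 ;;
    esac
    case "$opt" in
        *"log option is detail"*) echo "PASS"; return 0 ;;
        *throttled*|*brief*)
            echo "FAIL: logging option is set below detail"; return 1 ;;
        *) echo "FAIL: unrecognized logging option output"; return 1 ;;
    esac
}

# audit_fw_logging: query the live settings on a macOS host and classify them.
# Returns 2 when the socketfilterfw binary is not present (non-macOS host).
audit_fw_logging() {
    if [ ! -x "$SFW" ]; then
        echo "SKIP: $SFW not found"
        return 2
    fi
    classify_fw_logging "$("$SFW" --getloggingmode 2>&1)" \
                        "$("$SFW" --getloggingopt 2>&1)"
}

# Run the live audit only when invoked as: sh script.sh --run
if [ "${1:-}" = "--run" ]; then
    audit_fw_logging
fi
```

A non-zero return from `audit_fw_logging` can be used directly as a compliance failure signal in a management agent or scheduled check.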
Item Details
Category: AUDIT AND ACCOUNTABILITY, SYSTEM AND COMMUNICATIONS PROTECTION
References: 800-53|AU-2, 800-53|AU-3, 800-53|AU-3(1), 800-53|AU-7, 800-53|AU-12, 800-53|SC-7, 800-53|SC-7(5), CSCv7|6.2, CSCv7|6.3, CSCv7|9.2
Control ID: 5e26d15554496e396ef322b1154557b3ae69dbebaa0b863fda80fb32dc054478