kolide · Micah-Kolide · Aug 20, 2024 · Aug 20, 2024 · Aug 20, 2024
diff --git a/ee/tables/execparsers/socketfilterfw/parser.go b/ee/tables/execparsers/socketfilterfw/parser.go
@@ -113,7 +113,10 @@ func sanitizeState(state string) string {
 	// When the "block all" firewall option is enabled, it doesn't
 	// include a state like string, which is why we match on
 	// the string value of "connections" for that mode.
-	case "1", "on", "enabled", "connections":
+	//
+	// When both the Firewall and Stealth Mode are enabled,
+	// the global firewall state value is `2` instead of `1`.
+	case "1", "2", "on", "enabled", "connections":
 		return "1"
 	case "throttled", "brief", "detail":
 		// The "logging option" value differs from the booleans.

diff --git a/ee/tables/execparsers/socketfilterfw/parser_test.go b/ee/tables/execparsers/socketfilterfw/parser_test.go
@@ -67,7 +67,7 @@ func TestParse(t *testing.T) {
 					"block_all_enabled":               "0",
 					"allow_built-in_signed_enabled":   "1",
 					"allow_downloaded_signed_enabled": "1",
-					"stealth_enabled":                 "0",
+					"stealth_enabled":                 "1",
 					"logging_enabled":                 "1",
 					"logging_option":                  "throttled",
 				},

diff --git a/ee/tables/execparsers/socketfilterfw/test-data/data.txt b/ee/tables/execparsers/socketfilterfw/test-data/data.txt
@@ -1,7 +1,7 @@
-Firewall is enabled. (State = 1)
+Firewall is enabled. (State = 2)
 Firewall has block all state set to disabled.
 Automatically allow built-in signed software ENABLED.
 Automatically allow downloaded signed software ENABLED.
-Firewall stealth mode is off
+Stealth mode enabled
 Log mode is on 
 Log Option is throttled