usnistgov / macos_security

macOS Security Compliance Project

Rules having both the fix and the profile

nihil-admirari opened this issue · comments

os_gatekeeper_enable and system_settings_gatekeeper_identified_developers_allowed have both a configuration profile and a shell script. Firewall rules system_settings_firewall_enable and system_settings_firewall_stealth_mode_enable do the same.

CIS “2.2.1 Ensure Firewall Is Enabled (Automated)” (counterpart of system_settings_firewall_enable) warns that

Note: After some testing, it was discovered that setting globalstate to 0 in the plist /Library/Preferences/com.apple.alf disables the firewall even if the profile is installed. We are now auditing for '0' in that plist even if the profile is installed to give as much information as possible to administrators.

No such warning is given for any of the other three rules. Is duplication of fixes for other rules really necessary?

@nihil-admirari
This is intentional.

The profile locks the GUI but the binary or defaults can override the profile. So both methods are required.
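
The case discussed in this thread (a profile is installed, yet `globalstate` in `/Library/Preferences/com.apple.alf` is 0) can be audited by checking both layers. This is an added shell example, not mSCP's or CIS's own check. The managed-preferences path and the `com.apple.security.firewall` / `EnableFirewall` key are assumptions not stated in the thread, and `classify_firewall` and `audit_live` are hypothetical names.

```shell
#!/bin/sh
# Added example: audit both enforcement layers for the firewall rule.
# Assumed (not on the page): the managed-preferences path and the
# com.apple.security.firewall / EnableFirewall payload key.
ALF_PLIST="/Library/Preferences/com.apple.alf"
MANAGED_PLIST="/Library/Managed Preferences/com.apple.security.firewall"

# classify_firewall PROFILE_VALUE GLOBALSTATE
#   PROFILE_VALUE: 1 if the profile enables the firewall, 0 or "" otherwise
#   GLOBALSTATE:   globalstate from com.apple.alf (0 = off, 1 or 2 = on)
# Prints a verdict; returns 0 only when both layers say the firewall is on.
classify_firewall() {
    profile="$1"
    state="$2"
    case "$state" in
        1|2) plist_on=1 ;;
        0)   plist_on=0 ;;
        *)   echo "UNKNOWN"; return 2 ;;   # plist missing or unreadable
    esac
    if [ "$profile" = "1" ] && [ "$plist_on" = "1" ]; then
        echo "COMPLIANT"; return 0
    elif [ "$profile" = "1" ]; then
        # Profile installed, but the plist value turned the firewall off.
        echo "OVERRIDDEN"; return 1
    elif [ "$plist_on" = "1" ]; then
        # Firewall is on, but nothing locks the setting in the GUI.
        echo "UNMANAGED"; return 1
    fi
    echo "DISABLED"; return 1
}

# Read the live values on a Mac and classify them.
audit_live() {
    profile=$(/usr/bin/defaults read "$MANAGED_PLIST" EnableFirewall 2>/dev/null || true)
    state=$(/usr/bin/defaults read "$ALF_PLIST" globalstate 2>/dev/null || true)
    classify_firewall "$profile" "$state"
}

# Only touch the real preference files when running on macOS.
if [ "$(uname -s)" = "Darwin" ]; then
    audit_live || true
fi
```

An `OVERRIDDEN` verdict is the situation the CIS note warns about: the profile alone would pass a profile-only audit while the firewall is off.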