2.5.2.2 Ensure Firewall Stealth Mode Is Enabled

Information

While in Stealth mode, the computer will not respond to unsolicited probes, dropping that traffic.

http://support.apple.com/en-us/HT201642

Rationale:

Stealth mode on the firewall minimizes the threat of system discovery tools while connected to a network or the Internet.

Impact:

Traditional network discovery tools like ping will not succeed. Other network tools that measure activity and approved applications will work as expected.

This control aligns with the primary macOS use case of a laptop that is often connected to untrusted networks where host segregation may be non-existent. In that use case, hiding from the other inmates is likely more than desirable. In use cases where use is only on trusted LANs with static IP addresses, stealth mode may not be desirable.

Solution

Graphical Method:
Perform the following steps to enable stealth mode:

Open System Preferences

Select Security & Privacy

Select Firewall Options...

Set Enable stealth mode to enabled

Terminal Method:
Run the following command to enable stealth mode:

$ /usr/bin/sudo /usr/libexec/ApplicationFirewall/socketfilterfw --setstealthmode on

Stealth mode enabled

Profile Method:
Create or edit a configuration profile with the following information:

The PayloadType string is com.apple.security.firewall

The key to include is EnableStealthMode

The key must be set to <true/>

Note: This key must be set in the same configuration profile with EnableFirewall set to <true/>. If it is set in its own configuration profile, it will fail.

See Also

https://workbench.cisecurity.org/files/4176

Item Details

Category: CONFIGURATION MANAGEMENT, SYSTEM AND SERVICES ACQUISITION, SYSTEM AND COMMUNICATIONS PROTECTION

References: 800-53|CM-1, 800-53|CM-2, 800-53|CM-6, 800-53|CM-7, 800-53|CM-7(1), 800-53|CM-9, 800-53|SA-3, 800-53|SA-8, 800-53|SA-10, 800-53|SC-7, 800-53|SC-7(5), CSCv7|5.1, CSCv7|9.4

Plugin: Unix

Control ID: 5db82a152fdbe498e9d6ba97bfd4fe8ee2a6d0d70daf92b81597d9e2e03dc137