2.5.2.3 Ensure Firewall Stealth Mode Is Enabled

Information

While in Stealth mode the computer will not respond to unsolicited probes, dropping that traffic.

http://support.apple.com/en-us/HT201642

Rationale:

Stealth mode on the firewall minimizes the threat of system discovery tools while connected to a network or the Internet.

Impact:

Traditional network discovery tools like ping will not succeed. Other network tools that measure activity and approved applications will work as expected.

This control aligns with the primary macOS use case of a laptop that is often connected to untrusted networks where host segregation may be non-existent. In that use case hiding from the other inmates is likely more than desirable. In use cases where use is only on trusted LANs with static IP addresses stealth mode may not be desirable.

Solution

Perform the following to enable stealth mode:
Graphical Method:

Open System Preferences

Select Security & Privacy

Select Firewall Options

Turn on Enable stealth mode

Terminal Method:
Run the following command to enable stealth mode:

$ sudo /usr/libexec/ApplicationFirewall/socketfilterfw --setstealthmode on

Stealth mode enabled

Profile Method:

Edit a configuration profile with the PayLoadType of com.apple.security.firewall

Add the key EnableStealthMode

Set the key to <true/>

Note: This key must be set in the same configuration profile with EnableFirewall set to <true/>. If it is set in it's own configuration profile, it will fail.

Additional Information:

http://docs.info.apple.com/article.html?artnum=306938

See Also

https://workbench.cisecurity.org/files/3569

Item Details

Category: CONFIGURATION MANAGEMENT, SYSTEM AND SERVICES ACQUISITION, SYSTEM AND COMMUNICATIONS PROTECTION

References: 800-53|CM-1, 800-53|CM-2, 800-53|CM-6, 800-53|CM-7, 800-53|CM-7(1), 800-53|CM-9, 800-53|SA-3, 800-53|SA-8, 800-53|SA-10, 800-53|SC-7, 800-53|SC-7(5), CSCv7|5.1, CSCv7|9.4

Plugin: Unix

Control ID: 94606d0535bf265e43c348616d8add4b378d22331fe74b101ebc9a3cbb6c23a8