2.1.2 Ensure Firewall Stealth Mode Is Enabled

Information

While in Stealth mode, the computer will not respond to unsolicited probes, dropping that traffic.

Stealth mode on the firewall minimizes the threat of system discovery tools while connected to a network or the Internet.

Solution

Run the following command to enable stealth mode; on success it prints the confirmation shown below the command:

% /usr/bin/sudo /usr/libexec/ApplicationFirewall/socketfilterfw --setstealthmode on

Stealth mode enabled

Impact:

Traditional network discovery tools like ping will not succeed. Other network tools that measure activity and approved applications will work as expected.

This control aligns with the primary macOS use case of a laptop that is often connected to untrusted networks where host segregation may be non-existent. In that use case, hiding from the other inmates is likely more than desirable. In use cases where the system is used only on trusted LANs with static IP addresses, stealth mode may not be desirable.
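The following audit-and-remediate wrapper is an added example, not part of the benchmark text or Apple's tooling. It assumes that socketfilterfw accepts --getstealthmode and answers with "Stealth mode enabled" or "Stealth mode disabled" (mirroring the confirmation the Solution above shows for --setstealthmode); the sample lines fed to the parser are constructed for offline testing, and the script file name stealth_check.sh is hypothetical.

```shell
#!/bin/sh
# Added example: CIS-style audit and remediation of macOS firewall stealth mode.
# Assumptions: socketfilterfw supports --getstealthmode and reports
# "Stealth mode enabled" / "Stealth mode disabled" (assumed wording).

SFW=/usr/libexec/ApplicationFirewall/socketfilterfw

# Normalize one line of socketfilterfw output to on / off / unknown.
# Case-insensitive and tolerant of surrounding text so small wording
# changes between macOS releases do not silently break the audit.
parse_stealth_state() {
    line=$(printf '%s' "$1" | tr '[:upper:]' '[:lower:]')
    case "$line" in
        *stealth*disabled*) echo off ;;
        *stealth*enabled*)  echo on ;;
        *)                  echo unknown ;;
    esac
}

# Audit: 0 = pass (stealth on), 1 = fail (stealth off),
# 2 = state cannot be determined (e.g. not a macOS host, unexpected output).
audit_stealth_mode() {
    if [ ! -x "$SFW" ]; then
        echo "audit: $SFW not found; not a macOS host?" >&2
        return 2
    fi
    state=$(parse_stealth_state "$("$SFW" --getstealthmode 2>/dev/null)")
    case "$state" in
        on)  echo "PASS: stealth mode enabled"; return 0 ;;
        off) echo "FAIL: stealth mode disabled"; return 1 ;;
        *)   echo "UNKNOWN: could not parse socketfilterfw output" >&2; return 2 ;;
    esac
}

# Remediate: only touch the setting when the audit actually fails, then
# re-audit so the caller receives the verified end state, not a guess.
remediate_stealth_mode() {
    audit_stealth_mode && return 0
    rc=$?
    [ "$rc" -eq 1 ] || return "$rc"
    /usr/bin/sudo "$SFW" --setstealthmode on || return 1
    audit_stealth_mode
}

main() {
    case "$1" in
        audit)     audit_stealth_mode ;;
        remediate) remediate_stealth_mode ;;
        *) echo "usage: $0 audit|remediate" >&2; return 2 ;;
    esac
}

# Only dispatch when invoked with an action, so sourcing the file for its
# functions has no side effects.
[ $# -gt 0 ] && main "$@"
```

Run as `sh stealth_check.sh audit` to report the current state without changing anything, or `sh stealth_check.sh remediate` to enable stealth mode only when the audit fails; the exit code (0 pass, 1 fail, 2 undetermined) lets a configuration-management job distinguish a non-compliant host from one where the check could not run.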

See Also

https://workbench.cisecurity.org/benchmarks/17466

Item Details

Category: CONFIGURATION MANAGEMENT, SYSTEM AND SERVICES ACQUISITION, SYSTEM AND COMMUNICATIONS PROTECTION

References: 800-53|CM-1, 800-53|CM-2, 800-53|CM-6, 800-53|CM-7, 800-53|CM-7(1), 800-53|CM-9, 800-53|SA-3, 800-53|SA-8, 800-53|SA-10, 800-53|SC-7, 800-53|SC-7(5), CSCv7|5.1, CSCv7|9.4

Plugin: Unix

Control ID: c31f417fae0c19c64b686c6f9673cc0986789059501ad847305689b44bd334d0