2.2.2 Ensure Firewall Stealth Mode Is Enabled

Information

While in Stealth mode, the computer will not respond to unsolicited probes, dropping that traffic.

Stealth mode on the firewall minimizes the threat of system discovery tools while connected to a network or the Internet.

Solution

Graphical Method:

Perform the following steps to enable firewall stealth mode:

- Open System Settings
- Select Network
- Select Firewall
- Select Options...
- Set Enabled stealth mode to enabled

Terminal Method:

Run the following command to enable stealth mode:

% /usr/bin/sudo /usr/libexec/ApplicationFirewall/socketfilterfw --setstealthmode on

Stealth mode enabled

Profile Method:

Create or edit a configuration profile with the following information:

- The PayloadType string is com.apple.security.firewall
- The key to include is EnableStealthMode
- The key must be set to <true/>

Note: This key must be set in the same configuration profile with EnableFirewall set to <true/> If it is set in its own configuration profile, it will fail.

Impact:

Traditional network discovery tools like ping will not succeed. Other network tools that measure activity and approved applications will work as expected.

This control aligns with the primary macOS use case of a laptop that is often connected to untrusted networks where host segregation may be non-existent. In that use case, hiding from the other inmates is likely more than desirable. In use cases where use is only on trusted LANs with static IP addresses, stealth mode may not be desirable.

See Also

https://workbench.cisecurity.org/benchmarks/18635

Item Details

Category: CONFIGURATION MANAGEMENT, SYSTEM AND SERVICES ACQUISITION, SYSTEM AND COMMUNICATIONS PROTECTION

References: 800-53|CM-2, 800-53|CM-6, 800-53|CM-7, 800-53|CM-7(1), 800-53|CM-9, 800-53|SA-3, 800-53|SA-8, 800-53|SA-10, 800-53|SC-7, 800-53|SC-7(5), CSCv7|5.1, CSCv7|9.4

Plugin: Unix

Control ID: 56d7a99e97a0c73282bf102327ce34a8bf5fadf2f74bf89671a24a69082a9ca4