
Bonjour must be disabled.


Overview

Finding ID: V-25882
Version: OSX00467 M6
Rule ID: SV-38581r1_rule
IA Controls: ECSC-1
Severity: Medium
Description
Bonjour is unnecessary in a managed environment and presents an attack surface. Its behavior, which trusts the local network, is especially inappropriate on portable devices which may connect to untrusted networks.
STIG: MAC OSX 10.6 Workstation Security Technical Implementation Guide
Date: 2013-04-09

Details

Check Text (C-37771r1_chk)
Open a terminal session and enter the following command.

sudo ipfw print

If no line contains "deny udp from any to me dst-port 5353" or a more restrictive rule, this is a finding.
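An added automation of this check (not part of the STIG itself): a POSIX shell function that reads the output of `sudo ipfw print` on stdin and reports whether the mDNS deny rule is present, exercised here on constructed sample output rather than a real host. It matches only the exact rule form named in the check, so a "more restrictive" variant still needs manual review.

```shell
#!/bin/sh
# Reads `ipfw print` output on stdin; returns 0 when a rule of the form
# "<rule-number> deny udp from any to me dst-port 5353" is present, else 1.
check_bonjour_rule() {
  grep -Eq '^[[:space:]]*[0-9]+[[:space:]]+deny[[:space:]]+udp[[:space:]]+from[[:space:]]+any[[:space:]]+to[[:space:]]+me[[:space:]]+dst-port[[:space:]]+5353([[:space:]]|$)'
}

# Constructed sample outputs (not captured from a real system).
# ipfw prints rule numbers zero-padded to five digits.
COMPLIANT_OUTPUT='00010 deny udp from any to me dst-port 5353
65535 allow ip from any to any'
NONCOMPLIANT_OUTPUT='65535 allow ip from any to any'

# $1: ipfw output text. Prints a verdict for V-25882 and returns 0 (not a
# finding) or 1 (finding).
audit_bonjour() {
  if printf '%s\n' "$1" | check_bonjour_rule; then
    echo "V-25882: not a finding (mDNS deny rule present)"
    return 0
  fi
  echo "V-25882: FINDING (no rule denying udp to me dst-port 5353)"
  return 1
}

# On a live host: sudo ipfw print | check_bonjour_rule && echo ok
```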
Fix Text (F-33017r1_fix)
Open a terminal session and edit or create /Library/LaunchDaemons/org.freebsd.ipfw.plist and ensure it contains the following:

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
<key>Label</key>
<string>org.freebsd.ipfw</string>
<key>Program</key>
<string>/sbin/ipfw</string>
<key>ProgramArguments</key>
<array>
<string>/sbin/ipfw</string>
<string>/etc/ipfw.conf</string>
</array>
<key>RunAtLoad</key>
<true/>
</dict>
</plist>

Edit or create /etc/ipfw.conf and ensure it contains the following line (the first number is the ipfw rule number; change it if another rule already uses that number):

add 10 deny udp from any to me dst-port 5353