Bonjour must be disabled.

Overview

Finding ID	Version	Rule ID	IA Controls	Severity
V-25882	OSX00467 M6	SV-38581r1_rule	ECSC-1	Medium

Description
Bonjour is unnecessary in a managed environment and presents an attack surface. Its behavior, which trusts the local network, is especially inappropriate on portable devices which may connect to untrusted networks.

STIG	Date
MAC OSX 10.6 Workstation Security Technical Implementation Guide Draft	2013-01-10

Details

Check Text ( C-37771r1_chk )
Open a terminal session and enter the following command. sudo ipfw print. If no line contains "deny udp from any to me dst-port 5353" or a more restrictive rule, this is a finding.

Fix Text (F-33017r1_fix)
Open a terminal session and edit or create /Library/LaunchDaemons/org.freebsd.ipfw.plist and ensure it contains the following: "http://www.apple.com/DTDs/ PropertyList-1.0.dtd"> Label org.freebsd.ipfw Program /sbin/ipfw ProgramArguments /sbin/ipfw /etc/ipfw.conf RunAtLoad Edit or create /etc/ipfw.conf and ensure it contains the following line (the first number, a line number, may need to be changed if another line already begins with that number): Add 10 deny udp from any to me dst-port 5353

Fix Text (F-33017r1_fix)

Open a terminal session and edit or create /Library/LaunchDaemons/org.freebsd.ipfw.plist and ensure it contains the following:

"http://www.apple.com/DTDs/ PropertyList-1.0.dtd">

Label
org.freebsd.ipfw
Program
/sbin/ipfw
ProgramArguments

/sbin/ipfw
/etc/ipfw.conf

RunAtLoad

Edit or create /etc/ipfw.conf and ensure it contains the following line (the first number, a line number, may need to be changed if another line already begins with that number):

Add 10 deny udp from any to me dst-port 5353