Title

The macOS system must disable the built-in web server. (Cat II impact)

Discussion

The built-in web server managed by launchd is a nonessential service built into macOS and must be disabled and not running. Note: The built-in web server is disabled at startup by default with macOS.

Check Content

Verify the macOS system is configured to disable the built-in web server with the following command: result="FAIL" enabled=$(/bin/launchctl print-disabled system | /usr/bin/grep '"org.apache.httpd" => enabled') running=$(/bin/launchctl print system/org.apache.httpd 2>/dev/null) if [[ -z "$running" ]] && [[ -z "$enabled" ]]; then result="PASS" elif [[ -n "$running" ]]; then result=result+" RUNNING" elif [[ -n "$enabled" ]]; then result=result+" ENABLED" fi echo $result If the result is not "PASS", this is a finding.

Fix Text

Configure the macOS system to disable the built-in web server with the following command: /usr/sbin/apachectl stop 2>/dev/null /bin/launchctl disable system/org.apache.httpd The system may need a restart for the update to take effect.

Additional Identifiers

Rule ID: SV-277091r1149419_rule

Vulnerability ID: V-277091

Group Title: SRG-OS-000080-GPOS-00048

Expert Comments

CCIs tied to check.

Controls tied to check. These are derived from the CCIs shown above.