Check: OSX00467 M6 (MACOSX 10.6, version v1 r3)
Title
Bonjour must be disabled. (Cat II impact)
Discussion
Bonjour is unnecessary in a managed environment and presents an attack surface. Its behavior, which trusts the local network, is especially inappropriate on portable devices which may connect to untrusted networks.
Check Content
Open a terminal session and enter the following command: `sudo ipfw print`. If no line contains "deny udp from any to me dst-port 5353" or a more restrictive rule, this is a finding.
Fix Text
Open a terminal session and edit or create /Library/LaunchDaemons/org.freebsd.ipfw.plist and ensure it contains the following:

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>Label</key>
    <string>org.freebsd.ipfw</string>
    <key>Program</key>
    <string>/sbin/ipfw</string>
    <key>ProgramArguments</key>
    <array>
        <string>/sbin/ipfw</string>
        <string>/etc/ipfw.conf</string>
    </array>
    <key>RunAtLoad</key>
    <true/>
</dict>
</plist>
```

Edit or create /etc/ipfw.conf and ensure it contains the following line (the leading number, 10, is the ipfw rule number and may need to be changed if another rule in the file already uses it; ipfw keywords are lowercase):

```
add 10 deny udp from any to me dst-port 5353
```
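The following POSIX shell script is an added example, not part of the STIG text, that automates the Check Content above: it reads `ipfw print` output and reports whether a rule denying UDP to port 5353 (mDNS) is present. The rule listing samples embedded below are constructed to mirror the format ipfw uses when listing rules; `check_bonjour_rule` and `audit_live` are names chosen here. Beyond the literal rule in the check, it also accepts `any` as the destination and `ip` as the protocol, since those block at least as much traffic; any other variant is reported as a finding so it can be reviewed by hand.

```shell
#!/bin/sh
# Added example (not from the STIG): evaluate ipfw rule output for the
# Bonjour (mDNS, UDP/5353) deny rule required by OSX00467 M6.

# Constructed samples in the format `ipfw print` lists rules:
# "<rule number> <action> <proto> from <src> to <dst> [options]".
SAMPLE_COMPLIANT='00010 deny udp from any to me dst-port 5353
65535 allow ip from any to any'

SAMPLE_STRICTER='00010 deny udp from any to any dst-port 5353
65535 allow ip from any to any'

SAMPLE_FINDING='00010 allow udp from any to me dst-port 5353
65535 allow ip from any to any'

# check_bonjour_rule: reads an ipfw rule listing on stdin, prints
# "compliant" or "finding", and returns 0 or 1 accordingly.
# Accepts the exact STIG rule plus the broader forms (ip proto, any dst),
# which are more restrictive; anything else is a finding for manual review.
check_bonjour_rule() {
    if grep -Eq '^[0-9]+[[:space:]]+deny (udp|ip) from any to (me|any) dst-port 5353'; then
        echo compliant
        return 0
    fi
    echo finding
    return 1
}

# audit_live: run the check against the running host (requires root,
# as in the STIG's `sudo ipfw print`).
audit_live() {
    sudo ipfw print | check_bonjour_rule
}

# Usage on a 10.6 host: sh check_bonjour.sh --live
if [ "${1:-}" = "--live" ]; then
    audit_live
fi
```

The exit status lets the function be used directly in a scripted audit; the printed word is for a human reading the output.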
Additional Identifiers
Rule ID: SV-38581r1_rule
Vulnerability ID: V-25882
Group Title:
Expert Comments
CCIs
| Number | Definition |
|---|---|
| No CCIs are assigned to this check | |
Controls
| Number | Title |
|---|---|
| No controls are assigned to this check | |