Disable Avahi Server Software
An XCCDF Rule
Description
The avahi-daemon
service can be disabled with the following command:
$ sudo systemctl mask --now avahi-daemon.service
Rationale
Because the Avahi daemon service keeps an open network port, it is subject to network attacks. Its functionality is convenient but is only appropriate if the local network can be trusted.
- ID
- xccdf_org.ssgproject.content_rule_service_avahi-daemon_disabled
- Severity
- Medium
- References
- Updated
Remediation - Kubernetes Patch
apiVersion: machineconfiguration.openshift.io/v1
kind: MachineConfig
spec:
config:
ignition:
version: 3.1.0
Remediation - OS Build Blueprint
[customizations.services]
disabled = ["avahi-daemon"]
Remediation - Ansible
- name: Gather the package facts
package_facts:
manager: auto
tags:
- NIST-800-53-CM-6(a)
- NIST-800-53-CM-7(a)
Remediation - Shell Script
# Remediation is applicable only in certain platforms
if ( [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ] && dpkg-query --show --showformat='${db:Status-Status}\n' 'avahi-daemon' 2>/dev/null | grep -q installed ); then
SYSTEMCTL_EXEC='/usr/bin/systemctl'
"$SYSTEMCTL_EXEC" stop 'avahi-daemon.service'
"$SYSTEMCTL_EXEC" disable 'avahi-daemon.service'
Remediation - Puppet
include disable_avahi-daemon
class disable_avahi-daemon {
service {'avahi-daemon':
enable => false,
ensure => 'stopped',