Rules Related To 'avahi'

Component overview

Relevant packages:

Relevant groups:

Changelog:

No changes recorded.

Relevant rules:

Rule details

Check Avahi Responses' TTL Field

avahi_check_ttl

Description

To make Avahi ignore packets unless the TTL field is 255, edit /etc/avahi/avahi-daemon.conf and ensure the following line appears in the [server] section:

check-response-ttl=yes

Rationale

This helps to ensure that only mDNS responses from the local network are processed, because the TTL field in a packet is decremented from its initial value of 255 whenever it is routed from one network to another. Although a properly-configured router or firewall should not allow mDNS packets into the local network at all, this option provides another check to ensure they are not permitted.

Disable Avahi Publishing

avahi_disable_publishing

Description

To prevent Avahi from publishing its records, edit /etc/avahi/avahi-daemon.conf and ensure the following line appears in the [publish] section:

disable-publishing=yes

Rationale

This helps ensure that no record will be published by Avahi.

Serve Avahi Only via Required Protocol

avahi_ip_only

Description

If you are using only IPv4, edit /etc/avahi/avahi-daemon.conf and ensure the following line exists in the [server] section:

use-ipv6=no

Similarly, if you are using only IPv6, disable IPv4 sockets with the line:

use-ipv4=no

Rationale

Prevent Other Programs from Using Avahi's Port

avahi_prevent_port_sharing

Description

To prevent other mDNS stacks from running, edit /etc/avahi/avahi-daemon.conf and ensure the following line appears in the [server] section:

disallow-other-stacks=yes

Rationale

This helps ensure that only Avahi is responsible for mDNS traffic coming from that port on the system.

Restrict Information Published by Avahi

avahi_restrict_published_information

Description

If it is necessary to publish some information to the network, it should not be joined by any extraneous information, or by information supplied by a non-trusted source on the system. Prevent user applications from using Avahi to publish services by adding or correcting the following line in the [publish] section:

disable-user-service-publishing=yes

Implement as many of the following lines as possible, to restrict the information published by Avahi.

publish-addresses=no
publish-hinfo=no
publish-workstation=no
publish-domain=no

Inspect the files in the directory /etc/avahi/services/. Unless there is an operational need to publish information about each of these services, delete the corresponding file.

Rationale

These options prevent publishing attempts from succeeding, and can be applied even if publishing is disabled entirely via disable-publishing. Alternatively, these can be used to restrict the types of published information in the event that some information must be published.
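The settings required by avahi_check_ttl, avahi_disable_publishing, avahi_ip_only, avahi_prevent_port_sharing and avahi_restrict_published_information can be audited in one pass over /etc/avahi/avahi-daemon.conf. The checker below is an added example, not part of this rule set or of the avahi project; it assumes the file parses as INI and treats a key that is absent or commented out as a finding, and the two sample configurations are constructed for illustration.

```python
import configparser

# Settings this page asks for, as (section, option) -> required value.
# Assumption (not on the page): an absent or commented-out key is reported
# as a finding, since avahi then falls back to its own default instead.
REQUIRED = {
    ("server", "check-response-ttl"): "yes",
    ("server", "disallow-other-stacks"): "yes",
    ("publish", "disable-publishing"): "yes",
    ("publish", "disable-user-service-publishing"): "yes",
    ("publish", "publish-addresses"): "no",
    ("publish", "publish-hinfo"): "no",
    ("publish", "publish-workstation"): "no",
    ("publish", "publish-domain"): "no",
}

def audit_avahi_conf(text, ip_version=None):
    """Sorted 'section/key: found -> wanted' lines for each unhardened setting."""
    conf = configparser.ConfigParser(interpolation=None)
    conf.read_string(text)  # INI-style file; '#' lines are comments
    checks = dict(REQUIRED)
    if ip_version in (4, 6):  # avahi_ip_only: switch off the protocol not in use
        checks[("server", f"use-ipv{10 - ip_version}")] = "no"
    findings = []
    for (section, key), wanted in sorted(checks.items()):
        found = conf.get(section, key, fallback=None)
        if found is None or found.strip().lower() != wanted:
            findings.append(f"{section}/{key}: {found!r} -> {wanted}")
    return findings

# Constructed samples: a stock-looking file with keys still commented out, and
# one with every setting from this page applied on an IPv4-only host.
WEAK_CONF = """[server]
use-ipv6=yes
#check-response-ttl=no
[publish]
publish-hinfo=yes
"""
HARDENED_CONF = """[server]
use-ipv6=no
check-response-ttl=yes
disallow-other-stacks=yes
[publish]
disable-publishing=yes
disable-user-service-publishing=yes
publish-addresses=no
publish-hinfo=no
publish-workstation=no
publish-domain=no
"""
```

To audit a live host, pass `open("/etc/avahi/avahi-daemon.conf").read()` to `audit_avahi_conf` with the IP version the host actually uses; an empty list means every setting from this page is in place.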

Uninstall avahi-autoipd Server Package

package_avahi-autoipd_removed

Description

If the system does not need to have an Avahi server which implements the DNS Service Discovery and Multicast DNS protocols, the avahi-autoipd and avahi packages can be uninstalled.

Rationale

Automatic discovery of network services is not normally required for system functionality. It is recommended to remove this package to reduce the potential attack surface.

Uninstall avahi Server Package

package_avahi_removed

Description

If the system does not need to have an Avahi server which implements the DNS Service Discovery and Multicast DNS protocols, the avahi-autoipd and avahi packages can be uninstalled.

Rationale

Automatic discovery of network services is not normally required for system functionality. It is recommended to remove this package to reduce the potential attack surface.

Disable Avahi Server Software

service_avahi-daemon_disabled

Description

The avahi-daemon service can be disabled with the following command:

$ sudo systemctl mask --now avahi-daemon.service

Rationale

Because the Avahi daemon service keeps an open network port, it is subject to network attacks. Its functionality is convenient but is only appropriate if the local network can be trusted.