Rules Related To 'cups'

Component overview

Relevant packages:

Relevant groups:

Changelog:

No changes recorded.

Relevant rules:

Rule details

Disable Printer Browsing Entirely if Possible

cups_disable_browsing

Description

By default, CUPS listens on the network for printer list broadcasts on UDP port 631. This functionality is called printer browsing. To disable printer browsing entirely, edit the CUPS configuration file, located at /etc/cups/cupsd.conf, to include the following:

Browsing Off
BrowseAllow none

Rationale

The CUPS print service can be configured to broadcast a list of available printers to the network. Other systems on the network, also running the CUPS print service, can be configured to listen to these broadcasts and add and configure these printers for immediate use. By disabling this browsing capability, the system will no longer generate or receive such broadcasts.

Disable Print Server Capabilities

cups_disable_printserver

Description

To prevent remote users from potentially connecting to and using locally configured printers, disable the CUPS print server sharing capabilities. To do so, limit how the server will listen for print jobs by removing the more generic port directive from /etc/cups/cupsd.conf:

Port 631

and replacing it with the Listen directive:

Listen localhost:631

This will prevent remote users from printing to locally configured printers while still allowing local users on the system to print normally.

Rationale

By default, locally configured printers will not be shared over the network, but if this functionality has somehow been enabled, these recommendations will disable it again. Be sure to disable outgoing printer list broadcasts, or remote users will still be able to see the locally configured printers, even if they cannot actually print to them. To limit print serving to a particular set of users, use the Policy directive.
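The following added example (not part of the original page, and not the project's own check) audits the text of a cupsd.conf against the cups_disable_browsing and cups_disable_printserver rules described above. The function names, the sample configurations and the set of hosts treated as local are assumptions made for illustration; it also assumes directive names can be matched case-insensitively and that a missing Browsing or BrowseAllow line counts as a failure.

```python
# Added example: audits cupsd.conf text against the two configuration rules above.
LOOPBACK_HOSTS = {"localhost", "127.0.0.1", "[::1]"}  # assumption: hosts treated as local

# Constructed sample configurations, not taken from a real host.
WEAK_CONF = """\
Port 631
Browsing On
BrowseAllow all
"""
HARDENED_CONF = """\
# local printing only
Listen localhost:631
Listen /run/cups/cups.sock
Browsing Off
BrowseAllow none
"""


def parse_directives(text):
    """Map lower-cased directive name -> list of values; skip comments and <Section> tags."""
    seen = {}
    for raw in text.splitlines():
        parts = raw.strip().split(None, 1)
        if not parts or parts[0][0] in "#<":
            continue
        seen.setdefault(parts[0].lower(), []).append(parts[1].strip() if len(parts) > 1 else "")
    return seen


def is_local_listen(value):
    """True for a Unix socket path or a loopback host[:port]."""
    if value.startswith("/"):
        return True
    host = value if value.endswith("]") else value.rsplit(":", 1)[0]
    return host.lower() in LOOPBACK_HOSTS


def audit_cupsd_conf(text):
    """Return the sorted rule ids that the configuration text fails."""
    seen, failed = parse_directives(text), set()
    # cups_disable_browsing: both lines must be present with the values the rule gives.
    for name, want in (("browsing", "off"), ("browseallow", "none")):
        values = seen.get(name, [])
        if not values or any(v.lower() != want for v in values):
            failed.add("cups_disable_browsing")
    # cups_disable_printserver: no generic Port line, and every Listen must be local.
    if "port" in seen or not all(is_local_listen(v) for v in seen.get("listen", [])):
        failed.add("cups_disable_printserver")
    return sorted(failed)


if __name__ == "__main__":
    for label, conf in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        print(label, audit_cupsd_conf(conf) or "compliant")
```

To audit a real host, pass the contents of /etc/cups/cupsd.conf to audit_cupsd_conf.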

Uninstall CUPS Package

package_cups_removed

Description

The cups package can be removed with the following command:

$ sudo apt-get remove cups

Rationale

If the system does not need to print jobs or accept print jobs from other systems, it is recommended that CUPS be removed to reduce the potential attack surface.

Disable the CUPS Service

service_cups_disabled

Description

The cups service can be disabled with the following command:

$ sudo systemctl mask --now cups.service

Rationale

Turn off unneeded services to reduce attack surface.