The Common Unix Printing System (CUPS) service provides both local and network printing support. A system running the CUPS service can accept print jobs from other systems, process them, and send them to the appropriate printer. It also provides an interface for remote administration through a web browser. The CUPS service is installed and activated by default. The project homepage and more detailed documentation are available at http://www.cups.org.
The HP Linux Imaging and Printing service (HPLIP) is a separate package that provides support for some of the additional features that HP printers provide that CUPS may not necessarily support. It relies upon the CUPS service.
3.8.1 Disable the CUPS Service if Possible
Do you need the ability to print from this machine or to allow others to print to it? If not:
# chkconfig cups off
CCE 4112-9, 3755-6
3.8.2 Disable Firewall Access to Printing Service if Possible
Does this system need to operate as a network print server? If not, edit the files /etc/sysconfig/iptables and /etc/sysconfig/ip6tables (if IPv6 is in use). In each file, locate and delete the lines:
-A RH-Firewall-1-INPUT -p udp -m udp --dport 631 -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m tcp --dport 631 -j ACCEPT
CCE 3649-1
By default, inbound connections to the Internet Printing Protocol port are allowed. If the print server does not need to be accessed, either because the machine is not running the print service at all or because the machine is not providing a remote network printer to other machines, this exception should be removed from the firewall configuration. See Section 2.5.5 for more information about the Iptables firewall.
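The following script is an added example (not part of the guide) that checks a Red Hat style iptables rules file for the port 631 ACCEPT rules described above and writes a copy with those rules removed, leaving every other rule untouched. The rules file it operates on is constructed inline for the demonstration; on a real host the inputs would be /etc/sysconfig/iptables and /etc/sysconfig/ip6tables, and the stripped copy would be reviewed before being moved into place.

```shell
#!/bin/sh
# Added example, not from the guide: count and strip the IPP (port 631) ACCEPT
# rules that section 3.8.2 says to delete.  SAMPLE_RULES is a constructed
# stand-in for /etc/sysconfig/iptables.

# A rule on any chain that accepts inbound TCP or UDP traffic to port 631.
# The space after 631 keeps the pattern from matching ports such as 6310.
IPP_ACCEPT='-A [A-Za-z0-9_-]+ .*-p (tcp|udp) .*--dport 631 .*-j ACCEPT'

# Print how many IPP ACCEPT rules file $1 contains ("0" when there are none;
# grep exits 1 in that case, which is why the status is discarded).
count_ipp_accept_rules() {
    grep -c -E -e "$IPP_ACCEPT" "$1" || true
}

# Write file $1 to $2 with the IPP ACCEPT rules removed.  Every other line is
# copied as-is so the rest of the policy is not disturbed.
strip_ipp_accept_rules() {
    grep -v -E -e "$IPP_ACCEPT" "$1" > "$2" || true
}

# Constructed sample resembling a default RHEL 5 /etc/sysconfig/iptables.
SAMPLE_RULES='*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:RH-Firewall-1-INPUT - [0:0]
-A INPUT -j RH-Firewall-1-INPUT
-A RH-Firewall-1-INPUT -i lo -j ACCEPT
-A RH-Firewall-1-INPUT -p udp -m udp --dport 631 -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m tcp --dport 631 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
-A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited
COMMIT'

# Run the check on the constructed file and print
# "<rules before> <rules after> <ssh rule still present>".
demo_iptables_audit() {
    tmpdir=$(mktemp -d)
    printf '%s\n' "$SAMPLE_RULES" > "$tmpdir/iptables"
    before=$(count_ipp_accept_rules "$tmpdir/iptables")
    strip_ipp_accept_rules "$tmpdir/iptables" "$tmpdir/iptables.new"
    after=$(count_ipp_accept_rules "$tmpdir/iptables.new")
    ssh_kept=$(grep -c -e '--dport 22 ' "$tmpdir/iptables.new" || true)
    rm -rf "$tmpdir"
    printf '%s %s %s\n' "$before" "$after" "$ssh_kept"
}

demo_iptables_audit   # prints: 2 0 1
```

Running count_ipp_accept_rules against the live rules file after the edit gives a quick confirmation that no port 631 exception remains; a non-zero count on a machine with cups turned off is the case the section warns about.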
3.8.3 Configure the CUPS Service if Necessary
CUPS provides the ability to easily share local printers with other machines over the network. It does this by allowing machines to share lists of available printers. Additionally, each machine that runs the CUPS service can potentially act as a print server. Whenever possible, the printer sharing and print server capabilities of CUPS should be limited or disabled. The following recommendations should demonstrate how to do just that.
3.8.3.1 Limit Printer Browsing
By default, CUPS listens on the network for printer list broadcasts on UDP port 631. This functionality is called printer browsing.
3.8.3.1.1 Disable Printer Browsing Entirely if Possible
To disable printer browsing entirely, edit the CUPS configuration file, located at /etc/cups/cupsd.conf:
Browsing Off
BrowseAllow none
CCE 4420-6, 4407-3
The CUPS print service can be configured to broadcast a list of available printers to the network. Other machines on the network, also running the CUPS print service, can be configured to listen to these broadcasts and add and configure these printers for immediate use. By disabling this browsing capability, the machine will no longer generate or receive such broadcasts.
3.8.3.1.2 Limit Printer Browsing to a Particular Subnet if Necessary
It is possible to disable outgoing printer list broadcasts without affecting incoming broadcasts from other machines. To do so, open the CUPS configuration file, located at /etc/cups/cupsd.conf. Look for the line that begins with BrowseAddress and remove it. The line will look like the following:
BrowseAddress @LOCAL
If the intent is not to block printer sharing, but to limit it to a particular set of machines, you can limit the UDP printer broadcasts to trusted network addresses.
BrowseAddress ip-address:631
Likewise, to ignore incoming UDP printer list broadcasts, or to limit the set of machines to listen to, use the BrowseAllow and BrowseDeny directives.
BrowseDeny all
BrowseAllow ip-address
This combination will deny incoming broadcasts from any machine except those that are explicitly allowed with BrowseAllow.
By default, when printer sharing is enabled, CUPS will broadcast to every network that its host machine is connected to through all available network interfaces on port 631. It will also listen to incoming broadcasts from other machines on the network. Either list one BrowseAddress line for each client machine and one BrowseAllow line for each print server or use one of the supported shorthand notations that the CUPS service recognizes.
Please see the cupsd.conf(5) man page or the documentation provided at http://www.cups.org for more information on other ways to format these directives.
3.8.3.2 Disable Print Server Capabilities if Possible
Disabling the print server capabilities in this manner will also disable the Web Administration interface.
To prevent remote users from potentially connecting to and using locally configured printers, disable the CUPS print server sharing capabilities. To do so, limit how the server will listen for print jobs by removing the more generic port directive from /etc/cups/cupsd.conf:
Port 631
and replacing it with the Listen directive:
Listen localhost:631
This will prevent remote users from printing to locally configured printers while still allowing local users on the machine to print normally.
By default, locally configured printers will not be shared over the network, but if this functionality has somehow been enabled, these recommendations will disable it again. Be sure to disable outgoing printer list broadcasts, or remote users will still be able to see the locally configured printers, even if they cannot actually print to them.
To limit print serving to a particular set of users, use the Policy directive.
3.8.3.3 Limit Access to the Web Administration Interface
By default, access to the CUPS web administration interface is limited to the local machine. It is recommended that this not be changed, especially since the authentication mechanisms that CUPS provides are limited in their effectiveness. If it is absolutely necessary to allow remote users to administer locally installed printers, be sure to limit that access as much as possible by taking advantage of the Location and Policy directive blocks.
For example, to enable remote access for ip-address for user username, modify each of the Location and Policy directive blocks as follows:
<Location />
AuthType Basic
Require user username
Order allow,deny
Allow localhost
Allow ip-address
</Location>
As with the BrowseAllow directive, use one Allow directive for each machine that needs access or use one of the available CUPS directive definition shortcuts to enable access from a class of machines at once. The Require user directive can take a list of individual users, a group of users (prefixed with @), or the shorthand valid-user.
Host-based authentication has known limitations, especially since IP addresses are easy to spoof. Requiring users to authenticate themselves can alleviate this problem, but it cannot eliminate it. Do not use the root account to manage and administer printers. Create a separate account for this purpose and limit access to valid users with Require valid-user or Require user printeradmin.
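As an added example (not part of the guide and not CUPS project code), the script below checks the <Location /> block of a cupsd.conf for the points made in this section: any Allow entry that grants access to a host other than the local machine, whether such remote access is backed by an AuthType and a Require directive, and whether the root account is among the users granted. Both configurations are constructed for the demonstration; 192.0.2.10 is a documentation address standing in for the guide's ip-address.

```shell
#!/bin/sh
# Added example, not from the guide or the CUPS project: audit the <Location />
# block of a cupsd.conf against section 3.8.3.3.  GOOD_CONF and WEAK_CONF are
# constructed samples.

# Print the non-comment lines between <Location /> and </Location> in file $1.
# Other Location blocks (for example <Location /admin>) are skipped.
location_root_block() {
    awk '
        /^[ \t]*#/ { next }
        tolower($0) ~ /^[ \t]*<location[ \t]+\/>/ { inblk = 1; next }
        tolower($0) ~ /^[ \t]*<\/location>/      { inblk = 0; next }
        inblk { print }
    ' "$1"
}

# Print the host named by each Allow line on stdin, accepting both the
# "Allow host" and the older "Allow from host" spellings.
allow_hosts() {
    awk 'tolower($1) == "allow" { h = (tolower($2) == "from") ? $3 : $2; print h }'
}

# Print space-separated findings for the <Location /> block of file $1
# (empty when nothing is wrong).
location_root_audit() {
    findings=""
    blk=$(location_root_block "$1")
    authtype=$(printf '%s\n' "$blk" | awk 'tolower($1) == "authtype" { print $2 }' | tail -n 1)
    require=$(printf '%s\n' "$blk" | awk 'tolower($1) == "require" { $1 = ""; sub(/^ +/, ""); print }' | tail -n 1)

    remote=0
    for h in $(printf '%s\n' "$blk" | allow_hosts); do
        case "$h" in
            localhost|127.0.0.1|::1) ;;
            *) remote=1; findings="$findings remote-allow:$h" ;;
        esac
    done

    # A host check alone is weak because source addresses can be forged, so
    # remote access must also carry authentication and a Require directive.
    if [ "$remote" -eq 1 ]; then
        if [ -z "$authtype" ]; then findings="$findings no-authtype"; fi
        if [ -z "$require" ];  then findings="$findings no-require";  fi
    fi

    # The guide says printers must not be administered as root.
    set -- $require
    if [ "$#" -gt 0 ] && [ "$(printf '%s' "$1" | tr 'A-Z' 'a-z')" = "user" ]; then
        shift
        for u in "$@"; do
            if [ "$u" = "root" ]; then findings="$findings root-granted"; fi
        done
    fi

    printf '%s\n' "${findings# }"
}

# Constructed: the block recommended above, with a dedicated admin account.
GOOD_CONF='<Location />
  AuthType Basic
  Require user printeradmin
  Order allow,deny
  Allow localhost
  Allow 192.0.2.10
</Location>'

# Constructed: a weak block that admits every host, unauthenticated, as root.
WEAK_CONF='<Location />
  Order allow,deny
  Allow from all
  Require user root
</Location>
<Location /admin>
  Order deny,allow
  Deny from all
</Location>'

# Audit both samples and print "<good findings>|<weak findings>".
demo_location_audit() {
    tmpdir=$(mktemp -d)
    printf '%s\n' "$GOOD_CONF" > "$tmpdir/good.conf"
    printf '%s\n' "$WEAK_CONF" > "$tmpdir/weak.conf"
    g=$(location_root_audit "$tmpdir/good.conf")
    w=$(location_root_audit "$tmpdir/weak.conf")
    rm -rf "$tmpdir"
    printf '%s|%s\n' "$g" "$w"
}

demo_location_audit
```

The recommended block still produces a remote-allow finding for 192.0.2.10; that is intentional, since every remote grant is something the administrator should be able to justify, while the weak block additionally reports the missing AuthType and the grant to root.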
3.8.3.4 Take Further Security Measures When Appropriate
Whenever possible, limit outside networks’ access to port 631. Consider using CUPS directives that limit the number of incoming clients, such as MaxClients or MaxClientsPerHost. Additionally, there are a series of Policy and Location directives intended to limit which users can perform different printing tasks. When used together, these may help to mitigate the possibility of a denial of service attack. See cupsd.conf(5) for a full list of possible directives.
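The following script is an added example (not part of the guide and not CUPS project code) that audits a cupsd.conf against the directives discussed in 3.8.3.1 (Browsing and BrowseAddress), 3.8.3.2 (Port versus Listen) and this section (MaxClients). It reads the directives the way cupsd does, ignoring comments, treating names case-insensitively and honouring the last occurrence when a directive is repeated. Both configurations it checks are constructed for the demonstration.

```shell
#!/bin/sh
# Added example, not from the guide or the CUPS project: audit cupsd.conf
# against sections 3.8.3.1, 3.8.3.2 and 3.8.3.4.  DEFAULT_CONF and
# HARDENED_CONF are constructed samples.

# Print the value of every non-comment occurrence of directive $2 in file $1,
# one per line.  CUPS directive names are case-insensitive.
cups_directive_all() {
    awk -v d="$2" '
        /^[ \t]*#/ { next }
        tolower($1) == tolower(d) { $1 = ""; sub(/^[ \t]+/, ""); print }
    ' "$1"
}

# Print only the last value, which is the one cupsd honours when a directive
# appears more than once.
cups_directive() {
    cups_directive_all "$1" "$2" | tail -n 1
}

# Print space-separated findings for cupsd.conf $1 (empty when the file
# follows the recommendations).
cups_audit() {
    f="$1"
    findings=""

    # 3.8.3.1: Browsing should be Off.  The CUPS 1.x default is On, so an
    # absent directive counts as enabled, and each BrowseAddress is reported
    # because it names a network that receives printer broadcasts.
    case "$(cups_directive "$f" Browsing | tr 'A-Z' 'a-z')" in
        off|no|false) ;;
        *)
            findings="$findings browsing-enabled"
            for a in $(cups_directive_all "$f" BrowseAddress); do
                findings="$findings browseaddress:$a"
            done
            ;;
    esac

    # 3.8.3.2: a Port directive binds every interface; Listen should name
    # localhost or a UNIX domain socket only.
    if [ -n "$(cups_directive "$f" Port)" ]; then
        findings="$findings port-directive"
    fi
    for l in $(cups_directive_all "$f" Listen); do
        case "$l" in
            localhost:*|127.0.0.1:*|/*) ;;
            *) findings="$findings listen:$l" ;;
        esac
    done

    # 3.8.3.4: without a client cap the daemon has no limit on concurrent
    # connections.
    if [ -z "$(cups_directive "$f" MaxClients)" ]; then
        findings="$findings maxclients-unset"
    fi

    printf '%s\n' "${findings# }"
}

# Constructed sample resembling a stock cupsd.conf with sharing turned on.
DEFAULT_CONF='# constructed default configuration
Port 631
Listen /var/run/cups/cups.sock
Browsing On
BrowseOrder allow,deny
BrowseAllow all
BrowseAddress @LOCAL
DefaultAuthType Basic'

# Constructed sample after applying 3.8.3.1, 3.8.3.2 and 3.8.3.4.
HARDENED_CONF='Listen localhost:631
Listen /var/run/cups/cups.sock
Browsing Off
BrowseAllow none
MaxClients 100
MaxClientsPerHost 10
DefaultAuthType Basic'

# Audit both samples and print "<default findings>|<hardened findings>".
demo_cups_audit() {
    tmpdir=$(mktemp -d)
    printf '%s\n' "$DEFAULT_CONF" > "$tmpdir/default.conf"
    printf '%s\n' "$HARDENED_CONF" > "$tmpdir/hardened.conf"
    a=$(cups_audit "$tmpdir/default.conf")
    b=$(cups_audit "$tmpdir/hardened.conf")
    rm -rf "$tmpdir"
    printf '%s|%s\n' "$a" "$b"
}

demo_cups_audit
```

Pointing cups_audit at /etc/cups/cupsd.conf on a live system gives an empty line when the file matches the recommendations; each finding names the directive that still needs attention.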
3.8.4 The HP Linux Imaging and Printing (HPLIP) Toolkit
The HPLIP package is an HP printing support utility that is installed and enabled in a default installation. The HPLIP package consists of two separate components. The first is the main HPLIP service and the second is a smaller subcomponent called HPIJS. HPLIP is a feature-oriented network service that provides higher level printing support (such as bi-directional I/O, scanning, photo card, and toolbox functionality). HPIJS is a lower level printing driver that provides basic support for non-PostScript HP printers.
3.8.4.1 Disable HPLIP Service if Possible
Since the HPIJS driver will still function without the added HPLIP service, HPLIP should be disabled unless the specific higher level functions that HPLIP provides are needed by a non-PostScript HP printer on the system.
# chkconfig hplip off
CCE 4425-5
Note: If installing the HPLIP package from scratch, it should be noted that HPIJS can be installed directly without HPLIP. Please see the FAQ at the HPLIP web site at http://hplip.sourceforge.net/faqs.html for more information on how to do this.