← Back to Apple macOS 26 (Tahoe) Security Technical Implementation Guide

V-277091

CAT II (Medium)

The macOS system must disable the built-in web server.

Rule ID

SV-277091r1149419_rule

STIG

Apple macOS 26 (Tahoe) Security Technical Implementation Guide

Version

V1R2

CCIs

CCI-000213

Discussion

The built-in web server managed by launchd is a nonessential service built into macOS and must be disabled and not running. Note: The built-in web server is disabled at startup by default with macOS.

Check Content

Verify the macOS system is configured to disable the built-in web server with the following command:

result="FAIL"
  enabled=$(/bin/launchctl print-disabled system | /usr/bin/grep '"org.apache.httpd" => enabled')
  running=$(/bin/launchctl print system/org.apache.httpd 2>/dev/null)
  
  if [[ -z "$running" ]] && [[ -z "$enabled" ]]; then
    result="PASS"
  elif [[ -n "$running" ]]; then
    result=result+" RUNNING"
  elif [[ -n "$enabled" ]]; then
    result=result+" ENABLED"
  fi
  echo $result

If the result is not "PASS", this is a finding.

Fix Text

Configure the macOS system to disable the built-in web server with the following command:

/usr/sbin/apachectl stop 2>/dev/null
/bin/launchctl disable system/org.apache.httpd

The system may need a restart for the update to take effect.