Information
DVD or CD Sharing allows users to remotely access the system's optical drive. While Apple does not ship Macs with built-in optical drives any longer, external optical drives are still recognized when they are connected. In testing, the sharing of an external optical drive persists when a drive is reconnected.
Rationale:
Disabling DVD or CD Sharing minimizes the risk of an attacker using the optical drive as a vector for attack and exposure of sensitive data.
Impact:
Many Apple devices are now sold without optical drives, however drive sharing may be needed for legacy optical media. The media should be explicitly re-shared as needed rather than using a persistent share. Optical drives should not be used for long-term storage. To store necessary data from an optical drive it should be copied to another form of external storage. Optionally, an image can be made of the optical drive so that it is stored in its original form on another form of external storage.
Solution
Graphical Method:
Perform the following steps to disable DVD or CD Sharing:
Open System Preferences
Select Sharing
Set DVD or CD sharing to disabled
Terminal Method:
Run the following command to disable DVD or CD Sharing:
$ /usr/bin/sudo /bin/launchctl disable system/com.apple.ODSAgent
Note: If using the Terminal method, the GUI will still show the service checked until after a reboot.
Item Details
Category: CONFIGURATION MANAGEMENT, SYSTEM AND SERVICES ACQUISITION
References: 800-53|CM-1, 800-53|CM-2, 800-53|CM-6, 800-53|CM-7, 800-53|CM-7(1), 800-53|CM-9, 800-53|SA-3, 800-53|SA-8, 800-53|SA-10, CSCv7|5.1, CSCv7|9.2
Control ID: 0f71096f49c8b72e822835ae4e1d756241442c565f6439195f4dcc2460e18d5a