The Lynis security audit tool has flagged up the following:
Check CUPS configuration if it really needs to listen on the network
The online note states: “Adjust the line stating “Listen” in the cupsd.conf file. Alter it so it only listens on the localhost interface, if appropriate. Listen localhost:631”.
The cupsd.conf file on my system has:
Listen localhost:631
Listen /run/cups/cups.sock
Is the flagging up by Lynis valid?
That appears to be a point where lynis has not kept up with systemd.
/run/cups/cups.sock is a valid socket for cups to use
# lsof /run/cups/cups.sock
lsof: WARNING: can't stat() fuse.gvfsd-fuse file system /run/user/1000/gvfs
Output information may be incomplete.
lsof: WARNING: can't stat() fuse.portal file system /run/user/1000/doc
Output information may be incomplete.
COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME
systemd 1 root 214u unix 0x00000000b7450be9 0t0 18376 /run/cups/cups.sock type=STREAM (LISTEN)
cupsd 1397 root 3u unix 0x00000000b7450be9 0t0 18376 /run/cups/cups.sock type=STREAM (LISTEN)