Check: GEN003900
Solaris 10 SPARC STIG:
GEN003900
(in versions v2 r4 through v1 r19)
Title
The hosts.lpd file (or equivalent) must not contain a "+" character. (Cat II impact)
Discussion
Having the "+" character in the hosts.lpd (or equivalent) file allows all hosts to use local system print resources.
Check Content
Solaris uses the "IPP" print service and can also use the Samba print service. Verify remote host access is limited. Procedure: # grep -i Listen /etc/apache/httpd-standalone-ipp.conf The /etc/apache/httpd-standalone-ipp.conf file must not contain a Listen *:<port> or equivalent line. If the network address of the "Listen" line is unrestricted, this is a finding. # grep -i "Allow From" /etc/apache/httpd-standalone-ipp.conf The "Allow From" line within the "<Location />" element should limit access to the printers to @LOCAL and specific hosts. If the "Allow From" line contains "All", this is a finding. Verify guest access to printers shared via Samba is restricted according to GEN006235.
Fix Text
Configure IPP to use only the localhost or specified remote hosts. Procedure: Modify the /etc/apache/httpd-standalone-ipp.conf file to "Listen" only to the local machine or a known set of hosts (i.e., Listen localhost:631). Modify the /etc/apache/httpd-standalone-ipp.conf file "<Location />" element to "Deny From All" and "Allow from 127.0.0.1" or allowed host addresses. Restart the IPP service: # svcadm restart ipp-listener
Additional Identifiers
Rule ID: SV-226923r603265_rule
Vulnerability ID: V-226923
Group Title: SRG-OS-000480
Expert Comments
CCIs
Number | Definition |
---|---|
CCI-000366 |
The organization implements the security configuration settings. |
Controls
Number | Title |
---|---|
CM-6 |
Configuration Settings |