Check: GEN006080
Solaris 10 X86 STIG:
GEN006080
(in versions v2 r4 through v1 r17)
Title
The Samba Web Administration Tool (SWAT) must be restricted to the local host or require SSL. (Cat II impact)
Discussion
SWAT is a tool used to configure Samba. As it modifies Samba configuration, which can impact system security, it must be protected from unauthorized access. SWAT authentication may involve the root password, which must be protected by encryption when traversing the network. Restricting access to the local host allows for the use of SSH TCP forwarding, if configured, or administration by a web browser on the local system.
Check Content
Verify the SWAT daemon is running under inetd. # svcs swat If SWAT is disabled or not installed, this is not applicable. Verify that TCP_wrappers is enabled for the SWAT daemon. # inetadm -l swat | grep tcp_wrappers If the tcp_wrappers value is unset or is set to FALSE, this is a finding. Verify access to the SWAT daemon is limited to localhost through the use of TCP_Wrappers. # more /etc/hosts.allow # more /etc/hosts.deny If the hosts.allow and hosts.deny access control files are configured such that remote access to SWAT is enabled, this is a finding. Ask the SA if SSH port forwarding is used to enable remote access to SWAT. If it is, this is not a finding. If all access to SWAT is via localhost using a local web browser, this is not a finding.
Fix Text
Enable tcp_wrappers for the SWAT daemon. # inetadm -m swat tcp_wrappers=true OR # inetadm -M tcp_wrappers=true Relfresh the inetd daemon. # svcadm refresh inetd Configure the hosts.allow and hosts.deny files to limit access to SWAT to localhost. Example: # echo ALL: ALL >> /etc/hosts.deny # echo swat: localhost >> /etc/hosts.allow
Additional Identifiers
Rule ID: SV-220113r603266_rule
Vulnerability ID: V-220113
Group Title: SRG-OS-000095
Expert Comments
CCIs
Number | Definition |
---|---|
CCI-000381 |
The organization configures the information system to provide only essential capabilities. |
Controls
Number | Title |
---|---|
CM-7 |
Least Functionality |