Title

The Samba Web Administration Tool (SWAT) must be restricted to the local host or require SSL. (Cat II impact)

Discussion

SWAT is a tool used to configure Samba. It modifies Samba configuration, which can impact system security, and must be protected from unauthorized access. SWAT authentication may involve the root password, which must be protected by encryption when traversing the network. Restricting access to the local host allows for the use of SSH TCP forwarding, if configured, or administration by a web browser on the local system.

Check Content

SWAT is a tool for configuring Samba and should only be found on a system with a requirement for Samba. If SWAT is used, it must be utilized with SSH to ensure a secure connection between the client and the server. Procedure: # grep -H "bin/swat" /etc/xinetd.d/*|cut -d: -f1 |xargs grep "only_from" If the value of the "only_from" line in the "xinetd.d" file which starts with "/usr/sbin/swat" does not contain "localhost" or the equivalent, this is a finding.

Fix Text

Disable SWAT or require that SWAT is only accessed via SSH. Procedure: If SWAT is required, but not at all times, disable it when it is not needed. Modify the /etc/xinetd.d file for "swat" to contain a "disable = yes" line. To access using SSH: Follow vendor configuration documentation to create an stunnel for SWAT.

Additional Identifiers

Rule ID: SV-46130r1_rule

Vulnerability ID: V-1026

Group Title: GEN006080

Expert Comments

CCIs tied to check.

Controls tied to check. These are derived from the CCIs shown above.