STIGQter: STIG Summary: Solaris 11 X86 Security Technical Implementation Guide Version: 2 Release: 3 Benchmark Date: 23 Apr 2021:

The system must implement TCP Wrappers.

DISA Rule

SV-216144r603268_rule

Vulnerability Number

V-216144

Group Title

SRG-OS-000480

Rule Version

SOL-11.1-050140

Severity

CAT III

CCI(s)

• CCI-000366 - The organization implements the security configuration settings.

Weight

10

Fix Recommendation

The root role is required.

Configure allowed and denied hosts per organizational policy.

1. Create and customize the policy in /etc/hosts.allow:

# echo "ALL: [net]/[mask] , [net]/[mask], ..." > /etc/hosts.allow

where each [net>/[mask> combination (for example, the Class C address block "192.168.1.0/255.255.255.0") can represent one network block in use by the organization that requires access to this system.

2. Create a default deny policy in /etc/hosts.deny: # echo "ALL: ALL" >/etc/hosts.deny

3. Enable TCP Wrappers for all services started by inetd:

# inetadm -M tcp_wrappers=TRUE

Check Contents

Determine if TCP Wrappers is configured.

# inetadm -p | grep tcp_wrappers

If the output of this command is "FALSE", this is a finding.

The above command will check whether TCP Wrappers is enabled for all TCP-based services started by inetd. TCP Wrappers are enabled by default for sendmail and SunSSH (version 0.5.11). The use of OpenSSH access is controlled by the sshd_config file starting with Solaris
11.3. SunSSH is removed starting with Solaris 11.4.

Individual inetd services may still be configured to use TCP Wrappers even if the global parameter (above) is set to "FALSE". To check the status of individual inetd services, use the command:


# for svc in `inetadm | awk '/svc:\// { print $NF }'`; do
val=`inetadm -l ${svc} | grep -c tcp_wrappers=TRUE`
if [ ${val} -eq 1 ]; then
echo "TCP Wrappers enabled for ${svc}"
fi
done

If the required services are not configured to use TCP Wrappers, this is finding.

# ls /etc/hosts.deny
# ls /etc/hosts.allow

If these files are not found, this is a finding.

Vulnerability Number

V-216144

Documentable

False

Rule Version

SOL-11.1-050140

Severity Override Guidance

Determine if TCP Wrappers is configured.

# inetadm -p | grep tcp_wrappers

If the output of this command is "FALSE", this is a finding.

The above command will check whether TCP Wrappers is enabled for all TCP-based services started by inetd. TCP Wrappers are enabled by default for sendmail and SunSSH (version 0.5.11). The use of OpenSSH access is controlled by the sshd_config file starting with Solaris
11.3. SunSSH is removed starting with Solaris 11.4.

Individual inetd services may still be configured to use TCP Wrappers even if the global parameter (above) is set to "FALSE". To check the status of individual inetd services, use the command:


# for svc in `inetadm | awk '/svc:\// { print $NF }'`; do
val=`inetadm -l ${svc} | grep -c tcp_wrappers=TRUE`
if [ ${val} -eq 1 ]; then
echo "TCP Wrappers enabled for ${svc}"
fi
done

If the required services are not configured to use TCP Wrappers, this is finding.

# ls /etc/hosts.deny
# ls /etc/hosts.allow

If these files are not found, this is a finding.

Check Content Reference

M

Target Key

4021

Comments