SV-220060r603265_rule
V-220060
SRG-OS-000095
GEN006080
CAT II
10
Enable tcp_wrappers for the SWAT daemon.
# inetadm -m swat tcp_wrappers=true
OR
# inetadm -M tcp_wrappers=true
Relfresh the inetd daemon.
# svcadm refresh inetd
Configure the hosts.allow and hosts.deny files to limit access to SWAT to localhost.
Example:
# echo ALL: ALL >> /etc/hosts.deny
# echo swat: localhost >> /etc/hosts.allow
Verify the SWAT daemon is running under inetd.
# svcs swat
If SWAT is disabled or not installed, this is not applicable.
Verify that TCP_wrappers is enabled for the SWAT daemon.
# inetadm -l swat | grep tcp_wrappers
If the tcp_wrappers value is unset or is set to FALSE, this is a finding.
Verify access to the SWAT daemon is limited to localhost through the use of TCP_Wrappers.
# more /etc/hosts.allow
# more /etc/hosts.deny
If the hosts.allow and hosts.deny access control files are configured such that remote access to SWAT is enabled, this is a finding.
Ask the SA if SSH port forwarding is used to enable remote access to SWAT. If it is, this is not a finding. If all access to SWAT is via localhost using a local web browser, this is not a finding.
V-220060
False
GEN006080
Verify the SWAT daemon is running under inetd.
# svcs swat
If SWAT is disabled or not installed, this is not applicable.
Verify that TCP_wrappers is enabled for the SWAT daemon.
# inetadm -l swat | grep tcp_wrappers
If the tcp_wrappers value is unset or is set to FALSE, this is a finding.
Verify access to the SWAT daemon is limited to localhost through the use of TCP_Wrappers.
# more /etc/hosts.allow
# more /etc/hosts.deny
If the hosts.allow and hosts.deny access control files are configured such that remote access to SWAT is enabled, this is a finding.
Ask the SA if SSH port forwarding is used to enable remote access to SWAT. If it is, this is not a finding. If all access to SWAT is via localhost using a local web browser, this is not a finding.
M
4060