STIGQter: STIG Summary: Solaris 10 SPARC Security Technical Implementation Guide Version: 2 Release: 2 Benchmark Date: 22 Jan 2021

The Samba Web Administration Tool (SWAT) must be restricted to the local host or require SSL.

DISA Rule

SV-220060r603265_rule

Vulnerability Number

V-220060

Group Title

SRG-OS-000095

Rule Version

GEN006080

Severity

CAT II

CCI(s)

Weight

10

Fix Recommendation

Enable tcp_wrappers for the SWAT daemon.
# inetadm -m swat tcp_wrappers=true
OR
# inetadm -M tcp_wrappers=true
Refresh the inetd daemon.
# svcadm refresh inetd

Configure the hosts.allow and hosts.deny files to limit access to SWAT to localhost.
Example:
# echo ALL: ALL >> /etc/hosts.deny
# echo swat: localhost >> /etc/hosts.allow

Check Contents

Verify the SWAT daemon is running under inetd.

# svcs swat

If SWAT is disabled or not installed, this is not applicable.

Verify that TCP_wrappers is enabled for the SWAT daemon.

# inetadm -l swat | grep tcp_wrappers

If the tcp_wrappers value is unset or is set to FALSE, this is a finding.

Verify access to the SWAT daemon is limited to localhost through the use of TCP_Wrappers.

# more /etc/hosts.allow
# more /etc/hosts.deny

If the hosts.allow and hosts.deny access control files are configured such that remote access to SWAT is enabled, this is a finding.

Ask the SA if SSH port forwarding is used to enable remote access to SWAT. If it is, this is not a finding. If all access to SWAT is via localhost using a local web browser, this is not a finding.
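The hosts.allow and hosts.deny step of this check can be scripted. The following is an added example, not part of the STIG text: it assumes a POSIX shell with POSIX sed, awk and grep, and the function names and the "manual review" result are illustrative. It fails closed: only localhost and 127.0.0.1 count as local, and any rule using EXCEPT is left to a human.

```shell
#!/bin/sh
# Added example (not part of the STIG): evaluate hosts.allow / hosts.deny for swat.
# Fail-closed and simplified: only "localhost" and "127.0.0.1" count as local,
# and any use of EXCEPT is sent to manual review instead of being interpreted.

# Print, one per line, the client tokens of each rule in file $1 whose
# daemon list names swat or the ALL wildcard.
swat_clients() {
    sed -e 's/#.*//' "$1" | awk -F: 'NF >= 2 {
        hit = 0
        n = split($1, d, /[ \t,]+/)
        for (i = 1; i <= n; i++) if (d[i] == "swat" || d[i] == "ALL") hit = 1
        if (!hit) next
        m = split($2, c, /[ \t,]+/)
        for (i = 1; i <= m; i++) if (c[i] != "") print c[i]
    }'
}

# swat_check ALLOW_FILE DENY_FILE
# Prints "finding", "not a finding" or "manual review".
swat_check() {
    if sed -e 's/#.*//' "$1" "$2" | grep -q EXCEPT; then
        echo "manual review"
    elif swat_clients "$1" | grep -v -x -F -e localhost -e 127.0.0.1 | grep -q .; then
        # An allow rule names a client other than the local host.
        echo "finding"
    elif swat_clients "$2" | grep -q -x ALL; then
        # Local-only allow rule plus a deny rule covering every other client.
        echo "not a finding"
    else
        # tcp_wrappers grants access when no rule matches, so remote hosts get in.
        echo "finding"
    fi
}

# Constructed sample input: the two lines from the Fix Recommendation example.
demo_dir=$(mktemp -d)
echo 'swat: localhost' > "$demo_dir/hosts.allow"
echo 'ALL: ALL' > "$demo_dir/hosts.deny"
swat_check "$demo_dir/hosts.allow" "$demo_dir/hosts.deny"
```

The script does not replace the `inetadm -l swat | grep tcp_wrappers` step: the access control files have no effect on SWAT unless tcp_wrappers is enabled for the service.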

Documentable

False

Severity Override Guidance

Check Content Reference

M

Target Key

4060

Comments