SV-220113r603266_rule
V-220113
SRG-OS-000095
GEN006080
CAT II
10
Enable tcp_wrappers for the SWAT daemon.
# inetadm -m swat tcp_wrappers=true
OR
# inetadm -M tcp_wrappers=true
Refresh the inetd daemon.
# svcadm refresh inetd
Configure the hosts.allow and hosts.deny files to limit access to SWAT to localhost.
Example:
# echo ALL: ALL >> /etc/hosts.deny
# echo swat: localhost >> /etc/hosts.allow
Verify the SWAT daemon is running under inetd.
# svcs swat
If SWAT is disabled or not installed, this is not applicable.
Verify that tcp_wrappers is enabled for the SWAT daemon.
# inetadm -l swat | grep tcp_wrappers
If the tcp_wrappers value is unset or is set to FALSE, this is a finding.
Verify access to the SWAT daemon is limited to localhost through the use of TCP Wrappers.
# more /etc/hosts.allow
# more /etc/hosts.deny
If the hosts.allow and hosts.deny access control files are configured such that remote access to SWAT is enabled, this is a finding.
Ask the SA if SSH port forwarding is used to enable remote access to SWAT. If it is, this is not a finding. If all access to SWAT is via localhost using a local web browser, this is not a finding.
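The two conditions in the check text (tcp_wrappers set to TRUE on the swat service, and hosts.allow/hosts.deny permitting only localhost) can be evaluated from captured input. The following POSIX sh helper is an added example, not part of the STIG record: it takes the tcp_wrappers line from `inetadm -l swat` and the paths of the two access-control files, and reports "ok" or "finding" for each condition. The sample files it builds under a temporary directory are constructed to mirror the fix text and one remote-access misconfiguration; the function names are this example's own. It assumes the plain "daemon: client" rule form shown in the fix text and does not interpret EXCEPT clauses or the LOCAL wildcard.

```shell
#!/bin/sh
# Added example for GEN006080 (not from the STIG record): evaluate the check
# conditions from captured input rather than live Solaris commands, so it runs
# on any host. On Solaris, feed it `inetadm -l swat | grep tcp_wrappers` and
# the real /etc/hosts.allow and /etc/hosts.deny.

# swat_tcp_wrappers_state LINE
# LINE is the tcp_wrappers line from `inetadm -l swat`. Prints "ok" only when
# the property is TRUE; an unset (empty) or FALSE value is a finding.
swat_tcp_wrappers_state() {
    case "$1" in
        *tcp_wrappers=TRUE*|*tcp_wrappers=true*) echo ok ;;
        *) echo finding ;;
    esac
}

# swat_access_state HOSTS_ALLOW HOSTS_DENY
# Prints "ok" when hosts.deny carries a catch-all covering swat and every
# hosts.allow rule for swat (or for ALL services) grants only localhost.
# Comment lines are ignored. Assumption: plain "daemon: client" rules only;
# EXCEPT clauses and the LOCAL wildcard are not interpreted.
swat_access_state() {
    allow=$1
    deny=$2
    # A swat/ALL rule in hosts.allow whose client list is anything other than
    # localhost (or 127.0.0.1) means remote access is possible.
    if grep -Ei '^[[:space:]]*(swat|ALL)[[:space:]]*:' "$allow" \
        | grep -Eiv ':[[:space:]]*(localhost|127\.0\.0\.1)[[:space:]]*$' \
        | grep -q .; then
        echo finding
        return 0
    fi
    # Without a deny rule covering swat, clients that match no allow rule
    # are still admitted by TCP Wrappers' default.
    if ! grep -Ei '^[[:space:]]*(swat|ALL)[[:space:]]*:[[:space:]]*ALL[[:space:]]*$' "$deny" \
        | grep -q .; then
        echo finding
        return 0
    fi
    echo ok
}

# Constructed sample files: "good" mirrors the fix text, "bad" adds a remote
# client to the swat allow rule, "empty" has no deny rule at all.
SAMPLE_DIR=$(mktemp -d)
printf 'ALL: ALL\n' > "$SAMPLE_DIR/good.deny"
printf '# local admin only\nswat: localhost\n' > "$SAMPLE_DIR/good.allow"
printf 'swat: localhost, 192.0.2.10\n' > "$SAMPLE_DIR/bad.allow"
: > "$SAMPLE_DIR/empty.deny"

# Stand-alone run: report each condition.
echo "tcp_wrappers TRUE  -> $(swat_tcp_wrappers_state '        tcp_wrappers=TRUE')"
echo "tcp_wrappers unset -> $(swat_tcp_wrappers_state '')"
echo "good allow/deny    -> $(swat_access_state "$SAMPLE_DIR/good.allow" "$SAMPLE_DIR/good.deny")"
echo "remote allow       -> $(swat_access_state "$SAMPLE_DIR/bad.allow" "$SAMPLE_DIR/good.deny")"
echo "no deny rule       -> $(swat_access_state "$SAMPLE_DIR/good.allow" "$SAMPLE_DIR/empty.deny")"
```

Any "finding" output corresponds directly to a finding under the check text: either tcp_wrappers is not TRUE, or the access-control files leave remote access to SWAT possible. The SSH port-forwarding exception in the check text is a question for the SA and is not something the files alone can settle.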
V-220113
False
GEN006080
M
4061