GEN006080 - The Samba Web Administration Tool (SWAT) must be restricted to the local host or require SSL - '/etc/xinetd.d/swat'

Information

SWAT is a tool used to configure Samba. It modifies Samba configuration, which can impact system security, and must be protected from unauthorized access. SWAT authentication may involve the root password, which must be protected by encryption when traversing the network. Restricting access to the local host allows for the use of SSH TCP forwarding, if configured, or administration by a web browser on the local system.

Solution

Disable SWAT or require SWAT is only accessed via SSH.

Procedure:
If SWAT is not needed for operation of the system remove the SWAT package:
# rpm -qa|grep swat

Remove 'samba-swat' or 'samba3x-swat' depending on which one is installed
# rpm --erase samba-swat
or
# rpm --erase samba3x-swat

If SWAT is required but not at all times disable it when it is not needed.
Modify the /etc/xinetd.d file for 'swat' to contain a 'disable = yes' line.

To access using SSH:
Follow vendor configuration documentation to create an stunnel for SWAT.

See Also

http://iasecontent.disa.mil/stigs/zip/U_RedHat_5_V1R18_STIG.zip

Item Details

Category: ACCESS CONTROL

References: 800-53|AC-17(8), CAT|II, CCI|CCI-001436, Group-ID|V-1026, Rule-ID|SV-37870r1_rule, STIG-ID|GEN006080, Vuln-ID|V-1026

Plugin: Unix

Control ID: 77f4ca6e58dbfe5d18967092c46c667e46d8bbca8c61308b6885f729e1d8d810