GEN006080 - The Samba Web Administration Tool (SWAT) must be restricted to the local host or require SSL - hosts.allow

Information

SWAT is a tool used to configure Samba. As it modifies Samba configuration, which can impact system security, it must be protected from unauthorized access. SWAT authentication may involve the root password, which must be protected by encryption when traversing the network.

Restricting access to the local host allows for the use of SSH TCP forwarding, if configured, or administration by a web browser on the local system.

Solution

Enable tcp_wrappers for the SWAT daemon.
# inetadm -m swat tcp_wrappers=true
OR
# inetadm -M tcp_wrappers=true
Relfresh the inetd daemon.
# svcadm refresh inetd

Configure the hosts.allow and hosts.deny files to limit access to SWAT to localhost.
Example:
# echo ALL: ALL >> /etc/hosts.deny
# echo swat: localhost >> /etc/hosts.allow

See Also

https://dl.dod.cyber.mil/wp-content/uploads/stigs/zip/U_SOL_10_SPARC_V2R4_STIG.zip

Item Details

Category: CONFIGURATION MANAGEMENT

References: 800-53|CM-7a., CAT|II, CCI|CCI-000381, Rule-ID|SV-220060r603265_rule, STIG-ID|GEN006080, STIG-Legacy|SV-42313, STIG-Legacy|V-1026, Vuln-ID|V-220060

Plugin: Unix

Control ID: 6185314084cc88f537b3fd331737cbebb762d5716012761c872109b980070df7