The Samba Web Administration Tool (SWAT) must be restricted to the local host or require SSL.

Overview

Finding ID	Version	Rule ID	IA Controls	Severity
V-1026	GEN006080	SV-64123r1_rule		Medium

Description
SWAT is a tool used to configure Samba. It modifies Samba configuration, which can impact system security, and must be protected from unauthorized access. SWAT authentication may involve the root password, which must be protected by encryption when traversing the network. Restricting access to the local host allows for the use of SSH TCP forwarding, if configured, or administration by a web browser on the local system.

Description

SWAT is a tool used to configure Samba. It modifies Samba configuration, which can impact system security, and must be protected from unauthorized access. SWAT authentication may involve the root password, which must be protected by encryption when traversing the network. Restricting access to the local host allows for the use of SSH TCP forwarding, if configured, or administration by a web browser on the local system.

STIG	Date
Oracle Linux 5 Security Technical Implementation Guide	2020-02-25

Details

Check Text ( C-52571r1_chk )
SWAT is a tool for configuring Samba and should only be found on a system with a requirement for Samba. If SWAT is used, it must be utilized with SSL to ensure a secure connection between the client and the server. Procedure: # grep -H "bin/swat" /etc/xinetd.d/*\|cut -d: -f1 \|xargs grep "only_from" If the value of the "only_from" line in the "xinetd.d" file which starts "/usr/sbin/swat" is not "localhost" or the equivalent, this is a finding.

Check Text ( C-52571r1_chk )

SWAT is a tool for configuring Samba and should only be found on a system with a requirement for Samba. If SWAT is used, it must be utilized with SSL to ensure a secure connection between the client and the server.

Procedure:

# grep -H "bin/swat" /etc/xinetd.d/*|cut -d: -f1 |xargs grep "only_from"

If the value of the "only_from" line in the "xinetd.d" file which starts "/usr/sbin/swat" is not "localhost" or the equivalent, this is a finding.

Fix Text (F-54681r1_fix)
Disable SWAT or require SWAT is only accessed via SSH. Procedure: If SWAT is not needed for operation of the system remove the SWAT package: # rpm -qa\|grep swat Remove "samba-swat" or "samba3x-swat" depending on which one is installed # rpm --erase samba-swat or # rpm --erase samba3x-swat If SWAT is required but not at all times disable it when it is not needed. Modify the /etc/xinetd.d file for "swat" to contain a "disable = yes" line. To access using SSH: Follow vendor configuration documentation to create an stunnel for SWAT.

Fix Text (F-54681r1_fix)

Disable SWAT or require SWAT is only accessed via SSH.

Procedure:
If SWAT is not needed for operation of the system remove the SWAT package:
# rpm -qa|grep swat

Remove "samba-swat" or "samba3x-swat" depending on which one is installed
# rpm --erase samba-swat
or
# rpm --erase samba3x-swat

If SWAT is required but not at all times disable it when it is not needed.
Modify the /etc/xinetd.d file for "swat" to contain a "disable = yes" line.

To access using SSH:
Follow vendor configuration documentation to create an stunnel for SWAT.