UCF STIG Viewer Logo
Changes are coming to https://stigviewer.com. Take our survey to help us understand your usage and how we can better serve you in the future.
Take Survey

TCP Wrappers must be enabled and configured per site policy to only allow access by approved hosts and services.


Overview

Finding ID Version Rule ID IA Controls Severity
V-47935 SOL-11.1-030050 SV-60807r1_rule Medium
Description
TCP Wrappers are a host-based access control system that allows administrators to control who has access to various network services based on the IP address of the remote end of the connection. TCP Wrappers also provide logging information via syslog about both successful and unsuccessful connections.
STIG Date
Solaris 11 SPARC Security Technical Implementation Guide 2017-09-20

Details

Check Text ( C-50371r1_chk )
Check that TCP Wrappers are enabled and the host.deny and host.allow files exist.

# inetadm -p | grep tcp_wrappers

If the output of this command is "tcp_wrappers=FALSE", this is a finding.

# ls /etc/hosts.deny
/etc/hosts.deny
# ls /etc/hosts.allow
/etc/hosts.allow

If these files do not exist or do not contain the names of allowed or denied hosts, this is a finding.
Fix Text (F-51547r2_fix)
The root role is required.

To enable TCP Wrappers, run the following commands:

1. Create and customize your policy in /etc/hosts.allow:
# echo "ALL: [net]/[mask], [net]/[mask], ..." > /etc/hosts.allow

where each [net>/[mask> combination (for example, the Class C address block "192.168.1.0/255.255.255.0") can represent one network block in use by your organization that requires access to this system.

2. Create a default deny policy in /etc/hosts.deny:

# echo "ALL: ALL" >/etc/hosts.deny

3. Enable TCP Wrappers for all services started by inetd:

# inetadm -M tcp_wrappers=TRUE

The versions of SSH and sendmail that ship with Solaris 11 will automatically use TCP Wrappers to filter access if a hosts.allow or hosts.deny file exists.