UCF STIG Viewer Logo
Changes are coming to https://stigviewer.com. Take our survey to help us understand your usage and how we can better serve you in the future.
Take Survey

The Samba Web Administration Tool (SWAT) must be restricted to the local host or require SSL.


Overview

Finding ID Version Rule ID IA Controls Severity
V-1026 GEN006080 SV-42313r1_rule EBRP-1 ECCT-1 ECCT-2 Medium
Description
SWAT is a tool used to configure Samba. As it modifies Samba configuration, which can impact system security, it must be protected from unauthorized access. SWAT authentication may involve the root password, which must be protected by encryption when traversing the network. Restricting access to the local host allows for the use of SSH TCP forwarding, if configured, or administration by a web browser on the local system.
STIG Date
Solaris 9 X86 Security Technical Implementation Guide 2012-05-25

Details

Check Text ( C-40643r1_chk )
Verify the SWAT daemon is running under inetd.

# svcs swat

If SWAT is disabled or not installed, this is not applicable.

Verify that TCP_wrappers is enabled for the SWAT daemon.

# inetadm -l swat | grep tcp_wrappers

If the tcp_wrappers value is unset or is set to FALSE, this is a finding.

Verify access to the SWAT daemon is limited to localhost through the use of TCP_Wrappers.

# more /etc/hosts.allow
# more /etc/hosts.deny

If the hosts.allow and hosts.deny access control files are configured such that remote access to SWAT is enabled, this is a finding.

Ask the SA if SSH port forwarding is used to enable remote access to SWAT. If it is, this is not a finding. If all access to SWAT is via localhost using a local web browser, this is not a finding.
Fix Text (F-35945r1_fix)
Enable tcp_wrappers for the SWAT daemon.
# inetadm -m swat tcp_wrappers=true
OR
# inetadm -M tcp_wrappers=true
Relfresh the inetd daemon.
# svcadm refresh inetd

Configure the hosts.allow and hosts.deny files to limit access to SWAT to localhost.
Example:
# echo ALL: ALL >> /etc/hosts.deny
# echo swat: localhost >> /etc/hosts.allow