UCF STIG Viewer Logo
Changes are coming to https://stigviewer.com. Take our survey to help us understand your usage and how we can better serve you in the future.
Take Survey

The hosts.lpd file (or equivalent) must not contain a + character.


Overview

Finding ID Version Rule ID IA Controls Severity
V-827 GEN003900 SV-45812r1_rule Medium
Description
Having the '+' character in the hosts.lpd (or equivalent) file allows all hosts to use local system print resources.
STIG Date
SUSE Linux Enterprise Server v11 for System z 2016-12-20

Details

Check Text ( C-43133r1_chk )
Look for the presence of a print service configuration file.

Procedure:
# find /etc -name hosts.lpd -print
# find /etc -name Systems -print
# find /etc -name printers.conf

If none of the files are found, this check should be marked Not Applicable.

Otherwise, examine the configuration file.

Procedure:
# more

Check for entries that contain a ‘+’ or ‘_’ character. If any are found, this is a finding.
For the "cups" print service, verify remote host access is limited.


# grep -i Listen /etc/cups/cupsd.conf
The /etc/cups/cupsd.conf file must not contain a Listen *: or equivalent line.
If the network address of the "Listen" line is unrestricted. This is a finding.

# grep -i "Allow From" /etc/cups/cupsd.conf
The "Allow From" line within the "" element should limit access to the printers to @LOCAL and specific hosts.
If the "Allow From" line contains "All" this is a finding.
Fix Text (F-39202r1_fix)
Remove the '+' entries from the hosts.lpd (or equivalent) file.

Configure cups to use only the localhost or specified remote hosts.

Procedure:
Modify the /etc/cups/cupsd.conf file to "Listen" only to the local machine or a known set of hosts (i.e., Listen localhost:631).
Modify the /etc/cups/cupsd.conf file "" element to "Deny From All" and "Allow from 127.0.0.1" or allowed host addresses.

Restart cups:
# rccups restart