
The hosts.lpd file (or equivalent) must not contain a + character.


Overview

Finding ID: V-827
Version: GEN003900
Rule ID: SV-45812r1_rule
IA Controls: (none listed)
Severity: Medium
Description
Having the '+' character in the hosts.lpd (or equivalent) file allows all hosts to use local system print resources.
STIG Date
SUSE Linux Enterprise Server v11 for System z Security Technical Implementation Guide 2018-09-19

Details

Check Text ( C-43133r1_chk )
Look for the presence of a print service configuration file.

Procedure:
# find /etc -name hosts.lpd -print
# find /etc -name Systems -print
# find /etc -name printers.conf

If none of the files are found, this check should be marked Not Applicable.

Otherwise, examine the configuration file.

Procedure:
# more

Check for entries that contain a ‘+’ or ‘_’ character. If any are found, this is a finding.
For the "cups" print service, verify remote host access is limited.


# grep -i Listen /etc/cups/cupsd.conf
The /etc/cups/cupsd.conf file must not contain a Listen *: or equivalent line.
If the network address of the "Listen" line is unrestricted, this is a finding.

# grep -i "Allow From" /etc/cups/cupsd.conf
The "Allow From" line within the "" element should limit access to the printers to @LOCAL and specific hosts.
If the "Allow From" line contains "All", this is a finding.
Fix Text (F-39202r1_fix)
Remove the '+' entries from the hosts.lpd (or equivalent) file.

Configure cups to use only the localhost or specified remote hosts.

Procedure:
Modify the /etc/cups/cupsd.conf file to "Listen" only to the local machine or a known set of hosts (i.e., Listen localhost:631).
Modify the /etc/cups/cupsd.conf file "" element to "Deny From All" and "Allow from 127.0.0.1" or allowed host addresses.

Restart cups:
# rccups restart
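
The Check Text above can be re-run as a script after applying the fix. The following is an added example, not part of the STIG text: the function names and script name are hypothetical, and treating "Port N" or a Listen on 0.0.0.0 or [::] as the "or equivalent" of "Listen *:" is an assumption of this example.

```shell
#!/bin/sh
# Added example (not from the STIG): function names are hypothetical.
# Each check prints offending lines (numbered) and returns 1 on a finding.

# hosts.lpd or equivalent: entries containing '+' or '_', comments ignored.
check_lpd_file() {
    [ -f "$1" ] || return 0          # file absent: Not Applicable
    if sed 's/#.*//' "$1" | grep -n '[+_]'; then
        return 1
    fi
    return 0
}

# cupsd.conf: unrestricted listeners. Assumption: "Port N" and Listen on
# 0.0.0.0 or [::] are counted as the "or equivalent" of "Listen *:".
check_cups_listen() {
    if sed 's/#.*//' "$1" |
        grep -niE '^[[:space:]]*(Port[[:space:]]|Listen[[:space:]]+(\*|0\.0\.0\.0|\[::\]):)'; then
        return 1
    fi
    return 0
}

# cupsd.conf: "Allow From All" (also the short form "Allow all").
check_cups_allow() {
    if sed 's/#.*//' "$1" |
        grep -niE '^[[:space:]]*Allow[[:space:]]+(from[[:space:]]+)?all([[:space:]]|$)'; then
        return 1
    fi
    return 0
}

# Run all three checks; succeeds only when there are no findings.
audit_print_service() {
    findings=0
    check_lpd_file "$1" || findings=$((findings + 1))
    check_cups_listen "$2" || findings=$((findings + 1))
    check_cups_allow "$2" || findings=$((findings + 1))
    echo "findings: $findings"
    [ "$findings" -eq 0 ]
}

# Usage (hypothetical script name): sh audit.sh <lpd-file> /etc/cups/cupsd.conf
if [ "$#" -ge 2 ]; then
    audit_print_service "$1" "$2"
fi
```

A non-zero exit status means at least one finding; the numbered lines printed before the summary are the entries to correct.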