TCP Wrappers must be enabled and configured per site policy to only allow access by approved hosts and services.

From Solaris 11 SPARC Security Technical Implementation Guide

Part of SRG-OS-999999

Associated with: CCI-000366

SV-60807r1_rule TCP Wrappers must be enabled and configured per site policy to only allow access by approved hosts and services.

Vulnerability discussion

TCP Wrappers are a host-based access control system that allows administrators to control who has access to various network services based on the IP address of the remote end of the connection. TCP Wrappers also provide logging information via syslog about both successful and unsuccessful connections.

Check content

Check that TCP Wrappers are enabled and the host.deny and host.allow files exist. # inetadm -p | grep tcp_wrappers If the output of this command is "tcp_wrappers=FALSE", this is a finding. # ls /etc/hosts.deny /etc/hosts.deny # ls /etc/hosts.allow /etc/hosts.allow If these files do not exist or do not contain the names of allowed or denied hosts, this is a finding.

Fix text

The root role is required. To enable TCP Wrappers, run the following commands: 1. Create and customize your policy in /etc/hosts.allow: # echo "ALL: [net]/[mask], [net]/[mask], ..." > /etc/hosts.allow where each [net>/[mask> combination (for example, the Class C address block "192.168.1.0/255.255.255.0") can represent one network block in use by your organization that requires access to this system. 2. Create a default deny policy in /etc/hosts.deny: # echo "ALL: ALL" >/etc/hosts.deny 3. Enable TCP Wrappers for all services started by inetd: # inetadm -M tcp_wrappers=TRUE The versions of SSH and sendmail that ship with Solaris 11 will automatically use TCP Wrappers to filter access if a hosts.allow or hosts.deny file exists.

Pro Tips

Lavender hyperlinks in small type off to the right (of CSS class id, if you view the page source) point to globally unique URIs for each document and item. Copy the link location and paste anywhere you need to talk unambiguously about these things.

You can obtain data about documents and items in other formats. Simply provide an HTTP header Accept: text/turtle or Accept: application/rdf+xml.

Powered by sagemincer