The Samba Web Administration Tool (SWAT) must be restricted to the local host or require SSL.

Overview

Finding ID	Version	Rule ID	IA Controls	Severity
V-1026	GEN006080	SV-42313r1_rule	EBRP-1	Medium

Description
SWAT is a tool used to configure Samba. As it modifies Samba configuration, which can impact system security, it must be protected from unauthorized access. SWAT authentication may involve the root password, which must be protected by encryption when traversing the network. Restricting access to the local host allows for the use of SSH TCP forwarding, if configured, or administration by a web browser on the local system.

Description

SWAT is a tool used to configure Samba. As it modifies Samba configuration, which can impact system security, it must be protected from unauthorized access. SWAT authentication may involve the root password, which must be protected by encryption when traversing the network. Restricting access to the local host allows for the use of SSH TCP forwarding, if configured, or administration by a web browser on the local system.

STIG	Date
Solaris 10 SPARC Security Technical Implementation Guide	2020-02-26

Details

Check Text ( C-40643r1_chk )
Verify the SWAT daemon is running under inetd. # svcs swat If SWAT is disabled or not installed, this is not applicable. Verify that TCP_wrappers is enabled for the SWAT daemon. # inetadm -l swat \| grep tcp_wrappers If the tcp_wrappers value is unset or is set to FALSE, this is a finding. Verify access to the SWAT daemon is limited to localhost through the use of TCP_Wrappers. # more /etc/hosts.allow # more /etc/hosts.deny If the hosts.allow and hosts.deny access control files are configured such that remote access to SWAT is enabled, this is a finding. Ask the SA if SSH port forwarding is used to enable remote access to SWAT. If it is, this is not a finding. If all access to SWAT is via localhost using a local web browser, this is not a finding.

Check Text ( C-40643r1_chk )

Verify the SWAT daemon is running under inetd.

# svcs swat

If SWAT is disabled or not installed, this is not applicable.

Verify that TCP_wrappers is enabled for the SWAT daemon.

# inetadm -l swat | grep tcp_wrappers

If the tcp_wrappers value is unset or is set to FALSE, this is a finding.

Verify access to the SWAT daemon is limited to localhost through the use of TCP_Wrappers.

# more /etc/hosts.allow
# more /etc/hosts.deny

If the hosts.allow and hosts.deny access control files are configured such that remote access to SWAT is enabled, this is a finding.

Ask the SA if SSH port forwarding is used to enable remote access to SWAT. If it is, this is not a finding. If all access to SWAT is via localhost using a local web browser, this is not a finding.

Fix Text (F-35945r1_fix)
Enable tcp_wrappers for the SWAT daemon. # inetadm -m swat tcp_wrappers=true OR # inetadm -M tcp_wrappers=true Relfresh the inetd daemon. # svcadm refresh inetd Configure the hosts.allow and hosts.deny files to limit access to SWAT to localhost. Example: # echo ALL: ALL >> /etc/hosts.deny # echo swat: localhost >> /etc/hosts.allow