TCP Wrappers must be enabled and configured per site policy to only allow access by approved hosts and services.

An XCCDF Rule

Description

<VulnDiscussion>TCP Wrappers are a host-based access control system that allows administrators to control who has access to various network services based on the IP address of the remote end of the connection. TCP Wrappers also provide logging information via syslog about both successful and unsuccessful connections.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>

ID: SV-216318r959010_rule
Severity: Medium
References: CCI-000366
Updated: 18 days ago

The root role is required.

To enable TCP Wrappers, run the following commands:

1. Create and customize your policy in /etc/hosts.allow:
# echo "ALL: [net]/[mask], [net]/[mask], ..." > /etc/hosts.allow 
where each [net>/[mask> combination (for example, the Class C address block "192.168.1.0/255.255.255.0") can represent one network block in use by your organization that requires access to this system.

2. Create a default deny policy in /etc/hosts.deny: 

# echo "ALL: ALL" >/etc/hosts.deny

3. Enable TCP Wrappers for all services started by inetd:

# inetadm -M tcp_wrappers=TRUE

The versions of SunSSH (0.5.11) and sendmail that ship with Solaris 11 will automatically use TCP Wrappers to filter access if a hosts.allow or hosts.deny file exists.

The use of OpenSSH access is controlled by the sshd_config file starting with Solaris 11.3. 

SunSSH is removed starting with Solaris 11.4.

TCP Wrappers must be enabled and configured per site policy to only allow access by approved hosts and services.

Description

Remediation - Manual Procedure