STIGQter: STIG Summary: Solaris 11 X86 Security Technical Implementation Guide, Version 2, Release 3, Benchmark Date: 23 Apr 2021

TCP Wrappers must be enabled and configured per site policy to only allow access by approved hosts and services.

DISA Rule

SV-216083r603268_rule

Vulnerability Number

V-216083

Group Title

SRG-OS-000480

Rule Version

SOL-11.1-030050

Severity

CAT II

CCI(s)

Weight

10

Fix Recommendation

The root role is required.

To enable TCP Wrappers, run the following commands:

1. Create and customize your policy in /etc/hosts.allow:
# echo "ALL: [net]/[mask], [net]/[mask], ..." > /etc/hosts.allow

where each [net]/[mask] combination (for example, the Class C address block "192.168.1.0/255.255.255.0") represents one network block in use by your organization that requires access to this system.

2. Create a default deny policy in /etc/hosts.deny:

# echo "ALL: ALL" >/etc/hosts.deny

3. Enable TCP Wrappers for all services started by inetd:

# inetadm -M tcp_wrappers=TRUE

The versions of SunSSH (0.5.11) and sendmail that ship with Solaris 11 will automatically use TCP Wrappers to filter access if a hosts.allow or hosts.deny file exists.

Starting with Solaris 11.3, OpenSSH access is controlled by the sshd_config file instead.

SunSSH is removed starting with Solaris 11.4.

Check Contents

Check that TCP Wrappers are enabled and that the hosts.deny and hosts.allow files exist.

# inetadm -p | grep tcp_wrappers

If the output of this command is "tcp_wrappers=FALSE", this is a finding.

# ls /etc/hosts.deny
/etc/hosts.deny
# ls /etc/hosts.allow
/etc/hosts.allow

If these files do not exist or do not contain the names of allowed or denied hosts, this is a finding.
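The check above, written as a small POSIX shell function (an added example, not part of the STIG or of STIGQter). It assumes the `inetadm -p` listing has been saved to a file first and that `grep` supports `-E` and `-q`; it reports a finding for each of the three conditions the check names.

```shell
#!/bin/sh
# Added example, not part of the STIG text: evaluates the conditions of this
# check against a captured "inetadm -p" listing and the two hosts files.
# Assumptions: the listing was saved with "inetadm -p > /tmp/inetadm.out", and
# grep supports -E and -q (true of Solaris 11 /usr/bin/grep and of GNU/BSD grep).

# has_rule FILE: true if FILE exists and holds at least one line that is
# neither blank nor a comment, i.e. at least one host rule.
has_rule() {
    [ -f "$1" ] && grep -Eq '^[[:space:]]*[^#[:space:]]' "$1"
}

# check_tcp_wrappers INETADM_LISTING HOSTS_ALLOW HOSTS_DENY
# Prints one FINDING line per failed condition; returns 0 only when all pass.
check_tcp_wrappers() {
    listing=$1; allow=$2; deny=$3
    findings=0
    # The STIG calls tcp_wrappers=FALSE a finding; treating anything other than
    # an explicit TRUE the same way also catches a missing or malformed line.
    if ! grep -q '^tcp_wrappers=TRUE$' "$listing"; then
        echo "FINDING: inetd default tcp_wrappers is not TRUE"
        findings=1
    fi
    for f in "$allow" "$deny"; do
        if ! has_rule "$f"; then
            echo "FINDING: $f is missing or contains no host rules"
            findings=1
        fi
    done
    return $findings
}

# On a Solaris 11 host the real invocation is:
#   inetadm -p > /tmp/inetadm.out
#   check_tcp_wrappers /tmp/inetadm.out /etc/hosts.allow /etc/hosts.deny
```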

Documentable

False

Severity Override Guidance

Check Content Reference

M

Target Key

4021

Comments