Details

NOTE: Update the value of HOSTS_ALLOW_NETWORK with the appropriate value for the local environment.

Solution

To enable TCP Wrappers, run the following commands:
1. Create and customize your policy in /etc/hosts.allow:
# echo “ALL: /, /” > /etc/hosts.allow
where each / combination (for example, the Class C address block “192.168.1.0/255.255.255.0”) can represent one network block in use by your organization that requires access to this system.
2. Create a default deny policy in /etc/hosts.deny:
# echo “ALL: ALL” >/etc/hosts.deny
3. Enable TCP Wrappers for all services started by inetd:
# inetadm -M tcp_wrappers=TRUE
To protect only specific inetd services, use the command:
# inetadm -m [FMRI] tcp_wrappers=TRUE
To enable TCP Wrappers for the RPC port mapping service, use the commands:
# svccfg -s rpc/bind setprop config/enable_tcpwrappers=true
# svcadm refresh rpc/bind

The versions of SSH and sendmail that ship with Solaris 11 will automatically use TCP Wrappers to filter access if a hosts.allow or hosts.deny file exists. To protect UDP and RPC-based services that are spawned from inetd, consider implementing a host-based firewall such as Solaris IP Filter. See ipfilter(5) for more information.

Supportive Information

The following resource is also helpful.

• https://workbench.cisecurity.org/files/612

This security hardening control applies to the following category of controls within NIST 800-53: System and Communications Protection.This control applies to the following type of system Unix.

References

• 800-53|SC-7(5)

Source

• Tenable.com/audits