Rules Related To 'inetd'

Component overview

Relevant packages:

Relevant groups:

Changelog:

No changes recorded.

Relevant rules:

Rule details

Ensure /etc/hosts.deny is configured

configure_etc_hosts_deny

Description

The file /etc/hosts.deny together with /etc/hosts.allow provides a simple access control mechanism for network services supporting TCP wrappers. The following line in the file ensures that access to services supporting this mechanism is denied to any clients not mentioned in /etc/hosts.allow:

ALL: ALL
It is advised to inspect available network services which might be affected by modification of file mentioned above prior to performing the remediation of this rule. If there exist services which might be affected and access to them should not be blocked, modify the /etc/hosts.allow file appropriately before performing the remediation.

Rationale

Correct configuration in /etc/hosts.deny ensures that no explicitly mentioned clients will be able to connect to services supporting this access control mechanism.

Verify Group Ownership of /etc/hosts.allow

file_groupowner_etc_hosts_allow

Description

To properly set the group owner of /etc/hosts.allow, run the command:

$ sudo chgrp root /etc/hosts.allow

Rationale

The /etc/hosts.allow file is used to control access of clients to daemons in the server. Insecure groupownership of this file could allow users to grant clients unrestricted access or no access at all to services in the server.

Verify Group Ownership of /etc/hosts.deny

file_groupowner_etc_hosts_deny

Description

To properly set the group owner of /etc/hosts.deny, run the command:

$ sudo chgrp root /etc/hosts.deny

Rationale

The /etc/hosts.deny file is used to control access of clients to daemons in the server. Insecure groupownership of this file could allow users to grant clients unrestricted access or no access at all to services in the server.

Verify Ownership of /etc/hosts.allow

file_owner_etc_hosts_allow

Description

To properly set the owner of /etc/hosts.allow, run the command:

$ sudo chown root /etc/hosts.allow 

Rationale

The /etc/hosts.allow file is used to control access of clients to daemons in the server. Insecure groupownership of this file could allow users to grant clients unrestricted access or no access at all to services in the server.

Verify Ownership of /etc/hosts.deny

file_owner_etc_hosts_deny

Description

To properly set the owner of /etc/hosts.deny, run the command:

$ sudo chown root /etc/hosts.deny 

Rationale

The /etc/hosts.deny file is used to control access of clients to daemons in the server. Insecure groupownership of this file could allow users to grant clients unrestricted access or no access at all to services in the server.

Verify Permissions on /etc/hosts.allow

file_permissions_etc_hosts_allow

Description

To properly set the permissions of /etc/hosts.allow, run the command:

$ sudo chmod 0644 /etc/hosts.allow

Rationale

The /etc/hosts.allow file is used to control access of clients to daemons in the server. Insecure groupownership of this file could allow users to grant clients unrestricted access or no access at all to services in the server.

Verify Permissions on /etc/hosts.deny

file_permissions_etc_hosts_deny

Description

To properly set the permissions of /etc/hosts.deny, run the command:

$ sudo chmod 0644 /etc/hosts.deny

Rationale

The /etc/hosts.deny file is used to control access of clients to daemons in the server. Insecure groupownership of this file could allow users to grant clients unrestricted access or no access at all to services in the server.

Install tcp_wrappers Package

package_tcp_wrappers_installed

Description

When network services are using the xinetd service, the tcp_wrappers package should be installed. The tcp_wrappers package can be installed with the following command:

$ sudo dnf install tcp_wrappers

Rationale

Access control methods provide the ability to enhance system security posture by restricting services and known good IP addresses and address ranges. This prevents connections from unknown hosts and protocols.

Uninstall tcpd Package

package_tcp_wrappers_removed

Description

The tcpd package can be removed with the following command:

$ sudo dnf erase tcpd

Rationale

Administrators can use TCP wrapper library and daemon for host control over network services. In these implementations, xinetd runs tcpd program, which first looks at the incomming connection as well as the access control lists in the /etc/hosts.allow and /etc/hosts.deny files. Removing the xinetd package decreases the risk of the xinetd service's accidental (or intentional) activation. The removal of tcpd package will support this protective measure in addition.

Uninstall xinetd Package

package_xinetd_removed

Description

The xinetd package can be removed with the following command:

$ sudo dnf erase xinetd

Rationale

Removing the xinetd package decreases the risk of the xinetd service's accidental (or intentional) activation.

Disable xinetd Service

service_xinetd_disabled

Description

The xinetd service can be disabled with the following command:

$ sudo systemctl mask --now xinetd.service

Rationale

The xinetd service provides a dedicated listener service for some programs, which is no longer necessary for commonly-used network services. Disabling it ensures that these uncommon services are not running, and also prevents attacks against xinetd itself.