4

We've recently gone through a security audit and among several valid and other, quite pointless findings is one that states that tcpwrappers is not disabled. I've never used tcpwrappers so I don't have a great deal of experience in how it is configured.

Having said that I've always been under the impression that it isn't simply disabled or enabled like a daemon. Instead, rules are created which define services that use it and which servers are and are not allowed to access the service.

By default, if nothing is defined then tcpwrappers is, effectively, disabled.

Am I wrong?

theillien
  • 445
  • 3
  • 13
  • 28
  • In the past we already concluded that [some auditors are idiots](http://serverfault.com/questions/293217) and this sounds like another example. - you are correct: no daemon, nothing in `/etc/hosts.*` and tcp-wrappers has no impact. Since it is a linked library removing it requires recompiling packages, which any capable auditor should even be more adverse to. – HBruijn Mar 05 '15 at 08:45

1 Answers1

2

I'm not 100% sure on what they mean by disabled but quite a few binaries on an average linux bistro would be linked to libwrap.so (e.g. sshd) which is a lib provided by the tcp_wrappers package.

You're correct in that this won't make any difference unless there is configuration in hosts.allow or hosts.deny files.

Martin
  • 501
  • 2
  • 5
  • Keep in mind that recent versions of OpenSSH have dropped support for tcp wrappers, so that isn't a great example. – Zoredache Mar 04 '15 at 23:36
  • @Zoredache RHEL6 still uses a version that is linked. When checking the impact of removing the tcp_wrappers and tcp_wrappers-libs RPMs OpenSSH was going to be removed as a dependency. – theillien Mar 04 '15 at 23:43
  • This is a relatively recent change (6.7+) back in October. You would only notice it if you are living on the bleeding edge. – Zoredache Mar 04 '15 at 23:48