3.1.4.2 NFS - enable both nosuid and nodev options on NFS client mounts - nosuid

Information

Disable suid/sgid program execution and/or access to system devices via the permission-related mount options (nosuid, nodev) set on every mounted NFS filesystem.

Rationale:

Setting the nosuid and nodev options means that files on the NFS server cannot be used to gain privileged access on the client.

This hampers a malicious user who could otherwise create an attack vector on the server (a setuid/setgid binary on the exported filesystem), then log onto an NFS client as a standard user and run that suid/sgid program to effectively become another user (especially root) on the client.

The nodev option blocks malicious/accidental (raw) access to system devices (e.g., /dev/kmem, /dev/rhdisk0). Device access is not limited to the /dev directory: devices are reached through so-called special files, which are defined by a major and minor device ID and can be created anywhere, including on an exported NFS filesystem.

Solution

For each NFS mount, disable suid programs and device access. The loops below list the current NFS mounts, skip the header line and any mount that already carries the option, and then re-mount the rest with both nosuid (-y) and nodev (-z):

# Mounts that lack nosuid: fields read are remote path, local mount point, host
lsnfsmnt -l | /usr/bin/egrep -v '^Name' | /usr/bin/grep -v 'nosuid' | while read remote local host rest; do
chnfsmnt -d ${remote} -f ${local} -h ${host} -y -z
done

# Mounts that lack nodev (only those that already had nosuid are left by now)
lsnfsmnt -l | /usr/bin/egrep -v '^Name' | /usr/bin/grep -v 'nodev' | while read remote local host rest; do
chnfsmnt -d ${remote} -f ${local} -h ${host} -y -z
done

NOTE: The NFS mount is re-mounted automatically by chnfsmnt.
NOTE: The second loop might not do anything, as both loops set both nosuid (-y) and nodev (-z).
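The remediation loops above change mounts in place. A practitioner usually wants a read-only audit first, to see which mounts would be touched and why. The following helper is an added example, not part of the CIS/Tenable text; it assumes the same field order the loops above read from lsnfsmnt -l (remote path, local mount point, host, then the remaining fields including the options), and it runs here over constructed sample records rather than a live host. Unlike the grep -v 'nosuid' filters in the loops, it matches the options as whole comma-separated tokens, so a hypothetical option name merely containing the substring would not be mistaken for compliance.

```shell
#!/bin/sh
# Added audit helper (not from the page): report NFS mounts lacking nosuid or nodev.
# Assumption: records look like `lsnfsmnt -l` minus the header, in the field order
# the remediation loops read: <remote> <mountpoint> <host> <rest...>, with the
# comma-separated mount options somewhere in <rest>.

# Constructed sample records; on a real AIX host feed the function with:
#   lsnfsmnt -l | /usr/bin/egrep -v '^Name' | audit_nfs_mounts
SAMPLE_MOUNTS='/export/home /home nfssrv1 nfs rw,bg,hard,intr,nosuid,nodev
/export/tools /opt/tools nfssrv1 nfs rw,bg,hard,intr,nosuid
/export/data /data nfssrv2 nfs rw,bg,hard,intr'

# Return 0 if the comma-separated option list in $2 contains the exact token $1.
has_option() {
    case ",$2," in
        *,"$1",*) return 0 ;;
        *) return 1 ;;
    esac
}

# Read records on stdin; print "<mountpoint> <host> missing=<opts>" for each
# mount that lacks nosuid and/or nodev. Compliant mounts print nothing.
audit_nfs_mounts() {
    while read remote mnt host rest; do
        [ -z "$remote" ] && continue
        # Collapse the trailing fields into one comma list so token matching works.
        opts=$(printf '%s' "$rest" | tr ' ' ',')
        missing=""
        has_option nosuid "$opts" || missing="nosuid"
        has_option nodev "$opts"  || missing="${missing:+$missing,}nodev"
        [ -n "$missing" ] && printf '%s %s missing=%s\n' "$mnt" "$host" "$missing"
    done
    return 0
}

# Print, without executing, the chnfsmnt command the page's remediation would run
# for each non-compliant record (dry run for change review).
remediation_plan() {
    while read remote mnt host rest; do
        [ -z "$remote" ] && continue
        opts=$(printf '%s' "$rest" | tr ' ' ',')
        if ! has_option nosuid "$opts" || ! has_option nodev "$opts"; then
            printf 'chnfsmnt -d %s -f %s -h %s -y -z\n' "$remote" "$mnt" "$host"
        fi
    done
    return 0
}

# Stand-alone demonstration over the constructed sample.
printf '%s\n' "$SAMPLE_MOUNTS" | audit_nfs_mounts
printf '%s\n' "$SAMPLE_MOUNTS" | remediation_plan
```

Run the audit on a schedule or from a configuration-check job and alert on any output line; an empty result means every NFS mount already carries both options. The dry-run plan is what a change ticket would carry before the loops in the Solution are executed.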

Default Value:

N/A

See Also

https://workbench.cisecurity.org/files/4119

Item Details

Category: ACCESS CONTROL, MEDIA PROTECTION

References: 800-53|AC-3, 800-53|AC-5, 800-53|AC-6, 800-53|MP-2, CSCv7|14.6

Plugin: Unix

Control ID: 0e850eca0ac9390615b57559078d61356cf5002dc4a2e6d89611afb06c71aa01