3.1.4.6 NFS - secure NFS

Information

For each NFS export, ensure that the secure option is selected.

Rationale:

Secure NFS uses DES encryption or Kerberos to authenticate hosts involved in RPC transactions. RPC is the protocol NFS uses to communicate requests between hosts. Secure NFS mitigates attempts by an attacker to spoof RPC requests by encrypting the time stamp in each RPC request. When the receiver successfully decrypts the time stamp and confirms that it is correct, this serves as confirmation that the RPC request came from a trusted host.

Solution

Use chnfsexp to change/validate this value for all NFS exported filesystems:

chnfsexp -d <fs> -S <sec>

The available security method options are:

sys - UNIX authentication

dh - DES authentication

none - Use the anonymous ID if it has a value other than -1

krb5 - Kerberos. Authentication only

krb5i - Kerberos. Authentication and integrity

krb5p - Kerberos. Authentication, integrity, and privacy

Once all exported filesystems have been successfully validated or changed, re-export the filesystems and directories to activate the new options:

exportfs -a
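
The validation step above can be scripted. The following is an added example, not part of the benchmark text: a shell function that reads an AIX-style exports file and lists exports that do not use DES or Kerberos. It assumes that an export with no sec= option falls back to sys and that a bare "secure" keyword is the legacy form of DES; the sample exports are constructed.

```sh
#!/bin/sh
# Added example: flag exports in an AIX-style exports file whose security
# flavors are missing or include sys/none.
# Assumptions: no sec= means the sys default applies; a bare "secure"
# keyword is the legacy spelling of DES; continuation lines are not handled.

# audit_exports [FILE...]  (reads stdin when no file is given)
# Prints one "PATH: reason" line per export that needs attention.
audit_exports() {
    awk '
    NF == 0 || $1 ~ /^#/ { next }            # skip blank lines and comments
    {
        path = $1; opts = $2
        sub(/^-/, "", opts)                  # options start with a dash
        n = split(opts, o, ",")
        found = 0; weak = ""
        for (i = 1; i <= n; i++) {
            if (o[i] == "secure") found = 1
            if (o[i] !~ /^sec=/) continue
            found = 1                        # sec= may appear more than once
            m = split(substr(o[i], 5), f, ":")
            for (j = 1; j <= m; j++)
                if (f[j] == "sys" || f[j] == "none")
                    weak = weak (weak == "" ? "" : ",") f[j]
        }
        if (!found)          print path ": no sec= option"
        else if (weak != "") print path ": weak flavor " weak
    }' "$@"
}

# Constructed sample exports file (not taken from a real host).
sample_exports() {
    cat <<'EOF'
# /etc/exports (constructed)
/export/home -sec=krb5p,rw,access=hosta:hostb
/export/data -sec=krb5i:sys,ro
/export/scratch -rw,root=hosta
/export/legacy -sec=dh,rw
/export/pub -sec=krb5,rw,sec=none,ro
EOF
}

sample_exports | audit_exports
```

On a host, run audit_exports /etc/exports and pass each path it reports to chnfsexp with the chosen method.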

Default Value:

N/A

Additional Information:

Reversion: Copy back the original /etc/exports:

cp -p /etc/exports.pre_cis /etc/exports

See Also

https://workbench.cisecurity.org/files/4119

Item Details

Category: CONFIGURATION MANAGEMENT

References: 800-53|CM-6, 800-53|CM-7, CSCv7|9.2

Plugin: Unix

Control ID: 6e3e46077aebda185ec834e3075026699ae92e80802c80267dbcf4adab143ad5