4.4.1.4 NIS - restrict NIS server communication

Information

If NIS must be used in the environment, limit access to the NIS data to specific subnets.

Rationale:

By default, the NIS server will accept requests from all IP addresses if the /var/yp/securenets file does not exist, or exists without any subnets defined. The /var/yp/securenets file contains a list of subnets that are considered trusted and are allowed to access NIS data using the ypserv and ypxfrd daemons. This is a user-created file that resides on the NIS master server and any slave servers. Without this file configured, anyone with knowledge of the NIS server address and the domain name can obtain NIS-served data, including the contents of the /etc/passwd file. Hence, it is recommended that the /var/yp/securenets file is configured to restrict access.

Solution

Create and secure the /var/yp/securenets file (if it does not already exist):

touch /var/yp/securenets
chmod u=rw,go= /var/yp/securenets
chown root:system /var/yp/securenets

Edit the file:

vi /var/yp/securenets

Add the allowed subnets:

255.255.255.0 192.0.2.0

NOTE: The format of the file is netmask netaddr, one entry per line, as shown in the example above (the address shown is from the RFC 5737 documentation range; substitute the subnets trusted in the environment). Explicitly define all valid network subnets.

Stop and start NIS to implement the configuration changes:

stopsrc -g yp
startsrc -g yp

Default Value:

N/A

Additional Information:

Reversion:

Remove the /var/yp/securenets file:

rm /var/yp/securenets

See Also

https://workbench.cisecurity.org/benchmarks/7851