4.1.1.5 rc.nfs

Information

The rcnfs entry starts the NFS, NIS and automount daemons during system boot. Additionally, it automounts filesystems with the attribute vfs = nfs.

Rationale:

NFS is a service with numerous historical vulnerabilities and should not be enabled unless there is no alternative.

Solution

Use the rmitab command to remove the NFS start-up script from /etc/inittab:

rmitab rcnfs

Also, to be certain that NFS-related services have been discontinued, execute the following script:

/etc/nfs.clean

Default Value:

Uncommented

Additional Information:

If NFS-related services are required, then read-only exports and mounts are recommended. NFS mounts should include the options nodev and nosuid to prevent unauthorized access. Further, no filesystem or directory should be exported with root access.

Remember: unless otherwise required, the NFS-related services should be disabled.
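
The following audit check is an added example, not part of the benchmark text or of any CIS or vendor tooling. It reports whether an uncommented rcnfs record remains in an inittab file and lists the vfs = nfs stanzas of an /etc/filesystems-style file that lack nodev or nosuid. The function names, the sample data and the file formats described in the comments are assumptions.

```shell
#!/bin/sh
# Assumptions: AIX inittab records are "id:runlevel:action:command" and a
# leading ":" comments one out; /etc/filesystems holds "name:" stanzas with
# indented "attribute = value" lines and "*" comment lines.

# rcnfs_active FILE: exit 0 if FILE has an uncommented rcnfs record.
rcnfs_active() {
    awk -F: '$1 == "rcnfs" { found = 1 } END { exit !found }' "${1:-/etc/inittab}"
}

# weak_nfs_mounts FILE: print each vfs = nfs stanza lacking nodev or nosuid.
weak_nfs_mounts() {
    awk '
    function report() {
        o = "," opts ","
        if (nfs && !(index(o, ",nodev,") && index(o, ",nosuid,"))) print name
        nfs = 0; opts = ""
    }
    /^\*/ { next }
    /^[^ \t]/ && /:[ \t]*$/ { report(); name = $1; sub(/:$/, "", name); next }
    $1 == "vfs" && $3 == "nfs" { nfs = 1 }
    $1 == "options" { opts = $3 }
    END { report() }
    ' "${1:-/etc/filesystems}"
}

# Constructed sample data (not from a real host).
sample_inittab() {
    cat <<'EOF'
:rctcpip:23456789:wait:/etc/rc.tcpip > /dev/console 2>&1
rcnfs:23456789:wait:/etc/rc.nfs > /dev/console 2>&1 # Start NFS Daemons
EOF
}

sample_filesystems() {
    cat <<'EOF'
* constructed excerpt
/home:
        vfs = jfs2
/mnt/tools:
        dev = "/export/tools"
        vfs = nfs
        options = bg,hard,intr,ro
/mnt/docs:
        dev = "/export/docs"
        vfs = nfs
        options = ro,nodev,nosuid
EOF
}
```

Called without arguments, both functions read the live /etc/inittab and /etc/filesystems; on the constructed data the inittab check succeeds (rcnfs still active) and the mount check prints /mnt/tools.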

See Also

https://workbench.cisecurity.org/benchmarks/13069

Item Details

Category: CONFIGURATION MANAGEMENT

References: 800-53|CM-6, 800-53|CM-7, CSCv7|9.2

Plugin: Unix

Control ID: 1384da4da646ece8c59be1084c5e83a5da997b7d920f1ad00a1faebf3cd9f126