4.1.4.1 NFS - disable NFS client

Information

Disable NFS client unless system needs to access known NFS shares.

Rationale:

NFS can be exploited to gain unauthorized access to file and directories. If a system does not need access to an NFS server the NFS client should be disabled to minimize this risk.

As AIX software hierarchy does not permit the de installation of the NFS client functionality - the base recommendation is to disable NFS mount permissions. The secondary control is to frequently verify that unauthorized/unexpected NFS mounts are detected.

Impact:

NFS exploits are frequently based on file permission settings - and mistakes in the NFS server and/or NFS client configuration settings. A typical classroom example is getting root access via SUID with a executable originating from an NFS share.

Solution

Ensure that there are no current NFS client mounts:

mount |grep 'nfs'
cat /etc/filesystems |grep 'nfs'

The above commands should yield no output.
De-install the NFS client software:

installp -u bos.net.nfs.client

Default Value:

N/A

Additional Information:

Reversion:

Re-install the software from the product DVD's

See Also

https://workbench.cisecurity.org/benchmarks/13069

Item Details

Category: CONFIGURATION MANAGEMENT

References: 800-53|CM-7b.

Plugin: Unix

Control ID: fd1af0e79cebecc24dd2a3681aeb64c502becfb4a6f36c7fb73b2b42fed496e9