4.1.4.7 NFS - secure NFS

Information

For each NFS export, ensure that the secure option is selected.

Rationale:

Secure NFS uses DES encryption or Kerberos to authenticate the hosts involved in RPC transactions. RPC is the protocol NFS uses to carry requests between hosts. Secure NFS mitigates attempts by an attacker to spoof RPC requests by encrypting the time stamp in each request: a receiver that successfully decrypts the time stamp and confirms it is correct has confirmation that the request came from a trusted host.

Solution

Use chnfsexp to validate or change the security option on each NFS exported filesystem:

chnfsexp -d <fs> -S <sec>

The available security method options are:

sys - UNIX authentication

dh - DES authentication

none - Use the anonymous ID if it has a value other than -1

krb5 - Kerberos authentication only

krb5i - Kerberos authentication and integrity

krb5p - Kerberos authentication, integrity, and privacy

Once all exported filesystems have been successfully validated or changed, re-export the filesystems and directories to activate the new options:

exportfs -a
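Added example (not part of the benchmark or of AIX itself): a POSIX shell audit that reads an /etc/exports file and reports every export whose sec option is missing or lists a method other than krb5, krb5i or krb5p. It assumes the AIX export line format "<directory> -opt,opt,sec=m1:m2" and runs against a constructed sample file rather than the live /etc/exports.

```shell
#!/bin/sh
# Audit an AIX-style /etc/exports for the NFS "sec=" option.
# Assumed line format (constructed sample below, not a real export list):
#   <directory> -opt,opt,sec=<m1>:<m2>,...
# Exports with no sec= (which fall back to UNIX/sys authentication) or with
# any method other than krb5/krb5i/krb5p are reported as FAIL.

audit_exports() {
    file=$1
    rc=0
    while IFS= read -r line || [ -n "$line" ]; do
        case $line in ''|'#'*) continue ;; esac
        set -- $line                     # $1 = directory, $2 = -options
        [ $# -eq 0 ] && continue         # whitespace-only line
        dir=$1
        opts=${2#-}
        sec=''
        old_ifs=$IFS; IFS=,
        for opt in $opts; do             # options are comma separated
            case $opt in sec=*) sec=${opt#sec=} ;; esac
        done
        IFS=:                            # sec methods are colon separated
        weak=''
        for method in $sec; do
            case $method in
                krb5|krb5i|krb5p) ;;
                *) weak="$weak$method " ;;
            esac
        done
        IFS=$old_ifs
        if [ -z "$sec" ]; then
            echo "FAIL $dir no sec= option (defaults to sys)"; rc=1
        elif [ -n "$weak" ]; then
            echo "FAIL $dir weak method(s): $weak"; rc=1
        else
            echo "OK   $dir sec=$sec"
        fi
    done < "$file"
    return $rc
}

# Constructed sample /etc/exports for demonstration.
sample=${TMPDIR:-/tmp}/exports_sample.$$
printf '%s\n' \
    '# application share, Kerberos with privacy' \
    '/export/app -sec=krb5p:krb5i,rw' \
    '/export/data -rw,root=nfsclient1' \
    '/export/old -sec=sys:dh,ro' > "$sample"
audit_exports "$sample" || echo "Non-compliant exports found; fix with chnfsexp -d <fs> -S <sec>"
rm -f "$sample"
```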

Default Value:

N/A

Additional Information:

Reversion: Copy back the original /etc/exports:

cp -p /etc/exports.pre_cis /etc/exports

See Also

https://workbench.cisecurity.org/benchmarks/13069

Item Details

Category: CONFIGURATION MANAGEMENT

References: 800-53|CM-7b.

Plugin: Unix

Control ID: 01439936cf13ec01d4a32dcb53d9cd17466ae5422fd48afbcc7f1feeef2707b6