Information
Only allow explicitly defined host access to NFS exported filesystems and directories.
Rationale:
The NFS server should be configured to only allow explicitly defined hosts to mount filesystems from the server. If an unauthorized host is denied the permission to mount a filesystem, then the unauthorized users on that host will not be able to access the server's files.
The default value of access allows any machine to mount any exported filesystems/directories.
Solution
Ensure that all exports defined in /etc/exports have explicit client access options which clearly define the host or hosts allowed access. Review the content of /etc/exports and confirm that all exports have explicit access lists:
showmount -e | grep '(everyone)'
Ensure that each NFS export has an explicit access line. For example, modify:
/export/repo (everyone)
to:
/export/repo x071
The option -c is used to specify clients permitted access:
chnfsexp -d /export/repo -c x071
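An added example, not part of the original benchmark text: a POSIX shell function that checks the exports file itself rather than showmount output, listing every export that has no non-empty access= client list. It assumes the AIX /etc/exports layout of a directory followed by comma-separated options with colon-separated clients; the function names, the sample entries and the host x072 are constructed for illustration.

```shell
#!/bin/sh
# Added example: report exports that lack an explicit client access list.

# Reads exports-format text on stdin and prints one directory per line for
# every entry that has no access= option or has an empty one.
exports_without_access_list() {
    awk '
        /^[ \t]*#/ || /^[ \t]*$/ { next }       # skip comments and blank lines
        {
            dir = $1
            opts = ""
            for (i = 2; i <= NF; i++) opts = opts $i   # tolerate spaces in the option list
            sub(/^-/, "", opts)                        # drop the leading dash
            n = split(opts, o, ",")
            ok = 0
            for (i = 1; i <= n; i++)
                if (o[i] ~ /^access=./) ok = 1         # at least one client named
            if (!ok) print dir
        }
    '
}

# Constructed sample input (not taken from a real system).
sample_exports() {
    cat <<'EOF'
# constructed sample entries
/export/repo -rw
/export/home -access=x071
/export/tools -ro,access=x071:x072
/export/tmp
/export/empty -access=
EOF
}

# Runs the check over the constructed sample.
audit_sample() {
    sample_exports | exports_without_access_list
}

audit_sample
# On a server (assumed usage): exports_without_access_list < /etc/exports
```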
Default Value:
N/A
Additional Information:
Reversion: Clear the client access specification by supplying the NULL string ('') as the argument.
chnfsexp -d /export/repo -c ''