2.2.9 Ensure network file system services are not in use

Information

The Network File System (NFS) is one of the first and most widely distributed file systems in the UNIX environment. It provides the ability for systems to mount file systems of other servers through the network.

If the system does not require access to network shares or the ability to provide network file system services for other hosts' network shares, it is recommended that the nfs-utils package be removed to reduce the attack surface of the system.

Solution

Run the following commands to stop nfs-server.service and remove the nfs-utils package:

# systemctl stop nfs-server.service
# dnf remove nfs-utils

-OR-

-IF- the nfs-utils package is required as a dependency:

Run the following commands to stop and mask nfs-server.service:

# systemctl stop nfs-server.service
# systemctl mask nfs-server.service

Impact:

Many of the libvirt packages used by Enterprise Linux virtualization are dependent on the nfs-utils package. If the nfs-utils package is removed, these dependent packages will be removed as well. Before removing the nfs-utils package, review any dependent packages to determine if they are required on the system.

-IF- a dependent package is required: stop and mask the nfs-server.service, leaving the nfs-utils package installed.
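
An added example, not part of the benchmark or the plugin: a shell check that reports whether a host is in one of the two end states the Solution describes, and lists packages that require nfs-utils so they can be reviewed before removal. It assumes an RPM/systemd host; the function names, and the rule that only a stopped and masked unit passes while the package remains installed, are this example's assumptions.

```shell
#!/bin/sh
# Added example (not from the benchmark): verdict for the two compliant states.
# Assumption: with nfs-utils installed, only a stopped AND masked unit passes,
# following the Solution text; the benchmark's own audit steps are not shown here.

# nfs_verdict PKG ENABLED ACTIVE
#   PKG     = installed | absent
#   ENABLED = output of: systemctl is-enabled nfs-server.service
#   ACTIVE  = output of: systemctl is-active nfs-server.service
nfs_verdict() {
    if [ "$1" = "absent" ]; then
        echo "PASS: nfs-utils is not installed"
        return 0
    fi
    case "$3" in
        inactive|failed) ;;
        *) echo "FAIL: nfs-server.service is $3"; return 1 ;;
    esac
    if [ "$2" != "masked" ]; then
        echo "FAIL: nfs-server.service is stopped but '$2', not masked"
        return 1
    fi
    echo "PASS: nfs-utils installed, nfs-server.service stopped and masked"
}

# Collect the live state on an RPM/systemd host and print the verdict.
nfs_audit_live() {
    nfs_pkg=absent
    if rpm -q nfs-utils >/dev/null 2>&1; then
        nfs_pkg=installed
        # Installed packages that require nfs-utils (review before removal).
        rpm -q --whatrequires nfs-utils >&2 || true
    fi
    nfs_enabled=$(systemctl is-enabled nfs-server.service 2>/dev/null) || true
    nfs_active=$(systemctl is-active nfs-server.service 2>/dev/null) || true
    nfs_verdict "$nfs_pkg" "${nfs_enabled:-not-found}" "${nfs_active:-inactive}"
}

# "--live" audits this host; otherwise show constructed sample states.
if [ "${1:-}" = "--live" ]; then
    nfs_audit_live
else
    nfs_verdict absent    not-found inactive || true
    nfs_verdict installed masked    inactive || true
    nfs_verdict installed disabled  inactive || true
    nfs_verdict installed enabled   active   || true
fi
```

Run with `--live` as root on the target host; the exit status is 0 for PASS and 1 for FAIL.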

See Also

https://workbench.cisecurity.org/benchmarks/15289

Item Details

Category: CONFIGURATION MANAGEMENT

References: 800-53|CM-6, 800-53|CM-7, CSCv7|9.2

Plugin: Unix

Control ID: 50d5db678aa83c3c2be41c2af468fd453380562d7a9f47dea8a54607c8172e6f