2.9 Disable NIS Server Services

Information

The NIS server software is not installed by default and is only required on systems that are acting as an NIS server for the local site. Typically, there are only a small number of NIS servers on any given network. These services are disabled by default unless the system has been previously configured to act as a NIS server.

Rationale:

As RPC-based services such as NIS may use non-secure authentication and share sensitive network object information with systems and applications using RPC-based services, this service should be disabled. Users are encouraged to use LDAP as a name service in place of NIS.

Solution

To disable this service, run the following commands:

# svcadm disable svc:/network/nis/server

Check to see if LDAP Client is in use:

# svcs -a | grep ldap | awk -F' ' '{if ($1 ~ /disabled/ && $3 ~ /client/) print 'LDAP Client is disabled - svc:/network/nfs/domain can be disabled.';}'

If LDAP is not in use also disable nis/domain:

# svcadm disable svc:/network/nis/domain

Additional Information:

It is possible that the svc:/network/nis/server package may not be installed by default on some systems. In this case, the above commands will indicate that the software is not installed.

See Also

https://workbench.cisecurity.org/benchmarks/4777

Item Details

Category: SECURITY ASSESSMENT AND AUTHORIZATION, SYSTEM AND COMMUNICATIONS PROTECTION

References: 800-53|CA-9, 800-53|SC-7, 800-53|SC-7(5), CSCv7|9.2

Plugin: Unix

Control ID: deabbab5e53de52e879ca00373ca48e62acf9746cc8b9dae15609a053e21b16c