6.14 Disable 'nobody' Access for RPC Encryption Key Storage Service

Information

This setting (ENABLE_NOBODY_KEYS in /etc/default/keyserv) prevents keyserv from using default keys for the nobody user, which stops unauthenticated clients from accessing information via Secure RPC under the nobody identity.

Rationale:

If login by the user nobody is allowed for Secure RPC, there is an increased risk of system compromise. If keyserv holds a private key for the nobody user, that key is used by key_encryptsession to compute a "magic phrase" which can be easily recovered by a malicious user, since the nobody key is a well-known default rather than a per-user secret.

Solution

Perform the following to implement the recommended state (note that the replacement value must be in double quotes inside the single-quoted awk program; single quotes there would terminate the program early):

# cd /etc/default

# cp keyserv keyserv.orig

# awk '/ENABLE_NOBODY_KEYS=/ { $1 = "ENABLE_NOBODY_KEYS=NO" } { print }' keyserv > keyserv.CIS

# mv keyserv.CIS keyserv

The new value is read when keyserv starts, so restart the service (on Solaris with SMF: svcadm restart svc:/network/rpc/keyserv) and confirm the result with:

# grep ENABLE_NOBODY_KEYS /etc/default/keyserv
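The remediation above assumes an active ENABLE_NOBODY_KEYS line already exists and does not verify the outcome. The following script is an added example, not part of the benchmark or the Tenable plugin: it wraps the same copy/awk/move sequence in functions that take the file path as an argument, append the setting when it is missing, and include a check you can use as an audit. The sample /etc/default/keyserv content is constructed for the demo; the function and file names are illustrative.

```shell
#!/bin/sh
# Added example: disable nobody keys in a keyserv defaults file and verify it.
# Every function takes the file path so it can be exercised on a scratch copy;
# on a real host the target is /etc/default/keyserv and you run it as root.

# Constructed sample of /etc/default/keyserv (not copied from a real system).
make_sample_keyserv() {
  cat > "$1" <<'EOF'
#
# /etc/default/keyserv (constructed sample for the example)
#
# ENABLE_NOBODY_KEYS controls whether keyserv uses default keys for nobody.
ENABLE_NOBODY_KEYS=YES
EOF
}

# Audit: return 0 only when an active (uncommented) ENABLE_NOBODY_KEYS=NO
# line is present, exactly what the benchmark expects.
check_nobody_keys() {
  grep -q '^ENABLE_NOBODY_KEYS=NO$' "$1"
}

# Remediate: same copy/awk/move sequence as the benchmark, but it also
# covers a file with no active ENABLE_NOBODY_KEYS line by appending one.
disable_nobody_keys() {
  f="$1"
  cp "$f" "$f.orig"                       # keep an untouched backup
  if grep -q '^ENABLE_NOBODY_KEYS=' "$f"; then
    # Replace the whole line rather than only $1 so trailing text on the
    # line cannot survive the rewrite.
    awk '/^ENABLE_NOBODY_KEYS=/ { print "ENABLE_NOBODY_KEYS=NO"; next } { print }' \
      "$f" > "$f.CIS"
  else
    cp "$f" "$f.CIS"
    echo "ENABLE_NOBODY_KEYS=NO" >> "$f.CIS"
  fi
  mv "$f.CIS" "$f"
}

# Demo on a scratch copy so nothing on the host is modified.
tmp=$(mktemp)
make_sample_keyserv "$tmp"
disable_nobody_keys "$tmp"
check_nobody_keys "$tmp" && echo "compliant: $tmp" || echo "NOT compliant: $tmp"
rm -f "$tmp" "$tmp.orig"
```

Running disable_nobody_keys a second time leaves a single ENABLE_NOBODY_KEYS line, so the script is safe to re-run from a configuration-management tool; check_nobody_keys is the piece to wire into an audit job.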

See Also

https://workbench.cisecurity.org/benchmarks/4777

Item Details

Category: ACCESS CONTROL

References: 800-53|AC-2(3), CSCv7|16.8

Plugin: Unix

Control ID: 61e365a427677ca9308d9f3c07f52e25702244295952ca0272ff5e65f6ec7356