Add the sec=krb5:krb5i:krb5p
option to the fourth column of /etc/fstab on every line that controls
an NFS mount.
When an NFS server is configured to use AUTH_SYS, the client simply asserts a user ID and group ID with each request and the server trusts them; those IDs can be set incorrectly by mistake, or chosen deliberately by anyone who controls a client. The AUTH_GSS (RPCSEC_GSS) method instead authenticates each user with Kerberos credentials held by the client and verified by the server, so the identity behind the mount request and every subsequent operation is cryptographically checked. The krb5i flavour additionally protects the integrity of each request, and krb5p encrypts it.
Add the nodev
option to the fourth column of /etc/fstab on every line that controls
an NFS mount.
Legitimate device files should only exist in the /dev directory. NFS mounts should not present device files to users.
Add the noexec
option to the fourth column of /etc/fstab on every line that controls
an NFS mount.
The noexec mount option causes the system to refuse to execute binaries from that filesystem. It should be used when mounting any filesystem that is not expected to carry approved binaries. Executing files from untrusted filesystems increases the opportunity for unprivileged users to attain unauthorized administrative access.
Add the nosuid
option to the fourth column of /etc/fstab on every line that controls
an NFS mount.
NFS mounts should not present suid binaries to users. Only vendor-supplied suid executables should be installed to their default location on the local filesystem.
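The four fstab rules above are easiest to verify together. The following is an added example, not part of the original guide: a POSIX sh audit that reads an fstab-format file and reports every nfs/nfs4 entry whose fourth column lacks nodev, noexec, nosuid, or a sec= option, or whose sec= list still permits the unauthenticated sys flavour. The sample fstab it runs against is constructed here, and the nfs1.example.com hostname is a placeholder.

```shell
#!/bin/sh
# Added example, not part of the original guide: audit the NFS entries of an
# fstab-format file for the hardening options sec=krb5..., nodev, noexec and
# nosuid. It only reads the file it is given, so it can be pointed at
# /etc/fstab or at a copy.

# Usage: audit_nfs_fstab FILE
# Prints one line per non-compliant NFS entry and returns 1 if any was found,
# 0 when every nfs/nfs4 entry carries all required options.
audit_nfs_fstab() {
    _rc=0
    while read -r _dev _mnt _type _opts _rest; do
        # Skip blank lines and comments.
        case "$_dev" in ''|'#'*) continue ;; esac
        # Only NFS mounts are in scope; the filesystem type is the third column.
        case "$_type" in nfs|nfs4) ;; *) continue ;; esac
        _missing=""
        for _opt in nodev noexec nosuid; do
            # Surround the option list with commas so "nodev" cannot match a
            # longer option that merely starts with the same letters.
            case ",$_opts," in
                *",$_opt,"*) ;;
                *) _missing="$_missing $_opt" ;;
            esac
        done
        # sec= must be present and must not offer the unauthenticated sys
        # flavour; the client tries the listed flavours in order.
        _sec=$(printf '%s\n' "$_opts" | tr ',' '\n' | sed -n 's/^sec=//p')
        case "$_sec" in
            '')    _missing="$_missing sec=krb5:krb5i:krb5p" ;;
            *sys*) _missing="$_missing sec=(AUTH_SYS-still-allowed)" ;;
        esac
        if [ -n "$_missing" ]; then
            printf '%s on %s: missing%s\n' "$_dev" "$_mnt" "$_missing"
            _rc=1
        fi
    done < "$1"
    return $_rc
}

# Constructed sample fstab (hostnames are placeholders): one hardened entry
# and one that still trusts AUTH_SYS and allows device and setuid files.
SAMPLE_FSTAB=$(mktemp)
cat > "$SAMPLE_FSTAB" <<'EOF'
# /etc/fstab (constructed sample)
/dev/mapper/rhel-root          /       xfs   defaults                                  0 0
nfs1.example.com:/export/home  /home   nfs4  sec=krb5:krb5i:krb5p,nodev,noexec,nosuid  0 0
nfs1.example.com:/export/data  /data   nfs   rw,sec=sys                                0 0
EOF

if audit_nfs_fstab "$SAMPLE_FSTAB"; then
    echo "all NFS entries carry the required options"
else
    echo "fix the entries above in /etc/fstab, then remount them"
fi
rm -f "$SAMPLE_FSTAB"
```

Run it as `audit_nfs_fstab /etc/fstab` on a live host; an empty result with exit status 0 is the compliant state. Note that the mount options in fstab only take effect at mount time, so an already-mounted share needs `mount -o remount` (or an unmount and mount) after the file is corrected.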
Configure the lockd daemon to use a static TCP port as opposed to letting the RPC Bind service dynamically assign a port. Edit the file /etc/sysconfig/nfs. Add or correct the following line:
LOCKD_TCPPORT=lockd-port
Where lockd-port is a port which is not used by any other service on your network.
Restricting services to always use a given port enables firewalling to be done more effectively.
Configure the lockd daemon to use a static UDP port as opposed to letting the RPC Bind service dynamically assign a port. Edit the file /etc/sysconfig/nfs. Add or correct the following line:
LOCKD_UDPPORT=lockd-port
Where lockd-port is a port which is not used by any other service on your network.
Restricting services to always use a given port enables firewalling to be done more effectively.
Configure the mountd daemon to use a static port as opposed to letting the RPC Bind service dynamically assign a port. Edit the file /etc/sysconfig/nfs. Add or correct the following line:
MOUNTD_PORT=mountd-port
Where mountd-port is a port which is not used by any other service on your network.
Restricting services to always use a given port enables firewalling to be done more effectively.
Configure the statd daemon to use a static port as opposed to letting the RPC Bind service dynamically assign a port. Edit the file /etc/sysconfig/nfs. Add or correct the following line:
STATD_PORT=statd-port
Where statd-port is a port which is not used by any other service on your network.
Restricting services to always use a given port enables firewalling to be done more effectively.
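The four port-pinning steps above are one procedure, and their value lies in the firewall rules that the static ports make possible. The following is an added example, not part of the original guide: POSIX sh helpers that set a key in an /etc/sysconfig/nfs-style file without leaving duplicate or commented-out assignments behind, refuse a port already taken by another NFS daemon in the same file, and print the firewalld commands that admit exactly the configured ports. The sample file is constructed here; its port numbers are placeholders, and the functions touch only the file path they are given.

```shell
#!/bin/sh
# Added example, not part of the original guide: pin the NFS helper daemons to
# static ports in an /etc/sysconfig/nfs-style file and derive the firewall
# rules from what is configured, so the two cannot drift apart.
# The functions read and write only the file passed as their first argument.

# Usage: get_nfs_port FILE KEY   -> prints the active value of KEY, if any
get_nfs_port() {
    sed -n "s/^$2=//p" "$1" | tail -n 1
}

# Usage: set_nfs_port FILE KEY PORT
# Returns 2 on a malformed or out-of-range port and 1 if PORT is already
# assigned to a different key in the same file.
set_nfs_port() {
    _file="$1"; _key="$2"; _port="$3"
    case "$_port" in
        ''|*[!0-9]*) echo "set_nfs_port: $_key: port must be numeric, got '$_port'" >&2; return 2 ;;
    esac
    if [ "$_port" -lt 1 ] || [ "$_port" -gt 65535 ]; then
        echo "set_nfs_port: $_key: port $_port out of range" >&2; return 2
    fi
    # Two daemons on one port is a misconfiguration, not a firewall win.
    _clash=$(grep -E "^[A-Z_]+=${_port}\$" "$_file" | grep -v "^${_key}=" || true)
    if [ -n "$_clash" ]; then
        echo "set_nfs_port: $_key: port $_port already used by: $_clash" >&2; return 1
    fi
    # Drop every existing assignment (active or commented out) and append one
    # fresh line, so the file never carries two values for the same key.
    sed -E "/^#?[[:space:]]*${_key}=/d" "$_file" > "$_file.tmp" &&
        printf '%s=%s\n' "$_key" "$_port" >> "$_file.tmp" &&
        mv "$_file.tmp" "$_file"
}

# Usage: nfs_firewall_cmds FILE
# Prints the firewalld commands that admit the configured lockd/mountd/statd
# ports plus the fixed rpcbind (111) and nfsd (2049) ports. Review the output,
# run it, then "firewall-cmd --reload".
nfs_firewall_cmds() {
    echo "firewall-cmd --permanent --add-port=111/tcp --add-port=111/udp"
    echo "firewall-cmd --permanent --add-port=2049/tcp"
    for _spec in LOCKD_TCPPORT:tcp LOCKD_UDPPORT:udp MOUNTD_PORT:tcp \
                 MOUNTD_PORT:udp STATD_PORT:tcp STATD_PORT:udp; do
        _key=${_spec%%:*}; _proto=${_spec#*:}
        _port=$(get_nfs_port "$1" "$_key")
        if [ -n "$_port" ]; then
            echo "firewall-cmd --permanent --add-port=${_port}/${_proto}"
        fi
    done
}

# Constructed sample of /etc/sysconfig/nfs; the port numbers are placeholders.
SAMPLE_NFS=$(mktemp)
cat > "$SAMPLE_NFS" <<'EOF'
# /etc/sysconfig/nfs (constructed sample)
RPCNFSDCOUNT=8
#LOCKD_TCPPORT=32803
#LOCKD_UDPPORT=32769
#MOUNTD_PORT=892
#STATD_PORT=662
EOF
set_nfs_port "$SAMPLE_NFS" LOCKD_TCPPORT 32803
set_nfs_port "$SAMPLE_NFS" LOCKD_UDPPORT 32769
set_nfs_port "$SAMPLE_NFS" MOUNTD_PORT   892
set_nfs_port "$SAMPLE_NFS" STATD_PORT    662
cat "$SAMPLE_NFS"
nfs_firewall_cmds "$SAMPLE_NFS"
# After restarting nfs-server, confirm the daemons registered on those ports:
#   rpcinfo -p | awk '$5 ~ /nlockmgr|mountd|status/ {print $3, $4, $5}'
rm -f "$SAMPLE_NFS"
```

Keeping the firewall rules derived from the configuration file, rather than typed separately, is what makes the static-port rule effective: if someone later changes a port in /etc/sysconfig/nfs, regenerating the rules from the same file keeps the two in step.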
To specify the UID and GID for remote root users, edit the /etc/exports file and add the following for each export:
anonuid=uid,anongid=gid
Where uid is a value greater than UID_MAX and gid is a value greater than GID_MAX from /etc/login.defs, placed in the comma-separated option list of each client entry. Note that a value of "-1" is technically accepted by a Red Hat Enterprise Linux based NFS server. While acceptable from a security perspective, a value of -1 may cause interoperability issues, particularly with Red Hat Enterprise Linux 7 client systems. Alternatively, the functionally equivalent values 60001, 65534 or 65535 may be used.
Specifying the anonymous UID and GID ensures that the remote root user is mapped to a local account which has no permissions on the system.
The all_squash option maps all uids and gids to the anonymous user. It should be disabled by removing every instance of the all_squash option from the file /etc/exports.
The all_squash option maps all client requests to a single anonymous uid/gid on the NFS server, negating the ability to track file access by user ID.
By default the NFS server requires secure file-lock requests, which require credentials from the client in order to lock a file. Most NFS clients send credentials with file lock requests, however, there are a few clients that do not send credentials when requesting a file-lock, allowing the client to only be able to lock world-readable files. To get around this, the insecure_locks option can be used so these clients can access the desired export. This poses a security risk by potentially allowing the client access to data for which it does not have authorization. Remove any instances of the insecure_locks option from the file /etc/exports.
Allowing insecure file locking could allow for sensitive data to be viewed or edited by an unauthorized user.
By default, the server NFS implementation requires that all client requests be made
from ports less than 1024. If your organization has control over systems connected to its
network, and if NFS requests are prohibited at the border firewall, this offers some protection
against malicious requests from unprivileged users. Therefore, the default should not be changed.
To ensure that the default has not been changed, ensure no line in
/etc/exports contains the option insecure.
Allowing client requests to be made from ports 1024 and above would allow an unprivileged user to initiate an NFS connection. If that unprivileged user account has been compromised, an attacker could gain access to data on the NFS server.
The Network File System (NFS) service allows remote hosts to mount
and interact with shared filesystems on the local system. If the local system
is not designated as an NFS server then this service should be disabled.
The nfs-server
service can be disabled with the following command:
$ sudo systemctl mask --now nfs-server.service
Unnecessary services should be disabled to decrease the attack surface of the system.
The rpcsvcgssd service manages RPCSEC_GSS contexts required to
secure protocols that use RPC (most often Kerberos and NFS). The rpcsvcgssd
service is the server side of RPCSEC_GSS. If the system does not require secure
RPC then this service should be disabled.
The rpcsvcgssd
service can be disabled with the following command:
$ sudo systemctl mask --now rpcsvcgssd.service
Unnecessary services should be disabled to decrease the attack surface of the system.
Using Kerberos on all exported mounts prevents a malicious client or user from impersonating a system user. To cryptographically authenticate users to the NFS server, add sec=krb5:krb5i:krb5p to the option list of each client entry in /etc/exports.
When an NFS server is configured to use AUTH_SYS, the client simply asserts a user ID and group ID with each request and the server trusts them; those IDs can be set incorrectly by mistake, or chosen deliberately by anyone who controls a client. The AUTH_GSS (RPCSEC_GSS) method instead authenticates each user with Kerberos credentials held by the client and verified by the server, so the identity behind the mount request and every subsequent operation is cryptographically checked. The krb5i flavour additionally protects the integrity of each request, and krb5p encrypts it.
If a filesystem is exported using root squashing, requests from root on the client
are considered to be unprivileged (mapped to a user such as nobody). This provides some mild
protection against remote abuse of an NFS server. Root squashing is enabled by default, and
should not be disabled.
Ensure that no line in /etc/exports contains the option no_root_squash.
If the NFS server allows root access to local file systems from remote hosts, this access could be used to compromise the system.
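The /etc/exports rules on this page (anonuid/anongid, no all_squash, no insecure_locks, no insecure, sec=krb5:krb5i:krb5p, no no_root_squash) all come down to inspecting the option list of each client entry. The following is an added example, not part of the original guide: a POSIX sh audit that parses an exports(5)-format file and reports each client entry that carries a forbidden option, lacks a Kerberos sec= list or still permits AUTH_SYS, or does not set both anonuid and anongid. It also catches the "host (options)" spacing mistake, in which the options apply to every host rather than the named one. The sample exports file is constructed here and its hostnames and addresses are placeholders.

```shell
#!/bin/sh
# Added example, not part of the original guide: audit an exports(5)-format
# file for the server-side options discussed above. It only reads the file it
# is given; point it at /etc/exports or at a copy.

# Usage: audit_exports FILE
# Prints "<export> <client> <finding>" per problem and returns 1 if any was
# found, 0 when every client entry is compliant.
audit_exports() {
    _rc=0
    set -f   # "*" is a legal client spec; do not let the shell glob-expand it
    while read -r _path _clients; do
        case "$_path" in ''|'#'*) continue ;; esac
        for _entry in $_clients; do
            _client=${_entry%%"("*}
            _opts=""
            case "$_entry" in *"("*")") _opts=${_entry#*"("}; _opts=${_opts%")"} ;; esac
            _who=${_client:-<any>}
            # "host (opts)" with a space applies the options to all hosts and
            # gives "host" the defaults, so root_squash etc. land on the wrong
            # entry. exports(5) warns about exactly this.
            if [ -z "$_client" ]; then
                printf '%s %s options detached from client spec (applies to all hosts)\n' "$_path" "$_who"
                _rc=1
            fi
            # Options this guide says must not appear. Matching with commas on
            # both sides keeps "insecure" from matching "insecure_locks".
            for _bad in no_root_squash insecure insecure_locks all_squash; do
                case ",$_opts," in
                    *",$_bad,"*) printf '%s %s has %s\n' "$_path" "$_who" "$_bad"; _rc=1 ;;
                esac
            done
            # Kerberos must be required, and the sys flavour must not be offered.
            _sec=$(printf '%s\n' "$_opts" | tr ',' '\n' | sed -n 's/^sec=//p')
            case "$_sec" in
                '')    printf '%s %s lacks sec=krb5:krb5i:krb5p\n' "$_path" "$_who"; _rc=1 ;;
                *sys*) printf '%s %s sec= still permits AUTH_SYS\n' "$_path" "$_who"; _rc=1 ;;
            esac
            # Squashed root must land on an explicitly chosen anonymous uid/gid.
            case ",$_opts," in
                *",anonuid="*",anongid="*|*",anongid="*",anonuid="*) ;;
                *) printf '%s %s does not set both anonuid and anongid\n' "$_path" "$_who"; _rc=1 ;;
            esac
        done
    done < "$1"
    set +f
    return $_rc
}

# Constructed sample /etc/exports; hostnames and addresses are placeholders.
SAMPLE_EXPORTS=$(mktemp)
cat > "$SAMPLE_EXPORTS" <<'EOF'
# /etc/exports (constructed sample)
/export/home     client1.example.com(rw,sync,sec=krb5:krb5i:krb5p,root_squash,anonuid=65534,anongid=65534)
/export/scratch  *(rw,sync,no_root_squash,insecure,all_squash)
/export/data     10.0.0.0/24 (rw,sync,sec=krb5p,insecure_locks)
EOF

if audit_exports "$SAMPLE_EXPORTS"; then
    echo "exports are compliant"
else
    echo "fix the findings above, then apply them with: exportfs -ra"
fi
rm -f "$SAMPLE_EXPORTS"
```

On the sample, only the /export/home entry passes; the other two produce one finding per violated rule, and the /export/data line is reported twice because the stray space has split it into an unrestricted 10.0.0.0/24 entry and an anonymous "(options)" entry. Changes to /etc/exports take effect only after `exportfs -ra`, so rerun the audit on the file and then check `exportfs -v` to confirm the running export table matches.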