Rules Related To 'libnfs'

Component overview

Relevant packages:

Relevant groups:

Changelog:

No changes recorded.

Relevant rules:

Rule details

Mount Remote Filesystems with Kerberos Security

mount_option_krb_sec_remote_filesystems

Description

Add the sec=krb5:krb5i:krb5p option to the fourth column of /etc/fstab for the line which controls mounting of any NFS mounts.

Rationale

When an NFS server is configured to use AUTH_SYS a selected userid and groupid are used to handle requests from the remote user. The userid and groupid could mistakenly or maliciously be set incorrectly. The AUTH_GSS method of authentication uses certificates on the server and client systems to more securely authenticate the remote mount request.

Mount Remote Filesystems with nodev

mount_option_nodev_remote_filesystems

Description

Add the nodev option to the fourth column of /etc/fstab for the line which controls mounting of any NFS mounts.

Rationale

Legitimate device files should only exist in the /dev directory. NFS mounts should not present device files to users.

Mount Remote Filesystems with noexec

mount_option_noexec_remote_filesystems

Description

Add the noexec option to the fourth column of /etc/fstab for the line which controls mounting of any NFS mounts.

Rationale

The noexec mount option causes the system not to execute binary files. This option must be used for mounting any file system not containing approved binary files as they may be incompatible. Executing files from untrusted file systems increases the opportunity for unprivileged users to attain unauthorized administrative access.

Mount Remote Filesystems with nosuid

mount_option_nosuid_remote_filesystems

Description

Add the nosuid option to the fourth column of /etc/fstab for the line which controls mounting of any NFS mounts.

Rationale

NFS mounts should not present suid binaries to users. Only vendor-supplied suid executables should be installed to their default location on the local filesystem.

Configure lockd to use static TCP port

nfs_fixed_lockd_tcp_port

Description

Configure the lockd daemon to use a static TCP port as opposed to letting the RPC Bind service dynamically assign a port. Edit the file /etc/sysconfig/nfs. Add or correct the following line:

LOCKD_TCPPORT=lockd-port
Where lockd-port is a port which is not used by any other service on your network.

Rationale

Restrict service to always use a given port, so that firewalling can be done effectively.

Configure lockd to use static UDP port

nfs_fixed_lockd_udp_port

Description

Configure the lockd daemon to use a static UDP port as opposed to letting the RPC Bind service dynamically assign a port. Edit the file /etc/sysconfig/nfs. Add or correct the following line:

LOCKD_UDPPORT=lockd-port
Where lockd-port is a port which is not used by any other service on your network.

Rationale

Restricting services to always use a given port enables firewalling to be done more effectively.

Configure mountd to use static port

nfs_fixed_mountd_port

Description

Configure the mountd daemon to use a static port as opposed to letting the RPC Bind service dynamically assign a port. Edit the file /etc/sysconfig/nfs. Add or correct the following line:

MOUNTD_PORT=statd-port
Where mountd-port is a port which is not used by any other service on your network.

Rationale

Restricting services to always use a given port enables firewalling to be done more effectively.

Configure statd to use static port

nfs_fixed_statd_port

Description

Configure the statd daemon to use a static port as opposed to letting the RPC Bind service dynamically assign a port. Edit the file /etc/sysconfig/nfs. Add or correct the following line:

STATD_PORT=statd-port
Where statd-port is a port which is not used by any other service on your network.

Rationale

Restricting services to always use a given port enables firewalling to be done more effectively.

Specify UID and GID for Anonymous NFS Connections

nfs_no_anonymous

Description

To specify the UID and GID for remote root users, edit the /etc/exports file and add the following for each export:

anonuid=value greater than UID_MAX from /etc/login.defs
anongid=value greater than GID_MAX from /etc/login.defs
Note that a value of "-1" is technically acceptable as this will randomize the anonuid and anongid values on a Red Hat Enterprise Linux based NFS server. While acceptable from a security perspective, a value of -1 may cause interoperability issues, particularly with Red Hat Enterprise Linux 7 client systems. Alternatively, functionally equivalent values of 60001, 65534, 65535 may be used.

Rationale

Specifying the anonymous UID and GID ensures that the remote root user is mapped to a local account which has no permissions on the system.

Ensure All-Squashing Disabled On All Exports

no_all_squash_exports

Description

The all_squash maps all uids and gids to an anonymous user. This should be disabled by removing any instances of the all_squash option from the file /etc/exports.

Rationale

The all_squash option maps all client requests to a single anonymous uid/gid on the NFS server, negating the ability to track file access by user ID.

Ensure Insecure File Locking is Not Allowed

no_insecure_locks_exports

Description

By default the NFS server requires secure file-lock requests, which require credentials from the client in order to lock a file. Most NFS clients send credentials with file lock requests, however, there are a few clients that do not send credentials when requesting a file-lock, allowing the client to only be able to lock world-readable files. To get around this, the insecure_locks option can be used so these clients can access the desired export. This poses a security risk by potentially allowing the client access to data for which it does not have authorization. Remove any instances of the insecure_locks option from the file /etc/exports.

Rationale

Allowing insecure file locking could allow for sensitive data to be viewed or edited by an unauthorized user.

Restrict NFS Clients to Privileged Ports

restrict_nfs_clients_to_privileged_ports

Description

By default, the server NFS implementation requires that all client requests be made from ports less than 1024. If your organization has control over systems connected to its network, and if NFS requests are prohibited at the border firewall, this offers some protection against malicious requests from unprivileged users. Therefore, the default should not be changed.

To ensure that the default has not been changed, ensure no line in /etc/exports contains the option insecure.

Rationale

Allowing client requests to be made from ports higher than 1024 could allow a unprivileged user to initiate an NFS connection. If the unprivileged user account has been compromised, an attacker could gain access to data on the NFS server.

Disable Network File System (nfs)

service_nfs_disabled

Description

The Network File System (NFS) service allows remote hosts to mount and interact with shared filesystems on the local system. If the local system is not designated as a NFS server then this service should be disabled. The nfs-server service can be disabled with the following command:

$ sudo systemctl mask --now nfs-server.service

Rationale

Unnecessary services should be disabled to decrease the attack surface of the system.

Disable Secure RPC Server Service (rpcsvcgssd)

service_rpcsvcgssd_disabled

Description

The rpcsvcgssd service manages RPCSEC GSS contexts required to secure protocols that use RPC (most often Kerberos and NFS). The rpcsvcgssd service is the server-side of RPCSEC GSS. If the system does not require secure RPC then this service should be disabled. The rpcsvcgssd service can be disabled with the following command:

$ sudo systemctl mask --now rpcsvcgssd.service

Rationale

Unnecessary services should be disabled to decrease the attack surface of the system.

Use Kerberos Security on All Exports

use_kerberos_security_all_exports

Description

Using Kerberos on all exported mounts prevents a malicious client or user from impersonating a system user. To cryptography authenticate users to the NFS server, add sec=krb5:krb5i:krb5p to each export in /etc/exports.

Rationale

When an NFS server is configured to use AUTH_SYS a selected userid and groupid are used to handle requests from the remote user. The userid and groupid could mistakenly or maliciously be set incorrectly. The AUTH_GSS method of authentication uses certificates on the server and client systems to more securely authenticate the remote mount request.

Use Root-Squashing on All Exports

use_root_squashing_all_exports

Description

If a filesystem is exported using root squashing, requests from root on the client are considered to be unprivileged (mapped to a user such as nobody). This provides some mild protection against remote abuse of an NFS server. Root squashing is enabled by default, and should not be disabled.

Ensure that no line in /etc/exports contains the option no_root_squash.

Rationale

If the NFS server allows root access to local file systems from remote hosts, this access could be used to compromise the system.