Require packet signing for clients that mount Samba shares using the mount.cifs program (e.g., those that specify shares in /etc/fstab). To do so, ensure that a signing security mode (either sec=krb5i or sec=ntlmv2i) is used in the mount options. See the mount.cifs(8) man page for more information. A Samba client should only communicate with servers that support SMB packet signing.
Packet signing can prevent man-in-the-middle attacks which modify SMB packets in transit.
The samba-common package should be installed. It can be installed with the following command:

$ apt-get install samba-common

If the samba-common package is not installed, Samba cannot be configured.
The samba package can be removed with the following command:

$ apt-get remove samba

If there is no need to make the Samba software available, removing it provides a safeguard against its activation.
To require Samba clients running smbclient to use packet signing, add the following to the [global] section of the Samba configuration file, /etc/samba/smb.conf:

client signing = mandatory

Requiring Samba clients such as smbclient to use packet signing ensures they can only communicate with servers that support packet signing. Packet signing can prevent man-in-the-middle attacks which modify SMB packets in transit.
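The two client-side requirements above (signing options on cifs mounts, and "client signing = mandatory" in smb.conf) can be audited with a small script. This is an added example, not part of the guide or of Samba; it takes file paths as arguments, and the sample fstab and smb.conf at the bottom are constructed for demonstration.

```shell
# Added audit script (not from the guide): report cifs mounts without a signing
# security mode and verify smb.conf requires client signing. Sample inputs
# below are constructed, not real system files.

# check_fstab_signing FILE: return 0 if every cifs entry carries sec=krb5i or
# sec=ntlmv2i; otherwise list the offending mounts on stdout and return 1.
check_fstab_signing() {
    bad=$(sed 's/#.*//' "$1" | awk '$3 == "cifs" {
        n = split($4, o, ","); ok = 0
        for (i = 1; i <= n; i++)
            if (o[i] == "sec=krb5i" || o[i] == "sec=ntlmv2i") ok = 1
        if (!ok) print $1 " (" $4 ")"
    }')
    [ -z "$bad" ] && return 0
    printf 'cifs mounts without SMB signing:\n%s\n' "$bad"
    return 1
}

# check_smb_client_signing FILE: return 0 only if the [global] section sets
# "client signing = mandatory" (keys compared case-insensitively, as Samba
# does); comment lines (# or ;) and other sections are ignored.
check_smb_client_signing() {
    awk -F= '
        /^[ \t]*[#;]/ { next }
        /^[ \t]*\[/   { sect = tolower($0); gsub(/\[|\]|[ \t]/, "", sect); next }
        sect == "global" && NF >= 2 {
            key = tolower($1); gsub(/[ \t]/, "", key)
            val = tolower($2); gsub(/^[ \t]+|[ \t]+$/, "", val)
            if (key == "clientsigning") found = (val == "mandatory")
        }
        END { exit found ? 0 : 1 }
    ' "$1"
}

# Constructed sample inputs: one signed mount, one unsigned, one non-cifs.
SAMPLE_DIR=$(mktemp -d)
cat > "$SAMPLE_DIR/fstab" <<'EOF'
//fileserver/data  /mnt/data  cifs  credentials=/etc/smbcreds,sec=krb5i  0 0
//legacy/pub       /mnt/pub   cifs  guest,sec=ntlmssp                   0 0
/dev/sda1          /          ext4  defaults                            0 1
EOF
cat > "$SAMPLE_DIR/smb.conf" <<'EOF'
[global]
   client signing = mandatory
[homes]
   browseable = no
EOF

if check_fstab_signing "$SAMPLE_DIR/fstab"; then echo "fstab: OK"; fi
if check_smb_client_signing "$SAMPLE_DIR/smb.conf"; then echo "smb.conf: OK"; fi
```

On a real host, run the functions against /etc/fstab and /etc/samba/smb.conf; the sample fstab above deliberately fails on the //legacy/pub entry.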
The smb service can be disabled with the following command:

$ sudo systemctl mask --now smb.service

Running a Samba server provides a network-based avenue of attack, and should be disabled if not needed.
Administrators should not use administrator accounts to access Samba file and printer shares. Disable the root user and the wheel administrator group:

[share]
invalid users = root @wheel

If administrator accounts cannot be disabled, ensure that local system passwords and Samba service passwords do not match. Typically, administrator access is required when Samba must create user and system accounts and shares. Domain member servers and standalone servers may not need administrator access at all. If that is the case, add the invalid users parameter to [global] instead.