4.6.4 NIS - restrict NIS server communication - review contents

Warning! Audit Deprecated

This audit has been deprecated and will be removed in a future update.

Information

If NIS must be used in the environment, limit access to the NIS data to specific subnets.

By default, if the /var/yp/securenets file does not exist, or exists but defines no subnets, the NIS server answers requests from any IP address. The /var/yp/securenets file lists the subnets that are considered trusted and are allowed to retrieve NIS data from the ypserv and ypxfrd daemons. It is a user-created file and must be present on the NIS master server and on every slave server. Without this file, anyone who knows the NIS server's address and the NIS domain name can obtain the served maps, including the contents of the /etc/passwd file. Hence, it is recommended that the /var/yp/securenets file is configured to restrict access. Note that this is an address-based control only: NIS does not authenticate clients, so securenets narrows the exposure rather than eliminating it.

Solution

Edit the file:

vi /var/yp/securenets

Add the allowed subnets, one entry per line, in the form netmask netaddr, for example:

255.255.255.0 192.0.2.0

NOTE: The format of the file is netmask netaddr as shown in the example above (192.0.2.0/24 is the RFC 5737 documentation range; substitute your own subnets). Every octet must be in the range 0-255, and the netmask must be a contiguous mask. Explicitly define all valid network subnets (one entry per line). An entry of 0.0.0.0 0.0.0.0 matches every address and defeats the purpose of the file. If the server is also a NIS client of itself, include its own address (or 255.255.255.255 127.0.0.1 for the loopback) so that it can still bind to itself after the restriction takes effect.

Stop and start NIS to implement the configuration changes:
stopsrc -g yp
startsrc -g yp
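
The following shell script is an added example for reviewing the contents of a securenets file; it is not part of this audit and is not AIX or NIS code. It assumes the netmask netaddr format described above, treats lines beginning with # as comments (an assumption, not something the benchmark states), writes two constructed sample files with hypothetical content to a temporary location, and reports which entries are malformed or overly permissive and whether a given client address would be served by those entries.

```shell
#!/bin/sh
# Added example: review a /var/yp/securenets file and test which client
# addresses it would allow. Not part of the CIS audit or of AIX.
# Assumptions: one "netmask netaddr" entry per line; lines starting with '#'
# are comments; sample file contents below are constructed, not real.

# Convert a dotted-quad address to a 32-bit integer; return 1 if malformed.
ip_to_int() {
    _ip="$1"
    case "$_ip" in *[!0-9.]*) return 1 ;; esac
    _oldifs="$IFS"; IFS=.
    set -- $_ip
    IFS="$_oldifs"
    [ $# -eq 4 ] || return 1
    for _o in "$1" "$2" "$3" "$4"; do
        [ -n "$_o" ] && [ "$_o" -le 255 ] || return 1
    done
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# Validate every entry in the file given as $1. Prints one line per problem
# and returns 1 if any entry is malformed, any entry is a wildcard that
# serves every client, or the file has no entries at all (also "serve all").
check_securenets() {
    _file="$1"; _rc=0; _n=0
    while read -r _mask _net _rest; do
        case "$_mask" in ''|'#'*) continue ;; esac
        _n=$((_n + 1))
        _m=$(ip_to_int "$_mask") || { echo "bad netmask: $_mask $_net"; _rc=1; continue; }
        _a=$(ip_to_int "$_net")  || { echo "bad netaddr: $_mask $_net"; _rc=1; continue; }
        # A contiguous mask has ones followed by zeros: (~m + 1) & ~m == 0
        _inv=$(( (~_m) & 0xFFFFFFFF ))
        if [ $(( (_inv + 1) & _inv )) -ne 0 ]; then
            echo "non-contiguous netmask: $_mask $_net"; _rc=1; continue
        fi
        if [ "$_m" -eq 0 ]; then
            echo "wildcard entry serves every client: $_mask $_net"; _rc=1; continue
        fi
        if [ $(( _a & _m )) -ne "$_a" ]; then
            echo "host bits set in netaddr: $_mask $_net"; _rc=1; continue
        fi
    done < "$_file"
    [ "$_n" -gt 0 ] || { echo "no entries: every client would be served"; _rc=1; }
    return $_rc
}

# Would a client at address $2 be served under the entries in file $1?
# Returns 0 if some entry matches, 1 if none does, 2 if $2 is malformed.
client_allowed() {
    _file="$1"
    _c=$(ip_to_int "$2") || return 2
    while read -r _mask _net _rest; do
        case "$_mask" in ''|'#'*) continue ;; esac
        _m=$(ip_to_int "$_mask") || continue
        _a=$(ip_to_int "$_net")  || continue
        [ $(( _c & _m )) -eq $(( _a & _m )) ] && return 0
    done < "$_file"
    return 1
}

# Constructed sample files (hypothetical content, written to a temp dir).
GOOD_FILE="${TMPDIR:-/tmp}/securenets.good.$$"
BAD_FILE="${TMPDIR:-/tmp}/securenets.bad.$$"
trap 'rm -f "$GOOD_FILE" "$BAD_FILE"' EXIT
cat > "$GOOD_FILE" <<'EOF'
# loopback so the master can bind to itself, then one trusted subnet
255.255.255.255 127.0.0.1
255.255.255.0   192.0.2.0
EOF
cat > "$BAD_FILE" <<'EOF'
0.0.0.0 0.0.0.0
255.255.255.0 128.311.10.0
EOF

for f in "$GOOD_FILE" "$BAD_FILE"; do
    echo "== $f"
    check_securenets "$f" && echo "entries look sane" || echo "review needed"
done
client_allowed "$GOOD_FILE" 192.0.2.77   && echo "192.0.2.77 would be served"
client_allowed "$GOOD_FILE" 198.51.100.9 || echo "198.51.100.9 would be refused"
```

To review a live server, point check_securenets at /var/yp/securenets and run client_allowed for an address on each network that should, and should not, be able to reach ypserv; any "wildcard" or "no entries" finding means the file is not restricting anything. The script only evaluates the file's contents; it does not confirm that ypserv and ypxfrd were restarted to pick it up.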

See Also

https://workbench.cisecurity.org/files/528