4.1.4.7 NFS - secure NFS

Warning! Audit Deprecated

This audit has been deprecated and will be removed in a future update.


Information

For each NFS export, ensure that the secure option is selected.

Rationale:

Secure NFS uses DES encryption or Kerberos to authenticate hosts involved in RPC transactions. RPC is a protocol used by NFS to communicate requests between hosts. Secure NFS mitigates attempts by an attacker to spoof RPC requests by encrypting the time stamp in the RPC requests. A receiver successfully decrypts the time stamp and confirms that it is correct. This serves as a confirmation that the RPC request came from a trusted host.

Solution

Use chnfsexp to change/validate this value for all NFS exported filesystems:

chnfsexp -d <fs> -S <sec>

The available security method options are:

sys - UNIX authentication

dh - DES authentication

none - Use the anonymous ID if it has a value other than -1

krb5 - Kerberos. Authentication only

krb5i - Kerberos. Authentication and integrity

krb5p - Kerberos. Authentication, integrity, and privacy

Once all exported filesystems have been successfully validated or changed, re-export the filesystems and directories to activate the new options:

exportfs -a
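
To find which exports still need the change above, the following added example (not part of the original benchmark text) scans an exports file and reports every directory that has no security option or that lists a flavor other than dh, krb5, krb5i or krb5p. Treating sys, none and a missing sec= as findings is an assumption drawn from the rationale; the function names and the sample entries are constructed for illustration.

```shell
#!/bin/sh
# Added example: audit an AIX-style exports file for weak NFS security flavors.
# Assumed line format (one export per line, no continuation lines):
#   /dir -opt1,opt2=val,sec=flavor[:flavor...]

# Constructed sample entries, not taken from a real host.
sample_exports() {
    cat <<'EOF'
# sample /etc/exports
/export/home -sec=krb5p,rw,access=hostA:hostB
/export/data -sec=dh:sys,rw
/export/pub -ro
/export/old -secure,rw
/export/mix -sec=krb5i,rw,sec=none,ro
EOF
}

# check_exports FILE: print "<dir> <reason>" for each export that fails.
check_exports() {
    awk '
    NF == 0 || $1 ~ /^#/ { next }             # skip blank and comment lines
    {
        dir = $1; opts = $2
        sub(/^-/, "", opts)                   # drop the leading option dash
        n = split(opts, o, ",")
        found = 0; bad = ""
        for (i = 1; i <= n; i++) {
            if (o[i] == "secure") { found = 1; continue }  # legacy secure flag
            if (o[i] !~ /^sec=/) continue
            found = 1
            m = split(substr(o[i], 5), f, ":")             # flavors after sec=
            for (j = 1; j <= m; j++)
                if (f[j] !~ /^(dh|krb5|krb5i|krb5p)$/)
                    bad = bad "," f[j]
        }
        if (!found)         print dir, "no-sec-option"
        else if (bad != "") print dir, "weak-flavor:" substr(bad, 2)
    }' "$1"
}

# Stand-alone demo against the constructed sample.
demo_file=$(mktemp)
sample_exports > "$demo_file"
check_exports "$demo_file"
rm -f "$demo_file"
```

On a live system, point check_exports at /etc/exports and apply the chnfsexp command from the Solution to each directory it reports.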

Default Value:

N/A

Additional Information:

Reversion: Copy back the original /etc/exports:

cp -p /etc/exports.pre_cis /etc/exports

See Also

https://workbench.cisecurity.org/benchmarks/7851