2.1.3 Ensure NFS and RPC are not enabled - nfs-server

Information

The Network File System (NFS) is one of the first and most widely distributed file systems in the UNIX environment. It provides the ability for systems to mount file systems of other servers through the network.

Rationale:

If the system does not export NFS shares or act as an NFS client, it is recommended that these services be disabled to reduce the remote attack surface.

Solution

Run the following commands to disable nfs-server and rpcbind:

# systemctl --now disable nfs-server
# systemctl --now disable rpcbind

/etc is stateless on Container-Optimized OS. Therefore, the steps mentioned above need to be performed after every boot.
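
Because the commands have to be repeated on each boot, the following added example (not part of the benchmark or the audit file) audits both units and disables only those that are still enabled or running, then re-checks the result. The function names and the `--enforce` argument are assumptions of this example; how the script is invoked at boot is left to the deployment.

```shell
#!/bin/sh
# Added example: audit and re-apply CIS 2.1.3 for nfs-server and rpcbind.
# Function names and the --enforce argument are illustrative assumptions.
UNITS="nfs-server rpcbind"

# Return 0 when the unit is neither enabled nor running.
unit_compliant() {
    # is-enabled / is-active exit non-zero for disabled or stopped units,
    # so ignore the exit status and compare the printed state instead.
    enabled=$(systemctl is-enabled "$1" 2>/dev/null) || true
    active=$(systemctl is-active "$1" 2>/dev/null) || true
    case "$enabled" in
        enabled|enabled-runtime) return 1 ;;
    esac
    [ "$active" != "active" ]
}

# Print every unit in UNITS that is still enabled or running, one per line.
noncompliant_units() {
    for unit in $UNITS; do
        unit_compliant "$unit" || printf '%s\n' "$unit"
    done
}

# Disable and stop each offending unit, then audit again.
# Returns 0 only when no unit remains enabled or active.
enforce() {
    for unit in $(noncompliant_units); do
        systemctl --now disable "$unit" || echo "failed to disable $unit" >&2
    done
    [ -z "$(noncompliant_units)" ]
}

# Act only when asked, so the file can also be sourced for its functions.
if [ "${1:-}" = "--enforce" ]; then
    enforce
    exit
fi
```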

Additional Information:

Additional methods of disabling a service exist. Consult your distribution documentation for appropriate methods.

See Also

https://workbench.cisecurity.org/files/3659

Item Details

Category: SECURITY ASSESSMENT AND AUTHORIZATION, CONFIGURATION MANAGEMENT, SYSTEM AND COMMUNICATIONS PROTECTION

References: 800-53|CA-9, 800-53|CM-6, 800-53|CM-7, 800-53|SC-7, 800-53|SC-7(5), CSCv7|9.2

Plugin: Unix

Control ID: eb13f48d72c4f5fa6e78d6431dbb1e96a262b4996ab216d2ed24d08142576dfa