AIX7-00-001138 - NFS file systems on AIX must be mounted with the nosuid option unless the NFS file systems contain approved setuid or setgid programs.

Information

The nosuid mount option causes the system to not execute setuid files with owner privileges. This option must be used for mounting any file system not containing approved setuid files. Executing setuid files from untrusted file systems, or file systems not containing approved setuid files, increases the opportunity for unprivileged users to attain unauthorized administrative access.

Solution

For each NFS file systems that does not contain approved 'setuid' or 'setgid' files, add the 'nosuid' option, along with other mount options, to the 'options' field in '/etc/filesystems' using the following command:
# chfs -a options=ro,bg,hard,intr,nosuid,sec=sys <NFS_mount_point>

Note that the other mount options (other than the nosuid options) may be different among NFS mounts.

See Also

https://dl.dod.cyber.mil/wp-content/uploads/stigs/zip/U_IBM_AIX_7-x_V2R9_STIG.zip

Item Details

Category: ACCESS CONTROL

References: 800-53|AC-6(8), CAT|II, CCI|CCI-002233, Rule-ID|SV-215234r853460_rule, STIG-ID|AIX7-00-001138, STIG-Legacy|SV-101609, STIG-Legacy|V-91511, Vuln-ID|V-215234

Plugin: Unix

Control ID: 9b7e89cbcbea70fa50a67c1e4dec10e74b682fc24ef26066bd11e73f53ed9310