The NFS server must not have the insecure file locking option enabled.

Overview

Finding ID	Version	Rule ID	IA Controls	Severity
V-38677	RHEL-06-000309	SV-50478r1_rule		High

Description
Allowing insecure file locking could allow for sensitive data to be viewed or edited by an unauthorized user.

STIG	Date
Red Hat Enterprise Linux 6 Security Technical Implementation Guide	2017-04-28

Details

Check Text ( None )
None

Fix Text (F-43626r1_fix)
By default the NFS server requires secure file-lock requests, which require credentials from the client in order to lock a file. Most NFS clients send credentials with file lock requests, however, there are a few clients that do not send credentials when requesting a file-lock, allowing the client to only be able to lock world-readable files. To get around this, the "insecure_locks" option can be used so these clients can access the desired export. This poses a security risk by potentially allowing the client access to data for which it does not have authorization. Remove any instances of the "insecure_locks" option from the file "/etc/exports".

Fix Text (F-43626r1_fix)

By default the NFS server requires secure file-lock requests, which require credentials from the client in order to lock a file. Most NFS clients send credentials with file lock requests, however, there are a few clients that do not send credentials when requesting a file-lock, allowing the client to only be able to lock world-readable files. To get around this, the "insecure_locks" option can be used so these clients can access the desired export. This poses a security risk by potentially allowing the client access to data for which it does not have authorization. Remove any instances of the "insecure_locks" option from the file "/etc/exports".