The system's NFS export configuration must not have the sec option set to none (or equivalent); additionally, the default authentication must not to be set to none.
Overview
| Finding ID | Version | Rule ID | IA Controls | Severity |
|---|---|---|---|---|
| V-934 | GEN005860 | SV-934r2_rule | ECAN-1 | Medium |
| Description |
|---|
| If sec=none on Solaris, all NFS requests are mapped to an unknown/common user instead of being processed according to the provided UID. |
| STIG | Date |
|---|---|
| SOLARIS 9 X86 SECURITY TECHNICAL IMPLEMENTATION GUIDE | 2015-10-01 |
Details
| Check Text ( C-865r3_chk ) |
|---|
| Perform the following on NFS servers. # grep "^default" /etc/nfssec.conf Check to ensure the second column does not equal 0. This would indicate the default is set to none. Perform the following to check currently exported file systems. # more /etc/exports OR # more /etc/dfs/dfstab If the option sec=none is set on any of the exported file systems, this is a finding. |
| Fix Text (F-1088r2_fix) |
|---|
| Edit the /etc/dfs/dfstab file and add the sec=XXX option to the share line as an option. XXX must be a valid option for the system other than none. |