The Network File System (NFS) anonymous UID and GID must be configured to values without permissions.

Overview

Finding ID	Version	Rule ID	IA Controls	Severity
V-932	GEN005820	SV-46123r1_rule		Medium

Description
When an NFS server is configured to deny remote root access, a selected UID and GID are used to handle requests from the remote root user. The UID and GID should be chosen from the system to provide the appropriate level of non-privileged access.

STIG	Date
SUSE Linux Enterprise Server v11 for System z	2016-12-20

Details

Check Text ( C-43380r1_chk )
Check if the nfs-kernel-server package is installed. It contains the exportfs command as well as the nfsserver process itself. # rpm –q nfs-kernel-server If the package is not installed, this check does not apply. If it is installed, check if the 'anonuid' and 'anongid' options are set correctly for exported file systems. List exported filesystems: # exportfs -v Each of the exported file systems should include an entry for the 'anonuid=' and 'anongid=' options set to "-1" or an equivalent (60001, 65534, or 65535). If appropriate values for 'anonuid' or 'anongid' are not set, this is a finding.

Check Text ( C-43380r1_chk )

Check if the nfs-kernel-server package is installed. It contains the exportfs command as well as the nfsserver process itself.
# rpm –q nfs-kernel-server

If the package is not installed, this check does not apply. If it is installed, check if the 'anonuid' and 'anongid' options are set correctly for exported file systems.
List exported filesystems:
# exportfs -v

Each of the exported file systems should include an entry for the 'anonuid=' and 'anongid=' options set to "-1" or an equivalent (60001, 65534, or 65535). If appropriate values for 'anonuid' or 'anongid' are not set, this is a finding.

Fix Text (F-39464r1_fix)
Edit "/etc/exports" and set the "anonuid=-1" and "anongid=-1" options for exports lacking it. Re-export the filesystems.