Check: APPL-13-002003
Apple macOS 13 (Ventura) STIG:
APPL-13-002003
(in versions v1 r4 through v1 r1)
Title
The macOS system must be configured to disable the Network File System (NFS) daemon unless it is required. (Cat II impact)
Discussion
If the system does not require access to NFS file shares or is not acting as an NFS server, support for NFS is nonessential and NFS services must be disabled. NFS is a network file system protocol supported by UNIX-like operating systems. Enabling any service increases the attack surface for an intruder. By disabling unnecessary services, the attack surface is minimized.
Check Content
Verify the macOS system is configured to disable the NFS daemon with the following command: /bin/launchctl print-disabled system | /usr/bin/grep com.apple.nfsd "com.apple.nfsd" => disabled If the results are not "com.apple.nfsd => disabled" or the use of NFS has not been documented with the ISSO as an operational requirement, this is a finding.
Fix Text
Configure the macOS system to disable the NFS daemon with the following command: /usr/bin/sudo /bin/launchctl disable system/com.apple.nfsd The system may need to be restarted for the update to take effect.
Additional Identifiers
Rule ID: SV-257186r905191_rule
Vulnerability ID: V-257186
Group Title: SRG-OS-000095-GPOS-00049
Expert Comments
CCIs
Number | Definition |
---|---|
CCI-000381 |
The organization configures the information system to provide only essential capabilities. |
Controls
Number | Title |
---|---|
CM-7 |
Least Functionality |