Check: AOSX-09-000142
Apple OS X 10.9 Workstation STIG:
AOSX-09-000142
(in version v1 r2)
Title
The NFS lock daemon must be disabled. (Cat II impact)
Discussion
If the system does not require access to NFS (Network File System) file shares or is not acting as an NFS server, then support for NFS is non-essential and NFS services must be disabled. NFS is a network file system protocol supported by Unix-like operating systems. Enabling any service increases the attack surface for an intruder. By disabling unnecessary services, the attack surface is minimized.
Check Content
The NFS lock daemon must be disabled. To check if the NFS lock daemon is disabled, run the following command: sudo /usr/libexec/PlistBuddy -c 'print com.apple.lockd:Disabled' /var/db/launchd.db/com.apple.launchd/overrides.plist If the returned value isn't 'true', this is a finding.
Fix Text
To disable the NFS lock daemon, run the following command: sudo defaults write /private/var/db/launchd.db/com.apple.launchd/overrides.plist 'com.apple.lockd' -dict Disabled -bool true
Additional Identifiers
Rule ID: SV-72731r1_rule
Vulnerability ID: V-58301
Group Title:
Expert Comments
CCIs
Number | Definition |
---|---|
CCI-000381 |
The organization configures the information system to provide only essential capabilities. |
Controls
Number | Title |
---|---|
CM-7 |
Least Functionality |