Check: AOSX-09-000141
Apple OS X 10.9 Workstation STIG:
AOSX-09-000141
(in version v1 r2)
Title
The NFS daemon must be disabled. (Cat II impact)
Discussion
If the system does not require access to NFS (Network File System) file shares or is not acting as an NFS server, then support for NFS is non-essential and NFS services must be disabled. NFS is a network file system protocol supported by Unix-like operating systems. Enabling any service increases the attack surface for an intruder. By disabling unnecessary services, the attack surface is minimized.
Check Content
The NFS daemon must be disabled. To check if NFS is disabled, run the following command: sudo /usr/libexec/PlistBuddy -c 'print com.apple.nfsd:Disabled' /var/db/launchd.db/com.apple.launchd/overrides.plist If the returned value isn't 'true', this is a finding.
Fix Text
To disable NFS, run the following command: sudo defaults write /private/var/db/launchd.db/com.apple.launchd/overrides.plist 'com.apple.nfsd' -dict Disabled -bool true
Additional Identifiers
Rule ID: SV-72729r1_rule
Vulnerability ID: V-58299
Group Title:
Expert Comments
CCIs
Number | Definition |
---|---|
CCI-000381 |
The organization configures the information system to provide only essential capabilities. |
Controls
Number | Title |
---|---|
CM-7 |
Least Functionality |