Title

NFS file systems on AIX must be mounted with the nosuid option unless the NFS file systems contain approved setuid or setgid programs. (Cat II impact)

Discussion

The nosuid mount option causes the system to not execute setuid files with owner privileges. This option must be used for mounting any file system not containing approved setuid files. Executing setuid files from untrusted file systems, or file systems not containing approved setuid files, increases the opportunity for unprivileged users to attain unauthorized administrative access.

Check Content

Obtain a list of NFS file systems that contain approved "setuid" or "setgid" files from the ISSO/ISSM. Check the "nosuid" mount option is used on all NFS file systems that do not contain approved "setuid" or "setgid" files: # mount | grep -E "options|nfs|---" node mounted mounted over vfs date options -------- --------------- --------------- ------ ------------ --------------- ausgsa.ibm.com /gsa/ausgsa/projects/a/aix/71 /mnt_1 nfs3 Nov 05 14:11 ro,bg,hard,intr,nosuid,sec=sys ausgsa.ibm.com /gsa/ausgsa/projects/a/aix/72 /mnt_2 nfs3 Nov 05 14:12 ro,bg,hard,intr,sec=sys If the NFS mounts do not show the "nosuid" setting in their "options" fields, along with other mount options, this is a finding.

Fix Text

For each NFS file systems that does not contain approved "setuid" or "setgid" files, add the "nosuid" option, along with other mount options, to the "options" field in "/etc/filesystems" using the following command: # chfs -a options=ro,bg,hard,intr,nosuid,sec=sys <NFS_mount_point> Note that the other mount options (other than the nosuid options) may be different among NFS mounts.

Additional Identifiers

Rule ID: SV-215234r853460_rule

Vulnerability ID: V-215234

Group Title: SRG-OS-000326-GPOS-00126

Expert Comments

CCIs tied to check.

Controls tied to check. These are derived from the CCIs shown above.