Check: AIX7-00-001056
IBM AIX 7.x STIG:
AIX7-00-001056
(in versions v3 r1 through v1 r1)
Title
AIX nosuid option must be enabled on all NFS client mounts. (Cat II impact)
Discussion
Enabling the nosuid mount option prevents the system from granting owner or group-owner privileges to programs with the suid or sgid bit set. If the system does not restrict this access, users with unprivileged access to the local system may be able to acquire privileged access by executing suid or sgid files located on the mounted NFS file system.
Check Content
Check the system for NFS mounts not using the "nosuid" option using command: # lsfs -v nfs Name Nodename Mount Pt VFS Size Options Auto Accounting /home/doej -- /mount/doej nfs 786432 -- yes no If the "mounted" file systems do not have the "nosuid option", this is a finding.
Fix Text
Edit "/etc/filesystems" and add the "nosuid" option for all NFS file systems. Remount the NFS file systems to make the change take effect.
Additional Identifiers
Rule ID: SV-215210r991589_rule
Vulnerability ID: V-215210
Group Title: SRG-OS-000480-GPOS-00227
Expert Comments
CCIs
Number | Definition |
---|---|
CCI-000366 |
Implement the security configuration settings. |
Controls
Number | Title |
---|---|
CM-6 |
Configuration Settings |