Check: GEN005820
Solaris 10 X86 STIG:
GEN005820
(in versions v2 r4 through v1 r17)
Title
The NFS anonymous UID and GID must be configured to values that have no permissions. (Cat II impact)
Discussion
When an NFS server is configured to deny remote root access, a selected UID and GID are used to handle requests from the remote root user. The UID and GID should be chosen from the system to provide the appropriate level of non-privileged access.
Check Content
Check if the anon option is set correctly for exported file systems. List exported file systems. # exportfs -v OR # more /etc/dfs/sharetab Each of the exported file systems should include an entry for the 'anon=' option set to -1 or an equivalent (60001, 60002, 65534, or 65535). If an appropriate 'anon=' setting is not present for an exported file system, this is a finding.
Fix Text
Edit /etc/dfs/dfstab and add the "anon=-1" option for exports lacking it. Re-export the filesystems.
Additional Identifiers
Rule ID: SV-227919r603266_rule
Vulnerability ID: V-227919
Group Title: SRG-OS-000104
Expert Comments
CCIs
Number | Definition |
---|---|
CCI-000764 |
The information system uniquely identifies and authenticates organizational users (or processes acting on behalf of organizational users). |
Controls
Number | Title |
---|---|
IA-2 |
Identification And Authentication (Organizational Users) |