Title

The NFS server must have logging implemented. (Cat II impact)

Discussion

Filesystem logging, especially for NFS exported file systems, can be critical to detecting data misuse and possible hardware/system errors that may, otherwise, go unnoticed.

Check Content

To enable NFS server logging the log option must be applied to all exported file systems in the /etc/dfs/dfstab. Perform the following to verify NFS is enabled. # share The preceding command will display all exported filesystems. Each line should contain a log entry to indicate logging is enabled. If the log entry is not present, this is a finding. If the share command does not return anything, then this is not an NFS server and this is considered not applicable. NFS version 4 does not support server logging. Verify NFS_SERVER_VERSMAX in /etc/default/nfs. # grep NFS_SERVER_VERSMAX /etc/default/nfs If NFS_SERVER_VERSMAX is commented out or set to any value but 2 or 3, this is a finding.

Fix Text

Edit /etc/dfs/dfstab and add the log option to all exported filesystems. Run the shareall command for the changes to take effect. NFS version 2 or 3 must be forced by updating the NFS_SERVER_VERSMAX variable appropriately in /etc/default/nfs and restarting the NFS daemon.

Additional Identifiers

Rule ID: SV-227546r603266_rule

Vulnerability ID: V-227546

Group Title: SRG-OS-000470

Expert Comments

CCIs tied to check.

Controls tied to check. These are derived from the CCIs shown above.