Title

The system's NFS export configuration must not have the sec option set to none (or equivalent); additionally, the default authentication must not to be set to none. (Cat II impact)

Discussion

If sec=none on Solaris, all NFS requests are mapped to an unknown/common user instead of being processed according to the provided UID.

Check Content

Perform the following on NFS servers. # grep "^default" /etc/nfssec.conf Check to ensure the second column does not equal 0. This would indicate the default is set to none. Perform the following to check currently exported file systems. # more /etc/exports OR # more /etc/dfs/dfstab If the option sec=none is set on any of the exported file systems, this is a finding.

Fix Text

Edit the /etc/dfs/dfstab file and add the sec=XXX option to the share line as an option. XXX must be a valid option for the system other than none.

Additional Identifiers

Rule ID: SV-934r2_rule

Vulnerability ID: V-934

Group Title:

Expert Comments

CCIs tied to check.

Controls tied to check. These are derived from the CCIs shown above.