{"description": "Add the <code>sec=krb5:krb5i:krb5p</code> option to the fourth column of <tt>/etc/fstab</tt> for the line which controls mounting of\nany NFS mounts.", "rationale": "When an NFS server is configured to use AUTH_SYS a selected userid and groupid are used to handle\nrequests from the remote user. The userid and groupid could mistakenly or maliciously be set\nincorrectly. The AUTH_GSS method of authentication uses certificates on the server and client\nsystems to more securely authenticate the remote mount request.", "severity": "medium", "references": {"cis-csc": ["1", "12", "14", "15", "16", "18", "3", "5"], "cobit5": ["DSS05.04", "DSS05.10", "DSS06.10"], "isa-62443-2009": ["4.3.3.6.1", "4.3.3.6.2", "4.3.3.6.3", "4.3.3.6.4", "4.3.3.6.5", "4.3.3.6.6", "4.3.3.6.7", "4.3.3.6.8", "4.3.3.6.9", "4.3.3.7.3"], "isa-62443-2013": ["SR 1.1", "SR 1.10", "SR 1.2", "SR 1.5", "SR 1.7", "SR 1.8", "SR 1.9", "SR 2.1"], "iso27001-2013": ["A.18.1.4", "A.6.1.2", "A.9.1.2", "A.9.2.1", "A.9.2.3", "A.9.2.4", "A.9.3.1", "A.9.4.1", "A.9.4.2", "A.9.4.3", "A.9.4.4", "A.9.4.5"], "nist": ["CM-7(a)", "CM-7(b)", "CM-6(a)", "IA-2", "IA-2(8)", "IA-2(9)", "AC-17(a)"], "nist-csf": ["PR.AC-4", "PR.AC-7"], "srg": ["SRG-OS-000480-GPOS-00227"]}, "control_references": {}, "components": [], "identifiers": {}, "ocil_clause": "the setting is not configured, has the 'sys' option added, or does not have all Kerberos options added", "ocil": "To verify the <tt>sec</tt> option is configured for all NFS mounts, run the following command:\n<pre>$ mount | grep \"sec=\"</pre>\nAll NFS mounts should show the <tt>sec=krb5:krb5i:krb5p</tt> setting in parentheses.\nThis is not applicable if NFS is not implemented.", "oval_external_content": null, "fixtext": "", "checktext": "", "vuldiscussion": "", "srg_requirement": "", "warnings": [], "conflicts": [], "requires": [], "policy_specific_content": {"stig": {"srg_requirement": "Ubuntu 22.04 must be configured so that the Network File System (NFS) is configured to use RPCSEC_GSS.", "vuldiscussion": "When an NFS server is configured to use RPCSEC_SYS, a selected userid and groupid are used to handle requests from the remote user. The userid and groupid could mistakenly or maliciously be set incorrectly. The RPCSEC_GSS method of authentication uses certificates on the server and client systems to more securely authenticate the remote mount request.", "checktext": "Verify Ubuntu 22.04 has the \"sec\" option configured for all NFS mounts with the following command:\n\nNote: If no NFS mounts are configured, this requirement is Not Applicable.\n\n$ cat /etc/fstab | grep nfs\n\n192.168.22.2:/mnt/export /data nfs4 rw,nosuid,nodev,noexec,sync,soft,sec=krb5p:krb5i:krb5\n\nIf the system is mounting file systems via NFS and has the sec option without the \"krb5:krb5i:krb5p\" settings, the \"sec\" option has the \"sys\" setting, or the \"sec\" option is missing, this is a finding.", "fixtext": "Update the \"/etc/fstab\" file so the option \"sec\" is defined for each NFS mounted file system and the \"sec\" option does not have the \"sys\" setting.\n\nEnsure the \"sec\" option is defined as \"krb5p:krb5i:krb5\"."}}, "platform": "nfs_mount_defined", "platforms": ["nfs_mount_defined"], "sce_metadata": {}, "inherited_platforms": ["system_with_kernel"], "cpe_platform_names": ["nfs_mount_defined"], "inherited_cpe_platform_names": ["system_with_kernel"], "bash_conditional": null, "fixes": {}, "title": "Mount Remote Filesystems with Kerberos Security", "definition_location": "/aptdata/openscap/scap-security-guide/linux_os/guide/services/nfs_and_rpc/nfs_configuring_clients/mounting_remote_filesystems/mount_option_krb_sec_remote_filesystems/rule.yml", "template": {"name": "mount_option_remote_filesystems", "vars": {"mount_has_to_exist": "yes", "mountoption": "sec=krb5:krb5i:krb5p", "mountpoint": "remote_filesystems"}, "backends": {}}}