{"description": "Require packet signing of clients who mount Samba\nshares using the <tt>mount.cifs</tt> program (e.g., those who specify shares\nin <tt>/etc/fstab</tt>). To do so, ensure signing options (either\n<tt>sec=krb5i</tt> or <tt>sec=ntlmv2i</tt>) are used.\n<br /><br />\nSee the <tt>mount.cifs(8)</tt> man page for more information. A Samba\nclient should only communicate with servers who can support SMB\npacket signing.", "rationale": "Packet signing can prevent man-in-the-middle\nattacks which modify SMB packets in transit.", "severity": "unknown", "references": {}, "control_references": {}, "components": [], "identifiers": {}, "ocil_clause": "it does not", "ocil": "To verify that Samba clients using mount.cifs must use packet signing, run the following command:\n<pre>$ grep sec /etc/fstab</pre>\nThe output should show either <tt>krb5i</tt> or <tt>ntlmv2i</tt> in use.", "oval_external_content": null, "fixtext": "", "checktext": "", "vuldiscussion": "", "srg_requirement": "", "warnings": [], "conflicts": [], "requires": [], "policy_specific_content": {}, "platform": "machine", "platforms": ["machine"], "sce_metadata": {}, "inherited_platforms": [], "cpe_platform_names": ["machine"], "inherited_cpe_platform_names": [], "bash_conditional": null, "fixes": {}, "title": "Require Client SMB Packet Signing, if using mount.cifs", "definition_location": "/aptdata/openscap/scap-security-guide/linux_os/guide/services/smb/configuring_samba/mount_option_smb_client_signing/rule.yml", "template": null}