{"description": "By default, the server NFS implementation requires that all client requests be made\nfrom ports less than 1024. If your organization has control over systems connected to its\nnetwork, and if NFS requests are prohibited at the border firewall, this offers some protection\nagainst malicious requests from unprivileged users. Therefore, the default should not be changed.\n<br /><br />\nTo ensure that the default has not been changed, ensure no line in\n<tt>/etc/exports</tt> contains the option <tt>insecure</tt>.", "rationale": "Allowing client requests to be made from ports higher than 1024 could allow an unprivileged\nuser to initiate an NFS connection. If the unprivileged user account has been compromised, an\nattacker could gain access to data on the NFS server.", "severity": "unknown", "references": {"cis-csc": ["11", "12", "14", "15", "16", "18", "3", "5"], "cobit5": ["DSS05.02", "DSS05.04", "DSS05.05", "DSS05.07", "DSS06.03", "DSS06.06"], "isa-62443-2009": ["4.3.3.2.2", "4.3.3.5.1", "4.3.3.5.2", "4.3.3.5.3", "4.3.3.5.4", "4.3.3.5.5", "4.3.3.5.6", "4.3.3.5.7", "4.3.3.5.8", "4.3.3.6.1", "4.3.3.6.2", "4.3.3.6.3", "4.3.3.6.4", "4.3.3.6.5", "4.3.3.6.6", "4.3.3.6.7", "4.3.3.6.8", "4.3.3.6.9", "4.3.3.7.1", "4.3.3.7.2", "4.3.3.7.3", "4.3.3.7.4"], "isa-62443-2013": ["SR 1.1", "SR 1.10", "SR 1.11", "SR 1.12", "SR 1.13", "SR 1.2", "SR 1.3", "SR 1.4", "SR 1.5", "SR 1.6", "SR 1.7", "SR 1.8", "SR 1.9", "SR 2.1", "SR 2.2", "SR 2.3", "SR 2.4", "SR 2.5", "SR 2.6", "SR 2.7"], "iso27001-2013": ["A.6.1.2", "A.7.1.1", "A.9.1.2", "A.9.2.1", "A.9.2.3", "A.9.4.1", "A.9.4.4", "A.9.4.5"], "nist": ["CM-7(a)", "CM-7(b)", "CM-6(a)"], "nist-csf": ["PR.AC-4", "PR.AC-6", "PR.PT-3"]}, "control_references": {}, "components": [], "identifiers": {}, "ocil_clause": null, "ocil": null, "oval_external_content": null, "fixtext": "", "checktext": "", "vuldiscussion": "", "srg_requirement": "", "warnings": [], "conflicts": [], "requires": [], "policy_specific_content": {}, "platform": 
null, "platforms": [], "sce_metadata": {}, "inherited_platforms": [], "cpe_platform_names": [], "inherited_cpe_platform_names": [], "bash_conditional": null, "fixes": {}, "title": "Restrict NFS Clients to Privileged Ports", "definition_location": "/aptdata/openscap/scap-security-guide/linux_os/guide/services/nfs_and_rpc/nfs_configuring_servers/restrict_nfs_clients_to_privileged_ports/rule.yml", "template": null}