{"description": "To specify the UID and GID for remote root users, edit the <tt>/etc/exports</tt> file and add the following for each export:\n<pre>\nanonuid=<tt>value greater than UID_MAX from /etc/login.defs</tt>\nanongid=<tt>value greater than GID_MAX from /etc/login.defs</tt>\n</pre>\nNote that a value of \"-1\" is technically acceptable as this will randomize the <tt>anonuid</tt> and\n<tt>anongid</tt> values on a Red Hat Enterprise Linux based NFS server. While acceptable from a security perspective,\na value of <tt>-1</tt> may cause interoperability issues, particularly with Red Hat Enterprise Linux 7 client systems.\nAlternatively, functionally equivalent values of 60001, 65534, or 65535 may be used.", "rationale": "Specifying the anonymous UID and GID ensures that the remote root user is mapped\nto a local account which has no permissions on the system.", "severity": "unknown", "references": {}, "control_references": {}, "components": [], "identifiers": {}, "ocil_clause": "anonuid or anongid are not set to a value greater than UID_MAX (for anonuid) and GID_MAX (for anongid)", "ocil": "Inspect the mounts configured in <tt>/etc/exports</tt>. Each mount should specify a value\ngreater than UID_MAX and GID_MAX as defined in /etc/login.defs.", "oval_external_content": null, "fixtext": "", "checktext": "", "vuldiscussion": "", "srg_requirement": "", "warnings": [], "conflicts": [], "requires": [], "policy_specific_content": {}, "platform": null, "platforms": [], "sce_metadata": {}, "inherited_platforms": [], "cpe_platform_names": [], "inherited_cpe_platform_names": [], "bash_conditional": null, "fixes": {}, "title": "Specify UID and GID for Anonymous NFS Connections", "definition_location": "/aptdata/openscap/scap-security-guide/linux_os/guide/services/nfs_and_rpc/nfs_configuring_clients/disabling_nfsd/nfs_no_anonymous/rule.yml", "template": null}