{"description": "By default the NFS server requires secure file-lock requests, which require\ncredentials from the client in order to lock a file. Most NFS clients send\ncredentials with file lock requests, however, there are a few clients that\ndo not send credentials when requesting a file-lock, allowing the client to\nonly be able to lock world-readable files. To get around this, the\n<tt>insecure_locks</tt> option can be used so these clients can access the\ndesired export. This poses a security risk by potentially allowing the\nclient access to data for which it does not have authorization. Remove any\ninstances of the <tt>insecure_locks</tt> option from the file\n<tt>/etc/exports</tt>.", "rationale": "Allowing insecure file locking could allow for sensitive data to be\nviewed or edited by an unauthorized user.", "severity": "medium", "references": {}, "control_references": {}, "components": [], "identifiers": {}, "ocil_clause": "there is output", "ocil": "To verify insecure file locking has been disabled, run the following command:\n<pre>$ grep insecure_locks /etc/exports</pre>", "oval_external_content": null, "fixtext": "", "checktext": "", "vuldiscussion": "", "srg_requirement": "", "warnings": [], "conflicts": [], "requires": [], "policy_specific_content": {}, "platform": null, "platforms": [], "sce_metadata": {}, "inherited_platforms": [], "cpe_platform_names": [], "inherited_cpe_platform_names": [], "bash_conditional": null, "fixes": {}, "title": "Ensure Insecure File Locking is Not Allowed", "definition_location": "/aptdata/openscap/scap-security-guide/linux_os/guide/services/nfs_and_rpc/nfs_configuring_servers/no_insecure_locks_exports/rule.yml", "template": null}