
V-281231

CAT II (Medium)

RHEL 10 must be configured so that the Network File System (NFS) is configured to use RPCSEC_GSS.

Rule ID

SV-281231r1166645_rule

STIG

Red Hat Enterprise Linux 10 Security Technical Implementation Guide

Version

V1R1

CCIs

CCI-000213

Discussion

When an NFS server is configured to use RPCSEC_SYS, a selected userid and groupid are used to handle requests from the remote user. The userid and groupid could mistakenly or maliciously be set incorrectly. The RPCSEC_GSS method of authentication uses certificates on the server and client systems to more securely authenticate the remote mount request.

Check Content

Note: If no NFS mounts are configured, this requirement is not applicable.

Verify RHEL 10 has the "sec" option configured for all NFS mounts with the following command:

$ sudo grep nfs /etc/fstab
192.168.22.2:/mnt/export /data nfs4 rw,nosuid,nodev,noexec,sync,soft,sec=krb5p:krb5i:krb5

If the system is mounting file systems via NFS and has the sec option without the "krb5:krb5i:krb5p" settings, the "sec" option has the "sys" setting, or the "sec" option is missing, this is a finding.
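The check above as a script, added here as an example and not part of the STIG text. The function name audit_nfs_sec and the sample entries after the first are constructed; it assumes that any "sec" value made up only of krb5, krb5i and krb5p passes, so a stricter reading that requires the exact list "krb5p:krb5i:krb5" would need a tighter comparison.

```bash
# Audit NFS entries in an fstab-format file (default /etc/fstab) for the "sec" option.
# Prints one line per NFS mount; returns 1 if any entry is a finding, otherwise 0.
audit_nfs_sec() {
    awk '
        $1 ~ /^#/ || NF == 0 { next }            # skip comments and blank lines
        $3 != "nfs" && $3 != "nfs4" { next }     # only NFS file system types
        {
            sec = ""; found = 0
            n = split($4, opts, ",")             # field 4 holds the mount options
            for (i = 1; i <= n; i++)
                if (opts[i] ~ /^sec=/) { sec = substr(opts[i], 5); found = 1 }
            if (!found) {
                verdict = "FINDING sec option missing"
            } else {
                verdict = "OK"
                m = split(sec, fl, ":")          # flavors are colon separated
                if (m == 0) verdict = "FINDING sec option empty"
                for (j = 1; j <= m; j++) {
                    if (fl[j] == "sys") { verdict = "FINDING sec includes sys"; break }
                    if (fl[j] !~ /^krb5[ip]?$/) {
                        verdict = "FINDING non-Kerberos flavor " fl[j]; break
                    }
                }
            }
            printf "%s %s: %s (sec=%s)\n", $1, $2, verdict, (found ? sec : "<none>")
            if (verdict != "OK") bad = 1
        }
        END { exit bad ? 1 : 0 }
    ' "${1:-/etc/fstab}"
}

# Constructed sample input: the first entry is the example line from the check,
# the other two are made-up entries that should be reported as findings.
sample=$(mktemp)
cat > "$sample" <<'EOF'
192.168.22.2:/mnt/export /data nfs4 rw,nosuid,nodev,noexec,sync,soft,sec=krb5p:krb5i:krb5
nfs.example.test:/home /home nfs rw,nosuid,sec=sys 0 0
nfs.example.test:/pub /pub nfs4 ro,nodev 0 0
EOF
audit_nfs_sec "$sample" || echo "result: at least one finding"
rm -f "$sample"
```

Run with no argument, the function reads /etc/fstab; file systems mounted outside /etc/fstab are not covered by this check.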

Fix Text

Configure RHEL 10 so that the "/etc/fstab" file "sec" option is defined for each NFS mounted file system, and the "sec" option does not have the "sys" setting.

Ensure the "sec" option is defined as "krb5p:krb5i:krb5".