← Back to Apple macOS 13 (Ventura) Security Technical Implementation Guide

V-257186

CAT II (Medium)

The macOS system must be configured to disable the Network File System (NFS) daemon unless it is required.

Rule ID

SV-257186r958478_rule

STIG

Apple macOS 13 (Ventura) Security Technical Implementation Guide

Version

V1R5

CCIs

CCI-000381

Discussion

If the system does not require access to NFS file shares or is not acting as an NFS server, support for NFS is nonessential and NFS services must be disabled. NFS is a network file system protocol supported by UNIX-like operating systems. Enabling any service increases the attack surface for an intruder. By disabling unnecessary services, the attack surface is minimized.

Check Content

Verify the macOS system is configured to disable the NFS daemon with the following command:

/bin/launchctl print-disabled system | /usr/bin/grep com.apple.nfsd

"com.apple.nfsd" => disabled

If the results are not "com.apple.nfsd => disabled" or the use of NFS has not been documented with the ISSO as an operational requirement, this is a finding.

Fix Text

Configure the macOS system to disable the NFS daemon with the following command:

/usr/bin/sudo /bin/launchctl disable system/com.apple.nfsd

The system may need to be restarted for the update to take effect.